Requirements of a good Security Operations Centre

I have recently been thinking about and reading up on how to improve Security Operations Centres (SOC) to meet the constantly evolving environment and threat landscape in which we operate.  There are obviously many tools that are required from Network Monitoring to IPS (Intrusion Prevention System) to Log Collection and Correlation systems to Auditing and File Integrity Monitoring.

This post will however briefly cover the ‘soft’ side of the SOC and three key skills / processes that there seems to be agreement are required for a SOC to be effective and forward looking.

The first of these is understanding the business and business systems in detail and being able to put any event in the context of the business. Which systems are affected? Which business processes does this impact? What is the relative priority? This means the team needs to understand more than just vulnerability x and y and their generic severity rating. They must understand your business context and be able to effectively relate events to this. Tools can also help here in terms of event correlation and the scale of the issue; this is where the new breed of ‘big data’ real-time analysis and correlation tools such as Splunk, Palantir, or Security Analytics come in.
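As an added illustration of that point (example code, not part of the original post), the following script enriches raw alerts with a constructed asset inventory so that priority reflects the affected business system and process rather than the generic severity alone; the inventory, alerts and scoring weights are all assumptions made up for the example.

```python
# Added example (not from the original post): rank alerts by business context.
# The asset inventory, the alerts and the scoring rule are constructed here.
from dataclasses import dataclass

# Constructed inventory: host -> (business system, business process, criticality 1..5)
ASSETS = {
    "web-01":  ("Customer Portal", "Online ordering", 5),
    "db-02":   ("Order Database",  "Online ordering", 5),
    "hr-app":  ("HR System",       "Payroll",         3),
    "kiosk-7": ("Lobby kiosk",     "Visitor sign-in", 1),
}

# Constructed alerts: (host, finding, generic severity 1..10 as a tool would rate it)
ALERTS = [
    ("kiosk-7",      "critical RCE vulnerability",     10),
    ("db-02",        "unusual off-hours admin login",   5),
    ("hr-app",       "malware signature match",         8),
    ("unknown-host", "port scan",                       3),
]

@dataclass
class Prioritised:
    host: str
    finding: str
    system: str
    process: str
    score: int

def prioritise(alerts, assets, default_criticality=2):
    """Combine generic severity with business criticality (severity * criticality).

    Hosts missing from the inventory get a default criticality but are still
    surfaced, because an unknown asset is itself a gap worth investigating.
    """
    out = []
    for host, finding, severity in alerts:
        system, process, crit = assets.get(
            host, ("UNKNOWN ASSET", "unknown", default_criticality))
        out.append(Prioritised(host, finding, system, process, severity * crit))
    return sorted(out, key=lambda p: p.score, reverse=True)

def impacted_processes(prioritised):
    """Answer 'which business processes does this impact?' with alert counts."""
    counts = {}
    for p in prioritised:
        counts[p.process] = counts.get(p.process, 0) + 1
    return counts

if __name__ == "__main__":
    ranked = prioritise(ALERTS, ASSETS)
    for p in ranked:
        print(f"{p.score:3d}  {p.host:13s} {p.system:16s} {p.process:16s} {p.finding}")
    print(impacted_processes(ranked))
```

Note that the ‘critical’ RCE on the lobby kiosk ends up below an off-hours admin login on the order database once business criticality is applied.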

The second key skill / process is that of effective incident handling. This must again focus on your specific business and the priorities in case of an event, such as evidence gathering, escalation, keeping services running, and regulatory requirements. The event must be related to these factors with an understanding of its impacts on your business. The more effective and streamlined this process can be, the lower the impact will be when the inevitable issues, from virus infections to full-scale breaches, occur.

The third key area is around business processes. Any process that involves users of the company's systems will likely be a key attack vector. Technology can’t ever stop all attacks – this is why social engineering is still the number one way attackers gain a foothold in most environments. The security team must work with the business to perform threat assessment and modelling sessions to understand the attack vectors and work with the users to minimise or mitigate them. Solid user training, awareness and engagement will also help here.

Attackers who want to get into your system for whatever reason, from financial gain to hacktivism, are constantly changing and improving their game. We need to work hard to keep up and keep them out, or at least contained. A well-formed and smoothly functioning SOC that is closely aligned to the business is a key part of any organisation's defence.

K

RSA Conference Europe 2012 – Moving your SOC beyond the bloatware

Talk from Amit Yoran of EMC/RSA.

Where SOC in the title refers to Security Operations Centre.

Everything is evolving;

– Organisations are evolving and changing rapidly – cloud, BYOD, new systems, new devices, new operating systems, new regulations

– Data is evolving rapidly – explosive data growth, big data

– Threats are evolving rapidly, with actors from petty criminals to organised crime to terrorists to anti-establishment vigilantes (think Anonymous – hacktivists) to nation states.

Existing security systems are ineffective;

– Signature based – from AV to anti-spam to firewalls to IPS, tends to look for known things and behaviours (signatures)

– Perimeter orientated – firewalls, IDS / IPS, router security etc. still make up much of the focus. We are becoming more and more porous or boundary-less.

– Compliance driven – often at the expense of ‘real’ security and risk management.

Detection time is poor – many attacks go undetected for far too long.  How do we reduce this attacker free time or dwell time?

Focus needs to shift from I will stop breaches to I will be breached and how do we manage this and prevent / minimise damage.

Identified four impediments to change from the current;

– Information deluge – too much information

– Budget dilemma – so much hype and marketing, what do I spend limited budget on?

– Cyber security talent – what talent do I have in my organisation, how do I leverage it, and how do I scale the limited number of very talented people's reach to work for the whole organisation?

– Macro situational awareness – how aware am I of my organisation, and of its wider operating environment?

So what can we do?

SIEM (Security Information and Event Management) has been a good start, but limited ability to deal with the complex, multi-faceted attacks of today.  Separating bad from good has become an increasingly difficult problem.

How do we understand what ‘good’ looks like? This is much more complex than just ‘is it a valid login’; ‘bad’ may be a complex set of apparently authorised transactions that look very similar to ‘good’ activity.

Traditional SIEM is not enough –

– Cannot detect lateral movement of attacks, or covert characteristics of advanced attack tools

– Cannot fully investigate exfiltration or sabotage of critical data

– Issues with scaling to collect, sort, and analyse large enough data volumes

Need better security analytics!

Incident response lessons learned;

– Stop doing things that provide little value

– Focus on securing the most important material assets to the enterprise and understand their risk exposure, from people to processes to systems to data

– Obtain deeper visibility into what is happening on the network and what is known about the organisation and its users

– Collaborate in real time with others more effectively and gain actionable intelligence

– Measure performance across some established methodology or continuum (success, failure, compliance etc.) – but make the measures valid and don’t tune behaviour just to do well on the ‘test’!

Security operations require;

– Comprehensive visibility

– Agile analytics

– Actionable intelligence

– Optimised incident management

How do we improve understanding and analytics?

– Security Analytics Warehouse

Scalable, centralised data warehouse for long-term data retention and deep intense analysis.

Visibility of – Logs, network data, raw content, reassembled content, enterprise events, enterprise data, flow, structured and unstructured data, host telemetry…

This must be backed with a powerful analytics engine to enable complex searches and analysis on these varied and large data sets.

This is a step beyond traditional logging / SIEM platforms.

Allows us to move to ‘active defence’ that gives the user ability to take action or automatically remediate common functions.  This turns a passive system into an active one, largely using existing infrastructure.  In turn this fuels actionable and effective workflows for the SOC.

Interestingly this talk links back to those on SOA and big data from the Service Technology Symposium; both identify the need to manage and analyse big data in real time, or as near to real time as possible. These points highlight how entirely disparate areas, in this case SOA / development and security, can have similar needs and come to the same conclusions. Being able to meet the needs of your systems and application teams as well as your security team may help get your log correlation and analysis project approved. Another reason for understanding your wider business teams and environment!

Also kudos to the presenter for remaining very vendor neutral despite working for RSA / EMC, there were hints of their products, but none mentioned and no sales pitch.

K