Security Operations the Final Frontier – Part II

Security Operations Model (SOM) a Technology Discussion

Security Operations as a capability was the topic we began discussing in the previous article, Security Operations the Final Frontier. Recent press coverage of Operation Shady RAT, Operation Aurora and Operation Night Dragon, during which information was compromised and data assets stolen, stands as testimony. That article closed with the sentiment that, like everything in business, information security is a risk-based domain and security risk is an extension of an organisation's operational risk framework; my personal view is that a good security operations framework/model (SOF/SOM) should include the classic four quadrants of Prevent, Detect, Respond and Investigate.

Since then, having tried and failed to find something freely available that could be used for our discussion, I have created my own interpretation of what a good, pragmatic Security Operations Model (SOM) would look like. It has been adapted from a number of security frameworks and industry good practices, such as ITIL, COBIT, NIST, OCTAVE, OWASP and the ever-present ISO 27001/2, all of which have an input into the structure and make-up of an effective security operations framework or security operations model.

In practice, when discussions on establishing or maturing the security operations capability within an organisation take place, there is a natural tendency to think about a technology-rich and tool-heavy Security Operations Centre (SOC). Add to that the emergence, over the last few years, of the Security Information and Event Management (SIEM) solution as the supposed silver bullet for our secops problems. Really? I am not convinced; my view is that, across the domains of Prevent, Detect, Respond and Investigate, SIEM is an important technology but it is definitely no silver bullet.

People make or break security; process implements the practices of security that have been agreed within an organisation; and technology is the enabler that assists people to implement the processes for an optimum and successful security operations model.

"So where do we start?" is often the question. I say "start" with what people understand and what executives are familiar with, that is, the technology layer.

Why? Because if security is not spending money on technology and products it is probably not doing the right thing, or there is a gap, because technology and products are how security is traditionally implemented; such is the perception of security. But "start" does not equate to buying and investing in technology. "Start", in my view, is a discussion on what the end-to-end technology tooling landscape for security operations management looks like: what is the risk that the organisation is trying to manage? And what part of its security controls framework will the security technology tooling cater to?

In my experience, technology tooling discussions for security operations should always be held in the context of what security controls are required to manage, operate and sustain an optimum security posture for the organisation. Whilst often given the poor-cousin treatment and not considered to be of real importance, security process and people controls, and their relative maturity within an organisation, define the effectiveness of the implemented security capability. If not, then why does the International Information Security Standard ISO/IEC 27001/2 have only 30% of its controls related to technology and the rest related to process? ITIL for Security is all about process, albeit with support from technology elements within the environment. Food for thought.

Now, considering that we have matured and are moving to an operational world where all security operations technology and associated capability is a control requirement, and that, as always, funds are limited, where do we start?

I say tackle first the technology tooling requirements that will assist with Prevent and Detect capability:

• Firewalls (network and application)
• Network Intrusion Prevention and Detection Systems (NIPS/NIDS)
• Gateway anti-spam capability
• Endpoint anti-virus, anti-spam and host-based firewalls
• Host intrusion prevention capability for critical endpoints, where identified, and
• An IT Vulnerability Management solution

Once the above is in place, I would move to the next tranche, which looks to address parts of the Respond and Investigate tooling capability:

• Data leakage prevention (network, file servers, database and endpoint host)
• Email classification marking, to classify your emails if the environment demands it
• Content-management filters for web traffic monitoring

Finally, only once you understand your environment and are comfortable that all implemented capabilities are performing to a satisfactory level should you move to consider implementing the much-hyped silver bullet, a Security Information and Event Management (SIEM) solution.

In closing, I have not told you anything that most of us did not already know, but in my experience this is only half of the story, and no security operations model would be complete without robust processes and security metrics. More on this in the next article, where I talk about the security processes that need to be implemented within a Security Operations Centre (SOC) to support a robust and mature Security Operations Model within an organisation.

Stories by Puneet Kukreja