The six pillars of security operations

Six key points that should be considered when creating and developing a SOC

As mobile working and bring-your-own-device (BYOD) become increasingly prevalent, business security has been propelled to the forefront of corporate strategy. The Security Operations Centre (SOC) is a key part of the enterprise security infrastructure – it enables an organisation to establish effective protection against security threats. There are six key points that should be considered when creating and developing a SOC that can effectively detect and counter cyber threats in a timely manner.

  1. Determine the correct policy

    Security policy is the beating heart of an effective Security Operations Centre – it clearly defines the scope of protection and outlines the responsibilities of all relevant parties. The first step in designing a policy is to determine exactly what role you want the SOC to play. Will it simply observe, record and report on recurring attacks? Will it be actively involved in mitigating threats? Determining its role is crucial to ensuring your resources are not working against each other, but are instead working in harmony.

    The second step is to agree on the scope of your SOC’s activities, such as whether it is restricted to the network only, or also covers suspicious user activity. An effective policy allows responsibility for certain actions within the SOC to be delegated, while keeping the related parties who must work together towards a shared purpose closely involved.

  2. Perform risk analysis

    In a perfect world, there would be no risk and thus no need for security. But since the world is not perfect, risk is the main driver of security processes. A careful risk analysis can reveal critical issues – perhaps issues you originally thought were insignificant, or vice versa. For example, attention may previously have been focused on network monitoring, with anti-virus updates given lower priority, leaving your organisation more exposed because anti-virus signatures are out of date.

    A thorough risk analysis will enable you to pinpoint any threats and take corrective action. The results of the risk assessment should be used as the foundation of your security policy, with periodic reassessments. The SOC must meet the strategic needs of the business and it is usually appropriate to revise the risk analysis on an annual or biannual basis.

  3. Define appropriate procedures

    Procedures are vital – they will inform the actions you take in any security crisis. Implementing a clear set of procedures for your SOC will mean that all parties know, and understand, how to carry out their responsibilities properly in the event of an attack. If your current procedures need altering because they do not meet best-practice standards, the changes should be agreed by all parties involved.

    It will also be valuable to provide instructions on how best to use the tools the procedures rely on. Small but significant details about business operations should be stated clearly and used as a reference during any incident.

  4. Focus on staffing

    Staff are the lifeblood of any organisation, so your SOC staff are in a key position to prevent threats from disrupting your business. It is therefore essential to hire experienced staff such as incident responders, IDS analysts or knowledgeable forensics analysts with proper network experience. These people may not be easily found amongst job seekers and they may be expensive to hire, but the bottom line is – you get what you pay for. They are valuable resources who can search for a tiny detail in an ocean of data, and this ability makes them a good investment. It is too risky to have a security attack go unnoticed because of inexperienced staff.

  5. Consider the organisational dynamics

    When you begin to implement your SOC, you need to define your organisational dynamics. There are three tiers you should consider, namely:

    Tier 0: Core services, where the security operations centre's own procedures run: monitoring, prevention and mitigation of incoming attacks. Tier 0 is responsible for performing incident response, complete monitoring, and providing the patches and updates appropriate to the business needs of the organisation.

    Tier 1: Internal customer base. This tier incorporates the other departments in your organisation which receive security protection. Protecting and monitoring Tier 1 are daily duties.

    Tier 2: External or business partners. When business is conducted with them over the shared network, they are protected by your security operational procedures and monitored directly.

    These three tiers require different levels of security. Tier 0 needs optimum protection and control over any incoming threats, while Tier 2 only needs minimum protection. Ideally, the critical assets in Tier 0 should be kept close to the core of the security operations centre.

  6. Integrate the SOC in the organisation

    It is necessary to integrate the SOC into your organisation's information flow and activity. Any information that is valuable to the SOC needs to be passed on, as every piece of information helps. Integration of information and effective communication strategies will enable the security operations manager to obtain information from within the organisation that may be relevant and applicable to detecting threats. Fully integrating the SOC into the organisation will enable a rapid response to any attack.

These six pillars are vital to building a strong and effective security operations centre. By having a solid SOC, you can feel confident conducting daily business with minimal risk. In an increasingly online world, having the right defence in place is critical to business operational security.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.


Stories by Gordon Makryllos
