Security Operations as a capability was the topic we started discussing in the previous article, Security Operations the Final Frontier. Recent press coverage of Operation Shady RAT, Operation Aurora and Operation Night Dragon, during which information was compromised and data assets stolen, stands as testimony to its importance. That article closed with the sentiment that, like everything in business, information security is a risk-based domain, and security risk is an extension of an organisation's operational risk framework; my personal view is that a good security operations framework/model (SOF/SOM) should include the classic four quadrants of Prevent, Detect, Respond and Investigate.
Since then, having tried and failed to find something freely available that could be used for our discussion, I have created my own interpretation of what a good, pragmatic Security Operations Model (SOM) would look like. It has been adapted from a number of security frameworks and industry good practices, such as ITIL, COBIT, NIST, OCTAVE, OWASP and the ever-present ISO 27001/2, all of which have an input into the structure and makeup of an effective security operations framework or security operations model.
In practice, when discussions on establishing or maturing the security operations capability within an organisation take place, there is a natural tendency to think about a technology-rich and tool-heavy Security Operations Centre (SOC). Add to that the emergence, over the last few years, of the Security Information and Event Management (SIEM) solution as the supposed silver bullet for our secops problems. Really? I am not convinced. My view is that, across the domains of Prevent, Detect, Respond and Investigate, SIEM is an important technology but it is definitely no silver bullet.
People make or break security; process implements the security practices that have been agreed within an organisation; and technology is the enabler that assists people in implementing those processes for an optimum and successful security operations model.
“So where do we start?” is a question that is often asked. I say “start” with what people understand and what executives are familiar with: the technology layer.
Why? Because the perception of security is that if it is not spending money on technology and products, it probably is not doing the right thing, or there is a gap, since technology and products are how security is traditionally implemented. But “start” does not mean buy and invest in technology. “Start”, in my view, is a discussion on what the end-to-end technology tooling landscape for security operations management looks like: what is the risk that the organisation is trying to manage, and what part of its security controls framework will the security technology tooling cater to?
In my experience, technology tooling discussions for security operations should always be held in the context of which security controls are required to manage, operate and sustain an optimum security posture for the organisation. Whilst often given the poor-cousin treatment and not considered to be of real importance, security process and people controls, and their relative maturity within an organisation, are what define the effectiveness of the implemented security capability. If not, then why does the international information security standard ISO/IEC 27001/2 have only 30% of its controls related to technology and the rest related to process? ITIL for Security is all about process, although supported by technology elements within the environment. Food for thought.
Now, considering that we have matured and are moving to an operational world where all security operations technology and its associated capability is a control requirement, and funds, as always, are limited, where do we start?
I say tackle the technology tooling requirements that will assist with Prevent and Detect capability first:
• Firewalls (network and application)
• Network Intrusion Prevention and Detection Systems (NIPS/NIDS)
• Gateway anti-spam capability
• Endpoint anti-virus, anti-spam and host-based firewalls
• Host intrusion prevention capability for critical endpoints, where identified, and an
• IT Vulnerability Management solution
Once the above is in place, I would move to the next tranche, which looks to address parts of the Respond and Investigate tooling capability:
• Data leakage prevention (network, file servers, database and endpoint host)
• Email classification marking to classify your emails, if the environment demands it
• Content management filters for web traffic monitoring
Finally, only once you understand your environment and are comfortable that all implemented capabilities are performing to a satisfactory level should you move on and consider implementing the much-hyped silver bullet, a Security Information and Event Management (SIEM) solution.
In closing, I have not told you anything that most of us do not already know, but in my experience this is only half of the story, and no security operations model would be complete without robust processes and security metrics. More on this in the next article, where I will talk about the security processes that need to be implemented within a Security Operations Centre (SOC) to support a robust and mature Security Operations Model within an organisation.