Corporations spend millions of dollars on building and operating security operations. To avoid failures and maximize the return on investment (ROI), there are some expert pieces of advice to consider while designing and building a mature Security Operations Center (SOC).
Security operations success starts with knowing the corporate business and technical needs and setting appropriate goals. The following are the key success factors to consider while building and running a successful SOC:
1. Knowing and setting the monitoring goals (Building Meaningful Use Cases):
Unfortunately, most SOCs are built without knowing what needs to be monitored in the environment. The business needs and technical requirements must be well understood and addressed before the build is planned. The time invested in planning the SOC build should be much more than the time spent on the whole design and build process.
The effort pyramid should be inverted in this case.
These requirements (business and technical) are translated into use cases. A use case can be a business use case, for example detecting any financial transaction exceeding a specific value and alerting on it, or a technical one, e.g. anomalous behavior to be watched for.
2. Setting up the right technical configurations (Rules, Integration, tuning etc.):
Another challenge is translating these use cases into the rules configured on the SIEM tool. If the events are not parsed correctly, or the rules are not configured properly (i.e. the threshold settings and rule design are wrong), the required results cannot be achieved. These correlation rules should be tuned on a periodic basis to get rid of the noise of false positives. Similarly, there should be a periodic check for integrated log sources that have stopped reporting to the SIEM tool.
Likewise, the log sources' details and network hierarchy details, along with any vulnerability details of assets, should be fed into the SIEM device to provide better visibility into the corporate environment.
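As an added example that is not part of the original article, the Python below turns the two kinds of use case from section 1 (a payment over a set amount, and a technical anomaly, here a burst of failed logins) into threshold rules with a tuning allowlist, and adds the periodic silent-log-source check from section 2. The key=value log format, field names, thresholds and source names are all constructed assumptions, not any real SIEM's schema.

```python
"""Minimal SIEM-style rule engine: parse events, apply threshold use cases,
tune out known noise, and flag log sources that have gone quiet.
Added illustration; the event format and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one event per line in a made-up key=value format.
# The last line is deliberately malformed to show parse failures being counted.
SAMPLE_LOG = """\
ts=2024-03-01T10:00:00 src=erp-01 type=payment account=A1 amount=900
ts=2024-03-01T10:00:05 src=erp-01 type=payment account=A2 amount=15000
ts=2024-03-01T10:00:10 src=fw-01 type=auth_fail user=bob ip=10.0.0.5
ts=2024-03-01T10:00:20 src=fw-01 type=auth_fail user=bob ip=10.0.0.5
ts=2024-03-01T10:00:30 src=fw-01 type=auth_fail user=bob ip=10.0.0.5
ts=2024-03-01T10:00:40 src=fw-01 type=auth_fail user=bob ip=10.0.0.5
ts=2024-03-01T10:00:50 src=fw-01 type=auth_fail user=bob ip=10.0.0.5
ts=2024-03-01T10:01:00 src=fw-01 type=auth_fail user=svc ip=10.0.0.9
ts=2024-03-01T10:01:05 src=fw-01 type=auth_fail user=svc ip=10.0.0.9
ts=2024-03-01T10:01:10 src=fw-01 type=auth_fail user=svc ip=10.0.0.9
ts=2024-03-01T10:01:15 src=fw-01 type=auth_fail user=svc ip=10.0.0.9
ts=2024-03-01T10:01:20 src=fw-01 type=auth_fail user=svc ip=10.0.0.9
ts=2024-03-01T10:02:00 src=proxy-01 type=http host=example.com
garbage line without fields
"""


def parse_line(line):
    """Parse one key=value line; raise ValueError if it cannot be normalized."""
    event = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError(f"bad token {token!r}")
        key, value = token.split("=", 1)
        event[key] = value
    for required in ("ts", "src", "type"):
        if required not in event:
            raise ValueError(f"missing field {required}")
    event["ts"] = datetime.fromisoformat(event["ts"])
    if "amount" in event:
        event["amount"] = float(event["amount"])
    return event


def parse_log(text):
    """Return (events, failures); unparsed lines are never silently dropped."""
    events, failures = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(parse_line(line))
        except ValueError as exc:
            failures.append((line, str(exc)))
    return events, failures


def payment_threshold(events, limit=10000.0):
    """Business use case: alert on any single payment above the limit."""
    return [{"rule": "payment_over_limit", "account": e["account"],
             "amount": e["amount"], "ts": e["ts"]}
            for e in events if e["type"] == "payment" and e["amount"] > limit]


def auth_fail_burst(events, threshold=5, window=timedelta(minutes=5),
                    allowlist=frozenset()):
    """Technical use case: N failed logins per (user, ip) within a sliding window.
    The allowlist is the tuning step: known noisy (user, ip) pairs such as a
    vulnerability scanner's service account are suppressed as false positives."""
    recent = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "auth_fail":
            continue
        key = (e["user"], e["ip"])
        if key in allowlist:
            continue
        q = recent[key]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": "auth_fail_burst", "user": e["user"],
                           "ip": e["ip"], "count": len(q), "ts": e["ts"]})
            q.clear()  # one alert per burst, not one per extra event
    return alerts


def silent_sources(events, expected, now, max_gap):
    """Health check: expected sources with no event within max_gap of now
    (or never seen at all) are reported as silent."""
    last_seen = {}
    for e in events:
        last_seen[e["src"]] = max(last_seen.get(e["src"], e["ts"]), e["ts"])
    return sorted(s for s in expected
                  if s not in last_seen or now - last_seen[s] > max_gap)


if __name__ == "__main__":
    evts, fails = parse_log(SAMPLE_LOG)
    print(f"parsed {len(evts)} events, {len(fails)} parse failures")
    print("payment alerts:", payment_threshold(evts))
    print("burst alerts (tuned):",
          auth_fail_burst(evts, allowlist=frozenset({("svc", "10.0.0.9")})))
    print("silent sources:", silent_sources(
        evts, {"erp-01", "fw-01", "proxy-01", "dc-01"},
        datetime.fromisoformat("2024-03-01T10:11:00"), timedelta(minutes=10)))
```

Without the allowlist the burst rule fires for both `bob` and the scanner account `svc`; adding the scanner's (user, ip) pair to the allowlist removes that false positive while keeping the real one, which is the kind of periodic tuning the section calls for. The silent-source check also reports `dc-01`, a source that was integrated but never delivered a single event, a gap a simple "last event older than X" query would miss.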
3. Building the right team (Job responsibilities and SOC reporting structure):
Another important aspect is to staff the SOC with skilled and appropriate people. Their job responsibilities and RACI matrix should be built around the processes being established, e.g. monitoring, triage, incident response, security intelligence, etc. The staff should be well trained and have the right tools to perform their jobs. The analysts should have access to threat intelligence and research feeds (if available).
4. Responding (Building robust incident response process):
Incident response is key to all activities within the SOC. The response starts with triage and rating, and ends with remediating the root cause of the incident. Several tickets are opened and assigned to the individuals who work on the steps of the incident response, i.e. containing, eradicating, remediating, etc., on the incidents or compromised systems.
A knowledge base is built from the incident response history and experience. All of this should happen in a systematic and recorded fashion.
5. Lobbying and getting help from IT and other departments:
Day-to-day security operations require a lot of help and support from other departments such as HR, Compliance, IT, Legal, etc. A steering committee comprising the executives of these departments should be formed, and coordinators should be assigned.
Lobbying with IT and other departments and their designated coordinators is crucial to building healthy relations. KPIs and goals can be set for the representatives on the steering committee, and they can be given access to dashboards and reports on the SIEM device to monitor the parameters set for their goals.
About the Author:
Bilal Aslam is a seasoned security consultant with over 12 years of experience in this field, including 8 years at the world's leading security consulting firms such as Deloitte and PwC. Bilal earned his MSc in Information Security from Royal Holloway, University of London and is currently working with IBM Security Services. Bilal has served clients in multiple industries and advised them on multiple security domains.
His major areas of interest are Governance, Risk and Compliance, Business Continuity, Security Intelligence, Cloud and Security Enterprise Architecture.