Requirements of a good Security Operations Centre

I have recently been thinking about and reading up on how to improve Security Operations Centres (SOC) to meet the constantly evolving environment and threat landscape in which we operate.  There are obviously many tools that are required from Network Monitoring to IPS (Intrusion Prevention System) to Log Collection and Correlation systems to Auditing and File Integrity Monitoring.

This post will however briefly cover the ‘soft’ side of the SOC and three key skills / processes that there seems to be agreement are required for a SOC to be effective and forward looking.

The first of these is understanding the business and business systems in detail and being able to put any event in the context of the business.  Which systems are affected?  Which business processes does this impact?  What is the relative priority?  This means the team needs to understand more than just vulnerability x and y and their generic severity rating.  They must understand your business context and be able to effectively relate events to this.  Tools can also help here in terms of event correlation and scale of the issue, this is where the new breed of ‘big data’ real time analysis and correlation tools such as Splunk, Palantir, or Security Analytics.

The second key skill / process is that of effective incident handling. This must again focus on your specific business and the priorities in case of an event, such as evidence gathering, escalation, keeping services running, regulatory requirements.  The event must be related to these factors with an understanding of it’s impacts to your business.  The more effective and streamlined this process can be, the lower the impact will be when the inevitable issues from virus infections to ful scale breaches occur.

The third key area is around business processes.  Any process that involves users of the companies system will likely be key attack vectors.  Technology can’t ever stop all attacks – this is why social engineering is still the number 1 way any attackers gain a foothold in most environments.  The security team must work with the business to perform threat assessment and modelling sessions to understand the attack vectors and work with the users to minimise or mitigate them.  Solid user training, awareness and engagement will also help here.

Attackers who want to get into your system for whatever reason from financial gain to hacktivism are constantly changing and improving their game.  We need to work hard to keep up and keep them out or at least contained.  A well formed and smoothly functioning SOC that is closely aligned to the business is a key part of any organisations defence.

K

Advertisements

Author: Kevin Fielder

Innovative and dynamic security professional, with a passion for driving change by successfully engaging with all levels of the business. I am a determined individual with proven ability to provide security insights to the business, in their language. These insights have gained board buy in for delivering security strategy aligned to key business goals. This is achieved by understanding the need to drive change through people, process and technology, rather than focusing exclusively on any one area. I take pride in being a highly articulate, motivational and persuasive team-builder. I have a strategic outlook with the ability to engage with and communicate innovative and effective security solutions to all levels of management. Along with a proven ability to translate security into business language and articulate the business benefits I am also passionate about leading security innovations and making security a key part of the business proposition to its customers. Security should be made a key differentiator to drive sales and customer retention, not just a cost centre! Outside of work I am a proud husband and father to an awesome family, and a passionate CrossFit coach and athlete.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s