Wednesday, 25 October 2017
Time to Bring in The External SOC Provider
With the growing complexity and frequency of cybersecurity threats, CSOs are looking at offloading a significant part of their operations to external security operations centers.
A security operations center (SOC) is an external control room that houses a team responsible for monitoring and analyzing an organization’s security profile on a continuous basis. The team’s goal is to detect, analyze and respond to cybersecurity incidents using a blend of their skills, technology solutions and a set of well-established processes.
Without exception, security operations centers work closely with an organization’s incident response teams to ensure that detected incidents are addressed and contained without delay. The security operations center tracks anomalous activity on endpoints, networks, servers, databases, applications and websites, and is responsible for identifying, analyzing, defending against and reporting such threat incidents.
An external security operations center focuses on the day-to-day operational component of enterprise information security. This allows the in-house security and IT teams to focus on developing and improving security strategy, designing the security architecture, and implementing the latest protective measures. However, security operations centers can also provide advanced services such as forensic analysis and malware reverse engineering to analyze the source, points of intrusion, and modus operandi of threat incidents.
Integrating the role and services of an external security operations center requires getting the right balance between preventive, detective and reactive security roles, as well as access to its threat intelligence capabilities. This balance can be driven by an objective, proactive assessment and audit process, or by the experience of painful and damaging past incidents, including breaches and compromises.
An important step in integrating the services of an external security operations center is to identify business-specific goals and to include senior management and business heads in the build-up process. Incorporating the role of an external security operations center requires an internal gap analysis, a list of milestones derived from that analysis, and an incremental approach to budget spending.
The security operations center will also need to communicate and coordinate with internal points of administrative control, such as first responders, public relations, and other identified points of control.
An external security operations center can provide services that integrate threat intelligence, security monitoring, incident response and security analytics to manage advanced persistent threats on the network, detect threats on endpoints and detect data exfiltration. Security operations centers typically blend skilled staff with defined processes and the latest technologies to deliver business-focused compliance and service level agreements.
A key benefit of the services of an external security operations center is its uninterrupted, round-the-clock ability to build up a baseline profile of normal activity by monitoring users, applications, infrastructure, networks and other supporting systems. The inability to establish such a baseline of normal activity is a common obstacle enterprises face in separating credible alerts from false positives.
Global research trends indicate that one of the top challenges survey respondents cite in using log data is the inability to distinguish normal from suspicious activity. Whenever there is unexpected behavior or a deviation from the normal baseline activity, the security operations center can issue an alert requiring further investigation.
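The baseline-and-deviation approach described above, as an added illustration that is not code from the original post: per-user profiles of usual sign-in hours, source countries and daily volume are learned from constructed sample records, and a later day's events are scored against them. The record format and the thresholds (two hours of slack around usual hours, three standard deviations for a volume spike) are assumptions made for this example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev
# Constructed sample sign-in records (not real data): "YYYY-MM-DDTHH:MM user country"
BASELINE_LOG = """\
2017-10-02T08:14 alice IN
2017-10-02T09:02 alice IN
2017-10-03T08:41 alice IN
2017-10-04T08:55 alice IN
2017-10-05T08:20 alice IN
2017-10-02T22:10 bob US
2017-10-03T23:05 bob US
2017-10-04T21:50 bob US
"""

def parse(log):
    """Split the constructed line format into (day, hour, user, country) tuples."""
    return [(ts[:10], int(ts[11:13]), user, country)
            for ts, user, country in (line.split() for line in log.splitlines())]

def build_baseline(events):
    """Per-user profile of normal activity: usual hours, usual countries, daily volume."""
    hours, countries, per_day = defaultdict(set), defaultdict(set), defaultdict(Counter)
    for day, hour, user, country in events:
        hours[user].add(hour)
        countries[user].add(country)
        per_day[user][day] += 1
    baseline = {}
    for user, days in per_day.items():
        counts = list(days.values())
        baseline[user] = {"hours": hours[user], "countries": countries[user],
                          "mean": mean(counts), "stdev": pstdev(counts)}
    return baseline

def score_day(baseline, events, hour_slack=2):
    """Return alert reasons for one day's events that deviate from the learned baseline."""
    reasons, volume = [], Counter()
    for _, hour, user, country in events:
        volume[user] += 1
        prof = baseline.get(user)
        if prof is None:
            reasons.append(f"{user}: no baseline, first-seen account")
        elif country not in prof["countries"]:
            reasons.append(f"{user}: sign-in from unseen country {country}")
        elif min(min(abs(hour - h), 24 - abs(hour - h)) for h in prof["hours"]) > hour_slack:
            reasons.append(f"{user}: sign-in at {hour:02d}h outside usual hours")
    # Volume spike: more than three standard deviations (at least one event) above the daily mean
    for user, n in volume.items():
        if user in baseline and n > baseline[user]["mean"] + 3 * max(baseline[user]["stdev"], 1):
            reasons.append(f"{user}: {n} sign-ins in a day vs baseline mean {baseline[user]['mean']:.1f}")
    return reasons
```

Every alert carries the specific deviation that triggered it, which is the context an analyst needs to decide quickly whether it is a true positive or a baseline that needs updating.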
Here are some of the recurrent internal issues and bottlenecks that can drive an organization to start considering the role of an external security operations center.
- Consistent overload of network traffic data repositories
- Incomplete monitoring of vulnerability points
- Inconsistent and silo-based incident handling across the enterprise
- Internal monitoring teams overwhelmed with events
- Lack of aggregated log data for security monitoring and event correlation
- Lack of procedures and training for the in-house first-responder team
- Lack of qualified forensic analysis resources and installed technologies
- Lack of refreshed, up-to-date threat intelligence relevant to the organization
- Lack of resources for incident detection and analysis
- Log data not available to conduct incident forensics and investigation
- Monitored threat vectors are too narrowly focused
- No defined incident response procedure for the IT team
- No defined organization-wide, cross-functional, incident response procedure
- Security monitoring rules leading to excessive false positives
- Security monitoring rules not aligned with available threat intelligence
- Security monitoring rules not aligned with adversary tactics, techniques and procedures
A well-managed security operations center can form the core of an enterprise’s operational defense against all types of cyberattacks.