A significant number of high profile cybersecurity incidents in the last year from Sony pictures, Ashley Madison, T-Systems to Apple Application store hacking have made enterprise beeline for managed SOC services. They confirmed that their “IT department was struggling to handle sophisticated security events around hybrid environments colocation including on private and public clouds. The truth is enterprises are increasingly finding it difficult to manage security in hybrid environments. Enterprises are increasingly investing in the development of security operations centers (SOCs) to provide security and rapid response to events. People in these operations rooms analyze threats from Bots to phishing detected by the algorithms of tools. A security operations center (SOC) is a centralized unit that deals with security issues on an organizational and technical level. There is a phenomena of easy access and provisioning of these SOC services now.
To support business, a SOC must reduce both the duration and impact of security related incidents exploiting, denying, degrading, disrupting business operations. This is done through effective monitoring. The SOC is a vehicle for incident prevention. A SOC needs to maintain an effective staffing level appropriate to the size of the business and the responsibilities accorded, with continual training and improvement, and should always be able to respond effectively and efficiently. Log monitoring is an important part of an enterprise security program, enabling enterprises to detect and protect against threats. This is best done using a SIEM solution (managed and maintained in-house) delivered from the Security Operations Center (SOC). The size of the organization and threat to the organization drives the size and scale of the SOC.
- Efficient response time.
- Identifying attacks and responding before they can cause damage
- Helps recovery in a reasonable time.
- Real-time monitoring & management
- Post-incident analysis
The Service function of a SOC would include monitoring and incident detection, diagnostics and incident isolation, problem correction, working with devices, systems, software and endpoints, escalation and finally closure of incidents. The SOC benefits come from the good SIEM tool and its people, which consolidates all data and analyzes it intelligently, provides visualization. However, SIEM does not replace a good SOC analysts.
The SOC would detect attacks from internet, detecting insider threats, monitoring compliance, incident response. Subsequently, forensic analysis, vulnerability review, etc can be included. The SIEM solutions will integrate with disparate systems and provide comprehensive threat detection. A typical SIEM tool would utilize security intelligence data to proactively monitor for suspicious activity and actions. Additionally, the tool is going to be able to provide metrics reporting and analytics to spot problem areas and reports to management.
Logging mechanisms including ability to track user activities is essential. Secure log collectors, correlation and analysis environment are integrated to end systems. We collect the logs from different systems and correlating them together to generate influential and useful information at the SOC. Thus, essentially it is the correlation of every event logged in the enterprise that is being monitored. The ticketing system will help create, update, and resolve reported issues and track progress. If a SOC receives more alerts, more work needs to be done. So, higher number of alerts also requires more resources needed to address those alerts. Efficiencies will need to be created to reduce alerts, and make alerts easier and quicker to respond and remediate. Finally, an incident is a violation or imminent threat of policy, or standard security practices like denial of service, unauthorized access, vulnerability identification, hacking, data loss etc and would need to be addressed and closed decisively. The priority level based on impact, severity and timeline of the response must be defined for every assigned incident. If an incident remains un- resolved at a level, then an escalation to the next level is required and procedures documented.
Today, it becomes the SOC's responsibility to find the indications that something is wrong and put a stop to it quickly. It is vital for operations to be efficient to guide remediation energies. SOC has to be fully integrated with the larger organization. Reporting with the right detail with filters and criteria applied to graphs. The SOC would consist of layers like level 1/level 2/ level 3 analysts, engineers, management layer.
The sensors provide logging ie. Firewall, Routers, ACLs, HUBs etc. Collectors gather information from different sensors and translate them into a standard format for having homogeneous format. Custom Parsers would need to be created to troubleshoot Log sources. The SIEM solutions will have be tuned to accommodate the unique needs and use cases. The use cases must be defined and are typically the events that require SOC’s intervention or monitoring. For example, finding, containing, and removing malware not detected by antivirus software from our network involves some steps. There are several rules in this use case that will be used to alert the SOC to perform an investigation including creating the ticket. Other typical use cases are SMTP traffic from an unauthorized host, antivirus failed to clean, repeated attack from a IP, excessive outbound SMTP traffic, excessive outbound web or email traffic, access to a malicious website, exploit traffic from a single IP, scan timeouts from antivirus, account access to an unauthorized device, other anomalies baselines, multiple logins, unauthorized access, suspicious traffic, Logs modified or deleted etc.
The policies are essential. The SOC would start to develop internal policy as how it controls and governs the configurations of the devices it manages. Modifications will be made to ensure the devices are in alignment with policy and doing the expected job. One of the primary policies and procedures that need to be developed first is communication. A SOC needs to make sure that information system security incidents are promptly reported, security events and weaknesses are promptly communicated to the appropriate system administrators, and timely corrective actions are taken. Additionally, the SOC must establish a formal information security event reporting procedure so it can perform incident response effectively. Data is usually worthless and needs to be turned into information and analyzed to take action.
Decision - In-house SOC vs Outsourced Managed Security Service Provider (MSSP)
A question often asked is whether we opt for an in-house SOC or Outsourced MSSP. Setting up a SOC could cost you around 500 to 750k$ for tools and infrastructure initially. Additionally, a team between 5-9 FTEs (depending on size, volume, complexity), maintenance, depreciation, training would need further investment of 600 to 800k$ annually. In contrast, a MSSP would charge an initial setup of 50k$ and 500k$ yearly subsequently. The advantages of in-house SOC is having a dedicated team, better for organization producing sensitive log data, known environment, easy to customize, efficient correlations between groups, logs stored locally, but the dis-advantage is higher costs up-front. The advantages of MSSP SOC is less capital expenses, access to security expertise, research and threat intelligence of MSSP, scalable & flexible, experiences of MSSP.
The MSSP would monitor security logs and additionally makes changes to environment based on event analysis and security intelligence. A MSSP delivers greater cost efficiency and more effective security monitoring. MSSP' solutions also have the advantage of scale. Many organizations use the MSSP service, so the infrastructure and processes needed to support has been built. Intelligence gathering and usage is also how a SOC can begin to become proactive in the IT security fight and this will be brought-in. This would be built in by either using reactive information gathered by compromises, forensic examinations, malware analysis, questions etc or proactive information or leading indicators from external sources. The proactive methods would use of information from partners, databases. The quality of the intelligence and evaluation of that information into SIEM tools would be continuously matured.
The SOC would be process driven. These processes and SOC functions will be documented in advance as part of Run book. It is also important to assess or audit a SOC. ITIL methodology could be one baseline for service strategy, service design, define key performance indicators (KPI), service functions, service level agreements (SLA), transitions, change management, operations, continual improvement. With a well-managed operations and team, an enterprise can ensure service quality and feels confident of the response to security events.