In today's corporate environment, information technology (IT) security is becoming an ever more complex matter. Corporate infrastructure includes many heterogeneous assets, and the main disadvantage defenders have against attackers is that a single exploitable weakness is usually enough to cause harm to the organization, while the defender has to cover all of them. Implementing the proper defensive mechanisms to mitigate these risks is a constant challenge for security experts. Moreover, merely detecting an attack, a malware infection and its propagation, or any other malicious activity is difficult because of the constantly growing and evolving complexity of hardware and software.

Combined with the rapidly rising sophistication of attacks and malware, this has created the need for a holistic and, more importantly, realistic view of the whole IT infrastructure. Attacks usually involve more than one component and will probably affect multiple assets. This is why multiple security solutions have emerged to provide continuous monitoring that detects suspicious behavior and attempts to block exploitation. Intrusion detection and intrusion prevention systems (IDS/IPS), host-based security solutions and Internet protection technologies have appeared to cover the need for continuous, multi-layered security awareness.
Definition of a SOC
****************
Inevitably, being flooded with security data has become a real challenge. While heterogeneous security solutions are required, as explained above, this also means that warnings, alerts, actions and even plain logs come in a wide range of formats and standards. Moreover, almost every piece of equipment provides logging at differing levels of verbosity, raising the volume of data to be processed to unmanageable levels. To make things worse, keeping an IT infrastructure secure is a race against reaction delay: one cannot take too long to collect, detect, interpret and prioritize threats and warnings, because by the time that procedure is finished the damage may already be done.
To deal with these problems, organizations cover their security-information needs with a Security Operations Center (SOC), either as an integrated part of the organization itself or as a service provided by an external partner company. The SOC's role is mainly to provide situational awareness through continuous monitoring of the IT infrastructure and real-time alerting on security-related incidents. It is, in effect, an operational supervision system dedicated to protecting the IT infrastructure and reacting in real time in case of an intrusion or attack.
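The two problems this section names, heterogeneous log formats and the need to triage quickly, are easiest to see in code. The following Python is an added example written for this page, not part of the original post or of any product: it normalizes three constructed log formats (sshd syslog lines, a firewall CSV export and a JSON IDS alert) into one event schema, then correlates them per source IP to surface a brute-force attempt that spans several sources and ranks it for an analyst. All hostnames, IP addresses, column layouts, field names and thresholds are made up for the illustration.

```python
"""Normalize heterogeneous security logs into one schema and correlate them.

Added example for this page. Every sample line below is constructed; the
field names, thresholds and hosts are assumptions, not any product's format.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed inputs: one attacker IP (198.51.100.7) appears in three sources
# that each log in a different format; 192.0.2.25 is benign background traffic.
SSHD_LINES = [
    "Mar 12 10:15:01 web01 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    "Mar 12 10:15:03 web01 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2",
    "Mar 12 10:15:05 web01 sshd[2233]: Failed password for root from 198.51.100.7 port 51030 ssh2",
    "Mar 12 10:15:09 web01 sshd[2240]: Accepted password for deploy from 198.51.100.7 port 51041 ssh2",
    "Mar 12 10:20:44 web01 sshd[2310]: Accepted publickey for alice from 192.0.2.25 port 40110 ssh2",
]
FIREWALL_CSV = [  # assumed columns: timestamp,action,src_ip,dst_ip,dst_port,proto
    "2024-03-12T10:14:50Z,DENY,198.51.100.7,10.0.0.5,22,tcp",
    "2024-03-12T10:14:51Z,DENY,198.51.100.7,10.0.0.6,22,tcp",
    "2024-03-12T10:21:00Z,ALLOW,192.0.2.25,10.0.0.5,443,tcp",
]
IDS_ALERTS = [  # assumed JSON shape for an IDS alert
    '{"timestamp": "2024-03-12T10:15:04Z", "src_ip": "198.51.100.7", '
    '"dest_ip": "10.0.0.5", "signature": "SSH brute force attempt", "priority": 2}',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)
ISO = "%Y-%m-%dT%H:%M:%SZ"


def parse_sshd(line, year=2024):
    """syslog timestamps carry no year, so the caller supplies one (assumed 2024)."""
    m = SSHD_RE.match(line)
    if not m:
        return None  # unrecognized line: dropped here, a real pipeline would count it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "source": "sshd",
            "src_ip": m["src"], "user": m["user"],
            "action": "auth_success" if m["outcome"] == "Accepted" else "auth_failure"}


def parse_firewall(line):
    ts, action, src, _dst, _port, _proto = line.split(",")
    return {"ts": datetime.strptime(ts, ISO).replace(tzinfo=timezone.utc),
            "source": "firewall", "src_ip": src, "user": None,
            "action": "fw_" + action.lower()}


def parse_ids(line):
    d = json.loads(line)
    return {"ts": datetime.strptime(d["timestamp"], ISO).replace(tzinfo=timezone.utc),
            "source": "ids", "src_ip": d["src_ip"], "user": None,
            "action": "ids_alert", "signature": d["signature"]}


def normalize_all():
    """Every event ends up with the same keys regardless of where it came from."""
    events = [e for e in map(parse_sshd, SSHD_LINES) if e]
    events += [parse_firewall(line) for line in FIREWALL_CSV]
    events += [parse_ids(line) for line in IDS_ALERTS]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_threshold=3, window_seconds=60):
    """Group by source IP; flag IPs with a burst of auth failures, and rank them
    higher when more than one data source saw the IP, or when a login succeeded
    after the failures (the case an analyst must look at first)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        fails = sorted(e["ts"] for e in evs if e["action"] == "auth_failure")
        burst = 0  # largest number of failures inside any window_seconds span
        for i, start in enumerate(fails):
            n = sum(1 for t in fails[i:] if (t - start).total_seconds() <= window_seconds)
            burst = max(burst, n)
        if burst < fail_threshold:
            continue
        sources = sorted({e["source"] for e in evs})
        success_after = any(e["action"] == "auth_success" and e["ts"] >= fails[0] for e in evs)
        priority = "high" if len(sources) > 1 else "medium"
        if success_after:
            priority = "critical"
        findings.append({"src_ip": ip, "failed_logins": burst, "sources": sources,
                         "success_after_failures": success_after, "priority": priority})
    rank = {"medium": 0, "high": 1, "critical": 2}
    return sorted(findings, key=lambda f: rank[f["priority"]], reverse=True)


if __name__ == "__main__":
    for finding in correlate(normalize_all()):
        print(finding)
```

The point of the normalization step is that the correlation logic never has to know which product produced an event; once every record carries the same keys, adding a fourth log format means writing one more parser, not touching the detection. The priority escalation encodes the triage order the section argues for: a burst of failures alone is worth a look, the same IP seen by several independent sensors is worth more, and a success following the failures is the one that cannot wait.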
Security Operations Center (SOC) mission and success factors
*****************************************************
A SOC is a team, primarily composed of security analysts, organized to detect, analyze, respond to, report on, and prevent cyber-security incidents. A SOC provides services to a set of customers referred to as a constituency: a bounded set of users, sites, IT assets, networks, and organizations. A constituency can be established along organizational, geographical, political, technical, or contractual demarcations. In order for an organization to be considered a SOC, it must:
- Provide a means for constituents to report suspected cyber-security incidents
- Provide incident handling assistance to constituents
- Disseminate incident-related information to constituents and external parties.
A SOC's mission statement typically includes the following elements:
- Prevention of cyber-security incidents through proactive:
  - Continuous threat analysis
  - Network and host scanning for vulnerabilities
  - Countermeasure deployment coordination
  - Security policy and architecture consulting
- Monitoring, detection, and analysis of potential intrusions, in real time and through historical trending on security-relevant data sources
- Response to confirmed incidents, by coordinating resources and directing the use of timely and appropriate countermeasures
- Providing situational awareness and reporting on cyber-security status, incidents, and trends in adversary behavior to the appropriate organizations
- Engineering and operating.
If a company or organization is considering building its own in-house SOC, the following success factors are needed:
- Trained and competent staff
- Good, robust SOC management
- Adequate budget for resources (the required CAPEX and the ongoing OPEX)
- Good processes (access, incident, change, security and other management processes, following COBIT, ITIL or ISO 27001)
- Integration into incident response
If your organization cannot commit to the factors above, do not attempt an internal SOC: it will fail, the company will waste money and time, and it will create a false sense of security. If you need a SOC but cannot cover these factors, strongly consider outsourcing it.
*****************************************************************
Written by Abuchu