Building pretty much anything from scratch presents challenges. Those simple-looking IKEA bookshelves advertised as a quick build are always more involved than expected. If you work in a NOC, the same logic applies to expanding a technical service offering: you quickly come to appreciate the complexity of augmenting existing infrastructure to meet growing organizational security needs. When integrating dedicated 24×7 Security Operations capabilities into an existing NOC, focusing on the fundamental processes and procedures pays dividends later and makes for a smoother build. Below I outline some key considerations for developing a Security Operations program.
Teamwork Makes the SIEM Work
At the heart of the security toolbox is the Security Information and Event Management (SIEM) solution. The SIEM provides real-time monitoring, correlation and notification capabilities; the Security Operations Center (SOC) analyzes the resulting alerts and, if necessary, remediates. Implementing this tool adds key capabilities and major challenges alike. Selecting the right solution is just the beginning: you need to understand implementation costs as well as the ongoing maintenance and operational considerations. Once properly implemented, the team has the means to analyze security alerts and accurately correlate them with infrastructure events in business-critical environments.
Pairing Tech and Process
Beyond the tool set, the real challenge is integrating the new processes into existing incident response methodologies. Start with a security assessment. Its output tells you which systems are critical and how support can be tailored to include security for those systems.
Next come questions about how to properly equip the team with processes for investigating and remediating issues. Some common questions you may need to ask yourself are:
- Do we respond with the same SLA/OLA structure?
- When does a security issue pre-empt an infrastructure issue?
- When do they actually correlate and need to be addressed in parallel?
How you answer these questions relies heavily on process and training if your team is to be effective. A SIEM has additional, more advanced functions the team can be trained to use, but it is imperative that the basic framework for how the team interfaces with security alerts is fully integrated into the way the team responds.
Where Do We Go From Here
Proper process integration ensures smooth operations and provides a consistent understanding of the business environment for our staff. Implementing structured knowledge management and investing in the right resources leads to positive results. There is a massive knowledge gap between a freshly repurposed engineer or analyst and a security engineer fully trained and effective at detection and correlation.
Training and equipping the team should be viewed as a critical component when integrating security into operations. Training and effective use of the SIEM can be more important than the system itself. As you prepare for the integration be sure to ask yourself:
- Can your team piece together security concerns across multiple threat vectors?
- Can they properly vet non-SIEM alert traffic and social engineering, reconnaissance, or phishing attempts?
- How do they stay current on known exploits and how to address them?
- Do they verify user domain access changes against the Change Approval Board?
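The last question above, and the alert-to-infrastructure correlation the SIEM section describes, can be made concrete. The following Python routine is an added example, not code from the original post or from any SIEM product: it takes normalised member-added events from the Windows Security log (event IDs 4728 for global groups and 4756 for universal groups), keeps only changes to watched privileged groups, and vets each one against Change Approval Board records. The event field names, the CAB record layout, the 15-minute clock-skew slack, and all sample events and approvals are constructed assumptions for illustration.

```python
"""Vet privileged-group membership changes against Change Approval Board
(CAB) records, the way a SOC analyst would when a SIEM alert fires.

All data below is constructed for the example; the normalised event
fields and the CAB record layout are assumptions, not any product's schema.
"""
from datetime import datetime, timedelta

# Windows Security log event IDs for "member added to a security-enabled
# group": 4728 (global group), 4756 (universal group).
MEMBER_ADDED_EVENTS = {4728, 4756}

# Groups whose membership changes always require a CAB-approved change.
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample of SIEM-normalised events (assumed field names).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "event_id": 4728, "actor": "svc_idm",
     "member": "jsmith", "group": "Domain Admins"},
    {"ts": "2024-03-04T22:40:00", "event_id": 4728, "actor": "svc_idm",
     "member": "bjones", "group": "Domain Admins"},
    {"ts": "2024-03-05T03:05:00", "event_id": 4756, "actor": "jdoe",
     "member": "jdoe", "group": "Enterprise Admins"},
    {"ts": "2024-03-05T11:00:00", "event_id": 4728, "actor": "helpdesk1",
     "member": "tlee", "group": "Print Operators"},
]

# Constructed CAB records: who may add whom to which group, and when.
CAB_APPROVALS = [
    {"change_id": "CHG-1001", "actor": "svc_idm", "group": "Domain Admins",
     "members": {"jsmith"},
     "start": "2024-03-04T09:00:00", "end": "2024-03-04T10:00:00"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def matching_change(event, approvals, slack=timedelta(minutes=15)):
    """Return the change_id that authorises this event, or None.

    A change matches only if actor, group and member all agree and the
    event falls inside the approved window (plus a small slack for clock
    skew between the ticketing system and the domain controllers).
    """
    when = _ts(event["ts"])
    for change in approvals:
        if (change["actor"], change["group"]) != (event["actor"], event["group"]):
            continue
        if event["member"] not in change["members"]:
            continue
        if _ts(change["start"]) - slack <= when <= _ts(change["end"]) + slack:
            return change["change_id"]
    return None


def triage(events, approvals):
    """Keep only member-added events on watched groups and label each one."""
    findings = []
    for event in events:
        if event["event_id"] not in MEMBER_ADDED_EVENTS:
            continue
        if event["group"] not in WATCHED_GROUPS:
            continue
        change_id = matching_change(event, approvals)
        findings.append({**event,
                         "change_id": change_id,
                         "verdict": "approved" if change_id else "unapproved"})
    return findings


def unapproved(findings):
    """Findings an analyst must work; self-elevation is called out explicitly."""
    out = []
    for f in findings:
        if f["verdict"] != "unapproved":
            continue
        reason = "self-elevation" if f["actor"] == f["member"] else "no matching CAB record"
        out.append((f["member"], f["group"], reason))
    return out


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS, CAB_APPROVALS)
    for f in results:
        print(f["ts"], f["verdict"], f["member"], "->", f["group"], f["change_id"] or "")
    for member, group, reason in unapproved(results):
        print("ESCALATE:", member, group, reason)
```

Run stand-alone, the sample yields one approved change (jsmith, CHG-1001) and two escalations: an after-hours addition with no matching record, and an account adding itself to Enterprise Admins. The point of the exercise is that the SIEM alert alone cannot tell these apart; the CAB data is the business context that turns a raw event into a decision, which is exactly the correlation the team has to be trained to perform.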
Much like those IKEA bookshelves, the actual frame itself, while the most visible result, is only one part of the kit. Without the specialized wrench, three different sized dowels, and small bottle of glue, your bookshelf won’t hold anything.
With the regulatory environment getting more complicated, and the threats getting more advanced, tailoring a solution to meet your needs and risk tolerance is important. Partnering with a managed security provider that understands how it all fits together can be a quick way to create a strong security posture while leveraging the tools and experience that partner brings to the table.