Role of Security Administrators

Nishant Grover
5 min read · Jun 17, 2023


Note: All views in this article are my own, and team structure differs depending on organization size, infosec team size, and business priorities.

A Security Administrator department in an Information Security team is responsible for overseeing and managing the organization’s overall security posture by administering security tools and technologies. This includes managing their configuration, infrastructure, and software and firmware versions.

They are tasked with ensuring that the company’s information assets are protected from unauthorized access, disclosure, disruption, modification, or destruction. The primary focus is to minimize risk and protect critical information and systems by keeping security technologies running at their optimal level, aligned with business objectives.

Security Administrator teams are usually staffed by members who have experience with one or more IT tools and have shifted their careers to cyber security.

Sub Teams

[Table: Role, Model and Work hours]

Network Security: This sub-team is responsible for maintaining the organization’s network security infrastructure, such as Intrusion Detection and Prevention Systems (IDS/IPS), Network Access Control (NAC), Web Application Firewalls (WAF), firewall rule analyzers, Deep Packet Inspection, Network Data Loss Prevention (NDLP) and Email Security Gateways. They also have an understanding of IT network infrastructure technologies and tools, such as firewalls, routers, switches, wireless access points, and email gateways, and can provide consultancy to the organization’s IT team on security best practices.

Endpoint Security: This sub-team manages the tools and technology that protect and secure the devices that access the organization’s network, such as laptops, desktops, servers (both on-prem and cloud), and other IT/IoT devices. They usually cover tools like Antivirus (AV), Anti-APT endpoint agents, Endpoint Detection and Response (EDR), Endpoint Data Loss Prevention (DLP), endpoint proxy agents, and any other type of client- or agent-based security tool. Endpoint security team members have experience in configuring, maintaining, and running a fleet of endpoint agents and policies rolled out through the central console. The team also takes care of upgrading and troubleshooting the agents across different flavors of operating systems (OS). They typically know how to collect debug logs from the agent and artifacts from the OS as well (such as memory acquisition), and which tools can be used to troubleshoot issues.

Identity Security Team: This sub-team is responsible for ensuring that only authorized individuals have access to specific resources within the organization. Their focus includes maintaining tools such as Privileged Identity Management (for example, a password vault for highly privileged accounts) and Multi-Factor Authentication (MFA). While there may not be a wide range of tools available specifically for information security from the identity perspective, this team possesses knowledge of the organization’s commonly used tools and is capable of securely configuring and auditing IAM-related tools (PIM, SSO, Active Directory) and authentication protocols.

SIEM Administrators: Their primary responsibility is to manage the organization’s SIEM system, a centralized platform that collects, analyzes, and correlates security events and logs from various sources across the network. This includes maintaining the hardware, storage, and configuration of the SIEM solution. They ensure that it is properly deployed and that relevant systems and devices throughout the organization are sending logs to it. They also handle routine maintenance tasks such as SIEM software updates, patch management of all of its components, and performance optimization. Since the SIEM is a critical tool and service for Infosec, it is important that it gets dedicated administrators for upkeep and maintenance, so that security monitoring isn’t affected.

Cloud Security: This sub-team is responsible for ensuring the security of the organization’s cloud infrastructure and services. Their role includes implementing and maintaining security measures to protect data and applications hosted in the cloud. They assess and mitigate risks associated with cloud environments, establish and enforce cloud security policies and standards, and help the Incident Response team mitigate security incidents in the cloud. Additionally, the team conducts security audits and assessments of cloud providers, implements secure cloud architecture and configurations, and manages identity and access controls for cloud services. They focus on encrypting data in transit and at rest, implementing disaster recovery and business continuity plans for cloud services, and staying up to date with emerging cloud security threats and technologies. Their aim is to send cloud alerts and logs to the SIEM for the SOC team’s consumption, so that security violations can be monitored and acted upon.

InfoSec Overall

So far we have learned about two teams in the Information Security organization, i.e., the Security Operations Center (SOC) and the Security Administrators. The role of the Security Administrators is to ensure the proper maintenance of the technologies used by the SOC and other InfoSec teams. By doing so, they contribute to safeguarding assets and data against cyber threats.

The Security Administrators collaborate with the various sub-teams operating under the SOC. They actively engage with these sub-teams to create custom policies and to enable additional features and functionality. Furthermore, they play a critical role in containment efforts by creating customized blocks on endpoints, networks, and identities. This helps prevent unauthorized access and mitigate potential security incidents.

While Security Administrators maintain the SIEM infrastructure, onboard new log sources and parse them, the SOC team is responsible for content development on the SIEM, such as creating detection rules, handling the triggered notifications, creating reports that are meaningful for monitoring, and correlating these logs to improve detections.

Additionally, Security Administrators focus on increasing the coverage of security tools by implementing the above-mentioned security controls on endpoints and network segments where they are missing. This proactive approach extends the protective measures to areas that may have been overlooked, further enhancing the organization’s overall security posture.

Conclusion:

We learned how Security Administrators are enablers for the SOC team, so that it can protect, detect, respond, and prevent cyber attacks against the company. The better the Security Administrators are, the better the SOC team and the company’s defenses become.

In the next blog, I will be covering the Security Architects and Engineering team in more detail and how they lay the foundation for the Security Administrator team.

Link to Part 4: https://medium.com/@inishantgrover/security-architects-and-engineering-team-33eeb32de17a

Video Series Link: https://www.youtube.com/playlist?list=PLYvPOAFzOkSsGlrW74f-2351WW9Sh7S3u

Link to Part 2: https://medium.com/p/1c15375e2402
