10 Attributes of a Leading Security Operations Center (SOC) in 2014

Rook Security, SECOPS
Mar 18, 2014 · 4 min read

I was asked by Rob Westervelt of CRN what top ten things our clients are doing to improve their security operations capabilities leading into 2014. Here is what I shared:

1) Visibility.

Security teams must detect and respond to digital attacks. To do this, the SOC must have the visibility needed to determine whether an attack is occurring and what its nature is, and must have the data needed to tell one attack type from another. This requires that Tier 1 baseline controls be put into place and that the associated data-centric tools from companies such as Palo Alto Networks, Alert Logic, NetWitness, ArcSight, etc. be properly deployed.

2) Intelligence.

Threat intelligence goes far beyond patch and vulnerability management. Real threat intelligence is a capability that ties human analysts to metadata about attacker profiles, attack signatures, the timing of the attack, advance-warning indicators from the internet, and information about the target (what kind of data is on the host, what is it connected to, what is its current posture, what could potentially be exploited, what are the recent attack patterns, and where did they originate?). When armed with this intelligence, a SOC can provide predictive analysis and early warning, mitigate threats before or during the attack with the utmost efficiency, and round this out with effective executive communication.

3) Resource throttling.

Executives are looking for an end-to-end solution for achieving the business's directives while continuing to improve on the processes and tools IT teams have put into place. The result is efficient detection, blocking, notification, and response to threats, while a virtual dial gives effective control over SOC resources and utilization to meet dynamic business constraints.

4) Outcome based metrics.

All metrics are not created equal. The best SOCs use metrics that drive an adjustment or a change of behavior, or that result in security resource adjustments. It's no longer sufficient to provide the total count of identified vulnerabilities, as that doesn't map to an outcome or adjustment. Instead, report on the count of vulnerabilities that are net new (newly discovered since the last scan), exempted (known but risk accepted), or carry forward (previously identified, but still unresolved). Each of these has a different root cause, and therefore requires a different path to resolution. The total count of vulnerabilities simply doesn't provide the information needed for a change of behavior that results in an improved outcome.
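As an added illustration (not code from the original post), here is how the net new / exempted / carry forward breakdown can be computed from two scan exports and a risk-acceptance list; the asset names and VULN-* ids are constructed placeholders, and a resolved bucket is included for findings that dropped out since the last scan.

```python
# Added example: turn two vulnerability scan exports plus a risk-acceptance list
# into the outcome-oriented buckets the post recommends (net new, exempted,
# carry forward) instead of a single raw count. All data below is constructed.

def parse_scan(lines):
    """Parse constructed 'asset,vuln_id' export lines into a set of findings."""
    findings = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments in the export
        asset, vuln_id = (part.strip() for part in line.split(",", 1))
        findings.add((asset, vuln_id))
    return findings

def classify(previous, current, exemptions):
    """Bucket current findings so each count maps to a distinct root cause."""
    exempted = current & exemptions            # known, risk accepted by management
    unresolved = current - exemptions          # everything still owed a fix
    net_new = unresolved - previous            # discovered since the last scan
    carry_forward = unresolved & previous      # seen last time, still unresolved
    resolved = previous - current              # closed since the last scan
    return {
        "net_new": sorted(net_new),
        "exempted": sorted(exempted),
        "carry_forward": sorted(carry_forward),
        "resolved": sorted(resolved),
    }

# Constructed sample exports; VULN-* ids are placeholders, not real identifiers.
PREVIOUS_SCAN = parse_scan([
    "# previous scan",
    "web-01,VULN-1", "web-01,VULN-2", "db-01,VULN-3",
])
CURRENT_SCAN = parse_scan([
    "# current scan",
    "web-01,VULN-2", "db-01,VULN-3", "db-01,VULN-4", "app-01,VULN-1",
])
EXEMPTIONS = {("db-01", "VULN-3")}  # constructed risk-acceptance register

def report(previous=PREVIOUS_SCAN, current=CURRENT_SCAN, exemptions=EXEMPTIONS):
    """Return the per-bucket counts that a SOC metrics dashboard would show."""
    buckets = classify(previous, current, exemptions)
    return {name: len(items) for name, items in buckets.items()}

if __name__ == "__main__":
    print(f"raw count: {len(CURRENT_SCAN)} (says nothing about what to change)")
    for name, count in report().items():
        print(f"{name:14s} {count}")
```

The raw count here is 4, while the buckets show two new findings for the scanning/patching pipeline, one carry-forward for the remediation owner, and one exemption for the risk register.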

5) Real-time scalability.

Not only does security need to be scalable and cost effective, but the marketing messaging behind virtualization and cloud capabilities has led boards to expect that security resources can be increased or decreased at a moment's notice through a virtual dial that is constantly being adjusted to achieve perfect harmony. What's the biggest challenge? Communicating security value versus the spend and the resulting outcomes. What's the next big challenge? Demonstrating that security can manage KPIs like the rest of the business, and increase (or decrease) spend according to business risk. Success has been achieved when the resources (people, time, and $) used to run security operations can be re-deployed at a moment's notice based on risks, threats, and policy decisions that take place between budgeting cycles, and when that re-deployment is easily documented and visualized to show the outcome of adjusting your security resource “dial”.

6) Cloud options (public and private).

There is no question that the cloud offers many advantages: scalability, reliability, efficiency, and so on. However, many organizations debate between private and public cloud. In either, the organization gives up some level of control over its data, especially in the public cloud. In both scenarios, basic security controls must still be implemented.

7) IR capabilities on-premise, remote, and in the cloud, on demand.

A compromise can occur at a satellite office 1,000 miles away or in the cloud just as easily as at your corporate headquarters. The capability to respond effectively to an incident without flying your team to Hong Kong to deal with it on-site can save money and time in a critical moment. Gaining the visibility, intelligence, and control to respond to an incident in Amazon or Rackspace can be a challenge, but it must be gained in order to secure your cloud environment effectively.

8) Cloud enablement controls.

The same controls required on-premise must be implemented in the cloud environment. An inventory of the architecture, exfiltration protection, DNS controls, and logging controls are among those required to manage and protect the data in the cloud environment.

9) Approved cloud vendors by category.

Not all cloud vendors are created equal, and if there was ever a time when organizations could simply say no to all of them, it is long since past. Identifying the cloud vendors that enable the business while maintaining sufficient security controls is a task that involves both the security operations team and management. Then it's on the SOC to implement controls to block unapproved cloud vendors.

10) Monitoring of cloud security controls integrated with core SOC monitoring capabilities.

Although the implementation differs slightly, the controls implemented for the cloud environment should be integrated and handled the same as your core SOC monitoring capabilities. Your SOC should be indifferent to the location of the data. Security must follow the data and provide the same monitoring capabilities regardless of where it resides.
