9 Security Operations Center Essentials

By ISBuzz Team. October 8, 2020. Updated: February 23, 2023. 6 min read.
You’re just about to build a security operations center (SOC). Or maybe you need to make sure the security operations team you already have in place has all the bases covered when it comes to protecting digital assets. Knowing where to start and where to focus can be a challenge in itself!

To help you chart your course, here’s a quick rundown of nine essential components that should be core to your security efforts. Each one generates useful data and a unique perspective to help your team find out exactly what’s going on and determine how to best prevent, contain, and mitigate security threats.

  1. Log Collection. Your systems can generate millions of events per day, so you need a tool that lets you search, visualize, and analyze all of them immediately when a security event occurs. The previous 90 days are usually the most critical, but depending on your industry’s compliance regulations you may be required to retain logs for up to seven years. Given that the average breach takes about 200 days to discover, we recommend keeping at least a year’s worth of logs. Retaining a thorough log history lets you compare current activity with past activity, which often uncovers the cause of recurring breaches. Pull log data from every environment you operate in, not just your on-premises infrastructure: if you have cloud instances, make sure you have visibility into each cloud environment and include its logs in your collection process.
  2. SIEM (security information and event management) tools generate alerts based on rules you define and present dashboards with real-time and historical analysis of the logs you collect. This systematic approach helps you spot unusual behavior immediately and diagnose security issues quickly. SIEM tools also let you monitor who logs into your systems and from where, which makes it easier to notice an attacker who has already gained a foothold in your network.
  3. Endpoint Detection and Response (EDR) covers all servers and workstations. It records the processes each user account runs, the DNS look-ups those processes make, and which files were opened or saved just before a security incident. That data tells you whether there is an advanced threat or malware outbreak on your network and exactly where it lives, so when you confirm a genuine threat you can isolate the infected machines from the network until the incident is resolved.
  4. Threat Hunting teams look for unknown or suspicious malware and network intrusions. Acting like detectives, they assume someone is always lurking on the network trying to do harm. Using a tool that queries every machine, they can see who is currently logged in and check whether any file or process hashes on each machine match known indicators of compromise. If the SOC team finds a suspicious process, they use the EDR tool to stop it and quarantine the affected machine(s). Just as important, they make sure the threat does not spread.
  5. User and Entity Behavior Monitoring runs real-time analysis on users and entities (workstations and servers) to establish normal baseline behavior. The SOC team can then compare current activity with a normal day to decide whether something suspicious is going on, and compare a user’s activity with that of their peers. When a user’s or entity’s behavior departs from its baseline, its risk score rises. Privilege level and particular combinations of activities push the score up further. For example, if a privileged user logs into 500 servers in eight hours, the risk score spikes immediately and the team knows to investigate at once.
  6. Vulnerability Management proactively identifies and prioritizes gaps in your defenses so you can close them before a digital asset is compromised. The right tools cover every device by installing an agent on each machine that scans continuously without noticeably affecting application performance; you then monitor and receive alerts when a new vulnerability appears, and prioritize fixes by how exposed and exploitable each finding is rather than by severity score alone. Often the fix is simply applying a patch, but without this capability your team may never know a patch is needed.
  7. Deception Technology places decoy devices on unassigned IP addresses to attract attackers and steer them away from your real digital assets. No legitimate user has a reason to touch a decoy, so any interaction with one is a high-fidelity alert you can investigate, possibly learning who the attacker is. Look for decoy software that captures the methods used to compromise your network so your team can improve its defenses over time.
  8. Threat Intelligence Feeds supplement the threat information you collect internally and help you stay ahead of new types of attacks. By subscribing to the right external feeds, your team can identify threats your company has not yet encountered. The intelligence adds context to what might happen inside your network, and by learning about attacks on other businesses you can proactively block those threats before they reach you.
  9. SOAR (Security Orchestration, Automation and Response) tools let a SOC streamline and automate its workflows, making the team more efficient and effective. SOAR helps you make the most of threat intelligence, standardize processes, and reduce manual tasks, which means faster responses to threats and, in turn, less impact from them.
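Items 1, 2 and 5 above describe log collection, SIEM rules and behavioral baselining in the abstract. The block below is an added example, not code from the original article, that shows the three working together over a handful of constructed authentication log lines: a SIEM-style rule for "who logged in, and from where", and a UEBA-style risk score that compares today's host fan-out with each user's own baseline and weights privileged accounts. The log format, the privileged-account list, the 8-hour window and the thresholds are all assumptions made for the example.

```python
"""Added example for items 1, 2 and 5 (not code from the original article):
a SIEM-style correlation rule and a UEBA-style risk score over constructed logs.

Assumed (hypothetical) log format, one event per line:
    <ISO-8601 timestamp> host=<server> user=<account> event=login_ok src=<ip>
The privileged-account list, 8-hour window and thresholds are assumptions too.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

PRIVILEGED = {"svc_backup", "dba_admin"}  # assumed high-privilege accounts
WINDOW = timedelta(hours=8)                # the "500 servers in eight hours" window


def parse(line):
    """One log line -> dict with a datetime 'ts' plus the key=value fields."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), **fields}


def distinct_hosts_in_window(events, window=WINDOW):
    """Per user: the most distinct hosts reached within any sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "login_ok":
            by_user[e["user"]].append((e["ts"], e["host"]))
    peaks = {}
    for user, items in by_user.items():
        items.sort()
        best = 0
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            best = max(best, len(hosts))
        peaks[user] = best
    return peaks


def siem_alerts(baseline_lines, current_lines, fanout_threshold=20):
    """Two SIEM-style rules over today's logs: (a) a user reaches too many distinct
    hosts in one window; (b) a user logs in from a source address never seen for
    that user during the baseline period (the "who, and from where" check)."""
    base = [parse(line) for line in baseline_lines]
    cur = [parse(line) for line in current_lines]
    known_src = defaultdict(set)
    for e in base:
        known_src[e["user"]].add(e["src"])
    alerts = []
    for user, n in distinct_hosts_in_window(cur).items():
        if n >= fanout_threshold:
            alerts.append({"user": user, "rule": "host_fanout", "detail": f"{n} hosts in {WINDOW}"})
    seen = set()
    for e in cur:
        key = (e["user"], e["src"])
        if e["src"] not in known_src[e["user"]] and key not in seen:
            seen.add(key)
            alerts.append({"user": e["user"], "rule": "new_source", "detail": f"login from {e['src']}"})
    return alerts


def risk_scores(baseline_lines, current_lines):
    """UEBA-style score: today's host fan-out divided by the user's own baseline (or
    the peer median for a user with no history), doubled for privileged accounts."""
    base = distinct_hosts_in_window(parse(line) for line in baseline_lines)
    cur = distinct_hosts_in_window(parse(line) for line in current_lines)
    peer_norm = median(base.values()) if base else 1
    scores = {}
    for user, n in cur.items():
        expected = max(base.get(user, peer_norm), 1)
        score = n / expected * (2 if user in PRIVILEGED else 1)
        scores[user] = round(score, 1)
    return scores


def make_logins(user, start, hosts, src, step_minutes=5):
    """Constructed sample data: one successful login per host, step_minutes apart."""
    return [f"{(start + timedelta(minutes=step_minutes * i)).isoformat()} "
            f"host={h} user={user} event=login_ok src={src}" for i, h in enumerate(hosts)]


# Constructed "normal day" for the baseline, then a day on which the backup account fans out.
BASELINE_LOGS = (
    make_logins("alice", datetime(2023, 2, 20, 9), ["web01", "web02", "web03"], "10.0.1.20")
    + make_logins("bob", datetime(2023, 2, 20, 9), ["db01", "db02"], "10.0.1.21")
    + make_logins("svc_backup", datetime(2023, 2, 20, 1), [f"srv{i:02d}" for i in range(5)], "10.0.9.5")
)
TODAY_LOGS = (
    make_logins("alice", datetime(2023, 2, 21, 9), ["web01", "web02"], "10.0.1.20")
    + make_logins("bob", datetime(2023, 2, 21, 9), ["db01", "db02", "db03"], "10.0.1.21")
    + make_logins("svc_backup", datetime(2023, 2, 21, 2), [f"srv{i:02d}" for i in range(60)], "203.0.113.7", 2)
)

if __name__ == "__main__":
    for a in siem_alerts(BASELINE_LOGS, TODAY_LOGS):
        print("ALERT", a)
    print("risk", risk_scores(BASELINE_LOGS, TODAY_LOGS))
```

Run stand-alone, the backup account trips both SIEM rules (60 hosts in under two hours, from an address it has never used) and gets a risk score of 24, while bob's one extra database host scores 1.5 and alice scores below 1. The point is the shape of the logic: the baseline is the user's own past behaviour from retained logs, the peer median covers accounts with no history, and privilege multiplies the score, exactly the factors item 5 says should drive the risk score.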
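Items 3, 4 and 8 describe the hunt loop: an EDR inventory of running processes and DNS look-ups per host, checked against hashes and indicators from a threat intelligence feed, followed by isolation of the affected machines. The block below is an added example, not code from the original article, that implements that loop over constructed data. No real malware hash is used: the "malicious" file is a constructed byte string hashed with SHA-256 the way an agent hashes files on disk, the domain is under the reserved example.net, and the address is from the TEST-NET-2 range. Host names, user names, paths and confidence values are assumptions.

```python
"""Added example for items 3, 4 and 8 (not code from the original article):
match an EDR-style process inventory and DNS log against a threat intelligence
feed, then decide per host whether to isolate or investigate.

Everything here is constructed: hosts, users, paths, the "malicious" bytes
(hashed so no real malware hash is invented), the reserved example.net domain
and the TEST-NET-2 address 198.51.100.23.
"""
import hashlib
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    """Hash file contents the way an EDR agent hashes executables on disk."""
    return hashlib.sha256(data).hexdigest()


EVIL_BYTES = b"constructed sample: stands in for a malicious binary"
BENIGN_BYTES = b"constructed sample: stands in for a legitimate backup agent"

# Constructed threat intelligence feed: indicator type, value, confidence 0-100, source.
FEED = [
    {"type": "sha256", "value": sha256_hex(EVIL_BYTES), "confidence": 90, "source": "feed-A"},
    {"type": "domain", "value": "update.example.net", "confidence": 60, "source": "feed-B"},
    {"type": "ip", "value": "198.51.100.23", "confidence": 70, "source": "feed-A"},
]

# Constructed EDR inventory: what is running, as whom, on which host.
PROCESSES = [
    {"host": "ws-101", "user": "alice", "pid": 4120,
     "exe": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "sha256": sha256_hex(EVIL_BYTES)},
    {"host": "ws-102", "user": "bob", "pid": 812,
     "exe": r"C:\Program Files\Backup\agent.exe", "sha256": sha256_hex(BENIGN_BYTES)},
    {"host": "srv-db01", "user": "dba_admin", "pid": 2231,
     "exe": "/usr/sbin/sshd", "sha256": sha256_hex(b"constructed sample: sshd")},
]

# Constructed DNS look-ups recorded by the endpoint agent.
DNS_LOOKUPS = [
    {"host": "ws-102", "user": "bob", "qname": "update.example.net", "answer": "198.51.100.23"},
    {"host": "srv-db01", "user": "dba_admin", "qname": "repo.corp.example", "answer": "10.0.5.10"},
]


def index_feed(feed):
    """type -> value -> indicator, so each lookup is O(1) across thousands of hosts."""
    index = defaultdict(dict)
    for ind in feed:
        index[ind["type"]][ind["value"]] = ind
    return index


def hunt(processes, dns_lookups, feed):
    """Return one hit per matched indicator, with the host/user context needed to act,
    strongest (highest feed confidence) first."""
    index = index_feed(feed)
    hits = []
    for p in processes:
        ind = index["sha256"].get(p["sha256"])
        if ind:
            hits.append({"host": p["host"], "user": p["user"],
                         "evidence": f"pid {p['pid']} {p['exe']}", "indicator": ind})
    for d in dns_lookups:
        for kind, value in (("domain", d["qname"]), ("ip", d["answer"])):
            ind = index[kind].get(value)
            if ind:
                hits.append({"host": d["host"], "user": d["user"],
                             "evidence": f"dns {d['qname']} -> {d['answer']}", "indicator": ind})
    return sorted(hits, key=lambda h: -h["indicator"]["confidence"])


def containment_plan(hits, isolate_at=80):
    """Per host, the strongest matching indicator decides: isolate via EDR at or above
    the threshold, otherwise queue the host for analyst investigation."""
    strongest = defaultdict(int)
    for h in hits:
        strongest[h["host"]] = max(strongest[h["host"]], h["indicator"]["confidence"])
    return {host: ("isolate" if c >= isolate_at else "investigate")
            for host, c in strongest.items()}


if __name__ == "__main__":
    found = hunt(PROCESSES, DNS_LOOKUPS, FEED)
    for h in found:
        print(h["host"], h["user"], h["evidence"], h["indicator"]["type"], h["indicator"]["confidence"])
    print(containment_plan(found))
```

The workstation running the flagged binary out of a temp directory is isolated on the strength of the hash match alone; the machine that merely resolved a flagged domain is queued for investigation, because a DNS look-up can be a browser prefetch as easily as a beacon. Separating "find" (hunt) from "act" (containment_plan) is deliberate: the same hit list can feed a SOAR playbook that isolates automatically above one threshold and asks an analyst below it.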

Maximize the Value of Your Security Operations Center Components

What’s the key to maximizing the value of these nine components? Integrate the data flowing among all the tools. This gives your entire security operations team a single, filtered view of what the information means. The more perspectives you generate, the better the team can prevent, contain, and mitigate problems.

But it is critical to correlate and prioritize all this data so that it does not overwhelm your SOC team with alerts.

It’s also important to develop an incident response playbook so the security operations center does not have to respond to incidents on an ad-hoc basis, under pressure from a business that needs a quick fix. The playbook should detail the procedures and resources required for each type of security incident. It then becomes a living document that evolves as the security operations team learns new techniques, as the latest security technologies become available, and as new threats come to light. This is where any investment in a SOAR platform pays off: the playbook’s repeatable steps can be automated and orchestrated for the best incident resolution outcome.

Given all the user accounts and devices that hold or have access to your organization’s data, trying to manage security operations can easily overwhelm your internal team, especially if it is small. You may want to consider outsourcing some or all the tools and services to a managed service provider. An approach that some companies take is to subscribe to a cloud service for each tool and to have an outside managed service provider monitor the information that’s generated. Any alerts that indicate a threat might be lurking can then be turned over to your internal team for investigation and mitigation.
