When it comes to building a security operations center (SOC), it can be hard to know where to start. Even if you’re making sure the security operations team you already have in place has all the bases covered when it comes to protecting digital assets, ensuring you know exactly what’s going on throughout your environment can be a challenge.
To help you chart your course, here’s a quick rundown of eight essential components that should be core to your security efforts. Each one generates useful data and a unique perspective to help your team find out exactly what’s going on and determine how to best prevent, contain, and mitigate security threats.
- Log Collection can generate billions of events per day. You need a tool that lets you quickly search, visualize, and analyze them all immediately when a security event occurs. The previous 180 days are usually the most critical. But depending on your industry’s compliance regulations, you may be required to store logs for up to seven years. Considering that the average breach takes about 200 days to find, storing logs for at least a year is becoming a standard practice, and retaining a thorough log history lets you compare current activity to past activity, which can often uncover the cause of recurring incidents.
- SIEM (security information and event management) tools correlate security alerts based on rules you set and present dashboards with real-time and historical visual analysis on the logs you collect. This systematic approach can help you immediately identify strange behaviors and quickly diagnose security issues. SIEM tools also help you monitor who logs into your systems and from where. This can make it easy to identify if an attacker has infiltrated your network.
- Endpoint Detection and Response covers all servers and workstations and helps you identify processes that create security issues and domain-name system (DNS) look-ups executed by user accounts. With a sound endpoint detection and response, you can see which files were left open and which ones were saved just prior to a security incident. The data helps you know if there’s an advanced threat or malware outbreak on your network and identify precisely where it exists. That way, when you encounter a legitimate threat, you can virtually isolate any infected machines until the vulnerability is resolved.
- Threat Hunting teams find unknown or suspicious malware and network intrusions. Acting like super sleuths, they assume there’s always someone lurking on the network, trying to do harm. By utilizing a tool that scans all machines, they can determine who is currently logged in and establish whether each machine has come across any hash values that indicate an intrusion. If the SOC team discovers a suspicious process using the endpoint detection and response tool, they can then shut down the attack and quarantine any affected machine(s). Even more important, they can make sure the threat does not spread.
- User and Entity Behavior Monitoringruns continuous analysis on users and entities (workstations and servers) to establish normal baseline behaviors. The security operations center team can then compare current activity to a normal day to determine if something suspicious is going on. They can also compare user activity to peer activity. If a user or entity’s behavior changes, the risk score rises to indicate something is amiss. The level of privileges along with combinations of various activities can cause risk scores to rise, raising red flags. For example, in the case of a privileged user logging into 500 servers in eight hours, the risk score would immediately spike so the team would know it needs to investigate the matter—immediately. And when user and entity behavior monitoring systems are tied into human resources systems, the SOC team can raise the risk scores of end users who have given two weeks notices and monitor more closely if they access an abnormal amount of sensitive data, such as intellectual property and client records.
- Vulnerability Management proactively identifies and prioritizes security defense gaps, so you can quickly close them before an asset is compromised. Vulnerability management tools can actively scan every device by either loading agents on each machine or running passive scans that do not impact application performance. You can then monitor and receive alerts when a vulnerability emerges. Oftentimes, it’s simply a matter of applying a patch. But without this capability, your team may never know when one is needed. Vulnerability information should also be tied into your SIEM tool to help correlate which assets are most at risk.
- Deception Technology applies decoy devices using unassigned IP addresses to attract cybercriminals…and steer them away from your real digital assets. If a decoy is interacted with, you receive an alert and can investigate to possibly find out who the cybercriminal is. Look for decoy software that captures information on the methods used to compromise your network so your team can improve network defenses over time.
- Threat Intelligence Feeds provide information to supplement all the threat information you are collecting internally on your network and stay ahead of new types of attacks. By subscribing to the right external feeds, your team can identify threats your company has not yet encountered. The intelligence improves your contextual understanding as to what might happen inside your network, and by learning about new attacks on other businesses, you can proactively apply measures to block those threats. The information from the threat feeds can also be correlated to your SIEM, which helps uncover security incidents.
Maximize the Value of Your Security Operations Center Components
What’s the key to maximizing the value of these eight components? Integrate the data flowing among all the tools. This gives your entire security operations team a filtered view into what the information means. The more perspectives you generate, the better the team can prevent, contain, and mitigate problems.
But it’s critical to apply intelligence to all of this data to be sure it doesn’t overwhelm your SOC team.
It’s also important to develop an incident response playbook so the security operations center does not have to respond to incidents on an ad-hoc basis—and under the pressure of the business needing a quick fix. This type of playbook should detail all the procedures and resources required for each type of security incident. A closed loop system is an essential piece of this best practice, so that security analysts can use feedback to make ongoing recommendations about measures that may need to be added. The playbook then becomes a living document that evolves as the security operations team learns new techniques, as emerging security technologies become available, and as new threats come to light.
Given all the user accounts and devices on your network, trying to manage security operations can easily overwhelm your internal team, especially if it is small, so you may want to consider outsourcing some or all of the tools and services to a managed service provider. An approach that some companies take is to subscribe to a cloud service for each tool and to have an outside managed service provider monitor the information that’s generated. Any alerts that indicate a threat might be lurking can then be turned over to your internal team for investigation and mitigation.