Vaibhav Shukla says
The process of monitoring through a SIEM is the most important within a SOC environment, as many organizations have implemented a defense-in-depth strategy around their critical assets using firewalls and IDS/IPS at the perimeter, two-factor authentication, internal firewalls, network segmentation, HIDS, AV, etc., but all of these implementations will stand useless if there is no proper correlation and monitoring, and all of these devices generate a huge amount of data, which is difficult to monitor. A security team cannot realistically have eight dashboards open and correlate events among several components fast enough to keep up with the packets traversing the network. SIEM technologies bring all of these controls together into a single engine, capable of continuous real-time monitoring and correlation across the breadth and depth of the enterprise.
http://www.networkworld.com/article/2180119/tech-primers/5-reasons-why-siem-is-more-important-than-ever.html
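As an added worked example (editorial addition, not part of Vaibhav's post and not code from any SIEM product), the script below shows the kind of cross-source correlation the post is talking about. It takes constructed firewall, IDS and authentication lines for made-up hosts and IPs, normalises them onto a shared (source IP, target host) key, and raises an incident only when an IDS brute-force alert is followed within a time window by a successful login on the same host from the same source. Neither event on its own would be worth an analyst's time; the join is what makes it actionable.

```python
"""Cross-source correlation over constructed firewall, IDS and auth events.

Added example, not code from the original thread or from any SIEM product.
The hosts, IPs, usernames and line formats below are made up; a real SIEM
normalises vendor formats first, but the correlation step is the same: join
events from different sensors on a shared key inside a time window and alert
only on the combination.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (syslog-like): <timestamp> <source> <action> k=v ...
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z fw   ALLOW   src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T10:00:02Z ids  ALERT   sig="SSH brute-force" src=203.0.113.7 dst=10.0.0.5
2024-03-01T10:00:03Z fw   ALLOW   src=203.0.113.7 dst=10.0.0.5 dport=22
2024-03-01T10:03:40Z auth SUCCESS user=svc_backup host=10.0.0.5 src=203.0.113.7
2024-03-01T10:20:00Z ids  ALERT   sig="SSH brute-force" src=198.51.100.9 dst=10.0.0.5
2024-03-01T11:05:00Z auth SUCCESS user=alice host=10.0.0.5 src=198.51.100.9
2024-03-01T11:30:00Z auth SUCCESS user=bob host=10.0.0.8 src=192.0.2.44
"""


def parse_line(line):
    """Normalise one raw line into a common event shape.

    The join key is (source IP, target host); the firewall and IDS call the
    target 'dst' while the auth log calls it 'host', so both are mapped.
    shlex handles the quoted signature name in the IDS line.
    """
    ts, source, action, *kv = shlex.split(line)
    fields = dict(tok.split("=", 1) for tok in kv)
    target = fields.get("dst") or fields.get("host")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "source": source,
        "action": action,
        "key": (fields["src"], target),
        "fields": fields,
    }


def correlate(log_text, window_minutes=15):
    """Raise an incident when an IDS alert on (src, host) is followed, within
    the window, by a successful login on that host from that src.

    Neither event alone is actionable: brute-force alerts are constant
    background noise and successful logins are normal. Together they
    suggest the brute force worked.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    recent_alerts = defaultdict(list)  # join key -> IDS alerts seen so far
    incidents = []
    for ev in events:
        if ev["source"] == "ids" and ev["action"] == "ALERT":
            recent_alerts[ev["key"]].append(ev)
        elif ev["source"] == "auth" and ev["action"] == "SUCCESS":
            # Expire alerts older than the window before attempting the join.
            live = [a for a in recent_alerts[ev["key"]] if ev["ts"] - a["ts"] <= window]
            recent_alerts[ev["key"]] = live
            if live:
                incidents.append({
                    "user": ev["fields"]["user"],
                    "src": ev["key"][0],
                    "host": ev["key"][1],
                    "signature": live[-1]["fields"]["sig"],
                    "seconds_after_alert": int((ev["ts"] - live[-1]["ts"]).total_seconds()),
                })
        # Firewall ALLOW lines are kept for context only; they never alert.
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(f"INCIDENT: {inc['signature']} from {inc['src']} then login as "
              f"{inc['user']} on {inc['host']} {inc['seconds_after_alert']}s later")
```

With the default 15-minute window only the svc_backup login is flagged; the alice login comes 45 minutes after its alert and is dropped. Widening the window to an hour catches it too, which is the tuning trade-off every correlation rule carries: a longer window finds slower attackers and produces more false joins.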
Zhengshu Wu says
Vaibhav, good post! On the one hand, it is a technical problem. Understanding and knowledge of these devices and techniques are required to put them to use. It also means people with enough skills are needed in place. On the other hand, it is also an economic issue. Procurement of devices and techniques, as well as learning/training, asks for initial and continuous investments of time and money for the establishment, operation and optimization of the whole SOC environment.
Sachin Shah says
Vaibhav,
I like your post. You are right about setting up a SIEM, as there is no reason to set up numerous dashboards at every component. They need to understand what needs to be monitored and what is susceptible to a security threat or breach.
Shain R. Amzovski says
One of the most important processes when creating a SOC is the selection of the team members and the manager or leadership that will be responsible for motivating the SOC team members. Selecting people to be a part of the SOC is not an easy task. A SOC is not a normal 9-to-5 job. It is an operation that runs 24 hours a day, seven days a week. Finding the right team members that can handle stress is crucial. Along with selecting team members, it is then difficult to find the correct team member to perform the right tasks, since there is such a wide range of competencies required for SOC members. “Selecting the right team members for the right tasks is a highly challenging assignment, as the range of required competences is quite wide, spacing from vulnerability management to computer forensics through malware analysis.” Good leadership is crucial when selecting SOC members because they need to get the team motivated. The key to any SOC is retention. Also, another important thing to remember when selecting SOC members is to keep the budget in mind, and do not underman the SOC. “Establishing the proper number of staff members is another hard and demanding charge; while no unnecessary workers should be hired and a defined level of budget will have to be respected, the risk of being undermanned – and therefore inefficient – must be avoided.” Selecting the people necessary for the SOC is definitely one of the most difficult, yet most important tasks.
Article: http://securityaffairs.co/wordpress/47631/breaking-news/soc-security-operations-center.html
Zhengshu Wu says
Shain, I agree with your point. This is especially true under the circumstance that IT security talent has the greatest gap between supply and demand in history. In particular, IT security professionals and leaders are most needed as the key members of a SOC in different organizations.
Sachin Shah says
Shain made a number of great points. Staffing is difficult in general, but especially for a SOC. The reason is that a SOC usually runs in a 24/7 environment, and usually in those off hours there is less management and the SOC needs to operate in a macro-managed setup. I work in environments where there is 24/7 monitoring for interfaces, networking, data center and help desk, and in off hours the team is usually thin, but where the team was lacking in staff, it had expertise. That is the point about having properly trained or experienced personnel, which is up to the management who can select those individuals and lead them.
Jimmy C. Jouthe says
Shain,
Selecting SOC members is crucial, and you made some very key points in addressing the case. SOC members definitely need to work together under pressure to remediate incidents as they occur, and it is constant. Having all the skills necessary to recognize or alert, re-engineer, prevent, detect, and remediate attacks is also necessary to be a member of the SOC. Also needed is a team leader with the mindset to spearhead the mission on a continuous basis. And since it is difficult to find the members needed to support the SOC, there is a lot of cost involved. Finding potential members among existing personnel and providing the training needed to become a part of the SOC is a way of cutting those costs.
Loi Van Tran says
Perhaps the most important and challenging process of a successful SOC is defining normal through baselining. A centralized SIEM (Security Incident Event Management) is used for enterprise-wide data collection, aggregation, detection, analytics and management. A good SIEM collects data from a diverse technology environment: computers, firewalls, endpoints, and network systems. The sheer volume of data makes it extremely challenging to identify ‘normal’ behavior within each system. Without a well-defined baseline, administrators will get an onslaught of erroneous alerts that will have to be analyzed and prioritized for remedial action. Having a baseline, and continuously updating it, will enhance alerting mechanisms to provide actionable alerts on events that actually pose a threat to the organization.
https://www.sans.org/reading-room/whitepapers/analyst/building-world-class-security-operations-center-roadmap-35907
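As an added worked example (editorial addition, not part of Loi's post and not code from any SIEM vendor), the script below shows baseline-driven alerting on constructed per-host daily counts of failed logins for two made-up hosts. It learns a per-host baseline from the first week, compares each later day against a rolling window, and illustrates the two failure modes the post points at: a baseline with no absolute floor alerts on trivial changes for a quiet host, and a baseline that is refreshed blindly lets a spike raise the threshold for the days after it.

```python
"""Baseline-driven alerting over constructed per-host daily counts.

Added example, not code from the original thread or from any SIEM vendor.
The hosts and the daily failed-login counts are made up. It shows two
failure modes of "defining normal": alerting on everything when the
baseline has no absolute floor, and letting yesterday's anomaly become
today's "normal" if the baseline is refreshed without filtering.
"""
import statistics

# Constructed data: failed logins per day on two hosts. Day 7 on ws-17 and
# day 9 on db-02 are the planted anomalies; day 7 on db-02 (2 failures on
# a host that normally sees 0 or 1) is benign noise a floor should absorb.
DAILY_FAILED_LOGINS = {
    "ws-17": [3, 4, 2, 5, 3, 4, 3, 60, 4, 3, 8],
    "db-02": [0, 1, 0, 0, 1, 0, 0, 2, 0, 12],
}


def baseline(values):
    """Mean and population standard deviation of the learning window."""
    return statistics.fmean(values), statistics.pstdev(values)


def evaluate_series(host, series, learn=7, k=3.0, floor=5.0):
    """Return (alerts, final_baseline) for one host's daily series.

    The first `learn` days seed the baseline. Each later day is compared
    with a rolling window of the last `learn` *normal* days: anomalous
    days are reported but not fed back, so a spike cannot silently raise
    the threshold for the days that follow. `floor` is an absolute
    allowance used when k*stdev is tiny; without it a host that is quiet
    for a week alerts on two failed logins.
    """
    history = list(series[:learn])
    alerts = []
    for day, value in enumerate(series[learn:], start=learn):
        mean, stdev = baseline(history[-learn:])
        threshold = mean + max(k * stdev, floor)
        if value > threshold:
            alerts.append((host, day, value, round(threshold, 1)))
        else:
            history.append(value)  # only normal days refresh the baseline
    return alerts, baseline(history[-learn:])


def run_all(data, **kwargs):
    """Evaluate every host; returns {host: alerts}."""
    return {host: evaluate_series(host, series, **kwargs)[0]
            for host, series in data.items()}


if __name__ == "__main__":
    for host, alerts in run_all(DAILY_FAILED_LOGINS).items():
        for _, day, value, threshold in alerts:
            print(f"{host}: day {day} had {value} failed logins, threshold {threshold}")
    noisy = run_all(DAILY_FAILED_LOGINS, floor=0.0)
    print("alerts without an absolute floor:", sum(len(a) for a in noisy.values()))
```

With the floor in place each host produces exactly one alert, on its planted spike. With `floor=0.0` the same data produces four: db-02 alerts on two failed logins, and ws-17 alerts on a day of eight because its window is narrow. Excluding anomalous days from the refresh stops a single spike from poisoning the baseline, but it does not stop an attacker who ramps up slowly under the threshold, so the learning window and `k` still need periodic review against real incidents.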
Mengxue Ni says
Nice post, Loi. A well-prepared baseline will help an organization save money and time. It should be designed to be simple but comprehensive. Once the baseline is settled, we can find the people and resources we need for the project more easily and accurately. So I agree that defining normal through baselining is important.
Zhengshu Wu says
Risk assessment is the most important process within SOC environments. It is the first step in the planning of a SOC. Only once a risk assessment has been conducted can subsequent processes such as incident monitoring and response be determined. At the same time, it also decides how many resources, including people and time, we need to invest into SOC environments. Thus, at the starting point of building a SOC environment, risk assessment is the most critical process of all.
Sachin Shah says
Great point about risk assessment. If the data or information within the network is not confidential or personal in nature, then there may be no point in having a SOC. Also, with budgets, a small-sized company may not be able to staff a 24/7 SOC, and the cost outweighs the benefits.
Mengxue Ni says
Well said, Zhengshu. Risk assessment is an important step in many environments; before they start a SOC, they can use the assessment to see what risks they have and what solutions they should choose to do: avoid, transfer, mitigate or accept.
Sachin Shah says
I believe there are many important factors in setting up a well-run SOC. An operations center can be used to monitor data centers, connections, power, etc. This being a SOC, it is security-based; therefore one needs to select a SIEM and, more importantly, decide what to monitor and configure the SIEM accordingly. Also, who is staffed at the SOC and managing it is just as important; this is off-hours work but extremely critical, and staff have to be proactive. Otherwise, just reacting to a security breach defeats the purpose of the SOC.
Mengxue Ni says
I think creating a repeatable incident management workflow is an important process in a SOC environment. During the preparation and identification period, once we have the repeatable incident management workflow, team members’ responsibilities and actions are defined, from the creation of an alert and the initial Tier 1 evaluation to escalation to Tier 2 or Tier 3 personnel. Based on the workflow, resources can also be effectively allocated. The workflow can be the most important part of a SOC environment; if it is set up right, it will save a lot of time and cost.
Ryan P Boyce says
I believe the most important process within a SOC is remediating an attack or intrusion once it has begun. Properly identifying an attack is highly important as well, but there are other individuals within an organization who have the ability to do this. System administrators, for example, may notice irregular behavior on a system, or even an end user may notice connection issues. It’s one thing to identify an attack, but it is another obstacle entirely to remediate it. Eliminating a threat is generally the essence of a SOC. In the event of an attack, for example, a database administrator needs to be concerned with the integrity and availability of data, a sysadmin needs to be concerned with the uptime/availability of a system, and an application developer needs to be concerned with how their code might be being exploited. It would be very difficult and time-consuming for all of these groups to come together and eliminate the threat while also fulfilling their job roles. It is the SOC’s job to do this.
Kevin Blankenship says
Vulnerability analysis and risk assessment are very important in a SOC. Being able to properly identify threats and the potential vulnerabilities within a network allows for planning and preventative action to take place to mitigate any potential attack. It also allows response teams to have previously found knowledge if one of these vulnerabilities is exploited. Having a proper risk assessment also allows the SOC to properly delegate responsibility and target specific areas for improvement.
Marcus A. Wilson says
I think that incident tracking and reporting is one of the most important processes in a SOC. It’s critical that each incident is managed and organized in the appropriate manner throughout. An effective and efficient workflow also allows the team to respond in the quickest manner. A lot of the common incident tools within SOCs allow the team to assign tasks during the investigation of an incident. The reporting capabilities allow SOC leadership to provide metrics to stakeholders that can show the overall success or pain points of a SOC.