Rajeev Raj, Delivery Manager – SOC services at Paladion Networks explains 5 steps that are required to implement a successful Security Operations Center
With businesses growing fast in today’s marketplace, the ability to monitor risks, whether for compliance purposes or security purposes, is critical. When an organization is small, information is comparatively safe and secure because only a limited set of people can access it. While organizational growth and increased revenue are always the goal, growth of any kind breeds risk. How do we start managing these risks? The answer is simple: we start monitoring our environment, and one of the well-accepted ways to do this is to implement a Security Incident and Event Monitoring (SIEM) tool and operationalize it as a Security Operations Center (SOC).
However, implementing high-end SIEM technology does not guarantee we will reach our goals: we must ensure we implement it correctly. The following are some of the important factors that help set up the right monitoring mechanism.
1. Know your assets
It is important to know which assets to monitor. Monitoring every asset in the organization is impractical: not all assets are critical, and not every asset holds critical information. Identify the high-value assets and start with these; this doesn’t mean that medium- and low-value assets go unmonitored. When I say High/Medium/Low value assets, I don’t mean their price tags but the extent of information they carry and how much their integrity and availability matter to your business. The well-known CIA (Confidentiality, Integrity and Availability) triad should help you sort assets into these three categories. Once this is done, no asset that belongs on the risk radar has been missed.
2. Know what to monitor
Once you have identified the boundaries and assets, it is time to deploy the right use cases (or business cases) to detect threats. A use case is nothing but a scenario, situation, or condition under which a threat is observed. Creating and enabling the right use cases lets business owners monitor the threats that matter. Use cases play a vital role: deploying 100 use cases will not ensure a risk-free environment, but implementing 10 precise use cases can bring you one step closer. Without this precision you could miss a genuine alert in a huge pile of false alerts, and no one wants to be in that situation. Take as much time as is needed to set the right conditions for detecting threats so that no stone goes unturned. The overall goal here should not be to reduce the number of alerts but to have the right alert for the right situation.
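To make the "precise use case versus noisy use case" point concrete, here is an added example (not code from the article or from Paladion) that runs two detection rules over a constructed authentication log. The log format, hostname and IP addresses are invented for illustration; use case A fires on every failed login, while use case B fires only when a user/source pair accumulates a threshold of failures inside a sliding window and then logs in successfully, which is the scenario an analyst actually needs to see.

```python
"""
Added example: two SOC use cases evaluated over a constructed sample log,
contrasting a noisy rule with a precise one. Nothing here is taken from
the original article; log format, hosts and IPs are made up.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<timestamp> <host> <event> user=<user> src=<ip>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 vpn-gw01 LOGIN_FAILED user=alice src=203.0.113.5
2024-01-10T09:00:03 vpn-gw01 LOGIN_FAILED user=alice src=203.0.113.5
2024-01-10T09:00:05 vpn-gw01 LOGIN_FAILED user=alice src=203.0.113.5
2024-01-10T09:00:06 vpn-gw01 LOGIN_FAILED user=alice src=203.0.113.5
2024-01-10T09:00:08 vpn-gw01 LOGIN_FAILED user=alice src=203.0.113.5
2024-01-10T09:00:09 vpn-gw01 LOGIN_SUCCESS user=alice src=203.0.113.5
2024-01-10T09:15:00 vpn-gw01 LOGIN_FAILED user=bob src=198.51.100.7
2024-01-10T09:15:20 vpn-gw01 LOGIN_SUCCESS user=bob src=198.51.100.7
2024-01-10T10:02:00 vpn-gw01 LOGIN_FAILED user=carol src=192.0.2.9
2024-01-10T11:30:00 vpn-gw01 LOGIN_FAILED user=carol src=192.0.2.9
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "event": event,
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def noisy_use_case(events):
    """Use case A: alert on every failed login.
    Bob mistyping once and Carol's two failures hours apart all become alerts."""
    return [e for e in events if e["event"] == "LOGIN_FAILED"]


def precise_use_case(events, threshold=5, window=timedelta(minutes=5)):
    """Use case B: alert when a (user, src) pair reaches `threshold` failures
    inside a sliding `window` and then succeeds, i.e. a brute force that worked.
    Returns one alert per such sequence."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for e in events:
        key = (e["user"], e["src"])
        recent = failures[key]
        # Expire failures that fell out of the sliding window.
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()
        if e["event"] == "LOGIN_FAILED":
            recent.append(e["ts"])
        elif e["event"] == "LOGIN_SUCCESS" and len(recent) >= threshold:
            alerts.append({"user": e["user"], "src": e["src"],
                           "failures": len(recent), "ts": e["ts"]})
            recent.clear()
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("use case A (noisy) alerts:", len(noisy_use_case(evs)))
    for alert in precise_use_case(evs):
        print("use case B (precise) alert:", alert)
```

On the sample log the noisy rule raises eight alerts, seven of which an analyst would close as benign; the precise rule raises exactly one, for the account whose password was guessed, and the failure count and source are carried in the alert so investigation can start immediately. The threshold and window are tuning knobs per environment, which is the kind of "taking the time to set the right conditions" the step above describes.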
3. Don’t stop at detection, plan for mitigation
It is extremely important to act upon the incident alerts raised by your SOC immediately. Receiving security monitoring alerts is very different from receiving an email which lands in your inbox. Investigate the alert as soon as possible and mitigate the threat and vulnerability which caused it. Define responsibilities, assign ownership and chase down the alert or incident with a proper incident management process.
4. Select the Right Tool to Track Mitigation Status
Losing track of alerts raised by the SOC is an area of serious concern. Not many organizations pay much attention to chasing down security incidents, because they feel that once an incident has been monitored their job is done. But it is very important to track closures. Likewise, it is important to deploy the right people and technology for tracking such incidents, and procuring the right tool, even your existing service desk tool, will make the job easier. More advanced tools and techniques can be implemented later, but starting off with a service desk tool is a step in the right direction.
5. Verify Incident Closure
Do you double-check that you’ve locked all of your doors and windows before leaving your house? Most people, even if they have the best security system on the planet, double-check and confirm those doors are locked. The same thing applies here. For each and every security incident the business owner should be able to confidently say, “Yes, we have closed the incident.” A lot of the time it is an old incident that repeats and creates disturbances, because its root cause was not addressed properly. Hence, a double-check after closing the incident is a good step.