Operations

3/13/2017
10:30 AM
Chris Crowley
Chris Crowley
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

What Your SecOps Team Can (and Should) Do

If your organization has all of these pieces in place, congratulations!

The security operations (SecOps) function takes many forms. For some organizations, it is simply a incident and event management device. Others have a more elaborate concept of their SecOps strategies and technologies. But most companies I've worked with, both small and global, lack adequate clarity for SecOps objectives.

SecOps manifests in many ways, but it's likely to be administered via a cybersecurity operations center (CSOC or SOC) of some sort. For those companies that do have a clear picture of what they should be doing, execution of that vision in the immediate term and on an ongoing basis will be the next challenge. This brief description is intended to provide a picture of what fully operational security operations can do. Designing, building, and operating with ongoing optimization of performance and maturity is the program I develop fully in my SANS management course. If your organization has these functional capabilities; technology, people, and processes in place to accomplish these objectives; and an ongoing dialogue with the business for maturity: congratulations! You and your team are among the global elite.

Security Operations
My definition of security operations is the ongoing protection of information assets of an organization. This covers the people, systems, and data entrusted to the organization. SecOps is a support function to the business operations and it should be fully integrated with those operations. To that end, I use several functional areas to explain what complete security operations entails.

Functions
The groups below are functional areas. Some companies will combine these groups, some will have distinct organizational units. But the functional capability is what is important.

  • The steering committee is a group designed to help the business provide strategic vision. This strategy is what the SOC should do to best defend the business's information assets. Via the steering committee, the SOC conveys to the business what it has done to protect the business and what it intends to do going forward. This is designed to establish and maintain ongoing, bidirectional communication between the SOC and the business. Without a formal mechanism for this alignment, there will be wasted effort.
  • The command center is the directive and interactive facility of the SOC. It is how the business can request assistance from SecOps. It serves as the way to announce information to the business for situational awareness during incidents and ongoing training.
  • Network security monitoring is the practice of inspecting available internal data for abnormal circumstances. This should include routine alert-based detection as well as long-tail analysis and hunting for novel threat events.
  • Threat intelligence is the study of adversary operations to devise detective and responsive actions for the organization. Because the organization has limited resources to deploy defense, understanding the techniques that adversaries use allows for effective defenses to be deployed to detect, disrupt, and deceive the attacker.
  • Incident response is the organization's reactive capability to deal with unwanted situations. In this functional grouping, the detection of the situation is typically performed by the network security monitoring team while the reactive attempts to contain damage from the attack and remove the attacker completely are the purview of the incident response team.
  • Forensics is the specialized capability to assess information assets for details surrounding investigations and response activity. The complex array of technology used by an organization warrants specialization in this area.
  • Self-assessment is the ongoing assessment of the state of systems and people within the organization. This includes change management and detection; configuration management; vulnerability assessments; penetration testing; and setting up a "red team" to promote effectiveness. These are frequently considered security tasks. But incorporating these tasks into SecOps becomes an effective way to facilitate detection and advise the operational capabilities on the status of the environment. For example, if the vulnerability scan team works with threat intelligence, rapid detection via network security monitoring can be accomplished when new threats or vulnerabilities are discovered. Coordination among these groups in mature SecOps often leads to the discovery of previously unknown threats and vulnerabilities.

People, Technology, and Processes
The tangible components of the functional areas include people performing processes with technology. Many vendor sales teams will tell you to make the technology the centerpiece of your design and build your process around it. Business alignment, then process development, then role definition, and then technology selection is the optimal sequence for building security operations. Even if there's already an existing SecOps organization, redesigning it should follow this sequence.

The details of the interactions between the functional areas, and how each area performs its work must be coordinated to feed input from one process into the next. Without this overall vision and tactical coordination, the security operations will fail to perform optimally and can't hope to mature uniformly across all functional areas.

Here is a graphic image of the processes performed by each (and a more complete visual approach to this material can be downloaded from SANS):

Image Source: Chris Crowley
Image Source: Chris Crowley


A SecOps team is most effective when it is closely aligned with the business and has a clear understanding of what capabilities are needed and how these functions interact with one another. The necessary functions are business alignment (the steering committee), communication (the command center), monitoring (network security monitoring), detailed analysis of threats (threat intelligence), response capability (incident response), detailed analysis of artifacts (forensics), and ongoing assessment and improvement of the security posture of the organization (self-assessment).

Related Content:

Chris Crowley is as an independent consultant at Montance, LLC, focusing on effective computer network defense. His work experience includes penetration testing, security operations, incident response, and forensic analysis. He is the course author for "SANS Management 517 - ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Julian Assange Arrested in London
Dark Reading Staff 4/11/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
The Single Cybersecurity Question Every CISO Should Ask
Arif Kareem, CEO, ExtraHop,  4/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11320
PUBLISHED: 2019-04-18
In Motorola CX2 1.01 and M2 1.01, users can access the router's /priv_mgt.html web page to launch telnetd, as demonstrated by the 192.168.51.1 address.
CVE-2019-11321
PUBLISHED: 2019-04-18
An issue was discovered in Motorola CX2 1.01 and M2 1.01. The router opens TCP port 8010. Users can send hnap requests to this port without authentication to obtain information such as the MAC addresses of connected client devices.
CVE-2019-11322
PUBLISHED: 2019-04-18
An issue was discovered in Motorola CX2 1.01 and M2 1.01. There is a command injection in the function startRmtAssist in hnap, which leads to remote code execution via shell metacharacters in a JSON value.
CVE-2019-8999
PUBLISHED: 2019-04-18
An XML External Entity vulnerability in the UEM Core of BlackBerry UEM version(s) earlier than 12.10.1a could allow an attacker to potentially gain read access to files on any system reachable by the UEM service account.
CVE-2018-17168
PUBLISHED: 2019-04-18
PrinterOn Enterprise 4.1.4 contains multiple Cross Site Request Forgery (CSRF) vulnerabilities in the Administration page. For example, an administrator, by following a link, can be tricked into making unwanted changes to a printer (Disable, Approve, etc).