Operations
Commentary
3/13/2017 10:30 AM
Chris Crowley

What Your SecOps Team Can (and Should) Do

If your organization has all of these pieces in place, congratulations!

The security operations (SecOps) function takes many forms. For some organizations, it is little more than an incident and event management appliance. Others have a more elaborate concept of their SecOps strategies and technologies. But most companies I've worked with, both small and global, lack clearly stated objectives for SecOps.

SecOps manifests in many ways, but it's likely to be administered via a cybersecurity operations center (CSOC or SOC) of some sort. For those companies that do have a clear picture of what they should be doing, executing that vision in the immediate term and sustaining it on an ongoing basis is the next challenge. This brief description is intended to provide a picture of what fully operational security operations can do. Designing, building, and operating with ongoing optimization of performance and maturity is the program I develop fully in my SANS management course. If your organization has these functional capabilities, with the technology, people, and processes in place to accomplish these objectives, and an ongoing dialogue with the business about maturity: congratulations! You and your team are among the global elite.

Security Operations
My definition of security operations is the ongoing protection of information assets of an organization. This covers the people, systems, and data entrusted to the organization. SecOps is a support function to the business operations and it should be fully integrated with those operations. To that end, I use several functional areas to explain what complete security operations entails.

Functions
The groups below are functional areas. Some companies will combine these groups, some will have distinct organizational units. But the functional capability is what is important.

  • The steering committee is a group designed to help the business provide strategic vision. This strategy is what the SOC should do to best defend the business's information assets. Via the steering committee, the SOC conveys to the business what it has done to protect the business and what it intends to do going forward. This is designed to establish and maintain ongoing, bidirectional communication between the SOC and the business. Without a formal mechanism for this alignment, there will be wasted effort.
  • The command center is the directive and interactive facility of the SOC. It is how the business can request assistance from SecOps. It serves as the way to announce information to the business for situational awareness during incidents and ongoing training.
  • Network security monitoring is the practice of inspecting available internal data for abnormal circumstances. This should include routine alert-based detection as well as long-tail analysis and hunting for novel threat events.
  • Threat intelligence is the study of adversary operations to devise detective and responsive actions for the organization. Because the organization has limited resources to deploy defense, understanding the techniques that adversaries use allows for effective defenses to be deployed to detect, disrupt, and deceive the attacker.
  • Incident response is the organization's reactive capability to deal with unwanted situations. In this functional grouping, the detection of the situation is typically performed by the network security monitoring team while the reactive attempts to contain damage from the attack and remove the attacker completely are the purview of the incident response team.
  • Forensics is the specialized capability to assess information assets for details surrounding investigations and response activity. The complex array of technology used by an organization warrants specialization in this area.
  • Self-assessment is the ongoing assessment of the state of systems and people within the organization. This includes change management and change detection; configuration management; vulnerability assessments; penetration testing; and a "red team" that tests how effective the other functions actually are. These are frequently treated as separate security tasks. But incorporating them into SecOps is an effective way to improve detection and to keep the operational teams informed about the status of the environment. For example, if the vulnerability scan team works with threat intelligence, network security monitoring can watch the specific systems that are exposed to a newly disclosed threat or vulnerability, rather than the whole estate. Coordination among these groups in mature SecOps often leads to the discovery of previously unknown threats and vulnerabilities.
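The coordination described in the self-assessment item, together with the alert-based versus long-tail detection mentioned under network security monitoring, as an added example in Python that is not part of the original article or of the SANS course material: a constructed vulnerability-scan export and a constructed threat-intelligence note are joined into a watchlist of exposed hosts, which monitoring then applies to constructed log lines, alongside a rarity (long-tail) pass over the same lines. The host addresses, product names (acme-webapp and the others), the log format, and the request path used as an indicator are all assumptions made for the illustration.

```python
"""Constructed example: vulnerability scan (self-assessment) and threat
intelligence are joined into a watchlist that network security monitoring
applies to traffic, next to a long-tail (rarity) analysis. All hosts,
products, indicators and log lines are made up for the illustration."""
from collections import Counter


# Constructed vulnerability-scan export: host -> [(product, installed version)].
SCAN_RESULTS = {
    "10.0.1.10": [("acme-webapp", "2.3.1")],
    "10.0.1.11": [("acme-webapp", "3.0.0")],   # already on the fixed release
    "10.0.2.20": [("legacy-vpn", "1.2")],
    "10.0.3.30": [("db-server", "9.1")],
}

# Constructed threat-intelligence note: versions below "fixed_in" are being
# exploited, and exploitation leaves a recognisable request path.
THREAT_INTEL = [
    {"product": "acme-webapp", "fixed_in": "3.0.0",
     "indicator_path": "/admin/export.php"},
]

# Constructed web-server log lines: timestamp src dst method path status.
LOG_LINES = """\
2017-03-13T10:01:02 203.0.113.5 10.0.1.10 GET /index.html 200
2017-03-13T10:01:05 203.0.113.5 10.0.1.10 GET /admin/export.php 200
2017-03-13T10:02:10 198.51.100.7 10.0.1.11 GET /admin/export.php 200
2017-03-13T10:02:11 198.51.100.7 10.0.1.11 GET /index.html 200
2017-03-13T10:03:00 192.0.2.9 10.0.1.10 GET /index.html 200
2017-03-13T10:03:30 192.0.2.9 10.0.1.11 GET /index.html 200
2017-03-13T10:04:00 203.0.113.5 10.0.3.30 GET /.git/config 404
""".splitlines()


def version_tuple(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def build_watchlist(scan, intel):
    """Self-assessment meets threat intelligence: return {host: indicator_path}
    for every host whose installed version is below the fixed release."""
    watchlist = {}
    for host, products in scan.items():
        for product, version in products:
            for note in intel:
                if (product == note["product"]
                        and version_tuple(version) < version_tuple(note["fixed_in"])):
                    watchlist[host] = note["indicator_path"]
    return watchlist


def parse_line(line):
    """Split one constructed log line into a record."""
    ts, src, dst, method, path, status = line.split()
    return {"ts": ts, "src": src, "dst": dst, "method": method,
            "path": path, "status": int(status)}


def alert_based_detection(lines, watchlist):
    """Routine alert: the indicator path requested on a host the scan says is
    exposed. The same path on a patched host is not alerted, which keeps the
    monitoring team's queue focused on hosts that can actually be exploited."""
    alerts = []
    for rec in map(parse_line, lines):
        if rec["dst"] in watchlist and rec["path"] == watchlist[rec["dst"]]:
            alerts.append((rec["ts"], rec["src"], rec["dst"], rec["path"]))
    return alerts


def long_tail(lines, field, max_count=1):
    """Long-tail analysis: values of a field seen at most max_count times in
    the window. Rare values are where hunting starts, since no signature
    exists for them yet."""
    counts = Counter(rec[field] for rec in map(parse_line, lines))
    return sorted(value for value, n in counts.items() if n <= max_count)


def main():
    watchlist = build_watchlist(SCAN_RESULTS, THREAT_INTEL)
    print("watchlist:", watchlist)
    for alert in alert_based_detection(LOG_LINES, watchlist):
        print("ALERT indicator hit on exposed host:", alert)
    print("rare paths for hunting:", long_tail(LOG_LINES, "path"))


if __name__ == "__main__":
    main()
```

Run as a script, the watchlist contains only 10.0.1.10 (the host still below the fixed release), the alert fires once, for the indicator path on that host and not for the identical request to the patched host, and the long-tail pass surfaces the single request for /.git/config that no signature covered. The point of the join is the same one the article makes: the scan team's data decides which hosts monitoring treats as high-value, and the threat-intelligence note decides what to look for there.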

People, Technology, and Processes
The tangible components of the functional areas are people performing processes with technology. Many vendor sales teams will tell you to make the technology the centerpiece of your design and build your process around it. Resist that. Business alignment, then process development, then role definition, and only then technology selection is the optimal sequence for building security operations. Even if there's already an existing SecOps organization, redesigning it should follow this sequence.

The details of the interactions between the functional areas, and how each area performs its work, must be coordinated so that the output of one process feeds the next. Without this overall vision and tactical coordination, security operations will fail to perform optimally and can't hope to mature uniformly across all functional areas.

Here is a graphic image of the processes performed by each functional area (a more complete visual approach to this material can be downloaded from SANS):

[Figure: processes performed by each SecOps functional area. Image source: Chris Crowley]


A SecOps team is most effective when it is closely aligned with the business and has a clear understanding of what capabilities are needed and how these functions interact with one another. The necessary functions are business alignment (the steering committee), communication (the command center), monitoring (network security monitoring), detailed analysis of threats (threat intelligence), response capability (incident response), detailed analysis of artifacts (forensics), and ongoing assessment and improvement of the security posture of the organization (self-assessment).

Chris Crowley is an independent consultant at Montance, LLC, focusing on effective computer network defense. His work experience includes penetration testing, security operations, incident response, and forensic analysis. He is the course author for "SANS Management 517 - ...