Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

03:54 PM

Do You Need A Security Operations Center?

When a company starts to worry about losing data to attack, it could be time to create a simple SOC. Following are the most important steps to evaluating the need for an effective operations center

Seven years ago, European communications provider Colt Telecom Services embarked on a project to build its own operations center to manage the company's security and that of its clients.

Up until that point, the company did not have good visibility into the security of its systems because several internal groups had at least some responsibility for security, says Nicolas Fischbach, director of network strategy and architecture for Colt's infrastructure services unit.

"We were at the point in the company where security was distributed over many teams -- IT, the network guys, some dedicated network engineers, corporate security, and so on," Fischbach says. "We didn't have a single view into our assets."

Over the next two years, the company built a security operations center (SOC) to manage its data and operations in a score of countries. Colt also found a number of security problems that had gone unnoticed in its network, including back doors and other code that workers had put in and then forgot about, Fischbach says.

The decision to centralize security in an operations center is not an easy one. Fischbach stresses that a security operations center, even a small one, can be expensive. Yet, for companies worried about their data being stolen by digital thieves or their operations interrupted by online adversaries, it's likely time to build a simple security operations center.

The first step to deciding whether a SOC is necessary is for a company to assess the damage an attacker could do to its business, says Nick Bradley, senior operations manager for IBM.

"Think worse-case scenario -- what type of data would be accessed if you were breached, and would you have the resources to recover, or could you recover?" says Bradley. "If the answer is terrifying and keeping you up at night, then the answer is yes, you need a security operations center."

[Building blocks for developing the most effective security operations center. See Tech Insight: Building A SOC, From Outsourcing To DIY.]

A good next step is to create the position of chief security officer or chief information security officer to place responsibility in a single executive-level employee, says Doug Graham, a senior director of information risk management for data storage and security giant EMC. Putting the responsibility for security in a single position can help focus an organization's security efforts.

"I think if you are starting out as a new CSO in an organization, and you cannot answer the question, "How many times have I been attacked today?" then you should be very frightened," Graham says.

As the security initiative develops, a company will typically seek out better visibility into what is going on in its network. Many companies do not have a full inventory of their information assets, and embarking on a program to create a security operations center can be enlightening, Colt's Fischbach says.

"The first reason to have a SOC is not to do security enforcement, but to get visibility into your environment," he says.

Companies generally start by focusing on managing the operations of network perimeter devices, such as firewalls and intrusion prevention and detection systems. At that point, the company will have to determine how much it wants to do internally and to what degree it will outsource its security management.

Another caveat: When planning a program to better monitor and manage information security systems, companies should be careful to develop a plan based on what data and system need to be protected, not trying to mix and match security products, EMC's Graham says.

"Unfortunately, what some people will do is figure out what a product can do and then build their program around that, and that is the tail wagging the dog," he says.

Finally, companies should seek to maximize the amount of security information they are collecting and storing, even if their small SOC has no means to analyze it. If a company detects a breach, the first thing an analyst will need is data to sift through to find out what happened, says Graham.

"When you investigate an attack, you sometimes don't know what you are looking for and ... if you run out of evidence, you have a cold trail," he says. "We always say collect as much as you can, even if you don't have the capacity to analyze it in real time. Because if you store it, it may become useful to you later on."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/29/2012 | 12:11:24 PM
re: Do You Need A Security Operations Center?
There should be two types of computers : Commercial and Experimental.- The experimental computer you can update; the commercial one updates are controlled by policy; the software is audited; and the computer has a Commercial Certification on its x.509 certificate . customers should know the difference in these two types of computers and be allowed to make their own choice
User Rank: Ninja
1/29/2012 | 12:08:13 PM
re: Do You Need A Security Operations Center?
Everyone needs a Security Policy: How am I going to secure my computers and demonstrate the effectiveness of my- policy in a convincing manner?- You MUST control software updates and to demonstrate that your policy is effective you must perform a software inventory audit.- Get after your OEM for this critical missing tool.
User Rank: Ninja
1/29/2012 | 12:04:58 PM
re: Do You Need A Security Operations Center?
C'Mon DR --get DISQUS!!
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-13
Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via coverterCheckList action in meta_driver_srv.js class. Attackers can send a specially crafted packet to make IPM connect to ro...
PUBLISHED: 2021-04-13
SAP NetWeaver AS JAVA (Customer Usage Provisioning Servlet), versions - 7.31, 7.40, 7.50, allows an attacker to read some statistical data like product version, traffic, timestamp etc. because of missing authorization check in the servlet.
PUBLISHED: 2021-04-13
SAP Manufacturing Execution (System Rules), versions - 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into HTTP parameter and send it to the server because SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters, resulting in Stored ...
PUBLISHED: 2021-04-13
SAP NetWeaver AS Java (Applications based on HTMLB for Java) allows a basic-level authorized attacker to store a malicious file on the server. When a victim tries to open this file, it results in a Cross-Site Scripting (XSS) vulnerability and the attacker can read and modify data. However, the attac...
PUBLISHED: 2021-04-13
SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the sour...