Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

1/28/2012
03:54 PM
50%
50%

Do You Need A Security Operations Center?

When a company starts to worry about losing data to attack, it could be time to create a simple SOC. Following are the most important steps to evaluating the need for an effective operations center

Seven years ago, European communications provider Colt Telecom Services embarked on a project to build its own operations center to manage the company's security and that of its clients.

Up until that point, the company did not have good visibility into the security of its systems because several internal groups had at least some responsibility for security, says Nicolas Fischbach, director of network strategy and architecture for Colt's infrastructure services unit.

"We were at the point in the company where security was distributed over many teams -- IT, the network guys, some dedicated network engineers, corporate security, and so on," Fischbach says. "We didn't have a single view into our assets."

Over the next two years, the company built a security operations center (SOC) to manage its data and operations in a score of countries. Colt also found a number of security problems that had gone unnoticed in its network, including back doors and other code that workers had put in and then forgot about, Fischbach says.

The decision to centralize security in an operations center is not an easy one. Fischbach stresses that a security operations center, even a small one, can be expensive. Yet, for companies worried about their data being stolen by digital thieves or their operations interrupted by online adversaries, it's likely time to build a simple security operations center.

The first step to deciding whether a SOC is necessary is for a company to assess the damage an attacker could do to its business, says Nick Bradley, senior operations manager for IBM.

"Think worse-case scenario -- what type of data would be accessed if you were breached, and would you have the resources to recover, or could you recover?" says Bradley. "If the answer is terrifying and keeping you up at night, then the answer is yes, you need a security operations center."

[Building blocks for developing the most effective security operations center. See Tech Insight: Building A SOC, From Outsourcing To DIY.]

A good next step is to create the position of chief security officer or chief information security officer to place responsibility in a single executive-level employee, says Doug Graham, a senior director of information risk management for data storage and security giant EMC. Putting the responsibility for security in a single position can help focus an organization's security efforts.

"I think if you are starting out as a new CSO in an organization, and you cannot answer the question, "How many times have I been attacked today?" then you should be very frightened," Graham says.

As the security initiative develops, a company will typically seek out better visibility into what is going on in its network. Many companies do not have a full inventory of their information assets, and embarking on a program to create a security operations center can be enlightening, Colt's Fischbach says.

"The first reason to have a SOC is not to do security enforcement, but to get visibility into your environment," he says.

Companies generally start by focusing on managing the operations of network perimeter devices, such as firewalls and intrusion prevention and detection systems. At that point, the company will have to determine how much it wants to do internally and to what degree it will outsource its security management.

Another caveat: When planning a program to better monitor and manage information security systems, companies should be careful to develop a plan based on what data and system need to be protected, not trying to mix and match security products, EMC's Graham says.

"Unfortunately, what some people will do is figure out what a product can do and then build their program around that, and that is the tail wagging the dog," he says.

Finally, companies should seek to maximize the amount of security information they are collecting and storing, even if their small SOC has no means to analyze it. If a company detects a breach, the first thing an analyst will need is data to sift through to find out what happened, says Graham.

"When you investigate an attack, you sometimes don't know what you are looking for and ... if you run out of evidence, you have a cold trail," he says. "We always say collect as much as you can, even if you don't have the capacity to analyze it in real time. Because if you store it, it may become useful to you later on."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
1/29/2012 | 12:11:24 PM
re: Do You Need A Security Operations Center?
There should be two types of computers : Commercial and Experimental.- The experimental computer you can update; the commercial one updates are controlled by policy; the software is audited; and the computer has a Commercial Certification on its x.509 certificate . customers should know the difference in these two types of computers and be allowed to make their own choice
macker490
50%
50%
macker490,
User Rank: Ninja
1/29/2012 | 12:08:13 PM
re: Do You Need A Security Operations Center?
Everyone needs a Security Policy: How am I going to secure my computers and demonstrate the effectiveness of my- policy in a convincing manner?- You MUST control software updates and to demonstrate that your policy is effective you must perform a software inventory audit.- Get after your OEM for this critical missing tool.
macker490
50%
50%
macker490,
User Rank: Ninja
1/29/2012 | 12:04:58 PM
re: Do You Need A Security Operations Center?
C'Mon DR --get DISQUS!!
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...