Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

03:54 PM

Do You Need A Security Operations Center?

When a company starts to worry about losing data to attack, it could be time to create a simple SOC. Following are the most important steps to evaluating the need for an effective operations center

Seven years ago, European communications provider Colt Telecom Services embarked on a project to build its own operations center to manage the company's security and that of its clients.

Up until that point, the company did not have good visibility into the security of its systems because several internal groups had at least some responsibility for security, says Nicolas Fischbach, director of network strategy and architecture for Colt's infrastructure services unit.

"We were at the point in the company where security was distributed over many teams -- IT, the network guys, some dedicated network engineers, corporate security, and so on," Fischbach says. "We didn't have a single view into our assets."

Over the next two years, the company built a security operations center (SOC) to manage its data and operations in a score of countries. Colt also found a number of security problems that had gone unnoticed in its network, including back doors and other code that workers had put in and then forgot about, Fischbach says.

The decision to centralize security in an operations center is not an easy one. Fischbach stresses that a security operations center, even a small one, can be expensive. Yet, for companies worried about their data being stolen by digital thieves or their operations interrupted by online adversaries, it's likely time to build a simple security operations center.

The first step to deciding whether a SOC is necessary is for a company to assess the damage an attacker could do to its business, says Nick Bradley, senior operations manager for IBM.

"Think worse-case scenario -- what type of data would be accessed if you were breached, and would you have the resources to recover, or could you recover?" says Bradley. "If the answer is terrifying and keeping you up at night, then the answer is yes, you need a security operations center."

[Building blocks for developing the most effective security operations center. See Tech Insight: Building A SOC, From Outsourcing To DIY.]

A good next step is to create the position of chief security officer or chief information security officer to place responsibility in a single executive-level employee, says Doug Graham, a senior director of information risk management for data storage and security giant EMC. Putting the responsibility for security in a single position can help focus an organization's security efforts.

"I think if you are starting out as a new CSO in an organization, and you cannot answer the question, "How many times have I been attacked today?" then you should be very frightened," Graham says.

As the security initiative develops, a company will typically seek out better visibility into what is going on in its network. Many companies do not have a full inventory of their information assets, and embarking on a program to create a security operations center can be enlightening, Colt's Fischbach says.

"The first reason to have a SOC is not to do security enforcement, but to get visibility into your environment," he says.

Companies generally start by focusing on managing the operations of network perimeter devices, such as firewalls and intrusion prevention and detection systems. At that point, the company will have to determine how much it wants to do internally and to what degree it will outsource its security management.

Another caveat: When planning a program to better monitor and manage information security systems, companies should be careful to develop a plan based on what data and system need to be protected, not trying to mix and match security products, EMC's Graham says.

"Unfortunately, what some people will do is figure out what a product can do and then build their program around that, and that is the tail wagging the dog," he says.

Finally, companies should seek to maximize the amount of security information they are collecting and storing, even if their small SOC has no means to analyze it. If a company detects a breach, the first thing an analyst will need is data to sift through to find out what happened, says Graham.

"When you investigate an attack, you sometimes don't know what you are looking for and ... if you run out of evidence, you have a cold trail," he says. "We always say collect as much as you can, even if you don't have the capacity to analyze it in real time. Because if you store it, it may become useful to you later on."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/29/2012 | 12:11:24 PM
re: Do You Need A Security Operations Center?
There should be two types of computers : Commercial and Experimental.- The experimental computer you can update; the commercial one updates are controlled by policy; the software is audited; and the computer has a Commercial Certification on its x.509 certificate . customers should know the difference in these two types of computers and be allowed to make their own choice
User Rank: Ninja
1/29/2012 | 12:08:13 PM
re: Do You Need A Security Operations Center?
Everyone needs a Security Policy: How am I going to secure my computers and demonstrate the effectiveness of my- policy in a convincing manner?- You MUST control software updates and to demonstrate that your policy is effective you must perform a software inventory audit.- Get after your OEM for this critical missing tool.
User Rank: Ninja
1/29/2012 | 12:04:58 PM
re: Do You Need A Security Operations Center?
C'Mon DR --get DISQUS!!
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function.
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel�s tz_handle_trusted_app_smc function where a lack of integer overflow checks on the req_off and param_ofs variables leads to memory corruption of critical kernel structures.
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service.
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure.
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in all TAs whose deserializer does not reject messages with multiple occurrences of the same parameter. The deserialization of untrusted data might allow an attacker to exploit the deserializer to impact code execution.