Dark Reading is part of the Informa Tech Division of Informa PLC



1/28/2012
03:54 PM

Do You Need A Security Operations Center?

When a company starts to worry about losing data to an attack, it could be time to create a simple SOC. Following are the most important steps in evaluating the need for an effective operations center.

Seven years ago, European communications provider Colt Telecom Services embarked on a project to build its own operations center to manage the company's security and that of its clients.

Up until that point, the company did not have good visibility into the security of its systems because several internal groups had at least some responsibility for security, says Nicolas Fischbach, director of network strategy and architecture for Colt's infrastructure services unit.

"We were at the point in the company where security was distributed over many teams -- IT, the network guys, some dedicated network engineers, corporate security, and so on," Fischbach says. "We didn't have a single view into our assets."

Over the next two years, the company built a security operations center (SOC) to manage its data and operations in a score of countries. Colt also found a number of security problems that had gone unnoticed in its network, including back doors and other code that workers had put in and then forgotten about, Fischbach says.

The decision to centralize security in an operations center is not an easy one. Fischbach stresses that a security operations center, even a small one, can be expensive. Yet, for companies worried about their data being stolen by digital thieves or their operations interrupted by online adversaries, it's likely time to build a simple security operations center.

The first step in deciding whether a SOC is necessary is for a company to assess the damage an attacker could do to its business, says Nick Bradley, senior operations manager for IBM.

"Think worst-case scenario -- what type of data would be accessed if you were breached, and would you have the resources to recover, or could you recover?" says Bradley. "If the answer is terrifying and keeping you up at night, then the answer is yes, you need a security operations center."

[Building blocks for developing the most effective security operations center. See Tech Insight: Building A SOC, From Outsourcing To DIY.]

A good next step is to create the position of chief security officer or chief information security officer to place responsibility in a single executive-level employee, says Doug Graham, a senior director of information risk management for data storage and security giant EMC. Putting the responsibility for security in a single position can help focus an organization's security efforts.

"I think if you are starting out as a new CSO in an organization, and you cannot answer the question, 'How many times have I been attacked today?' then you should be very frightened," Graham says.

As the security initiative develops, a company will typically seek out better visibility into what is going on in its network. Many companies do not have a full inventory of their information assets, and embarking on a program to create a security operations center can be enlightening, Colt's Fischbach says.

"The first reason to have a SOC is not to do security enforcement, but to get visibility into your environment," he says.

Companies generally start by focusing on managing the operations of network perimeter devices, such as firewalls and intrusion prevention and detection systems. At that point, the company will have to determine how much it wants to do internally and to what degree it will outsource its security management.

Another caveat: when planning a program to better monitor and manage information security systems, companies should build the plan around what data and systems need to be protected, rather than trying to mix and match security products, EMC's Graham says.

"Unfortunately, what some people will do is figure out what a product can do and then build their program around that, and that is the tail wagging the dog," he says.

Finally, companies should seek to maximize the amount of security information they are collecting and storing, even if their small SOC has no means to analyze it. If a company detects a breach, the first thing an analyst will need is data to sift through to find out what happened, says Graham.

"When you investigate an attack, you sometimes don't know what you are looking for and ... if you run out of evidence, you have a cold trail," he says. "We always say collect as much as you can, even if you don't have the capacity to analyze it in real time. Because if you store it, it may become useful to you later on."
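Graham's point about retention is easy to state and easy to get wrong in practice: "store everything" is only useful if, months later, an analyst can actually pivot on a newly learned indicator without re-reading the whole archive. The following is an added example, not code from the article, from Colt, EMC or IBM, or from any product they use. It builds a day-partitioned, gzip-compressed log archive with a small per-day indicator index, then searches it backwards once an attacker address becomes known at detection time. The log lines, host names and IP addresses are constructed for the example, and the function names (archive_logs, retro_search, dwell_time_days, investigate) are this example's own.

```python
"""Retain raw security logs cheaply now, search them retrospectively later.

Added example, not from the article or any vendor. Lines are partitioned by
UTC day and gzip-compressed; a tiny index records which IP addresses each
day mentions, so a later investigation decompresses only the days that
matter instead of scanning the whole archive.
"""
import gzip
import json
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log lines (syslog-like, ISO 8601 UTC timestamps). Not real data.
# Story: an external host logs into the bastion on Jan 10, returns on Jan 14, and a
# large outbound transfer to it on Jan 15 is what finally triggers the investigation.
SAMPLE_LOGS = [
    "2012-01-10T02:13:44Z fw01 ACCEPT src=203.0.113.45 dst=10.0.0.12 dport=22",
    "2012-01-10T02:13:51Z bastion sshd[4410]: Accepted password for deploy from 203.0.113.45 port 51522",
    "2012-01-11T09:01:02Z fw01 ACCEPT src=198.51.100.7 dst=10.0.0.30 dport=443",
    "2012-01-14T23:40:10Z bastion sshd[5102]: Accepted publickey for deploy from 203.0.113.45 port 40211",
    "2012-01-15T00:02:33Z fw01 ACCEPT src=10.0.0.12 dst=203.0.113.45 dport=443 bytes=80100000",
    "2012-01-20T11:22:00Z fw01 ACCEPT src=198.51.100.7 dst=10.0.0.30 dport=443",
]


def archive_logs(lines, archive_dir):
    """Append lines to per-day gzip files and update index.json (day -> IPs seen).

    Assumes each line starts with an ISO 8601 timestamp, so the first 10
    characters are the UTC day. Returns the merged index.
    """
    os.makedirs(archive_dir, exist_ok=True)
    index_path = os.path.join(archive_dir, "index.json")
    index = {}
    if os.path.exists(index_path):          # merge with earlier ingest runs
        with open(index_path, encoding="utf-8") as fh:
            index = json.load(fh)

    by_day = defaultdict(list)
    for line in lines:
        by_day[line[:10]].append(line)

    for day, day_lines in by_day.items():
        path = os.path.join(archive_dir, f"{day}.log.gz")
        with gzip.open(path, "at", encoding="utf-8") as fh:   # append: repeated ingest is safe
            fh.write("\n".join(day_lines) + "\n")
        ips = set(index.get(day, []))
        for line in day_lines:
            ips.update(IPV4.findall(line))
        index[day] = sorted(ips)

    with open(index_path, "w", encoding="utf-8") as fh:
        json.dump(index, fh)
    return index


def retro_search(archive_dir, indicator):
    """Return (matching_lines, days_decompressed, days_archived) for an IP indicator.

    Only days whose index entry contains the indicator are decompressed; the
    rest of the archive is never touched.
    """
    with open(os.path.join(archive_dir, "index.json"), encoding="utf-8") as fh:
        index = json.load(fh)
    candidate_days = sorted(day for day, ips in index.items() if indicator in ips)
    matches = []
    for day in candidate_days:
        path = os.path.join(archive_dir, f"{day}.log.gz")
        with gzip.open(path, "rt", encoding="utf-8") as fh:
            matches.extend(line.rstrip("\n") for line in fh if indicator in line)
    return matches, len(candidate_days), len(index)


def dwell_time_days(matches, detected_at):
    """Whole days between the earliest archived sighting and the detection time."""
    first = min(datetime.strptime(m[:20], "%Y-%m-%dT%H:%M:%SZ") for m in matches)
    return (detected_at - first).days


def investigate(indicator="203.0.113.45", detected_at=datetime(2012, 1, 15, 0, 5)):
    """Archive the constructed logs, then pivot on the indicator learned at detection."""
    with tempfile.TemporaryDirectory() as archive_dir:
        archive_logs(SAMPLE_LOGS, archive_dir)
        matches, scanned, total = retro_search(archive_dir, indicator)
        return {
            "timeline": matches,
            "days_scanned": scanned,
            "days_archived": total,
            "dwell_days": dwell_time_days(matches, detected_at),
        }


if __name__ == "__main__":
    result = investigate()
    for line in result["timeline"]:
        print(line)
    print(f"scanned {result['days_scanned']} of {result['days_archived']} archived days; "
          f"first sighting {result['dwell_days']} days before detection")
```

Running the block shows the trade-off Graham describes: nothing in the archive was analyzed when it was written, yet the first login from the attacker's address is recovered four days before the transfer that triggered detection, and only three of the five archived days had to be decompressed to find it. In a real deployment the index would hold more than IPv4 addresses (user names, hashes, domains) and the per-day files would be written to cheap object storage, but the shape of "store now, index lightly, search later" is the same.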

Comments
macker490, User Rank: Ninja
1/29/2012 | 12:04:58 PM
re: Do You Need A Security Operations Center?
C'Mon DR -- get DISQUS!!
macker490, User Rank: Ninja
1/29/2012 | 12:08:13 PM
re: Do You Need A Security Operations Center?
Everyone needs a Security Policy: How am I going to secure my computers and demonstrate the effectiveness of my policy in a convincing manner? You MUST control software updates, and to demonstrate that your policy is effective you must perform a software inventory audit. Get after your OEM for this critical missing tool.
macker490, User Rank: Ninja
1/29/2012 | 12:11:24 PM
re: Do You Need A Security Operations Center?
There should be two types of computers: Commercial and Experimental. The experimental computer you can update; on the commercial one, updates are controlled by policy, the software is audited, and the computer has a Commercial Certification on its X.509 certificate. Customers should know the difference between these two types of computers and be allowed to make their own choice.