Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/22/2018
10:30 AM
Heather Hixon
Heather Hixon
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Understanding SOCs' 4 Top Deficiencies

In most cases, the areas that rankle SANS survey respondents the most about security operations centers can be addressed with the right mix of planning, policies, and procedures.

In this year's edition of its annual security operation center (SOC) survey, the SANS Institute identified the four most common SOC deficiencies. The root of these shortcomings can be traced to a familiar source: people, processes, and proper planning and implementation of technology. Here's a look at the worst four and what security teams can do about them.

1. Automation/Orchestration
Most SOCs lag in automation and orchestration because the SOC team doesn't know what processes should be automated. An organization's employees are its first line of defense. Start by interviewing SOC personnel to understand their responsibilities and identify repeatable processes, such as evidence gathering during an incident (IP/URL reputation, whois information, etc.) that are time consuming and easily automated.

Next, use risk and security assessments to identify assets and vulnerabilities and provide metrics to monitor security-monitoring performance. These data points will help expose repeatable processes that can be automated.

Lack of integration between security tools are also a roadblock to automation and orchestration. Since organizations layer security defenses to protect against multithreaded attacks, security teams often lack a clear understanding of their product architectures and how they can work in concert with each other.

Unfortunately, there is no easy fix to this problem. Some alternatives include performing proof of concept (POC) engagements and encouraging security vendors to "lean in" and gain a better understanding of the organization's environment. By doing so, SOCs can evaluate new products, identify any gaps, and correct them before deployment.

Finally, SOCs that fall short in terms of processes and playbooks typically have a low-maturity security program. For these organizations, working with a managed security service provider or managed detection and response service are good options.

2. Asset Discovery and Inventory
Asset inventory and management is hard. Even with automated tools in place, technology teams still have some heavy lifting to perform, especially in the initial up-front investment of time and energy. In a world of instant gratification, most organizations expect that if they invest in a tool, it should accelerate business processes. Unfortunately, due to the dynamic nature of IT environments and technology, SOC teams are too often required to roll up their sleeves.

Any asset management program requires planning and a full understanding of the environment. Without these crucial steps any tool will fail to meet expectations. Risk and security assessments against your environment are a good first step. The discovery phase of vulnerability assessments will produce a baseline that can be used as a jumping-off point. It's important to bear in mind there is no "one-size-fits-all" solution, therefore organizations should expect some pain and heartache when implementing an asset management solution. However, when deployed correctly, it will pay dividends in the long run.

3. Manual Event Correlation
This seems counterintuitive, but there's a good explanation. Deploying a SIEM is not as simple as turning it on and pointing log sources to it. Organizations must understand their log sources and the overall visibility they provide into the environment.

To achieve this visibility, a network audit is required. The findings will identify where network taps should be located, which devices consistently communicate with each other, and any gaps or obstacles that must be overcome. Obstacles such as web proxies masking a true source or short DHCP leases may prevent an investigator from locating a potential victim and limit an organization's SIEM from conducting the proper correlation between events. Understanding these gaps and the limitations of the SIEM can help SOCs better understand where manual correlation may still be necessary.

4. SOC/NOC Integration
This deficiency is a cultural problem. SOC teams have one agenda (detection and protection), while Network Operations Teams (NOCs) have another (maintaining uptime and availability). These two are often at odds with each other. Take, for example, the age-old conflict of least privilege. NOC teams want to have the keys to the castle and be able to move freely about the environment. SOC teams are focused on locking down the environment to better identify anomalies that may indicate malicious activity.

To complicate matters, both groups are usually under-resourced and overworked due to the lack of qualified candidates and the continuously mounting responsibilities associated with maintaining and securing a network. To bridge the gap, organizations can institute processes and procedures that outline rules of engagement between the SOC and NOC teams. These will provide both departments with clear guidelines for their interactions and how the partnership should function.

With proper planning and deployment, and with the right processes and procedures in place, overcoming these SOC deficiencies is within reach of most organizations. For those that lack the appropriate resources or security program maturity, a managed security service provider or managed detection and response service is a good alternative.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Heather Hixon is a senior solutions architect for security orchestration, automation and response vendor DFLabs. She has been a SOC team leader, SOC analyst and SIEM engineer with NTT Security, and served in IT management roles with several other organizations. Heather is ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
CVE-2020-16170
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.