Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/22/2018
10:30 AM
Heather Hixon
Heather Hixon
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Understanding SOCs' 4 Top Deficiencies

In most cases, the areas that rankle SANS survey respondents the most about security operations centers can be addressed with the right mix of planning, policies, and procedures.

In this year's edition of its annual security operation center (SOC) survey, the SANS Institute identified the four most common SOC deficiencies. The root of these shortcomings can be traced to a familiar source: people, processes, and proper planning and implementation of technology. Here's a look at the worst four and what security teams can do about them.

1. Automation/Orchestration
Most SOCs lag in automation and orchestration because the SOC team doesn't know what processes should be automated. An organization's employees are its first line of defense. Start by interviewing SOC personnel to understand their responsibilities and identify repeatable processes, such as evidence gathering during an incident (IP/URL reputation, whois information, etc.) that are time consuming and easily automated.

Next, use risk and security assessments to identify assets and vulnerabilities and provide metrics to monitor security-monitoring performance. These data points will help expose repeatable processes that can be automated.

Lack of integration between security tools are also a roadblock to automation and orchestration. Since organizations layer security defenses to protect against multithreaded attacks, security teams often lack a clear understanding of their product architectures and how they can work in concert with each other.

Unfortunately, there is no easy fix to this problem. Some alternatives include performing proof of concept (POC) engagements and encouraging security vendors to "lean in" and gain a better understanding of the organization's environment. By doing so, SOCs can evaluate new products, identify any gaps, and correct them before deployment.

Finally, SOCs that fall short in terms of processes and playbooks typically have a low-maturity security program. For these organizations, working with a managed security service provider or managed detection and response service are good options.

2. Asset Discovery and Inventory
Asset inventory and management is hard. Even with automated tools in place, technology teams still have some heavy lifting to perform, especially in the initial up-front investment of time and energy. In a world of instant gratification, most organizations expect that if they invest in a tool, it should accelerate business processes. Unfortunately, due to the dynamic nature of IT environments and technology, SOC teams are too often required to roll up their sleeves.

Any asset management program requires planning and a full understanding of the environment. Without these crucial steps any tool will fail to meet expectations. Risk and security assessments against your environment are a good first step. The discovery phase of vulnerability assessments will produce a baseline that can be used as a jumping-off point. It's important to bear in mind there is no "one-size-fits-all" solution, therefore organizations should expect some pain and heartache when implementing an asset management solution. However, when deployed correctly, it will pay dividends in the long run.

3. Manual Event Correlation
This seems counterintuitive, but there's a good explanation. Deploying a SIEM is not as simple as turning it on and pointing log sources to it. Organizations must understand their log sources and the overall visibility they provide into the environment.

To achieve this visibility, a network audit is required. The findings will identify where network taps should be located, which devices consistently communicate with each other, and any gaps or obstacles that must be overcome. Obstacles such as web proxies masking a true source or short DHCP leases may prevent an investigator from locating a potential victim and limit an organization's SIEM from conducting the proper correlation between events. Understanding these gaps and the limitations of the SIEM can help SOCs better understand where manual correlation may still be necessary.

4. SOC/NOC Integration
This deficiency is a cultural problem. SOC teams have one agenda (detection and protection), while Network Operations Teams (NOCs) have another (maintaining uptime and availability). These two are often at odds with each other. Take, for example, the age-old conflict of least privilege. NOC teams want to have the keys to the castle and be able to move freely about the environment. SOC teams are focused on locking down the environment to better identify anomalies that may indicate malicious activity.

To complicate matters, both groups are usually under-resourced and overworked due to the lack of qualified candidates and the continuously mounting responsibilities associated with maintaining and securing a network. To bridge the gap, organizations can institute processes and procedures that outline rules of engagement between the SOC and NOC teams. These will provide both departments with clear guidelines for their interactions and how the partnership should function.

With proper planning and deployment, and with the right processes and procedures in place, overcoming these SOC deficiencies is within reach of most organizations. For those that lack the appropriate resources or security program maturity, a managed security service provider or managed detection and response service is a good alternative.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Heather Hixon is a senior solutions architect for security orchestration, automation and response vendor DFLabs. She has been a SOC team leader, SOC analyst and SIEM engineer with NTT Security, and served in IT management roles with several other organizations. Heather is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5230
PUBLISHED: 2019-11-13
P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability. The system does not perform...
CVE-2019-5231
PUBLISHED: 2019-11-13
P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
CVE-2019-5233
PUBLISHED: 2019-11-13
Huawei smartphones with versions earlier than Taurus-AL00B 10.0.0.41(SP2C00E41R3P2) have an improper authentication vulnerability. Successful exploitation may cause the attacker to access specific components.
CVE-2019-5246
PUBLISHED: 2019-11-13
Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability. The system does not verify certain par...
CVE-2010-4177
PUBLISHED: 2019-11-12
mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.