Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

10/22/2018
10:30 AM
Heather Hixon
Heather Hixon
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Understanding SOCs' 4 Top Deficiencies

In most cases, the areas that rankle SANS survey respondents the most about security operations centers can be addressed with the right mix of planning, policies, and procedures.

In this year's edition of its annual security operation center (SOC) survey, the SANS Institute identified the four most common SOC deficiencies. The root of these shortcomings can be traced to a familiar source: people, processes, and proper planning and implementation of technology. Here's a look at the worst four and what security teams can do about them.

1. Automation/Orchestration
Most SOCs lag in automation and orchestration because the SOC team doesn't know what processes should be automated. An organization's employees are its first line of defense. Start by interviewing SOC personnel to understand their responsibilities and identify repeatable processes, such as evidence gathering during an incident (IP/URL reputation, whois information, etc.) that are time consuming and easily automated.

Next, use risk and security assessments to identify assets and vulnerabilities and provide metrics to monitor security-monitoring performance. These data points will help expose repeatable processes that can be automated.

Lack of integration between security tools are also a roadblock to automation and orchestration. Since organizations layer security defenses to protect against multithreaded attacks, security teams often lack a clear understanding of their product architectures and how they can work in concert with each other.

Unfortunately, there is no easy fix to this problem. Some alternatives include performing proof of concept (POC) engagements and encouraging security vendors to "lean in" and gain a better understanding of the organization's environment. By doing so, SOCs can evaluate new products, identify any gaps, and correct them before deployment.

Finally, SOCs that fall short in terms of processes and playbooks typically have a low-maturity security program. For these organizations, working with a managed security service provider or managed detection and response service are good options.

2. Asset Discovery and Inventory
Asset inventory and management is hard. Even with automated tools in place, technology teams still have some heavy lifting to perform, especially in the initial up-front investment of time and energy. In a world of instant gratification, most organizations expect that if they invest in a tool, it should accelerate business processes. Unfortunately, due to the dynamic nature of IT environments and technology, SOC teams are too often required to roll up their sleeves.

Any asset management program requires planning and a full understanding of the environment. Without these crucial steps any tool will fail to meet expectations. Risk and security assessments against your environment are a good first step. The discovery phase of vulnerability assessments will produce a baseline that can be used as a jumping-off point. It's important to bear in mind there is no "one-size-fits-all" solution, therefore organizations should expect some pain and heartache when implementing an asset management solution. However, when deployed correctly, it will pay dividends in the long run.

3. Manual Event Correlation
This seems counterintuitive, but there's a good explanation. Deploying a SIEM is not as simple as turning it on and pointing log sources to it. Organizations must understand their log sources and the overall visibility they provide into the environment.

To achieve this visibility, a network audit is required. The findings will identify where network taps should be located, which devices consistently communicate with each other, and any gaps or obstacles that must be overcome. Obstacles such as web proxies masking a true source or short DHCP leases may prevent an investigator from locating a potential victim and limit an organization's SIEM from conducting the proper correlation between events. Understanding these gaps and the limitations of the SIEM can help SOCs better understand where manual correlation may still be necessary.

4. SOC/NOC Integration
This deficiency is a cultural problem. SOC teams have one agenda (detection and protection), while Network Operations Teams (NOCs) have another (maintaining uptime and availability). These two are often at odds with each other. Take, for example, the age-old conflict of least privilege. NOC teams want to have the keys to the castle and be able to move freely about the environment. SOC teams are focused on locking down the environment to better identify anomalies that may indicate malicious activity.

To complicate matters, both groups are usually under-resourced and overworked due to the lack of qualified candidates and the continuously mounting responsibilities associated with maintaining and securing a network. To bridge the gap, organizations can institute processes and procedures that outline rules of engagement between the SOC and NOC teams. These will provide both departments with clear guidelines for their interactions and how the partnership should function.

With proper planning and deployment, and with the right processes and procedures in place, overcoming these SOC deficiencies is within reach of most organizations. For those that lack the appropriate resources or security program maturity, a managed security service provider or managed detection and response service is a good alternative.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Heather Hixon is a senior solutions architect for security orchestration, automation and response vendor DFLabs. She has been a SOC team leader, SOC analyst and SIEM engineer with NTT Security, and served in IT management roles with several other organizations. Heather is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.