Endpoint

10/22/2018
10:30 AM
Heather Hixon
Heather Hixon
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Understanding SOCs' 4 Top Deficiencies

In most cases, the areas that rankle SANS survey respondents the most about security operations centers can be addressed with the right mix of planning, policies, and procedures.

In this year's edition of its annual security operation center (SOC) survey, the SANS Institute identified the four most common SOC deficiencies. The root of these shortcomings can be traced to a familiar source: people, processes, and proper planning and implementation of technology. Here's a look at the worst four and what security teams can do about them.

1. Automation/Orchestration
Most SOCs lag in automation and orchestration because the SOC team doesn't know what processes should be automated. An organization's employees are its first line of defense. Start by interviewing SOC personnel to understand their responsibilities and identify repeatable processes, such as evidence gathering during an incident (IP/URL reputation, whois information, etc.) that are time consuming and easily automated.

Next, use risk and security assessments to identify assets and vulnerabilities and provide metrics to monitor security-monitoring performance. These data points will help expose repeatable processes that can be automated.

Lack of integration between security tools are also a roadblock to automation and orchestration. Since organizations layer security defenses to protect against multithreaded attacks, security teams often lack a clear understanding of their product architectures and how they can work in concert with each other.

Unfortunately, there is no easy fix to this problem. Some alternatives include performing proof of concept (POC) engagements and encouraging security vendors to "lean in" and gain a better understanding of the organization's environment. By doing so, SOCs can evaluate new products, identify any gaps, and correct them before deployment.

Finally, SOCs that fall short in terms of processes and playbooks typically have a low-maturity security program. For these organizations, working with a managed security service provider or managed detection and response service are good options.

2. Asset Discovery and Inventory
Asset inventory and management is hard. Even with automated tools in place, technology teams still have some heavy lifting to perform, especially in the initial up-front investment of time and energy. In a world of instant gratification, most organizations expect that if they invest in a tool, it should accelerate business processes. Unfortunately, due to the dynamic nature of IT environments and technology, SOC teams are too often required to roll up their sleeves.

Any asset management program requires planning and a full understanding of the environment. Without these crucial steps any tool will fail to meet expectations. Risk and security assessments against your environment are a good first step. The discovery phase of vulnerability assessments will produce a baseline that can be used as a jumping-off point. It's important to bear in mind there is no "one-size-fits-all" solution, therefore organizations should expect some pain and heartache when implementing an asset management solution. However, when deployed correctly, it will pay dividends in the long run.

3. Manual Event Correlation
This seems counterintuitive, but there's a good explanation. Deploying a SIEM is not as simple as turning it on and pointing log sources to it. Organizations must understand their log sources and the overall visibility they provide into the environment.

To achieve this visibility, a network audit is required. The findings will identify where network taps should be located, which devices consistently communicate with each other, and any gaps or obstacles that must be overcome. Obstacles such as web proxies masking a true source or short DHCP leases may prevent an investigator from locating a potential victim and limit an organization's SIEM from conducting the proper correlation between events. Understanding these gaps and the limitations of the SIEM can help SOCs better understand where manual correlation may still be necessary.

4. SOC/NOC Integration
This deficiency is a cultural problem. SOC teams have one agenda (detection and protection), while Network Operations Teams (NOCs) have another (maintaining uptime and availability). These two are often at odds with each other. Take, for example, the age-old conflict of least privilege. NOC teams want to have the keys to the castle and be able to move freely about the environment. SOC teams are focused on locking down the environment to better identify anomalies that may indicate malicious activity.

To complicate matters, both groups are usually under-resourced and overworked due to the lack of qualified candidates and the continuously mounting responsibilities associated with maintaining and securing a network. To bridge the gap, organizations can institute processes and procedures that outline rules of engagement between the SOC and NOC teams. These will provide both departments with clear guidelines for their interactions and how the partnership should function.

With proper planning and deployment, and with the right processes and procedures in place, overcoming these SOC deficiencies is within reach of most organizations. For those that lack the appropriate resources or security program maturity, a managed security service provider or managed detection and response service is a good alternative.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Heather Hixon is a senior solutions architect for security orchestration, automation and response vendor DFLabs. She has been a SOC team leader, SOC analyst and SIEM engineer with NTT Security, and served in IT management roles with several other organizations. Heather is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...