Endpoint

10/22/2018
10:30 AM
Heather Hixon
Heather Hixon
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Understanding SOCs' 4 Top Deficiencies

In most cases, the areas that rankle SANS survey respondents the most about security operations centers can be addressed with the right mix of planning, policies, and procedures.

In this year's edition of its annual security operation center (SOC) survey, the SANS Institute identified the four most common SOC deficiencies. The root of these shortcomings can be traced to a familiar source: people, processes, and proper planning and implementation of technology. Here's a look at the worst four and what security teams can do about them.

1. Automation/Orchestration
Most SOCs lag in automation and orchestration because the SOC team doesn't know what processes should be automated. An organization's employees are its first line of defense. Start by interviewing SOC personnel to understand their responsibilities and identify repeatable processes, such as evidence gathering during an incident (IP/URL reputation, whois information, etc.) that are time consuming and easily automated.

Next, use risk and security assessments to identify assets and vulnerabilities and provide metrics to monitor security-monitoring performance. These data points will help expose repeatable processes that can be automated.

Lack of integration between security tools are also a roadblock to automation and orchestration. Since organizations layer security defenses to protect against multithreaded attacks, security teams often lack a clear understanding of their product architectures and how they can work in concert with each other.

Unfortunately, there is no easy fix to this problem. Some alternatives include performing proof of concept (POC) engagements and encouraging security vendors to "lean in" and gain a better understanding of the organization's environment. By doing so, SOCs can evaluate new products, identify any gaps, and correct them before deployment.

Finally, SOCs that fall short in terms of processes and playbooks typically have a low-maturity security program. For these organizations, working with a managed security service provider or managed detection and response service are good options.

2. Asset Discovery and Inventory
Asset inventory and management is hard. Even with automated tools in place, technology teams still have some heavy lifting to perform, especially in the initial up-front investment of time and energy. In a world of instant gratification, most organizations expect that if they invest in a tool, it should accelerate business processes. Unfortunately, due to the dynamic nature of IT environments and technology, SOC teams are too often required to roll up their sleeves.

Any asset management program requires planning and a full understanding of the environment. Without these crucial steps any tool will fail to meet expectations. Risk and security assessments against your environment are a good first step. The discovery phase of vulnerability assessments will produce a baseline that can be used as a jumping-off point. It's important to bear in mind there is no "one-size-fits-all" solution, therefore organizations should expect some pain and heartache when implementing an asset management solution. However, when deployed correctly, it will pay dividends in the long run.

3. Manual Event Correlation
This seems counterintuitive, but there's a good explanation. Deploying a SIEM is not as simple as turning it on and pointing log sources to it. Organizations must understand their log sources and the overall visibility they provide into the environment.

To achieve this visibility, a network audit is required. The findings will identify where network taps should be located, which devices consistently communicate with each other, and any gaps or obstacles that must be overcome. Obstacles such as web proxies masking a true source or short DHCP leases may prevent an investigator from locating a potential victim and limit an organization's SIEM from conducting the proper correlation between events. Understanding these gaps and the limitations of the SIEM can help SOCs better understand where manual correlation may still be necessary.

4. SOC/NOC Integration
This deficiency is a cultural problem. SOC teams have one agenda (detection and protection), while Network Operations Teams (NOCs) have another (maintaining uptime and availability). These two are often at odds with each other. Take, for example, the age-old conflict of least privilege. NOC teams want to have the keys to the castle and be able to move freely about the environment. SOC teams are focused on locking down the environment to better identify anomalies that may indicate malicious activity.

To complicate matters, both groups are usually under-resourced and overworked due to the lack of qualified candidates and the continuously mounting responsibilities associated with maintaining and securing a network. To bridge the gap, organizations can institute processes and procedures that outline rules of engagement between the SOC and NOC teams. These will provide both departments with clear guidelines for their interactions and how the partnership should function.

With proper planning and deployment, and with the right processes and procedures in place, overcoming these SOC deficiencies is within reach of most organizations. For those that lack the appropriate resources or security program maturity, a managed security service provider or managed detection and response service is a good alternative.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Heather Hixon is a senior solutions architect for security orchestration, automation and response vendor DFLabs. She has been a SOC team leader, SOC analyst and SIEM engineer with NTT Security, and served in IT management roles with several other organizations. Heather is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.