Comments
Newest First | Oldest First | Threaded View
Re: Centralized planning &decentralized execution
Great commentary. At FireHost, we subscribe to the OODA Targeting process (Obeserve, Orient, Decide, Act). Think of these as swim lane processes that are constantly in motion on a perpetual basis. We have twice daily OODA huddles where our Incident Management team goes over tactical infomation exchange to ensure synchronizaiton between the Incident managment team, Security Device managment and the Vulnerability Threat Management team. Then our weekly OODA Targeting meeting is what I would describe more of a "week in reveiw" and gets into the first stages of problem management if you follow the ITILv3 process. Our Audit and compliance team manages our GRC process that our weekly OODA meetings feed problems to the risk register for more complex problem resoultation. In other words, the secruity issue which require more than the folks that work for me to solve.
Re: Centralized planning &decentralized execution
@Jeff.schilling,... THANK YOU FOR YOUR SERVICE. I'M also U.S. Army, retired... although my day-to-day was not information security or even technology, I got into this after I retired. What you described as a centralized plan development and decentralized execution is at a high level exactly how I was expected to do my job. Sure, the strategic thinking\planning is always done at a higher level, but if I'm the guy on the ground, you have to give me the leeway to make decisions based on what I see locally, not how you see in from the comfort of your "Press Box" (I like that). Also, I find "the military mind" is a perfectthing for InfoSec, we've already been conditioned not to trust anyone :-).
One thing I think people should know and understand about a SOC, it's first role is totally reactionary for the purpose or monitoring, unless it's been designed with some kind of offensive capability. And the response to any emergency is only as good as the preparations, operational policy and procedure... standards, guidelines and how well these defences were prepared and maintained. And the folks of the SOC need to understand those same things because it will give them a better view of the big picture if they know for instance what exactly is being fed into the SIEM or when\what was the last FW rules change and does that CVE just released contain anything that can be used to exploit any critical or user systems.
One question, I just finished a SIEM integration, we cannot afford a SOC, but I'm trying to build a "poor man's SOC", if you will. I want to plug our IR-Teams into the SIEM, get them training on that so they can have that situational awareness on a day-to-day. What else would you recommend?
Thanks again!
One thing I think people should know and understand about a SOC, it's first role is totally reactionary for the purpose or monitoring, unless it's been designed with some kind of offensive capability. And the response to any emergency is only as good as the preparations, operational policy and procedure... standards, guidelines and how well these defences were prepared and maintained. And the folks of the SOC need to understand those same things because it will give them a better view of the big picture if they know for instance what exactly is being fed into the SIEM or when\what was the last FW rules change and does that CVE just released contain anything that can be used to exploit any critical or user systems.
One question, I just finished a SIEM integration, we cannot afford a SOC, but I'm trying to build a "poor man's SOC", if you will. I want to plug our IR-Teams into the SIEM, get them training on that so they can have that situational awareness on a day-to-day. What else would you recommend?
Thanks again!
Re: Centralized planning &decentralized execution
Great article Jeff!
As a retired military member, I can relate to all you provided.
My management of regional or field level security teams has always started with communications effort. LOTS of communications effort.
I have established an ops-tempo for security services around a morning "stand-up" conference call with all of the security team leads. During this meeting, we discuss the following items:
The meeting is limited to 30 min. Anything I think is too complex to resolved quickly is promptly offboarded to separate discussions/communications after the meeting. The general idea is to establish a constant presence with those people who are in distant locations, even for a few moments.
The real benefits of this daily stand-up are
Some would say that an every day meeting is too much.
I say it is not enough. Too often I have seen things that could have been quickly resolved if they were bought to the fore as soon as they were identified. The old addage "that will have to wait until our next meeting" has lesser associated risk.
The perception of the entire team by our customers is "efficient and effective" service. That will always be a goal.
As a retired military member, I can relate to all you provided.
My management of regional or field level security teams has always started with communications effort. LOTS of communications effort.
I have established an ops-tempo for security services around a morning "stand-up" conference call with all of the security team leads. During this meeting, we discuss the following items:
- Status of operations including any personnel shortages
- Current issues and alerts
- Operational hurdles that need my interaction/intervention
- Quick lessons learned
- Project/tasker statuses
The meeting is limited to 30 min. Anything I think is too complex to resolved quickly is promptly offboarded to separate discussions/communications after the meeting. The general idea is to establish a constant presence with those people who are in distant locations, even for a few moments.
The real benefits of this daily stand-up are
- Dramatically improved situational awareness of security and operations status.
There are times that I know about things going on that other executives are not even in tune with. - Established esprit-de-corps and cross-domain team mindset among all members of the security teams.
- Stronger establishment of policy and standards practices among all teams.
- Ramped up knowledge sharing and synergistic activity among all security team members.
- Biggest win: a demonstrated effort to let other security teams know that I/we are there to help sort thought tough challenges. Every day, team leads have a chance to bring concerns to the table and I/we always make an effort to give prompt response.
- Very few timeline "misses". We still have timeline pushes, but we usually identify those situations early enough to manage them.
Some would say that an every day meeting is too much.
I say it is not enough. Too often I have seen things that could have been quickly resolved if they were bought to the fore as soon as they were identified. The old addage "that will have to wait until our next meeting" has lesser associated risk.
The perception of the entire team by our customers is "efficient and effective" service. That will always be a goal.
Re: Centralized planning &decentralized execution
Marilyn, thank you for your question. The connectivity between a Global SOC and regional SOC is a tough problem, but not insurmountable with a good network engineer and a platform integration team who understands how the information flow needs to happen between the organizations. Believe or not, the bigger challenge is establishing governance and business processes that dictate how you manage this construct. That is an article in and of itself. It really comes down to building a common set of security values across the global organization, grounded in policy, procedures and standards. Once you get that in place, making the electrons flow is less of a problem.
Centralized planning &decentralized execution
Jeff, Great insights. But I wonder what kind of communication exists between the central and regional teams. Can you elaborate?
White Papers
Video
1 Comments
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Well, if you hadn't made us skip the Lockpicking Village at DEF CON this year, MAYBE this wouldn't be an issue!"
Latest Comment: "Well, if you hadn't made us skip the Lockpicking Village at DEF CON this year, MAYBE this wouldn't be an issue!"
Current Issue
Building and Managing an IT Security Operations ProgramAs cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
How Enterprises Are Developing Secure Applications
IT security and application development are disparate processes that are increasingly coming together. Here's a look at how that's happening.
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database CVE-2019-7068
PUBLISHED: 2019-05-24
PUBLISHED: 2019-05-24
PUBLISHED: 2019-05-24
PUBLISHED: 2019-05-24
PUBLISHED: 2019-05-24
From DHS/US-CERT's National Vulnerability Database CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
- Terms of Service
- Privacy Statement
- Legal Entities
- Copyright © 2019 UBM, All rights reserved
Tweet This
User Rank: Author
12/22/2014 | 3:26:07 PM
To answer your question, I think I am on the same track as you with my SOC, though I don't see it as a "poor man's" SOC. I think you have and brilliant idea. Most SOCs have Security Analysts with basic security experience and skills that track incident handling. I am filling my SOC positions with people with an Incident Response background, who understand how to do host level and network forensics. I am in a unique position in that my SOC protects our cloud environment. Our SOC analysts routinely work with customers to examine their servers they host with us as we discover indicators of compromise. For me these IR skills are required for my SOC Incident Management team.
As I mentioned in a previous response, recommend you set up an operational process that allows you to daily review the tactical information you receive from your security operations and controls. We use the OODA targeting process (Observer, Orient, Decide Act). We do both Daily and weekly OODA huddles and targeting meetings to ensure we are actioning anything we learn through Threat intelligence or discover/detect through security operations.