Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

3/13/2017
10:30 AM
Chris Crowley
Chris Crowley
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

What Your SecOps Team Can (and Should) Do

If your organization has all of these pieces in place, congratulations!

The security operations (SecOps) function takes many forms. For some organizations, it is simply a incident and event management device. Others have a more elaborate concept of their SecOps strategies and technologies. But most companies I've worked with, both small and global, lack adequate clarity for SecOps objectives.

SecOps manifests in many ways, but it's likely to be administered via a cybersecurity operations center (CSOC or SOC) of some sort. For those companies that do have a clear picture of what they should be doing, execution of that vision in the immediate term and on an ongoing basis will be the next challenge. This brief description is intended to provide a picture of what fully operational security operations can do. Designing, building, and operating with ongoing optimization of performance and maturity is the program I develop fully in my SANS management course. If your organization has these functional capabilities; technology, people, and processes in place to accomplish these objectives; and an ongoing dialogue with the business for maturity: congratulations! You and your team are among the global elite.

Security Operations
My definition of security operations is the ongoing protection of information assets of an organization. This covers the people, systems, and data entrusted to the organization. SecOps is a support function to the business operations and it should be fully integrated with those operations. To that end, I use several functional areas to explain what complete security operations entails.

Functions
The groups below are functional areas. Some companies will combine these groups, some will have distinct organizational units. But the functional capability is what is important.

  • The steering committee is a group designed to help the business provide strategic vision. This strategy is what the SOC should do to best defend the business's information assets. Via the steering committee, the SOC conveys to the business what it has done to protect the business and what it intends to do going forward. This is designed to establish and maintain ongoing, bidirectional communication between the SOC and the business. Without a formal mechanism for this alignment, there will be wasted effort.
  • The command center is the directive and interactive facility of the SOC. It is how the business can request assistance from SecOps. It serves as the way to announce information to the business for situational awareness during incidents and ongoing training.
  • Network security monitoring is the practice of inspecting available internal data for abnormal circumstances. This should include routine alert-based detection as well as long-tail analysis and hunting for novel threat events.
  • Threat intelligence is the study of adversary operations to devise detective and responsive actions for the organization. Because the organization has limited resources to deploy defense, understanding the techniques that adversaries use allows for effective defenses to be deployed to detect, disrupt, and deceive the attacker.
  • Incident response is the organization's reactive capability to deal with unwanted situations. In this functional grouping, the detection of the situation is typically performed by the network security monitoring team while the reactive attempts to contain damage from the attack and remove the attacker completely are the purview of the incident response team.
  • Forensics is the specialized capability to assess information assets for details surrounding investigations and response activity. The complex array of technology used by an organization warrants specialization in this area.
  • Self-assessment is the ongoing assessment of the state of systems and people within the organization. This includes change management and detection; configuration management; vulnerability assessments; penetration testing; and setting up a "red team" to promote effectiveness. These are frequently considered security tasks. But incorporating these tasks into SecOps becomes an effective way to facilitate detection and advise the operational capabilities on the status of the environment. For example, if the vulnerability scan team works with threat intelligence, rapid detection via network security monitoring can be accomplished when new threats or vulnerabilities are discovered. Coordination among these groups in mature SecOps often leads to the discovery of previously unknown threats and vulnerabilities.

People, Technology, and Processes
The tangible components of the functional areas include people performing processes with technology. Many vendor sales teams will tell you to make the technology the centerpiece of your design and build your process around it. Business alignment, then process development, then role definition, and then technology selection is the optimal sequence for building security operations. Even if there's already an existing SecOps organization, redesigning it should follow this sequence.

The details of the interactions between the functional areas, and how each area performs its work must be coordinated to feed input from one process into the next. Without this overall vision and tactical coordination, the security operations will fail to perform optimally and can't hope to mature uniformly across all functional areas.

Here is a graphic image of the processes performed by each (and a more complete visual approach to this material can be downloaded from SANS):

Image Source: Chris Crowley
Image Source: Chris Crowley


A SecOps team is most effective when it is closely aligned with the business and has a clear understanding of what capabilities are needed and how these functions interact with one another. The necessary functions are business alignment (the steering committee), communication (the command center), monitoring (network security monitoring), detailed analysis of threats (threat intelligence), response capability (incident response), detailed analysis of artifacts (forensics), and ongoing assessment and improvement of the security posture of the organization (self-assessment).

Related Content:

Chris Crowley is as an independent consultant at Montance, LLC, focusing on effective computer network defense. His work experience includes penetration testing, security operations, incident response, and forensic analysis. He is the course author for "SANS Management 517 - ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
TPM-Fail: What It Means & What to Do About It
Ari Singer, CTO at TrustPhi,  11/19/2019
Americans Fed Up with Lack of Data Privacy
Robert Lemos, Contributing Writer,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19227
PUBLISHED: 2019-11-22
In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.
CVE-2019-10203
PUBLISHED: 2019-11-22
PowerDNS Authoritative daemon , all versions pdns 4.1.x before pdns 4.1.10, exiting when encountering a serial between 2^31 and 2^32-1 while trying to notify a slave leads to DoS.
CVE-2019-10206
PUBLISHED: 2019-11-22
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.
CVE-2018-10854
PUBLISHED: 2019-11-22
cloudforms version, cloudforms 5.8 and cloudforms 5.9, is vulnerable to a cross-site-scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature. A stored cross-site scripting due to improper sanitization of user input in Name field.
CVE-2019-13157
PUBLISHED: 2019-11-22
nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrite arbitary files via directory traversal sequences in a filename within nsz archive.