The security operations (SecOps) function takes many forms. For some organizations, it is simply a incident and event management device. Others have a more elaborate concept of their SecOps strategies and technologies. But most companies I've worked with, both small and global, lack adequate clarity for SecOps objectives.
SecOps manifests in many ways, but it's likely to be administered via a cybersecurity operations center (CSOC or SOC) of some sort. For those companies that do have a clear picture of what they should be doing, execution of that vision in the immediate term and on an ongoing basis will be the next challenge. This brief description is intended to provide a picture of what fully operational security operations can do. Designing, building, and operating with ongoing optimization of performance and maturity is the program I develop fully in my SANS management course. If your organization has these functional capabilities; technology, people, and processes in place to accomplish these objectives; and an ongoing dialogue with the business for maturity: congratulations! You and your team are among the global elite.
My definition of security operations is the ongoing protection of information assets of an organization. This covers the people, systems, and data entrusted to the organization. SecOps is a support function to the business operations and it should be fully integrated with those operations. To that end, I use several functional areas to explain what complete security operations entails.
The groups below are functional areas. Some companies will combine these groups, some will have distinct organizational units. But the functional capability is what is important.
- The steering committee is a group designed to help the business provide strategic vision. This strategy is what the SOC should do to best defend the business's information assets. Via the steering committee, the SOC conveys to the business what it has done to protect the business and what it intends to do going forward. This is designed to establish and maintain ongoing, bidirectional communication between the SOC and the business. Without a formal mechanism for this alignment, there will be wasted effort.
- The command center is the directive and interactive facility of the SOC. It is how the business can request assistance from SecOps. It serves as the way to announce information to the business for situational awareness during incidents and ongoing training.
- Network security monitoring is the practice of inspecting available internal data for abnormal circumstances. This should include routine alert-based detection as well as long-tail analysis and hunting for novel threat events.
- Threat intelligence is the study of adversary operations to devise detective and responsive actions for the organization. Because the organization has limited resources to deploy defense, understanding the techniques that adversaries use allows for effective defenses to be deployed to detect, disrupt, and deceive the attacker.
- Incident response is the organization's reactive capability to deal with unwanted situations. In this functional grouping, the detection of the situation is typically performed by the network security monitoring team while the reactive attempts to contain damage from the attack and remove the attacker completely are the purview of the incident response team.
- Forensics is the specialized capability to assess information assets for details surrounding investigations and response activity. The complex array of technology used by an organization warrants specialization in this area.
- Self-assessment is the ongoing assessment of the state of systems and people within the organization. This includes change management and detection; configuration management; vulnerability assessments; penetration testing; and setting up a "red team" to promote effectiveness. These are frequently considered security tasks. But incorporating these tasks into SecOps becomes an effective way to facilitate detection and advise the operational capabilities on the status of the environment. For example, if the vulnerability scan team works with threat intelligence, rapid detection via network security monitoring can be accomplished when new threats or vulnerabilities are discovered. Coordination among these groups in mature SecOps often leads to the discovery of previously unknown threats and vulnerabilities.
People, Technology, and Processes
The tangible components of the functional areas include people performing processes with technology. Many vendor sales teams will tell you to make the technology the centerpiece of your design and build your process around it. Business alignment, then process development, then role definition, and then technology selection is the optimal sequence for building security operations. Even if there's already an existing SecOps organization, redesigning it should follow this sequence.
The details of the interactions between the functional areas, and how each area performs its work must be coordinated to feed input from one process into the next. Without this overall vision and tactical coordination, the security operations will fail to perform optimally and can't hope to mature uniformly across all functional areas.
Here is a graphic image of the processes performed by each (and a more complete visual approach to this material can be downloaded from SANS):
A SecOps team is most effective when it is closely aligned with the business and has a clear understanding of what capabilities are needed and how these functions interact with one another. The necessary functions are business alignment (the steering committee), communication (the command center), monitoring (network security monitoring), detailed analysis of threats (threat intelligence), response capability (incident response), detailed analysis of artifacts (forensics), and ongoing assessment and improvement of the security posture of the organization (self-assessment).