When we talk to CTOs about their strategy for rolling out a security operations centre, there are 2 common responses:
- Self-deprecating laugh: We have issues running VPNs properly and still haven’t got to encrypting all endpoints. What SOC?!
- Sad and slightly angry frown: There is no way I would get enough money for the technology stack required to set up a proper SOC unless we had a serious incident. But then I would probably also lose my job, so I try to make do with what I have.
Both responses convey a deep-seated frustration with two things: complexity and cost. The latter can be especially confusing, since it may feel like you have to invest in ATD, EDR, WAF, UTM, EPO, CAS, WTF, NGFW, CARTA, SIEM, BDSM, SOAR, UEBA and many other acronyms.
But the reality, at least based on our experience with SOC projects, is vastly different. Because first and foremost:
You are setting up a security operations centre to be able to have a consolidated real-time insight into security-related incidents and to be able to react to them within minutes.
Not to stack as many acronyms on top of each other as possible. In fact, for clarity, we will ignore most of the aforementioned security products here and give you an overview of the 4 principal technologies required for a successful SOC. And a glance into the future you can work towards, once you have the basics done.
The brain of the operation – SIEM
Just like in the movies, the central part of the SOC is a panel that provides you with consolidated information on all security events. The technology marvel used for this is called SIEM (Security Information and Event Management). Just like our human brain, it is designed to gather signals and information from other parts of the system and form patterns and reactions.
This technology is roughly 20 years old and does exactly what the name implies – it helps you manage security events (by chewing through logs). Initially, it was prohibitively expensive and difficult: hardware able to handle millions of events cost a lot and very few vendors supplied it. There were also very few people with hands-on experience.
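To make “chewing through logs” concrete, here is an added example (not code from the original post or from any SIEM vendor) of the two things every SIEM does at its core: normalise log lines from different sources into one event schema, then run a correlation rule over the consolidated stream. The log lines, host names, addresses and the 10-minute/5-failure thresholds are constructed sample values; the rule flags a run of failed logins for one user from one source that ends in a successful login.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in two formats a SIEM might receive: a VPN
# concentrator with ISO timestamps and a Linux sshd in classic syslog style.
RAW_LOGS = [
    "2024-03-04T08:00:01Z vpn01 auth: FAILED user=alice src=203.0.113.7",
    "2024-03-04T08:00:09Z vpn01 auth: FAILED user=alice src=203.0.113.7",
    "2024-03-04T08:00:15Z vpn01 auth: FAILED user=alice src=203.0.113.7",
    "2024-03-04T08:00:22Z vpn01 auth: FAILED user=alice src=203.0.113.7",
    "2024-03-04T08:00:30Z vpn01 auth: FAILED user=alice src=203.0.113.7",
    "2024-03-04T08:01:02Z vpn01 auth: OK user=alice src=203.0.113.7",
    "Mar  4 08:05:11 web01 sshd[2201]: Failed password for bob from 198.51.100.5 port 40122 ssh2",
    "Mar  4 08:30:40 web01 sshd[2310]: Accepted password for bob from 198.51.100.5 port 40200 ssh2",
]

VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<outcome>FAILED|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)
SYSLOG_YEAR = 2024  # assumption: classic syslog omits the year, so we supply one


def normalize(line):
    """Map one raw log line onto a common event schema; None if unrecognised."""
    m = VPN_RE.match(line)
    if m:
        return {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "user": m["user"], "src": m["src"],
            "success": m["outcome"] == "OK",
        }
    m = SSHD_RE.match(line)
    if m:
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Mar  4"
        return {
            "ts": datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S"),
            "host": m["host"], "user": m["user"], "src": m["src"],
            "success": m["outcome"] == "Accepted",
        }
    return None


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Correlation rule: >= threshold failures for (user, src) inside the
    window, followed by a success for the same pair, raises one alert."""
    alerts = []
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        recent = failures[key]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if not ev["success"]:
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "bruteforce_then_success", "user": ev["user"],
                "src": ev["src"], "host": ev["host"],
                "failures": len(recent), "ts": ev["ts"],
            })
            recent.clear()
    return alerts


def run(lines=RAW_LOGS):
    """Normalise every line, drop what we cannot parse, run the rule."""
    events = [e for e in (normalize(ln) for ln in lines) if e]
    return events, detect_bruteforce(events)


if __name__ == "__main__":
    events, alerts = run()
    print(f"{len(events)} events normalised, {len(alerts)} alert(s)")
    for a in alerts:
        print(a)
```

Bob’s single failure followed 25 minutes later by a success stays below both the count and the time window, so only Alice’s sequence produces an alert. Commercial SIEMs do the same thing at scale, with hundreds of parsers in place of the two regexes here, which is exactly why the out-of-the-box connector library discussed below matters.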
Today, the situation is better and there are dozens of vendors offering SIEM or SIEM-like solutions: IBM QRadar, McAfee SIEM, Splunk and Microsoft Sentinel, to name but a few of the larger ones. Most of them have on-premise and cloud-based versions, ensuring that you can easily scale the solution as you go.
Here are 3 things to keep in mind when picking the right SIEM for your organization.
1. Out of the box connector library
For a SIEM to work with other security products, it needs access to their events and logs. To make the rollout as efficient as possible, make sure it can connect to your other systems out of the box. This will save significantly on integration costs.
2. Out of the box scenarios/playbooks
During your SOC proof of concept, have a close look at the quality of the available event analysis scenarios. The better they reflect your “typical” security incidents and processes, the better. This ensures that the adoption of the SOC will go more smoothly and with minimal resistance from colleagues.
3. Availability of qualified partner(s)
While implementing a SIEM solution has become much easier, it’s still not exactly a walk in the park. Having a qualified partner (or several competing ones) with hands-on expertise in a particular product in your country is extremely important. Otherwise, you can easily end up in a situation where you need help, vendor customer support is as helpful as it can be (not very) and ordering “professional services” will cost tens of thousands.
Also, we advise customers to try several vendors before proceeding. While SIEM investment is no longer monstrously expensive, it is still a significant commitment of both money and time. Running 2-3 proof of concept projects in parallel could save you some grief down the line.
So, let’s assume that you have your SOC brain in place and working with your firewalls, endpoint protection, email and web gateways etc. The next step – make it even smarter!
Head in the clouds
Remember all those wonderful acronyms? Well, many of them fully or partially disregard the biggest security issue we have today: human behaviour. Or, to be more precise, the tendency of humans to ignore the basics of security, especially when it comes to the cloud.
It is now almost universally known that “cloud” environments are much more secure than what you have on-premise. With some exceptions, storing and processing your data in the “cloud” means using a secure data centre location, built by data-centre experts at a cost of millions of euros.
However, there is one potentially huge glaring hole in that otherwise solid cyber defence strategy: credentials. If a user’s account (login/password) is compromised or, even worse, one of their gadgets is stolen or hacked, then there is no end to the potential breaches. Essentially, you can view it as handing a cybercriminal the keys to everything that particular user could access.
Besides the highly advised use of two-factor authentication (2FA) for nearly everything, it is worth supporting your SOC with a CASB tool. CASB stands for Cloud Access Security Broker and is extremely helpful for both monitoring and remediation.
In short, CASB solutions can enrich your SOC by providing:
- Insights into user access patterns per system
- Movement of data between clouds
- Adaptive access control
- Additional logs for analysis
- Additional compliance visibility
- Capability to cut off the entire account
There are more upsides to using CASB, but from your security operations perspective it’s the speed with which you can shut off access in case of a breach.
Zero trust policy and regular security sweeps
Another human-based issue which many security teams face is the fact that work from home and BYOD have blown up. The number of devices that get access to corporate networks and systems has gone through the roof. It is also common to see that users “get what they need to work” and security precautions are non-existent.
The same situation has also given a boost to shadow IT, where new systems and solutions are used by various teams while completely circumventing the security team’s radar. Those systems are then populated with data and often forgotten about, left unpatched and poorly configured.
From a security health perspective, besides user training, which we touch on in the following point, the only way to keep things resembling order is regular security scans. Also known as vulnerability scans, these simple non-invasive tools sweep your network for any known issues. Better solutions for this job come equipped with knowledge of thousands of “known” issues.
By running such a scan on a monthly (ideally weekly) basis, your team will be able to discover new and old vulnerabilities and address them accordingly. This data can then be correlated by your SOC’s brain, the SIEM, to give you even more insight into incidents and potential problems.
Fighting security A.D.D. with continuous learning
Last but not least, it’s worth considering connecting your SOC with a learning management solution equipped with a good security awareness module. These tools are designed to test and educate users on cybersecurity risks and practices, focused on particular topics, like phishing, ransomware, phone scams etc.
The way we normally set this up is by creating a logical link between incidents in the SIEM and the security awareness platform. For example, when a user has been the target of a phishing attack (successful or not), the SOC team sends this user an invitation to take phishing training.
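The two correlations described in this section and the previous one, scan findings enriching SIEM incidents and phishing incidents feeding the awareness platform, fit in one small example. This is added illustration, not code from the original post or from any SIEM or awareness product; the incident records, host names, finding names, CVSS scores and the “raise severity when a CVSS 7.0+ finding exists on the affected host” policy are all constructed assumptions.

```python
from copy import deepcopy

# Constructed SIEM incidents: what the SOC sees after the SIEM has done its
# correlation work (sample data, not exported from any real system).
INCIDENTS = [
    {"id": "INC-1", "category": "phishing", "user": "alice", "host": "ws-alice",
     "outcome": "clicked", "severity": 2},
    {"id": "INC-2", "category": "phishing", "user": "bob", "host": "ws-bob",
     "outcome": "reported", "severity": 1},
    {"id": "INC-3", "category": "malware", "user": "carol", "host": "srv-files",
     "outcome": "blocked", "severity": 3},
    {"id": "INC-4", "category": "phishing", "user": "alice", "host": "ws-alice",
     "outcome": "reported", "severity": 1},
]

# Constructed results of the last vulnerability scan, keyed by host name.
SCAN_FINDINGS = {
    "ws-alice": [{"plugin": "outdated-browser", "cvss": 7.5}],
    "srv-files": [{"plugin": "smb-signing-disabled", "cvss": 5.3},
                  {"plugin": "unsupported-os", "cvss": 9.8}],
}

MAX_SEVERITY = 4
HIGH_CVSS = 7.0  # assumed threshold for "known high-risk issue on this host"


def enrich_with_scan(incidents, findings):
    """Attach scan findings for the affected host to each incident and bump
    severity by one step when a high-risk finding is present."""
    enriched = []
    for inc in incidents:
        e = deepcopy(inc)
        host_findings = findings.get(e["host"], [])
        e["findings"] = [f["plugin"] for f in host_findings]
        e["max_cvss"] = max((f["cvss"] for f in host_findings), default=0.0)
        if e["max_cvss"] >= HIGH_CVSS:
            e["severity"] = min(e["severity"] + 1, MAX_SEVERITY)
        enriched.append(e)
    return enriched


def training_invitations(incidents):
    """One phishing-training invitation per user targeted by phishing,
    prioritised 'high' if that user ever fell for it."""
    per_user = {}
    for inc in incidents:
        if inc["category"] != "phishing":
            continue
        entry = per_user.setdefault(
            inc["user"], {"user": inc["user"], "module": "phishing",
                          "priority": "normal", "incidents": []}
        )
        entry["incidents"].append(inc["id"])
        if inc["outcome"] == "clicked":
            entry["priority"] = "high"
    return sorted(per_user.values(), key=lambda e: e["user"])


if __name__ == "__main__":
    for e in enrich_with_scan(INCIDENTS, SCAN_FINDINGS):
        print(e["id"], "severity", e["severity"], "findings", e["findings"])
    for inv in training_invitations(INCIDENTS):
        print(inv)
```

The enrichment step is what turns a monthly scan report into something the SOC can act on: the malware incident on the host with an unsupported OS is promoted to the top severity, while Bob’s workstation, with no findings, keeps its original rating. The invitation step deduplicates per user, so Alice, who appears in two phishing incidents, gets one high-priority invitation rather than two.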
There is, of course, a small organizational issue with this approach: some people will adamantly refuse to take the security training. Some because they are afraid to fail, others because they are certain that they will fail. But this can and should be solved by management support. After all, if the same person regularly becomes a cause for security concern, one day they might become the source of a major breach.
Security training and awareness tools are also useful meters for the general level of security awareness in the organization. By conducting regular general tests/surveys, your security team will be able to better anticipate potential problems and add new defence angles to your SOC.
What the SOC future holds
SOC 1.0 was incredibly manual and non-intuitive, relying almost fully on the eyes and minds of security analysts. SOC 2.0 is the current state of the world for most companies: incredibly detailed and customizable dashboards make it easier to see what’s what, and the aforementioned pre-configured connectors and playbooks make setting things up much less manual.
SOC 3.0, which we are slowly moving towards, is all about automation. While there are many nuances and options in the bright future with AI/ML, there are 2 very real technologies, which you should consider for your SOC once you have the basics done: SOAR and UEBA.
SOAR, which stands for Security Orchestration, Automation and Response, is a faster and smarter brain for your SOC. While at the moment we see it more as a complementary solution to SIEM, reducing response time to minutes or seconds, in the future it might take over SIEM functions altogether.
UEBA, which stands for User and Entity Behaviour Analytics, uses machine learning and deep learning to understand patterns in user and intruder behaviour. Meaning that while at the moment we have to tell the security systems what suspicious behaviour is, UEBA is capable of determining it on its own.
It will still take a few years before those two excellent technologies are more widely used, but we have already had a few cases and the customers were truly impressed.
I hope that you feel more confident about looking into setting up a proper Security Operations Centre for your organization. Contact us to get more personal insight and suggestions.