[BreachExchange] How to build a security operations centre that defeats hackers

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 13 18:20:38 EDT 2016


http://www.information-age.com/technology/security/123461597/how-build-security-operations-centre-defeats-hackers

Nine in ten large organisations reported suffering a breach in the 12
months preceding the Department for Business, Innovation & Skills' 2015
information security breaches survey. The cyber attacks that make national
headlines are just the tip of the iceberg, and the perpetrators are getting
ever more persistent and sophisticated.

Every organisation is at risk and every board knows that battening down the
virtual hatches is essential. CxOs are committed to investing in IT
security but quite rightly want to know that they will get value from this
investment. Adopting the right security operations centre (SOC) strategy is
key.

Not all SOCs are created equal. Here are six tips for organisations looking
to adopt or adapt a SOC strategy.

1. Decide which model is best

Start by weighing up the pros and cons of outsourcing your SOC to a managed
security service provider (MSSP), building it in-house, or adopting a
hybrid model.

A typical MSSP engagement lets an organisation outsource the establishment
and maintenance of specialist skill sets and processes it would struggle
to build and retain itself.

While this model can be cost-effective, the downsides are a lack of
organisational context and personalisation. Because an MSSP's SOC is built
on shared resources, it is designed to operate most effectively through
standardised interfaces that deliver economies of scale; those interfaces
rarely bend to one customer's environment.

Installing your own SOC avoids many of these problems, but represents a
major investment. And costs can increase rapidly.

The in-house team might also end up being consumed by compliance-based
tasks and other low-value work usually deemed appropriate for an
operations team, leaving little capacity for actual threat hunting.

A hybrid approach addresses many of the customisation and skill-set
challenges. It typically involves an MSSP supplying staff and providing
process and service management capabilities, with the actual SOC based on
the customer's premises and using its systems, or at least dedicated to
the customer if off-site.

2. Build a SOC that works for your business

Take time at the outset to ensure that the SOC interface is right for your
organisation. Work out and document your specific requirements carefully,
because integrating with a SOC that will not adapt its customer interfaces
or task-tracking approaches to meet your needs will result in a SOC that
lacks business commitment and engagement. Glossing over this step could
cost you dearly in the run phase.

3. Treat compliance as a subset of threat management

An organisation's information security policy or scheme, together with its
regulatory requirements, should clearly document the control objectives of
the organisation.

Compliance alone will not give the SOC the capabilities it needs to stop
threat agents, who will attempt to work around whatever general controls
you put in place.

A robust SOC will regularly assess threats to the organisation and adapt or
augment controls appropriately to ensure that it retains a relevant
capability as threats, and the parent organisation, evolve. Control
requirements should be fulfilled – but only as a subset of threat
management.

4. Ensure your sourcing model effectively addresses your requirements

Choosing a sourcing model involves consideration of different staffing and
location options. Each element of a SOC could potentially be sourced
separately, resulting in different costs and benefits.

For example, a service could be provided using permanent staff, contract
staff, service provider staff or a blend of all three. A service could be
located on your premises, the service provider’s premises, on-shore,
off-shore or near-shore – or a blend of all of these.

Each of these has consequences: what does this mean for your data; what
does this mean for the intellectual property the SOC establishes (your
detection tuning, rules and playbooks should be considered part of your
IP); and what does this mean for your long-term costs and service?

It is important to consider each of these individually and apply the test
of how it would survive a transition from one model to another, for
example whether your tuning and historical data would come with you if
you changed provider.

Whatever model is chosen, it should specifically address your problem and
not be hobbled by constraints in the sourcing approach.

5. Standardise on processes where possible

To a point, it is possible to fire-fight emerging threats using the latest
tools and a few cyber-security experts, but good process and service
management will always win out.

It is far better to create a sustainable service that will earn the respect
of the business and establish the SOC as a core part of the organisation’s
risk controls.

Focus initially on creating strong processes that embrace both agility and
consistency. Once these processes are standardised, more of the routine
activity can be automated, which ultimately frees your teams to manage
emerging threats in a more dependable and robust fashion.

6. Stay ahead of the enemy

As Andy Grove, former CEO of Intel, famously said, “There are only two
types of organisations: the quick and the dead.” A good SOC must be built
with people, processes and technologies that are flexible and can adapt
quickly to change.

Open technologies can help considerably. But more important than any
technology is having the right process and approach; this is what ensures
that the correct focus is in the correct place with the correct mission at
all times.

By taking this approach with your SOC, your firm will be able to stay one
step ahead of potential perpetrators.

The reality is that organisations today are in a constant state of
compromise and the deck is stacked against them.

By adopting a tailored strategy that balances technology, people and
process issues, organisations can ensure their SOC is fit for purpose and
maximise the value of their SOC staff and technology investments.