The six pillars of security operations

Six key points that should be considered when creating and developing a SOC

As mobilisation and bring-your-own-device (BYOD) becomes increasingly prevalent, business security has been propelled to the forefront of corporate strategy. The Security Operations Centre (SOC) is a key part of the enterprise security infrastructure – it enables an organisation to establish effective protection against security threats. There are six key points that should be considered when creating and developing a SOC that can effectively detect and counter any cyber threats in a timely manner.

1) Determine the correct policy.  

Security policy is the beating heart of an effective Security Operations Centre – it clearly defines the scope of protection and outlines the responsibilities of all relevant parties. The first step in designing a policy is to determine exactly what role you want the SOC to play. Will it simply observe, record and report on recurring attacks? Will it be actively involved in mitigating threats? Determining its role is crucial to ensuring your resources are not working against each other, but are instead working in harmony.

The second step is to agree on the scope of your SOC’s activities, such as whether it is restricted to the network only, or includes suspicious behaviour from user activity. An effective policy allows for the delegation of responsibility for certain actions within the SOC, maintaining close involvement among related parties who need to work together to accomplish a shared purpose.

2) Perform risk analysis

In a perfect world, there would be no risk and thus no need for security. But since the world is not perfect, risk is the main driver of security processes. A careful risk analysis can reveal critical issues – maybe issues you originally thought were insignificant, or perhaps vice versa. For example, attention may have previously been focused on your network monitoring, with anti-virus updates taking lesser precedence. This leaves your organisation more vulnerable due to anti-virus signatures not being updated.

A thorough risk analysis will enable you to pinpoint any threats and take corrective action. The results of the risk assessment should be used as the foundation of your security policy, with periodic reassessments. The SOC must meet the strategic needs of the business and it is usually appropriate to revise the risk analysis on an annual or biannual basis.

3) Define appropriate procedures

Procedures are vital – they will inform the actions you take in any security crisis. Implementing a clear set of procedures for your SOC will mean that all parties know, and understand, how to undertake their responsibilities properly in the event of an attack. If your current procedures need altering, if they do not meet best practice standards, changes should be agreed to by all parties involved.

It will also be valuable to provide instructions on how to best implement the procedure tools. Small but significant details about business operations should be stated clearly and used as reference in any incidents.

4) Focus on staffing

Staff are the life blood of any organisation, so your SOC staff are in a key position to prevent any threats disrupting your business. It is therefore essential to hire experienced staff such as incident responders, IDS analysts or knowledgeable forensics analysts with proper network experience. These people may not be easily found amongst job seekers and they may be expensive to hire, but the bottom line is – you get what you pay for. They are valuable resources who can search for a tiny detail in an ocean of data, and this ability makes them a good investment. It is too risky to have a security attack go unnoticed due to inexperienced staff.

5) Consider the organisational dynamics 

When you begin to implement your SOC, you need to define your organisational dynamics. There are three tiers you should consider, namely:

Tier 0: Core services where the security centre operational procedures run monitoring, prevention and mitigation of incoming attacks. Tier 0 is responsible for performing incident response, complete monitoring, and providing the patches and updates appropriate to the business needs of the organisation.

Tier 1: Internal customer base. This tier incorporates the other departments in your organisation which receive security protection. Protection and monitoring Tier 1 are daily duties.

Tier 2: External or business partners. When business is being conducted over the shared network, they are protected by your security operational procedures and monitored directly.

These three tiers require different levels of security. Tier 0 needs optimum protection and control over any incoming threats, while Tier 2 only needs minimum protection. Ideally, the critical assets in Tier 0 should be kept close to the core of the security operations centre.

6) Integrate the SOC in the organisation

It is necessary to integrate the SOC into your organisational information flow and activity. If there is any information that is valuable to the SOC, it needs to be passed on as every piece of information helps. Integration of information and effective communication strategies will enable the security operations manager to obtain information from within the organisation that may be relevant and applicable to detecting threats. Fully integrating the SOC into the organisation will enable a rapid response to any attacks.

These six pillars are vital to building a strong and effective security operations centre. By having a solid SOC, you can feel confident conducting daily business with minimal risk. In an increasingly online world, having the right defense in place is critical to business operational security.

Original Publication on CSO