Building a World Class Security Operations Center for any organization
By: Timothy McLaurin
Director of Security
Carson Zimmerman has worked out what has become close to gospel in my approach to the design and implementation of an effective Security Operations Center. He outlines 10 strategies organizations should take to implement a SOC that demonstrates maximum effectiveness and reflects the characteristics of a world class security operations center. The 10 strategies are:
Strategy 1: Consolidate Computer Network Defense Under One Organization
Strategy 2: Achieve Balance Between Size and Agility
Strategy 3: Give the Security Operations Center the Authority to Do Its Job
Strategy 4: Do a Few Things Well
Strategy 5: Favor Staff Quality over Quantity
Strategy 6: Maximize the Value of Technology Purchases
Strategy 7: Exercise Discrimination in the Data You Gather
Strategy 8: Protect the Security Operations Center Mission
Strategy 9: Be a Sophisticated Consumer and Producer of Cyber Threat Intelligence
Strategy 10: Stop. Think. Respond . . . Calmly
If there is any theme to my aphorisms it's that organizational goals should be plainly defined and understood before any technology purchases or acquisition of many staff members/contractors. Zimmerman outlines 5 strategies before mentioning the technologies used in a SOC. He makes it clear that the organization must first have bought in and defined a clear mission in order to be successful. He also highlights that a SOC operating at a high level is not necessarily reserved for large organizations with matching budgets.
Strategy 1: Consolidate Computer Network Defense Under One Organization
Strategy 1 is in the appropriate place because quite often the struggles of the SOC occur because its capabilities are fractured within the organization. Engineering occurs in a group that is not specific to the SOC. SOC Tier 2 is often commingled with operations Tier 2, which then has trouble escalating incidents to the correct personnel. An example is firewall tickets ending up at the SOC when they should go to network operations. In a perfect world the SOC has its own triage, Tier 2, engineering, administration, and analysis teams. In typical deployments I suggest that triage infrastructure be maintained and personnel trained on which incidents belong in which buckets. However, it is imperative that the remaining functions be reserved exclusively for SOC specific activities. Internal processes, availability of resources, and effective support of the SOC mission are measurably improved with independence from other organization activities.
Strategy 2: Achieve Balance Between Size and Agility
Strategy 2 is meant to address the need for the SOC to be structured in a manner that best fits the organizational need. It needs to be sized appropriately so that it is able to effectively meet the demands that may be placed on it while having the ability to dynamically adjust to fluctuations in the environment and/or scenario. In this strategy, Zimmerman provides guidelines for the appropriate sizing and structure of a SOC depending on the organization size and footprint.
Strategy 3: Give the Security Operations Center the Authority to Do Its Job
Strategy 3 should've been number 1 to me. Once the idea of a SOC has been signed off on, the first thing that should occur is the drafting of a charter and mission statement. Management should sign off on the documents, granting the SOC the appropriate authority to monitor systems, detect and resolve incidents throughout the enterprise, and execute its mission. The organizational structure should provide appropriate autonomy from other potentially competing interests. Zimmerman provides suggestions as to where the SOC functions should reside in an org chart. The recommendation I often make is that the SOC should be tightly coupled with the Network Operations Center (NOC) while remaining independent. This lets the two support each other's activities while fostering a collaborative relationship.
Strategy 4: Do a Few Things Well
When writing the charter and mission statements, special care must be taken in defining the SOC capabilities. This will go a long way in managing expectations and budget. It will also provide focus in making sure you are able to deliver services effectively. These can be compliance driven or shaped by the need to provide specific functions (vulnerability scans, application assessment, tool implementation, etc.). While deciding on your capabilities, it is equally important to define metrics that are able to effectively show how well you are doing at providing the services. It is also useful to have an eye for the future on what services are on the horizon that could complement the current offerings as the SOC matures.
Strategy 5: Favor Staff Quality over Quantity
This strategy is all about the acquisition and retention of information security talent. There is much to be said about the talent gap in security. The need for information security professionals is far outpacing the number of individuals with the skill set to fill that need. Zimmerman states that your focus in staffing the SOC should be on acquiring staff who are able to think creatively and outside of the box to solve problems. These types of individuals may be worth several people in that they find automated ways to sift through data to identify problems and solutions where others may toil for much longer to arrive at the same solution. I tend to recommend that organizations look inside of their own organizations first to fill the talent gap. Information security is a hot field that people from all types of backgrounds are looking to get into. The problem is that it is often a difficult field to break into, and people do not know the steps they need to take to get into the arena. Organizations need to start enabling their people and searching for folks outside of the normal realms to find talent. Often, all that is necessary to make a good security professional is enthusiasm. Feed that enthusiasm with opportunity. Having this mindset has the dual effect of learning to leverage the talent you have and nurturing it to grow into something bigger and better. It provides a positive work environment and bolsters retention.
Strategy 6: Maximize the Value of Technology Purchases
We've gone through people, processes, and goals before addressing the technology. This is very intentional. It helps you establish all the things you want out of your SOC before even thinking about the technology that can deliver these objectives. Many organizations make the mistake of shaping their organizational goals and processes around technology when it should be the polar opposite. By setting your goals around the needs of the constituents you are able to develop requirements that are unique to your organization. From there you are able to evaluate vendors against the specific needs you have defined. These needs may end up being filled with simple solutions or multiple complex technologies that have to interact with each other to secure your systems.
One thing that I harp on is that you cannot have a security program or solution at any level of maturity without having a full mapping of your systems and their expected behaviors. At the onset of Strategy 6, Zimmerman brings up that before you can operationalize your SOC, it must be provided with a database of system assets and a method to keep it updated. This database will heavily impact your technology choices and how/where they should be deployed.
Strategy 7: Exercise Discrimination in the Data You Gather
Strategy 7 goes hand in hand with Strategy 4. If you know what you do well, then you should know what information you need to do it well. You can't do anything well if you are inundated with extraneous information. The SOC needs to be discriminating in the information it receives and processes. This frees resources to effectively perform its duties.
Zimmerman then goes on to provide the reader with best practices of where to obtain data and how to centralize your log processing out of band.
Strategy 8: Protect the Security Operations Center Mission
This strategy folds into Strategies 1 and 3. Whoever is running the SOC must be cognizant of its mission and prevent it from being pulled into conducting tasks that do not support that mission. Organizations tend to tap the SOC for operational or development needs due to the tendency of SOC personnel having skill sets that complement these arenas. Zimmerman's description of this strategy is that the SOC must have its own infrastructure, people, processes, and budget.
Strategy 9: Be a Sophisticated Consumer and Producer of Cyber Threat Intelligence
Cyber Threat Intelligence feeds are a controversial topic in information security. Threat Intelligence is the process of examining an Advanced Persistent Threat (APT) actor's activities and creating a fingerprint to help identify them. One criticism of Threat Intelligence feeds is that an APT's methods are typically unique to the organization they are trying to exploit. Therefore the fingerprint associated with one attack should not match a separate attack, so the effectiveness of threat intelligence feeds has been called into question.
I believe that a mature SOC is able to leverage these feeds in a way that helps them identify a similar attack more quickly than they would without the information provided to them in a feed. Cyber Threat Intelligence feeds are not meant to be a magic bullet to help organizations in similar industries quickly detect a persistent threat actor. They are meant to share information with the community so everyone is better able to detect and thwart concerted efforts to undermine your security posture.
Zimmerman goes through the steps of how an organization can establish a Threat Intelligence operation that is internal to your organization. With an internal Threat Team, analysts will not have to ingest and process the feed contents themselves to understand whether they are relevant to their environment. The threat data is an analysis of external and internal data used to develop signatures that automatically detect an ongoing attack. Cyber Threat Intelligence teams conduct malware analysis, digital forensics, and in depth network traffic analysis to observe how the organization has been compromised. This information is then fed back to the SOC team so they are able to detect similar threats in the future.
This is not for the faint of heart and is reserved for the most mature of information security programs.
Strategy 10: Stop. Think. Respond . . . Calmly
If you have taken care in the previous strategies, the tenth should come relatively naturally. In the event of an incident, personnel should have been trained to follow their playbooks to detect, respond, and remediate. The correct communications have occurred, the correct actions to quarantine have taken place, the correct methods to preserve evidence have been followed, and any after action lessons learned have been recorded. The best way to achieve a calm, measured response throughout the organization in the event of a compromise is to practice during seemingly tranquil times. This will indoctrinate the staff on what they should be doing and when, and also hammer out any inadequacies in the current processes.
If any organization is looking to build out a SOC I would recommend they reference Zimmerman's MITRE paper as a place to begin. It gives all the details one would need for a successful SOC, covering things like logistics, technology deployment strategies, staffing, and creating a mission to build from.
Zimmerman, Carson. 2014. Ten Strategies of a World-Class Cybersecurity Operations Center. MITRE.
https://www.mitre.org/publications/all/ten-strategies-of-a-world-class-cybersecurity-operations-center