As the threat landscape evolves rapidly, cyber protection needs to keep pace. Your Security Operations Center (SOC) is the front line of network defense, charged with catching an attack before it does damage. To be effective, your SOC must be mature and capable of detecting, investigating and responding to complex and persistent attacks.
However, global findings indicate that many SOCs are below target maturity levels and unable to detect advanced attacks. This leaves organizations vulnerable, placing their most sensitive and valuable assets at risk.
While stronger protection is the prime reason for developing, maturing and improving the capabilities of your SOC, increasing regulatory pressure and compliance requirements also play a part.
In this step-by-step DIY guide, you will learn how to assess the current maturity levels of your SOC, establish your desired level and chalk out your developmental roadmap.
People (trained and skilled security specialists), processes (for incident response and management) and technology (tools to collect and analyze data) are the foundation of SOC operations. This guide focuses on the Security Information and Event Management (SIEM) solution, which is an established platform for maturity modeling.
SIEM is implemented to
These objectives can only be achieved if all five components of the SOC, namely Governance, Services, People, Process and Technology, are defined in line with the organization's risk and maturity and aligned with its business objectives. SOCs worldwide are adopting technological innovations such as automation, security analytics, machine learning and other applications of cognitive computing. But which technologies to adopt, and how extensively to use them, are critical decisions for improving SOC effectiveness. It is best to adopt a balanced approach that augments your people, processes and technology through the right mix of automation, analytics, real-time monitoring and hybrid staffing models.
Our experienced security experts recommend this balanced maturity assessment model for SOCs. This is based on real-world data and our experience helping thousands of security teams measure capability and maturity.
Comprehensive Governance Model
Service Catalog and SOC Operations
Integrated Security Technology
Asset Modelling/ Log Baseline
Log source Integration and custom parser/connector development
Use cases management - single device, multi device and threat aligned and compliance use cases
Flow Management and integration with SIEM
Full packet capture for forensics
Vulnerability integration for asset, incident and vulnerability visualization
Tactical Threat Intelligence integration into the SIEM
Strategic and actionable threat intelligence and analysis
Threat Intelligence Platform deployment, analysis and contextual mapping with assets/crown jewels
User and Entity Behavior Analytics
Network Threat Analytics
Visualization, Reporting, Trends and dashboard integration
Incident response orchestration
When you are starting from scratch (no SIEM, no SOC functions defined), building your SOC and taking it to maturity can seem daunting. Our SOC experts have outlined a roadmap to get you there in three years.
Year 1: Log collection, enrichment and management, along with out-of-the-box and compliance rules for monitoring and threat detection
Network devices like core router, core switches, key network management components
All perimeter security devices like Firewall, IPS, Proxy Servers, URL Filters etc.
All authentication sources like Active Directory, VPN servers, databases used for authentication, TACACS+/RADIUS servers
Public-facing servers such as web applications used for transactions, including their middleware and backend tiers, limited to security logs
Critical applications like CRM, core banking channels and API integration points, again limited to security logs
Monitor “what matters the most” (Web Apps, Core OS, PCI related Application, Databases, Credit Card Information, Customer and Employee PII etc.) from data security point of view
Keep the number of correlation rules proportional to risk: initially 10-12 use cases, each with 3-6 SIEM rules/alerts mapped to a kill chain model. For example:
Monitor all privilege activities
Monitor key system file changes
Website home page file auditing and its alerts (defacement detection)
All anomalous authentication activities
System reboot followed by audit log cleared, and the reverse order (audit log cleared followed by system reboot); failed Windows logons for multiple (3 or more) user names from a single workstation
Add / Remove AD admin group membership privileges to another person
Forced password reset.
Account management sequences (a user account was locked out, followed by the account being unlocked, followed by a member being added to a security-enabled local group, followed by a member being removed from a security-enabled local group). Monitor terminated users, i.e. users whose employment has been or is about to be terminated
Audit privilege use and enable database privilege auditing: audit CREATE TABLE, DROP TABLE and ALTER TABLE
Correlate DROP USER with the revoking of rights from a user
Large file sent via the web; log the HTTP request and response
SQL injection and XSS detected
Large spike in DNS requests
A single machine generating authentication failures against multiple servers (credential spraying or lateral movement)
Monitoring and Notification Process
Triage and Escalation Management
Incident Response and Service Desk/ Ticketing Management
Create basic reporting and trends, alerts and notification and IR summary
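To make three of the Year 1 use cases above concrete, the following is an added example, not code from the original guide or from any SIEM product: toy correlation rules run over a constructed set of Windows Security events (event IDs 4625, 1102 and 4608 are the real Windows identifiers; the hosts, users, workstation names and timestamps are invented). It implements "failed logons for 3 or more user names from one workstation", "audit log cleared and system reboot on the same host, in either order", and "one machine failing authentication against multiple servers", each with a time window so that the rule fires on a burst rather than on a day's worth of typos.

```python
"""Toy correlation rules for three of the Year 1 use cases above, run over
constructed Windows Security events. Added example, not part of the original
guide and not tied to any particular SIEM product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, reporting host, Windows event ID, account, source workstation).
# 4625 = an account failed to log on, 1102 = the audit log was cleared, 4608 = Windows is starting up.
EVENTS = [
    ("2024-03-01 09:00:01", "FS01",  4625, "alice",      "WS-17"),
    ("2024-03-01 09:00:05", "FS01",  4625, "bob",        "WS-17"),
    ("2024-03-01 09:00:09", "FS01",  4625, "carol",      "WS-17"),   # 3 user names from one workstation
    ("2024-03-01 09:01:00", "FS01",  4625, "alice",      "WS-22"),   # a lone typo, not an alert
    ("2024-03-01 10:10:00", "DC01",  1102, "svc_backup", "DC01"),    # audit log cleared ...
    ("2024-03-01 10:12:30", "DC01",  4608, "-",          "DC01"),    # ... then the host reboots
    ("2024-03-01 11:00:00", "DB01",  4625, "dave",       "WS-40"),
    ("2024-03-01 11:00:20", "APP01", 4625, "dave",       "WS-40"),
    ("2024-03-01 11:00:45", "FS02",  4625, "dave",       "WS-40"),
    ("2024-03-01 11:00:50", "DC01",  4625, "dave",       "WS-40"),   # one workstation, four servers
]


def parse(raw):
    return [{"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": h, "eid": e, "user": u, "src": s}
            for ts, h, e, u, s in raw]


def _distinct_in_window(evs, field, threshold, window):
    """Slide a window over time-sorted events; return the distinct `field` values
    as soon as `threshold` of them occur within `window`, else None."""
    evs = sorted(evs, key=lambda e: e["ts"])
    for i, start in enumerate(evs):
        vals = {e[field] for e in evs[i:] if e["ts"] - start["ts"] <= window}
        if len(vals) >= threshold:
            return sorted(vals)
    return None


def _failed_logons_by_source(events):
    by_src = defaultdict(list)
    for ev in events:
        if ev["eid"] == 4625:
            by_src[ev["src"]].append(ev)
    return by_src


def multi_user_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Failed logons for `threshold`+ distinct user names from one workstation (credential guessing)."""
    return [(src, users) for src, evs in _failed_logons_by_source(events).items()
            if (users := _distinct_in_window(evs, "user", threshold, window))]


def one_source_many_servers(events, threshold=3, window=timedelta(minutes=5)):
    """One workstation failing to authenticate to `threshold`+ distinct servers (spraying / lateral movement).
    For 4625 the reporting host is the server that rejected the logon."""
    return [(src, hosts) for src, evs in _failed_logons_by_source(events).items()
            if (hosts := _distinct_in_window(evs, "host", threshold, window))]


def log_cleared_then_reboot(events, window=timedelta(minutes=15)):
    """Audit log cleared (1102) and system start (4608) on the same host within `window`, in either order."""
    alerts = []
    for a in (e for e in events if e["eid"] == 1102):
        for b in (e for e in events if e["eid"] == 4608 and e["host"] == a["host"]):
            if abs(b["ts"] - a["ts"]) <= window:
                order = "cleared->reboot" if b["ts"] >= a["ts"] else "reboot->cleared"
                alerts.append((a["host"], a["user"], order))
    return alerts


if __name__ == "__main__":
    evs = parse(EVENTS)
    for name, fn in [("multi-user failures", multi_user_failures),
                     ("one source, many servers", one_source_many_servers),
                     ("audit log cleared + reboot", log_cleared_then_reboot)]:
        print(f"{name}: {fn(evs)}")
```

On this data the first rule fires once, for WS-17 with three user names; the third rule fires once, for WS-40 against four servers; and the sequence rule reports DC01 with the account that cleared the log. The thresholds and windows are the knobs to tune in Year 1: too tight and the rule never fires, too loose and it pages the analyst for every helpdesk password reset.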
Year 2: Advanced event/flow and application (layer 7) monitoring correlations, threat detection/hunting and threat modelling
Add flow monitoring and create flow-based use cases, such as large HTML payloads, clear-text usernames and passwords, clear-text card data, etc.
Achieve 100% coverage of critical log sources; add enterprise applications in order of risk
Customize and integrate application log sources via custom parsers/uDSMs
Leverage the user behavior analytics functions of the SIEM against authentication sources
Improve alert management with context
Privileged Access Monitoring – Monitor administrative activities and alert on violations. Accounts with privileged access (e.g. Admin, sudo) should be monitored by ID for the activity performed, and any unauthorized or suspicious activity must raise an alert.
Back Doors – Detect malware, backdoors and known remote exploits
Social (e.g. Phishing, Threat Intel) – Communication to known malicious sites such as botnet C2, phishing and watering-hole infrastructure; integrate tactical threat feeds
Vulnerability Management – Detect vulnerability scanning of hosts
Anomaly (Behaviour) –
DDoS – Detect DoS/DDoS attacks, such as sudden spikes in network bandwidth usage, using NetFlow
Configuration Changes – Monitor and alert for configuration and system file changes on critical servers, applications and network devices
Physical Security – Check physical access logs for multiple failures and correlate them with logical authentication logs for violations and context
Business Policy – Business policy violations like logons during non-working hours, direct database connections/queries.
File Transfer - Detect file transfer activity from sensitive servers such as DB or SAP servers or file servers
Create run books – for each use case define validation, containment, eradication and recovery steps.
Perform simulations of the run books
Root cause analysis and lessons learned, fed back into operational processes and analysis
Add tactical threat intelligence via TAXII.
Assign a threat hunter to look for IOCs
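The tactical threat intelligence items above (communication to known malicious sites, feed integration via TAXII, and an analyst hunting for IOCs) come down to one operation: normalize the indicators a feed delivers and look them up against what the proxy and DNS logs show. The following is an added example, not code from the original guide or from any threat intelligence product. It assumes indicators arrive shaped like STIX 2.1 Indicator objects, as a TAXII server would return them, and only handles the simple single-comparison patterns on domain names, IPv4 addresses and URLs; composite patterns are skipped rather than guessed at. The indicator objects, their ids, the log lines and the "current time" are all constructed, using reserved example address ranges and `.example` names.

```python
"""Match STIX-style indicators, as a TAXII feed would deliver them, against
proxy and DNS logs (Year 2 threat-intel and threat-hunting items above).
Added example, not from the original guide or any vendor; the indicators,
their ids and the log lines are constructed and use reserved example ranges."""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed indicators in the shape of STIX 2.1 Indicator objects (only the fields used here;
# the ids are placeholders, real ones are indicator--<uuid>).
INDICATORS = [
    {"id": "indicator--c2-domain", "name": "botnet C2 domain", "valid_until": "2030-01-01T00:00:00Z",
     "pattern": "[domain-name:value = 'cdn-update.example']"},
    {"id": "indicator--phish-ip", "name": "phishing host", "valid_until": "2030-01-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"id": "indicator--dropper-url", "name": "malware download URL", "valid_until": "2030-01-01T00:00:00Z",
     "pattern": "[url:value = 'http://files.example/invoice.zip']"},
    {"id": "indicator--stale", "name": "old campaign, expired", "valid_until": "2020-01-01T00:00:00Z",
     "pattern": "[domain-name:value = 'old-campaign.example']"},
    {"id": "indicator--composite", "name": "needs a real pattern evaluator", "valid_until": "2030-01-01T00:00:00Z",
     "pattern": "[domain-name:value = 'a.example' OR domain-name:value = 'b.example']"},
]

# Constructed proxy log (client_ip, dst_ip, url) and DNS log (client_ip, queried name).
PROXY_LOG = [
    ("10.1.2.3", "198.51.100.20", "https://intranet.example/"),
    ("10.1.2.9", "203.0.113.7",   "http://login-secure.example/"),
    ("10.1.4.5", "198.51.100.44", "http://files.example/invoice.zip"),
]
DNS_LOG = [
    ("10.1.2.3", "cdn-update.example"),
    ("10.1.2.3", "intranet.example"),
    ("10.1.7.7", "old-campaign.example"),
]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time" for the expiry check

# Only single-comparison patterns on the three observable types these logs can answer for.
SIMPLE_PATTERN = re.compile(r"\[(domain-name|ipv4-addr|url):value\s*=\s*'([^']+)'\]")


def load_indicators(indicators, now=NOW):
    """Build {(type, value): indicator} from still-valid, single-comparison patterns.
    Expired indicators are dropped: stale tactical feeds are the main source of TI false positives."""
    table = {}
    for ind in indicators:
        m = SIMPLE_PATTERN.fullmatch(ind["pattern"])
        if not m:
            continue  # composite patterns need a real STIX pattern evaluator; skip rather than guess
        valid_until = datetime.strptime(ind["valid_until"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if valid_until < now:
            continue
        typ, val = m.groups()
        # Host names are case-insensitive, URL paths are not: normalize accordingly.
        table[(typ, val if typ == "url" else val.lower())] = ind
    return table


def match_proxy(table, proxy_log):
    """Each proxy line is checked three ways: full URL, destination host name, destination IP."""
    hits = []
    for client, dst_ip, url in proxy_log:
        host = (urlsplit(url).hostname or "").lower()
        for key in (("url", url), ("domain-name", host), ("ipv4-addr", dst_ip)):
            if key in table:
                hits.append((client, key[1], table[key]["id"]))
    return hits


def match_dns(table, dns_log):
    return [(client, name, table[("domain-name", name.lower())]["id"])
            for client, name in dns_log if ("domain-name", name.lower()) in table]


def run(now=NOW):
    table = load_indicators(INDICATORS, now)
    return {"loaded": len(table), "proxy": match_proxy(table, PROXY_LOG), "dns": match_dns(table, DNS_LOG)}


if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

Three of the five indicators load: the expired one and the composite pattern are dropped, and the output records why. Two proxy lines and one DNS query match. The DNS hit for cdn-update.example from 10.1.2.3 is exactly the "communication to known botnet C2" case, and it surfaces from DNS even though that client never appears in the proxy log, which is why both sources belong in the Year 2 coverage list.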
Year 3: Machine-learning-driven advanced security and business analytics, high-performance big data compute
Add full packet capture for forensics
Advanced firewall rule simulation, with suggestions for an optimized, noise-free rule base driven by risk analysis
Improve and automate alert management
Advanced asset baselining to prioritize the response and recovery of critical assets over lower-risk assets during a cyber attack/incident
Integrate with CMDB and perform auto change management
Integrate with vulnerability management to provide internal threat intelligence and prioritize by vulnerability state, asset criticality and incidents.
Compliance-driven reporting based on the customer's line of business, e.g. HIPAA, PCI DSS, GLBA, FISMA, GDPR, NYDFS, etc.
Monitor and Adapt Rule Bases – Fine tune rules
Create an additional 10-12 use cases for business-focused applications and correlate them with flows, which provide deeper context and help in threat modelling and incident forensics
Automate tactical threat intelligence and its response
Define a threat intelligence process covering threat hunting, asset criticality, vulnerability identification and actionable output. This can be achieved by implementing big data platforms like ELK or other threat hunting platforms to search for IOCs and hunt for threats.
Leverage a threat intelligence platform to fuse threat feeds from multiple sources, contextualize them with asset criticality and provide actionable intelligence
Deploy proactive threat hunting using machine learning and automation, with signals such as port-protocol mismatches, user behaviour and threat intelligence driving the hunt missions.
Implement User and system behaviour analytics
Additional reporting and visualization for key systems and data
Network Analytics using full packet capture
Consider Endpoint Protection (EPP/ EDR) tools that leverage machine learning, Intelligence integration and IOC Management at the endpoints
Security analytics use cases vary; leverage those relevant to your environment.
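The Year 3 items on asset baselining, vulnerability and asset-criticality prioritization, and port-protocol mismatch hunting fit together as one workflow: hunt over flow records for traffic that does not belong on its port, then rank what you find by the criticality of the source asset so the analyst starts with the crown jewels. The following is an added example, not code from the original guide or from any flow or CMDB product. It assumes the flow exporter attaches an application label from its DPI engine, and that a CMDB extract maps assets to criticality tiers; the expected-protocol baseline, the CMDB tiers, the flow records and the DNS volume threshold are all constructed.

```python
"""Hunt for port/protocol mismatches in flow records and rank the findings by
asset criticality (the Year 3 baselining, vulnerability/asset prioritization
and threat-hunting items above). Added example, not from the original guide or
any product; the baseline, the CMDB extract and the flow records are constructed."""

# Constructed baseline: application protocols the network is *expected* to carry per destination port.
EXPECTED_APP = {443: {"tls"}, 80: {"http"}, 53: {"dns"}, 22: {"ssh"}, 3389: {"rdp"}}

# Constructed CMDB extract: asset -> criticality tier (1 = crown jewel ... 4 = low value).
CMDB_TIER = {"db-core-01": 1, "web-pay-02": 1, "fileshare-07": 3, "kiosk-14": 4}
DEFAULT_TIER = 4  # unknown assets are treated as low value; a CMDB gap is itself worth chasing

# Constructed flow records: (src asset, dst, dst port, app label from the exporter's DPI engine, bytes out).
FLOWS = [
    ("kiosk-14",     "web-pay-02",    443,  "tls",  4_200),       # normal
    ("fileshare-07", "203.0.113.50",  443,  "ssh",  9_800_000),   # SSH tunnelled over 443 from a tier-3 host
    ("db-core-01",   "203.0.113.9",   53,   "dns",  52_000_000),  # "DNS" at exfil volume from a crown jewel
    ("db-core-01",   "198.51.100.4",  80,   "http", 1_100),       # normal
    ("web-pay-02",   "198.51.100.77", 22,   "tls",  300),         # TLS on the SSH port
    ("kiosk-14",     "198.51.100.8",  8080, "http", 900),         # port not in baseline: not a mismatch
]

DNS_VOLUME_BYTES = 10_000_000  # constructed threshold for the DNS tunnelling/exfil heuristic


def find_mismatches(flows, expected=EXPECTED_APP, dns_volume=DNS_VOLUME_BYTES):
    """Flag flows whose identified application does not belong on the port, plus
    correctly-labelled DNS that moves far more data than name resolution needs."""
    findings = []
    for src, dst, port, app, nbytes in flows:
        if port not in expected:
            continue  # no baseline for this port: a seed for the next baselining pass, not a mismatch
        record = {"src": src, "dst": dst, "port": port, "app": app, "bytes": nbytes}
        if app not in expected[port]:
            findings.append({**record, "reason": "port/protocol mismatch"})
        elif port == 53 and nbytes >= dns_volume:
            findings.append({**record, "reason": "dns volume"})
    return findings


def rank(findings, tiers=CMDB_TIER, default_tier=DEFAULT_TIER):
    """Crown-jewel sources first (lowest tier number); within a tier, the largest transfer first."""
    ranked = [{**f, "tier": tiers.get(f["src"], default_tier)} for f in findings]
    return sorted(ranked, key=lambda f: (f["tier"], -f["bytes"]))


def hunt(flows=FLOWS):
    return rank(find_mismatches(flows))


if __name__ == "__main__":
    for f in hunt():
        print(f"tier {f['tier']} {f['src']:>13} -> {f['dst']:<15} port {f['port']:<5} app={f['app']:<5} "
              f"{f['reason']} ({f['bytes']:,} bytes)")
```

Of the six flows, three become findings, and the ranking puts the 52 MB of "DNS" leaving the tier-1 database server at the top, ahead of the SSH-over-443 tunnel from a tier-3 file server that a volume-only view would have ranked first. The flow on port 8080 is deliberately not a finding: with no baseline for that port there is nothing to be mismatched against, which is why the baselining work in Years 1 and 2 is a prerequisite for this kind of hunt rather than an optional extra.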