Building the Security Operations Center (SOC)


Whether defending against common malware or a determined nation state, being able to proactively detect attacks and changes in the organization is required.  Over the past year I spent a large amount of time helping several organizations set up and put in place the right people, processes, and technology to help defend against increasing security threats.  Although many organizations spend millions of dollars on technology and hire staff to monitor security 24/7, these organizations were still lacking two fundamental items.

  1. The people, although good at monitoring, lacked the attacker and threat mindset.  The staff was not able to figure out when an actual attack was happening.
  2. The organizations lacked the basic security operations processes required to keep track of and make appropriate use of the vast amounts of data.

As a result, I spent the past few months developing a whitepaper that specifically addresses the primary components of a SOC, which can be used to help organizations set up a centralized core and embark on developing the correct operational processes.  Although I don’t address item number one above, this paper explains the following in detail.

  • Defining the SOC
  • Determining the Processes
  • Understanding the Environment that needs to be protected
  • Identifying the SOC Customers
  • Staffing the SOC
  • Managing the Events
  • Leveraging ITIL compliance

Creating and Maintaining a SOC – The details behind successful Security Operations Centers

If your organization is under attack and you have invested in more people and technology, be sure to implement the right processes and build a foundation for future defense.


Get Your Daily Security Feed


There has been a large amount of security information and news of recent attacks posted in the media.  We have Mandiant’s report on China as well as several issues concerning Java.  The sheer volume of information over the past year has made it difficult to keep up without a combination of sources.  As a result, InfoSecAlways has made a few modifications to the site.  Please check out the new “Security Feeds” in the right column (4th block down).  This is a combination of about 20 different security RSS feeds now piping into the blog.  You can check the site daily to get the latest news and updates in the industry.

Also, check out the links page as there are several new Threat and Vulnerability links added.  These are great if you are looking for specific attacks, breaches, or threats.

To Trust or Not to Trust


Over the past three weeks an ongoing LinkedIn thread titled “Shall we trust our employees or not?” has continued to be a hot topic of debate. There simply appears to be no agreement among the contributors.  Trust is relative.  You can always trust an employee or an organization, but the key is to what extent. You can also always trust that particular characteristics or actions will be repeated by each entity.  For example, some employees will always keep a secret while others will always tell at least one other person.  Therefore, you can trust one person to keep a secret and you can also trust the other person to tell your secret.  Simply put, it’s a matter of behavior and action over time that should be used to build the trust model.

When referring to trust among organizations, Section 2.6.1, Establishing Trust Among Organizations, in NIST SP 800-39 provides the best explanation.

Parties enter into trust relationships based on mission and business needs. Trust among parties typically exists along a continuum with varying degrees of trust achieved based on a number of factors. Organizations can still share information and obtain information technology services even if their trust relationship falls short of complete trust. The degree of trust required for organizations to establish partnerships can vary widely based on many factors including the organizations involved and the specifics of the situation (e.g., the missions, goals, and objectives of the potential partners, the criticality/sensitivity of activities involved in the partnership, the risk tolerance of the organizations participating in the partnership, and the historical relationship among the participants). Finally, the degree of trust among entities is not a static quality but can vary over time as circumstances change.


Lock Picking – A Security Professional Must


Lock picking has long been a method of gaining access to information.  Professionals engaged in physical security reviews or social engineering assessments are currently the main security professionals using these methods.  We’ve all picked the weak file cabinet lock at work or maybe even jiggled a key of a similar type to get access through a door, but how important is it really for security professionals to know this skill?

Having recently purchased a lock pick set and several training locks, I found it was extremely easy to pick the locks.  I went through a 6-lock training package in just a few minutes and then an advanced 4-lock set in even less time.  I had read a lot prior to the purchase and had even made picks out of street cleaner bristles, but had very little practical knowledge.  After moving on to Master locks, etc., I found it was a little more difficult initially, but if you just sit down watching TV and practice picking the lock it becomes easy after a while.  Now, there are some very complex locks, and I continue to learn and understand more about these locks.  In any event, unless the lock implements very strong controls, picking the lock is done easily.

It is important that security professionals understand lock picking in order to grasp the risk.  Many professionals really only talk security and don’t actually practice it.  The auditor comes in and says you need to put in badge readers because there is no accountability, etc.  These people really don’t understand the simplicity of lock picking or the real weakness.  Not that I’m anywhere near a professional at it.

  • How many locks at your work environment are key locks?
  • Is there sensitive information in these areas?

As professionals we should not underestimate the simplicity of lock picking.  If you are serious about security you really need to get some lock picking practice and understand the risks associated with standard locks.

If you are interested in learning more, you can learn lock picking at Defcon and ShmooCon.

In addition, if you continue with it as a hobby, I would recommend becoming a member of the following site.

http://www.lockpicking101.com/

Security Conference List – Wikipedia Rocks


Wikipedia truly is amazing.  Check out the list of worldwide security conferences.  This is a great place to look for any professionals wanting to speak or attend high profile conferences.  Definitely a good site to add to my links page.

http://en.wikipedia.org/wiki/Computer_security_conference