This year I was interviewed by Infotech Research Group about the difference between a SOC and a SOF for a solution they were developing collateral for. Prior to the interview I prepared a response to their questions. The data they were asking for is very similar to the questions I’m asked regularly around security operations solutions. Therefore, I wanted to take this opportunity to put out some content around the core topics of security operations centers and functions.
What is the difference between a Security Operations Center (SOC) and a Security Operations Function (SOF), and what is required to provide a state-of-the-art intelligent security operations function?
To begin we must first clarify the difference between the two concepts. In general a SOC is, or can be, a portion of the overall SOF. A traditional SOC usually centers on a SIEM, whereas today’s security operations need to integrate multiple products and automate intelligence and response in real time. The traditional SOC was a large physical security command center. Today the SOC has shifted into more of a function, with many responsibilities spread outside the traditional physical command center.
We should not forget that one advantage of housing the security operation in a single physical location is the ability to easily segment, secure, and control the data within that environment. When you open up the function you also open up access to the security data itself (logs, alerts, case notes, intelligence), which makes that data harder to secure in larger environments.
SOF 1.0 and 2.0: what is the difference?
What are the key differences between a traditional SOC or SOF and the next-generation solution (version 2.0), and how will the next generation handle newer technologies and the continually changing threat landscape associated with big data, mobile computing, and social media?
The big difference is that monitoring is no longer contained within the organization, and in many cases the data is not either, so you will be relying more on third-party organizations. That means you must have good processes in place with defined SLAs so that you understand the capabilities of each provider. A good understanding of the security of each third-party environment will be critical to ensuring your data is not leaked. A good way to detect malware in the environment will also be important to help prevent lateral movement across the organization and its suppliers or providers.
Also, because advanced threats specifically target individual personnel, the next generation of security operations will eventually have to extend into the home environment to protect those key targets. Key executives who are targeted through their children or other family members will need protections in place that help mitigate the risk. These advanced threat actors compromise another family member’s account and send an email with a subject like “homework help” or something similar to fool the victim. Little does the parent know that this was an attacker who hacked their kid’s account for the sole purpose of delivering a Word document carrying malware, with the executive’s work account as the eventual target.
Another item that will come more into play is real-time threat intelligence. Automated feeds in formats like STIX or OpenIOC, carrying data that is specific and relevant to your organization, will become the norm for large enterprises. In some cases even a private intelligence cloud will be used.
Why Implement a SOC or SOF in the first place?
Many of you may not currently have a security operations function in place, but due to recent attacks you are wondering if one is the right fit for your organization. To help with that decision, understand that there are usually two main drivers.
- One is that the organization has had a series of major incidents and as a result needs to implement some type of monitoring and protection function.
- The second driver is increased profit. Large MSSPs or telecommunications organizations build out operations in order to sell a managed SOF to their clients.
At some point you really need to understand the threats to your organization. Without a clear picture of the attacks the organization faces daily it will be hard to justify the cost of a SOC/SOF, and you may need to consider an outsourced option instead.
Responsibilities of the SOF
We know that security monitoring and incident response are obviously included at some level, but what about security device maintenance, identity and access provisioning/de-provisioning, or even security solution design and implementation? Should those all be included?
Personally I don’t think device maintenance is a good function of the SOF. My experience in the field, having done penetration tests against organizations whose MSSPs (Managed Security Service Providers) perform both the security and the maintenance functions, shows that many items are typically neglected. In short, the MSSPs can do everything from monitoring to maintenance, but in many cases they end up doing a poor job at everything because there is a lack of focus on any one task. For device management and maintenance the SOF should really only be involved in reviewing security compliance around device maintenance and in coaching or developing the processes to ensure out-of-compliance items are removed from the network until updated.
Other functions such as identity, access and entitlement reviews can be part of the SOF, but usually they are not, based on a decision driven by corporate culture. Access control in many cases resides outside of the SOF or in an isolated SOF department, and unless the organization can manage the cultural issues it will not work effectively in the SOF. The SOF’s function really should be to review and compliance-check access controls and access violations. We also need to be careful about giving the SOC too much capability, because then the SOC becomes a single point of failure for security.
Overall some core items that should be provided by the SOF are:
- Monitoring, alerting, threat analysis, correlation and intelligence
- Incident response, investigation, malware and threat analysis, and serving as an extension of the forensic teams in some cases
- Advisory on corporate security solution designs
Outsourcing the SOF
How do you determine whether the SOF should be outsourced? Several drivers in the decision-making process determine whether the function should be outsourced. In almost all cases it comes down to cost or to the fact that the organization does not have the appropriate skills in house. In some cases the organization may also decide that it should not invest in services that deviate from its core business goals.
Leveraging Centralized or Distributed Response Models
A challenge in many security functions is determining the correct response model. This really depends on the global extent and cultural diversity of the organization. If the organization is global there will be many challenges if a central response team is implemented. If you have to send someone onsite halfway around the world it could take days depending on where that person must fly. You will also run into challenges around language and visa requirements.
On the other hand, a distributed team that speaks or reads multiple languages will enhance any response team’s ability to provide a timely and adequate response. The time to reach the location is shorter, command and control can be run onsite (war room), and intelligence can be shared via the coordinating or central lead team.
Key Aspects of the SOF – People, Process, and Technology
To implement and maintain a successful SOF the right defense-in-depth strategy is required across people, process, and technology.
People – A successful SOF must have skilled staff who can think like the adversary. This staff must also have the technical knowledge and troubleshooting abilities to understand the threats and attacks.
Technology – At the most basic level the technology strategy must have several core components. New-generation malware detection at the network egress points and on endpoints is a requirement. A SIEM or correlation engine is necessary to integrate the logs of many technologies. Finally, some custom integration between the core network, endpoint, and SIEM products is required to automate as much as possible of both identification and containment of the threat. Threat intelligence feeds will also become a core item in the next-generation SOF, providing awareness of the latest trends as well as threats to the industry and its service providers. Most current SOC functions try to expand the function with more analysis software. The mistake there is that it consumes the time of your skilled staff, whereas they should be looking to automate the analysis and containment tasks as much as possible and use a small set of base products to stop the attacks. Some other SOF-based solutions will talk about risk-based decision systems; this is really just correlation and automation of high-risk threats.
Process – For process there are several components. Sound roles and responsibilities must be defined. Automation of trouble ticketing and remediation processes needs to be in place. Threat risk assessments must be conducted to identify critical targets and the threat events that are high risk to the organization. A SOF at many levels must be integrated into every important aspect of the business. For example, if a hurricane is coming and the BCP department announces a hurricane watch, the SOF should be looking for phishing attempts that leverage the hurricane as a lure to attack the organization, on the assumption that employees will be reading every email and website about the hurricane.
Challenges within a SOF
There are hundreds of challenges in running a top-notch next-generation SOF, but some fundamentals must be addressed. Education of staff is critical. Without the right skills the attackers will always be hard to find in the organization and even harder to remove. Ensuring that operators follow the procedures with little or no exception, and continually update information and tactics based on the threats facing the organization, is important. The management of the SOF must also make sure executive management understands the extent of the threat; otherwise funding and other critical controls will be neglected or overlooked. Also, everyone talks about implementing more process in the next-generation SOF, but in reality the real solution is to take as much human interaction out of the process as possible and automate analysis and protection. A solution for querying the endpoint and enforcing rules based on network detections, a solution for leveraging and automating multiple technologies, and a solution for using first-detection malware appliances to forward blocking information into firewalls and web/email gateways: these are the critical improvements and challenges required to build out the next-generation SOF.
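As an added illustration of the automation argued for here and in the threat-intelligence paragraph earlier (consuming STIX feeds and forwarding blocking information to firewalls and gateways), the following Python script is my own example, not code from the original post or from any product. It assumes a STIX 2.1 JSON bundle (STIX 1.x feeds are XML and would need a different parser), a constructed sample feed embedded inline, and iptables-style output as a stand-in for whatever your egress firewall actually consumes; the indicator IDs, field names and the INTERNAL_NETS list are assumptions. The part worth copying is the guardrail: only simple, current, unrevoked equality indicators are pushed automatically, while internal address ranges, compound patterns, expired and revoked indicators go to an analyst review queue instead of to a device.

```python
"""Added example: triage STIX 2.1 indicators into per-enforcement-point block lists.

Illustrative glue code, not a product API. Assumes a STIX 2.1 JSON bundle and
that only single-comparison equality patterns are safe to block automatically.
"""
import ipaddress
import json
import re
from datetime import datetime, timezone

# One comparison only, e.g. [ipv4-addr:value = '203.0.113.5'] or
# [file:hashes.'SHA-256' = '...']. Compound (AND/OR) or non-equality
# patterns do not match and are routed to review.
SIMPLE_PATTERN = re.compile(
    r"^\[\s*([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'\s*\]$"
)

# Ranges never pushed to an egress firewall: a feed that lists an internal
# address (by mistake or by design) would otherwise cut off the business.
# RFC 1918, loopback and link-local; extend with your own ranges (assumed list).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample feed (not real intelligence): RFC 5737 test addresses,
# reserved example domains, and the SHA-256 of an empty file as a placeholder.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0f6a5a4e-1111-4b6b-8e2a-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--aaaa0001", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']", "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--aaaa0002", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'Evil.Example.']", "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--aaaa0003", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--aaaa0004", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '10.0.0.5']",  # internal: must never be blocked
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--aaaa0005", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] AND [url:value = 'http://198.51.100.7/x']",
         "valid_from": "2024-01-01T00:00:00Z"},  # compound: an analyst decides
        {"type": "indicator", "id": "indicator--aaaa0006", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.9']", "valid_from": "2020-01-01T00:00:00Z",
         "valid_until": "2020-06-01T00:00:00Z"},  # expired
        {"type": "indicator", "id": "indicator--aaaa0007", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'retracted.example']",
         "valid_from": "2024-01-01T00:00:00Z", "revoked": True},
        {"type": "identity", "id": "identity--bbbb0001", "name": "Feed Producer"},
    ],
})


def parse_ts(value):
    """STIX timestamps are RFC 3339 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_indicators(bundle_json, now=None):
    """Return {'firewall': [...], 'proxy': [...], 'endpoint': [...], 'review': [...]}.

    `now` is an RFC 3339 string (default: current UTC time) used for the
    valid_until check so that runs are reproducible.
    """
    now_dt = parse_ts(now) if now else datetime.now(timezone.utc)
    out = {"firewall": [], "proxy": [], "endpoint": [], "review": []}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # identities, relationships, etc. carry nothing to block
        ind_id = obj["id"]
        if obj.get("revoked"):
            out["review"].append((ind_id, "revoked"))
            continue
        if "valid_until" in obj and parse_ts(obj["valid_until"]) <= now_dt:
            out["review"].append((ind_id, "expired"))
            continue
        if obj.get("pattern_type", "stix") != "stix":
            out["review"].append((ind_id, "non-STIX pattern language"))
            continue
        m = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not m:
            out["review"].append((ind_id, "compound or non-equality pattern"))
            continue
        obj_type, prop, value = m.groups()
        if obj_type == "ipv4-addr" and prop == "value":
            try:
                ip = ipaddress.IPv4Address(value)
            except ValueError:
                out["review"].append((ind_id, "malformed address"))
                continue
            if any(ip in net for net in INTERNAL_NETS):
                out["review"].append((ind_id, f"internal address {ip}"))
                continue
            # Example egress rule; render in your own firewall's syntax instead.
            out["firewall"].append(f"iptables -A OUTPUT -d {ip} -j DROP  # {ind_id}")
        elif obj_type == "domain-name" and prop == "value":
            out["proxy"].append(value.lower().rstrip("."))  # normalise for the proxy list
        elif obj_type == "file" and prop.startswith("hashes."):
            out["endpoint"].append(value.lower())
        else:
            out["review"].append((ind_id, f"unhandled {obj_type}:{prop}"))
    return out


if __name__ == "__main__":
    for target, entries in triage_indicators(SAMPLE_BUNDLE).items():
        print(target, entries)
```

The review queue is what keeps the automation from becoming the single point of failure warned about earlier: anything the script cannot classify with confidence is surfaced to a person rather than silently pushed to, or dropped from, an enforcement device.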
The 5 People, Process, and Technology Requirements
There are various sizes of organizations and every SOF will be different in many ways, but with respect to people, process, and technology the simplest and most effective measures for providing security to an organization are:
Technology:
- Egress malware-blocking technology covering both email and web vectors, combined with a web proxy and spam filter
- Application control and anti-virus software on the endpoints
- SIEM for centralized logging and correlation of information
- Governance, Risk and Compliance (GRC) software for integrating security with other processes within the organization
- After that, augment these core components with other software for compliance and other business requirements
People:
- Strong leadership
- A strong person in network and application security
- A strong person in risk management and security policy
- Strong malware analysis and forensic skills on staff
- After that, build out the team based on the scope and mission of the security function and leverage contractors or outsourced solutions
Process:
- Automation of as much process as possible
- A strong set of core policies and procedures for change control, incident response, alerting and reporting that focus on protecting the organization and its mission
- Collection of metrics
- A process that is revised regularly to reduce detection, containment and remediation time
- A process to understand the real threats to the organization
As the person running a SOF you will always be asked to prove its effectiveness. Are there important Key Performance Indicators (KPIs) that help prove the value of the SOF? This is a difficult question, and each organization may have specific KPIs based on its goals. However, in general there are some core items that should be measured.
To help make sure each member of the SOF is working effectively, metrics around the roles and responsibilities of each individual are important. They help measure the skill level of each person and confirm that each individual is working toward the mission of the SOF. Therefore, measure items such as:
- Shift logs and components captured in shift logs
- Hours analyzing events, hours automating, and hours researching
Together these items will help determine where you need to focus spending and how to free up staff time in the future.
There are several items around the technology to measure including:
- Number of incidents per reporting period (week, month, etc.)
- Number of incidents and events detected, and the percentage of those that were automatically blocked or contained
- Timeline breakdown for each incident (when it was detected, contained, remediated)
- The breakdown of detection by technology; there will always be overlap in detection, so measure this overlap to help determine whether a control is actually needed
In the process area you will want to track several different things to prove the effectiveness of the incident response process, including:
- Amount of time to resolve an incident
- Estimated cost to resolve an incident
- Increase or decrease in security spending over time (compare against protection metrics)
One item that sometimes gets overlooked is tracking the time it takes to collect and report on the metrics. Inevitably, a large portion of the documentation is manual, and collecting metrics is manual because no executive-presentable format exists in the tools. The SOF will spend days at the end of each reporting period generating the metrics and reporting to management. If you can automate the collection and reporting by using a GRC system, some sort of ticketing system, or some custom code, that will help immensely in the long run.
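To show what the "custom code" route for the technology and process KPIs above can look like, here is an added Python example of my own (not from the original post or any ticketing product). It assumes an exported ticket record per incident with RFC 3339 UTC timestamps for detection, containment and remediation, an auto_contained flag, and the list of technologies that fired; the field names and the sample records are constructed assumptions to map your own export onto. It computes the incident counts per ISO week, the percentage auto-contained, mean and median time to contain and to remediate, the age of still-open incidents, and per-technology totals versus sole detections, which is the overlap measure that tells you whether a control is earning its keep.

```python
"""Added example: compute SOF incident-response KPIs from a ticket export.

Illustrative only; field names are assumptions, not a ticketing system's schema.
"""
from collections import Counter
from datetime import datetime, timezone
from statistics import mean, median

# Constructed sample export (not real incident data). Timestamps are UTC.
INCIDENTS = [
    {"id": "INC-1001", "detected": "2024-03-04T09:15:00Z", "contained": "2024-03-04T09:20:00Z",
     "remediated": "2024-03-04T13:15:00Z", "auto_contained": True, "detected_by": ["sandbox", "siem"]},
    {"id": "INC-1002", "detected": "2024-03-05T22:00:00Z", "contained": "2024-03-06T02:00:00Z",
     "remediated": "2024-03-07T22:00:00Z", "auto_contained": False, "detected_by": ["siem"]},
    {"id": "INC-1003", "detected": "2024-03-12T10:00:00Z", "contained": "2024-03-12T10:30:00Z",
     "remediated": "2024-03-13T10:00:00Z", "auto_contained": True, "detected_by": ["edr", "sandbox"]},
    {"id": "INC-1004", "detected": "2024-03-13T08:00:00Z", "contained": None,
     "remediated": None, "auto_contained": False, "detected_by": ["edr"]},  # still open
    {"id": "INC-1005", "detected": "2024-03-14T16:00:00Z", "contained": "2024-03-14T17:00:00Z",
     "remediated": "2024-03-15T16:00:00Z", "auto_contained": False, "detected_by": ["siem", "edr"]},
]


def parse_ts(value):
    """RFC 3339 with trailing Z -> aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hours_between(start, end):
    return (parse_ts(end) - parse_ts(start)).total_seconds() / 3600


def compute_kpis(incidents, now=None):
    """Return the reporting-period KPIs for a list of ticket records.

    `now` is an RFC 3339 string used to age open incidents (default: current UTC).
    """
    now_ts = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    per_week = Counter()
    contain_h, remediate_h, open_incidents = [], [], []
    tech_total, tech_sole = Counter(), Counter()
    multi = 0  # incidents seen by more than one technology (detection overlap)
    for inc in incidents:
        year, week, _ = parse_ts(inc["detected"]).isocalendar()
        per_week[f"{year}-W{week:02d}"] += 1
        if inc["contained"]:
            contain_h.append(hours_between(inc["detected"], inc["contained"]))
        else:  # open incidents are excluded from the averages but reported with their age
            open_incidents.append((inc["id"], round(hours_between(inc["detected"], now_ts), 2)))
        if inc["remediated"]:
            remediate_h.append(hours_between(inc["detected"], inc["remediated"]))
        techs = set(inc["detected_by"])
        tech_total.update(techs)
        if len(techs) == 1:
            tech_sole[next(iter(techs))] += 1  # only this control caught it
        else:
            multi += 1
    n = len(incidents)

    def summary(values):
        return {"mean": round(mean(values), 2), "median": round(median(values), 2)} if values else None

    return {
        "per_week": dict(per_week),
        "auto_contained_pct": round(100 * sum(i["auto_contained"] for i in incidents) / n, 1) if n else 0.0,
        "time_to_contain_h": summary(contain_h),
        "time_to_remediate_h": summary(remediate_h),
        "open": open_incidents,
        "detections": {t: {"total": tech_total[t], "sole": tech_sole[t]} for t in sorted(tech_total)},
        "multi_detected_pct": round(100 * multi / n, 1) if n else 0.0,
    }


if __name__ == "__main__":
    for name, value in compute_kpis(INCIDENTS).items():
        print(f"{name}: {value}")
```

Medians are reported alongside means because one long-running incident (INC-1002 above) drags the mean time to contain well above what most incidents experience; a "sole" count of zero for a technology over several periods is the signal to ask whether that control is still needed.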