Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

3/13/2017
10:30 AM
Chris Crowley
Chris Crowley
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What Your SecOps Team Can (and Should) Do

If your organization has all of these pieces in place, congratulations!

The security operations (SecOps) function takes many forms. For some organizations, it is simply a incident and event management device. Others have a more elaborate concept of their SecOps strategies and technologies. But most companies I've worked with, both small and global, lack adequate clarity for SecOps objectives.

SecOps manifests in many ways, but it's likely to be administered via a cybersecurity operations center (CSOC or SOC) of some sort. For those companies that do have a clear picture of what they should be doing, execution of that vision in the immediate term and on an ongoing basis will be the next challenge. This brief description is intended to provide a picture of what fully operational security operations can do. Designing, building, and operating with ongoing optimization of performance and maturity is the program I develop fully in my SANS management course. If your organization has these functional capabilities; technology, people, and processes in place to accomplish these objectives; and an ongoing dialogue with the business for maturity: congratulations! You and your team are among the global elite.

Security Operations
My definition of security operations is the ongoing protection of information assets of an organization. This covers the people, systems, and data entrusted to the organization. SecOps is a support function to the business operations and it should be fully integrated with those operations. To that end, I use several functional areas to explain what complete security operations entails.

Functions
The groups below are functional areas. Some companies will combine these groups, some will have distinct organizational units. But the functional capability is what is important.

  • The steering committee is a group designed to help the business provide strategic vision. This strategy is what the SOC should do to best defend the business's information assets. Via the steering committee, the SOC conveys to the business what it has done to protect the business and what it intends to do going forward. This is designed to establish and maintain ongoing, bidirectional communication between the SOC and the business. Without a formal mechanism for this alignment, there will be wasted effort.
  • The command center is the directive and interactive facility of the SOC. It is how the business can request assistance from SecOps. It serves as the way to announce information to the business for situational awareness during incidents and ongoing training.
  • Network security monitoring is the practice of inspecting available internal data for abnormal circumstances. This should include routine alert-based detection as well as long-tail analysis and hunting for novel threat events.
  • Threat intelligence is the study of adversary operations to devise detective and responsive actions for the organization. Because the organization has limited resources to deploy defense, understanding the techniques that adversaries use allows for effective defenses to be deployed to detect, disrupt, and deceive the attacker.
  • Incident response is the organization's reactive capability to deal with unwanted situations. In this functional grouping, the detection of the situation is typically performed by the network security monitoring team while the reactive attempts to contain damage from the attack and remove the attacker completely are the purview of the incident response team.
  • Forensics is the specialized capability to assess information assets for details surrounding investigations and response activity. The complex array of technology used by an organization warrants specialization in this area.
  • Self-assessment is the ongoing assessment of the state of systems and people within the organization. This includes change management and detection; configuration management; vulnerability assessments; penetration testing; and setting up a "red team" to promote effectiveness. These are frequently considered security tasks. But incorporating these tasks into SecOps becomes an effective way to facilitate detection and advise the operational capabilities on the status of the environment. For example, if the vulnerability scan team works with threat intelligence, rapid detection via network security monitoring can be accomplished when new threats or vulnerabilities are discovered. Coordination among these groups in mature SecOps often leads to the discovery of previously unknown threats and vulnerabilities.

People, Technology, and Processes
The tangible components of the functional areas include people performing processes with technology. Many vendor sales teams will tell you to make the technology the centerpiece of your design and build your process around it. Business alignment, then process development, then role definition, and then technology selection is the optimal sequence for building security operations. Even if there's already an existing SecOps organization, redesigning it should follow this sequence.

The details of the interactions between the functional areas, and how each area performs its work must be coordinated to feed input from one process into the next. Without this overall vision and tactical coordination, the security operations will fail to perform optimally and can't hope to mature uniformly across all functional areas.

Here is a graphic image of the processes performed by each (and a more complete visual approach to this material can be downloaded from SANS):

Image Source: Chris Crowley
Image Source: Chris Crowley


A SecOps team is most effective when it is closely aligned with the business and has a clear understanding of what capabilities are needed and how these functions interact with one another. The necessary functions are business alignment (the steering committee), communication (the command center), monitoring (network security monitoring), detailed analysis of threats (threat intelligence), response capability (incident response), detailed analysis of artifacts (forensics), and ongoing assessment and improvement of the security posture of the organization (self-assessment).

Related Content:

Chris Crowley is as an independent consultant at Montance, LLC, focusing on effective computer network defense. His work experience includes penetration testing, security operations, incident response, and forensic analysis. He is the course author for "SANS Management 517 - ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24376
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory w...
CVE-2021-24377
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on t...
CVE-2021-24378
PUBLISHED: 2021-06-21
The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute w...
CVE-2021-24379
PUBLISHED: 2021-06-21
The Comments Like Dislike WordPress plugin before 1.1.4 allows users to like/dislike posted comments, however does not prevent them from replaying the AJAX request to add a like. This allows any user (even unauthenticated) to add unlimited like/dislike to any comment. The plugin appears to have some...
CVE-2021-24383
PUBLISHED: 2021-06-21
The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue