White paper. Creating an Effective Security Operations Function

Transcription

1 White paper Creating an Effective Security Operations Function

2 Awareness of security issues is fundamental to an effective policy. When we think of a security operations center (SOC), we often have an image of a large room, full of people sitting in neat rows, with their attention split between their desktop monitors and a big screen up-front similar to the Houston Space Center during a Space Shuttle launch. Of course, such places exist, but in many organizations, the reality is quite different. While almost every enterprise has a security operations function, it can take many forms. In some cases, it s a formally designated group, with dedicated staff and facilities. In other cases, security operations consists of just a handful of people with multiple responsibilities who deal with IT security problems as they arise. Wherever you fall on that continuum, understanding all the activities and roles in a security operations function is the first step in making those operations more effective and efficient allowing you to leverage your related technology investments and human expertise to best advantage. Security Operations Defined: What is it exactly that you do? Security operations is a term that has emerged over the last few years to describe a range of activities intended to keep an organization s information assets secure. In the past, security-related tasks were split, on an ad hoc basis, among security personnel, network administrators and server operations teams. Increasingly, these responsibilities are being united under the umbrella of security operations. Daily Activities Whether or not you have a formal SOC in place, it is quite likely that staff members are performing certain routine duties in some shape or form. These daily activities are designed keep security systems working optimally so that business processes are protected from attacks and abuses, yet can still operate seamlessly and without interruption. Vulnerability management keeps hackers (and auditors) at bay. Identifying unpatched systems, weak passwords and misconfigurations serves two purposes: helping you strengthen both security and compliance. It gives you an accurate picture of security vulnerabilities so, for example, you can encourage server operations staff to patch their systems. In turn you can stay one step ahead of hackers who might want to exploit those vulnerabilities and auditors who will hold you accountable for protecting the infrastructure in a compliant manner. Security device management increases the accuracy of threat detection. Keeping firewall policies up-to-date and tuning rules for intrusion detection (IDS) and security information and event management (SIEM) systems enables you to continually refine the accuracy of alerts. When the technology you have deployed is doing its job effectively, network traffic can flow where it needs to go, software can run without interruption, and staff time is not wasted investigating false positives. Monitoring provides an early warning when problems occur. Scanning the security environment for signs of trouble is an ongoing task. This includes verifying that security systems are working properly, checking various communication channels for automated alerts that may require follow-up, and scanning for other indicators, such as an unexplained spike in network traffic, that may signal an attack is under way. Threat research tells you what to look for and how others are responding. Many resources are available to help you keep track of newly discovered vulnerabilities, how they are being exploited and what fixes have been developed in response. These resources include vendor security advisories, bulletin boards, mailing lists and organizations such as the Computer Emergency Response Team (CERT ), SANS Internet Storm Center and the Department of Homeland Security s Cyber Security Alerts. The information they provide can help you quickly recognize an attack and take appropriate actions to reduce your risk. Longer term, they can help you prioritize security investments to better protect your environment.

3 Tools Data Feeds & bulletin boards Threats Configuration management database Assets Information Alerts Figure 1. A Snapshot of Security Operations Vulnerability assessment SIEM & log management Device consoles Vulnerabilities Events Policies Security Operations Center Reports Advisories Drawing on a wide range of tools and information resources, the Security Operations function continually monitors an organization s security environment, responds to immediate threats and longerterm vulnerabilities, and provides advice and guidance on security matters to both senior management and business units. Identity & access management Identities Incident and Issue Management Beyond daily operations, another set of tasks is carried out in response to security incidents. In smaller organizations such events may only happen periodically; in larger organizations they are likely to occur with greater frequency, requiring the attention of dedicated security operations personnel. Rapid incident response mitigates the impact of attacks. The SOC directs the response to attacks and high-risk vulnerabilities, taking immediate steps to blunt the impact of an attack in progress and providing network administrators and systems operators with guidance on further steps to contain or remediate a threat. Issue triage and incident management help ensure you re spending your time wisely. Most security operations teams have more work than they can handle. Establishing an issue triage process enables staff to quickly assess incidents and issues and prioritize which ones pose the biggest risk to the business. In turn, you can allocate skilled resources to the most urgent and/or important issues. Further, well-defined workflow and escalation procedures help ensure that high-risk incidents are resolved as rapidly as possible. Forensic investigation reveals the underlying source of security incidents. With the right information and tools, security analysts can study the circumstances surrounding an attack or breach and follow the trail of evidence all the way back to the source. In turn, SOC staff can protect against repeat events and your organization can take action against known parties (e.g., employees, partners or contractors) who are involved. Strategic Advice and Guidance In the course of carrying out its duties, Security Operations gathers valuable data on the IT environment and the way the organization is approaching security. Turning that operational data into actionable business advice is also an essential task. Strategic advice on security supports business innovation and growth. With a view of the security environment that is both very broad and highly granular, Security Operations is in an excellent position to advise the business on how security can support strategic initiatives such as acquisitions and mergers, partner networks, and the rollout of new lines of business. RSA White Paper 1

4 Figure 2. Who s Who in the SOC? Even in a relatively small security operations function, roles, responsibilities and the reporting structure typically resemble some variation of this model. Shaded areas represent functional overlap. Strategic Incident Response Day-to-day CSO Strategic advice Metrics gathering Security Manager Metrics gathering IR oversight Metrics gathering Security Guru Issue triage Investigation Threat research Investigation Security Analyst Monitoring & alerting Device configuration management Vulnerability management Security operations metrics show areas requiring improvement. Organization-specific advisories raise awareness and drive change. Operational data gleaned from security event logs and incident reports expose gaps between your expectations for how the SOC should operate and the day-to-day realities with which your staff must contend. By examining trends in operational data, you can pinpoint areas requiring improvement to staffing, training, processes, policy or technology. For example, a persistent failure to patch vulnerabilities may indicate there s a need for stronger communication or awareness training directed at server operations personnel. Extended network slowdowns caused by externally launched attacks might highlight the need for more sensitive monitoring of threats or a more disciplined escalation process. In these and other scenarios, once corrective measures have been taken, trend data can also measure whether those actions are having the desired effect. A key responsibility of the SOC team is to translate the organization s own security incidents as well as threat information being generated by CERT, SANS and other authoritative sources into actionable recommendations specific to the organization. When consistently acted on in a timely way, such recommendations can steadily improve the overall security posture. For example, advisories can provide enterprise architects and others with guidance on the types of controls that need to be put in place to protect the business. Additionally, advisories that are more strategic in nature can raise executive awareness about security issues and influence decision-makers to give security an increased level of attention and investment. 2 RSA White Paper

5 Roles and Responsibilities: Who s Who in Security Operations The most important ingredient in a successful security operations center is a well-functioning team. In small organizations, this may include just one or two people handling all SOC tasks, albeit with a focus that is necessarily limited to the most urgent or critical activities. Larger companies may have a sizable team of dedicated security operations personnel, each with specialized areas of expertise. Figure 2 shows the key functions each role performs and how they map to each other. Security Analysts Security analysts are on the front lines of security operations. They have responsibility for ensuring that security tools are appropriately deployed and are running optimally. They constantly monitor the environment for signs of trouble and are often the first point of contact when a high-risk alert is issued or a suspected attack begins to affect business operations. Analysts also typically conduct the initial stages of a forensics investigation. Research Specialists Behind the scenes at most successful SOCs is one or more security gurus, whose formal title may be Research Specialist or Senior Analyst. Typically these individuals have vast technical expertise and wide experience. They live, breathe and eat security and are called on to assist with security incidents that are particularly complex and/or high-pressure. Due to their grasp of security challenges and technologies, they may also act as a consultant to the SOC Manager and Chief Information Security Officer (CISO), advising them on security strategy. SOC Manager The SOC Manager oversees day-to-day security operations, putting in place the people, tools, processes, and measurement methods needed to achieve SOC objectives for supporting the business. The SOC Manager also serves as the interface between the SOC and the CISO. In this role, he or she translates the CISO s goals and requirements into a set of actions for the SOC team to execute and, conversely, makes the CISO aware of issues requiring executive attention and/or investment. CISO As the primary interface between the security organization and the business, the CISO is responsible for ensuring that SOC resources and activities are aligned to support the overall business strategy and are helping to create business value. The SOC translates business requirements into security operations objectives, prioritizes where budget is spent, and often serves as an evangelist, educating business executives about how security can enable business innovation and be used to manage information risk. More advanced security operations centers are turning to tools like SIEM, as well as log management, to automate information gathering, alerting and reporting. RSA White Paper 3

6 The most advanced SOC teams further enrich their insight into the security environment with contextual information provided by other tools and information sources. SOC Tools: From Basic to Advanced Technology is a key element of security operations, providing the means to centralize processes, automate repetitive tasks, and generally make your people more productive. Most security operations teams make use of the following basic tools: Perimeter security devices and software (e.g., firewalls, IDS and antivirus products) each have their own reporting and alerting mechanisms as well as consoles to make policy changes. In rudimentary SOCs, these tools are often the first point of entry for analysts to investigate or remediate a security issue. Vulnerability assessment tools can be commercial products or open source tools like Nessus. Either way, they provide valuable insight into which systems are patched and configured correctly and which systems pose a security risk to the environment. Freeware diagnostic tools are easily downloadable and are extremely useful, even to the most advanced security operations analyst. Network scanning tools such as nmap, wireless scanning tools (Kismet) or penetration testing tools like Metasploit can be invaluable in testing and diagnosing security issues. Beyond the Basics More advanced security operations centers are turning to tools like security information and event management (SIEM) as well as log management tools to automate information gathering, alerting and reporting capabilities. For example, RSA s SIEM solution the RSA envision platform streamlines security operations by: Providing real-time, actionable security information. Realtime alerts highlight high-risk issues, enabling security professionals to prioritize their activities. Scalable correlation capabilities improve analyst productivity by reducing false positives. Enabling forensic investigations. The RSA envision platform supports investigative work on past security incidents by providing the ability to search events in multiple ways, e.g., time period, user ID, port number, host server, to quickly get to the source of the incident. Workflow accelerates the problem resolution lifecycle from initial investigation, routing to the appropriate team members, automatic escalation of high-priority or hardto-resolve incidents, to resolution, closure and archiving. Increasing visibility into the effectiveness of security measures. RSA envision technology helps organizations assess the effectiveness of their security program by providing information about how well access controls are being enforced as well as any unauthorized applications and network services. Context is Key The most advanced security operations teams further enrich their insight into the security environment with contextual information provided by other tools and information sources. For example the configuration management database which captures configuration data for a wide range of assets makes it easier to assess both the requirements for implementing security changes across the enterprise and the potential operational and business impact of such changes. Identity and access management (IAM) systems provide visibility into user behavior, not only for specific security incidents but also to spot broader IAM trends. This helps increase user accountability while allowing the SOC staff to more easily detect the misuse of privileges by insiders. 4 RSA White Paper

7 Getting Started: How do you get security operations up and running? Once you have identified the current security operations functions and roles within your organization, you will want to identify any gaps and inefficiencies and begin to address them. Some of the key best practices employed by leading IT organizations are summarized below. Start by making the analyst s life easier The security analyst s role can be a frustrating one. It is often highly reactive, and if there is no defined structure in place to prioritize and escalate issues, it can be easily become a firefighting job where staff are constantly suppressing the most obvious symptoms of security threats without resolving the underlying problems. Furthermore, if your security analysts can t access timely and accurate information about what s going on in your environment, it s impossible for them to know if you re putting in place the right controls. Over a month-long period, evaluate the activities on which your analysts are spending their time, and prioritize the places where you think additional staff or technology could have the biggest impact in improving their effectiveness. Give people the right information to do their jobs In all areas of the SOC, doing the job effectively depends on being armed with the right information at the right time. Look at the smart use of technology to put that information into people s hands. Analysts timely alerts, prioritized based on urgency. Log and asset data to provide contextual information about security incidents. Research specialists in-depth information on security incidents as they happen to speed resolution. Data on emerging threats so they can recommend protective measures. Focus on process improvements rather than SOC automation It s unlikely that technology will ever truly replace security operations personnel, but tools such as log management and SIEM can streamline some of the more tedious and repetitive processes they handle and thus make them more productive. One example would be taking IDS alerts, cross-referencing them against a list of machines vulnerable to the particular attack that has been detected, and restarting services on affected devices. In cases where the devices are owned by another group, you may need to negotiate permission to automate remedial action on their devices. Make technology work for your people, not the other way around A successful security operations function depends primarily on having a cohesive team of people, supported by welldefined processes and timely information that empowers them to make well-informed decisions. Technology is useful to the extent that it makes your people more effective, so use solutions such as SIEM judiciously to streamline your processes and make information available in an easily digestible manner. When deciding on the right SIEM technology for your security operations function, look for: An easily deployable solution that accelerates and simplifies your processes. A solution that makes readily available all the data your people need to do their jobs. A solution gives you to the tools to turn operational data into actionable information that will improve your security posture and support strategic business initiatives. Security managers up-to-date status on outstanding security issues. Data on how staff resources are being utilized. CISOs summary information on the most pressing security issues and incidents. Overall risk and security posture of the business. RSA White Paper 5

8 About RSA RSA, The Security Division of EMC, is the premier provider of security solutions for business acceleration, helping the world's leading organizations succeed by solving their most complex and sensitive security challenges. RSA's information-centric approach to security guards the integrity and confidentiality of information throughout its lifecycle no matter where it moves, who accesses it or how it is used. RSA offers industry-leading solutions in identity assurance & access control, data loss prevention, encryption & key management, compliance & security information management and fraud protection. These solutions bring trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit and RSA, envision and RSA Security are registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. CERT is a registered trademark of Carnegie Mellon University. All other products or services mentioned are trademarks of their respective owners RSA Security Inc. All rights reserved. SOC WP RSA White Paper