Security operations center (SOC) globalization

Transcription

1 Security operations center (SOC) globalization Important factors to consider when centralizing security services and monitoring environment for your organization kpmg.com

2 b Security operations center globalization

3 Security operations center globalization 1 Introduction Companies with a global footprint are increasingly shifting towards centralizing their security operation center and security monitoring functions within a single locale or office. There are obvious benefits that make this model appealing to organizations. First, long-term operational and capital costs are reduced since only one instance of the toolset needs to be purchased and one team of individuals trained. In a decentralized organizational model, any change to security processes or toolsets will need to be effectively communicated to each of the regional teams. Aggregating these functions helps ensure that business processes performed by this central team are repeatable and performed in a consistent manner across the enterprise. Additionally, the quality of work relies heavily upon the skill of the team performing them, and staffing redundancies are almost inevitable. The centralized model keeps the security function running leaner and more efficiently, as management will have a firmer grasp on actual staffing needs for the company holistically as opposed to per location. As attractive as the benefits are, this does not mean that implementing a global security operations center is without its share of pitfalls. There are many factors that organizations do not typically consider, which typically equate to an overrun in budget, time estimations, or failure to meet project objectives. This white paper is designed to highlight many of the hurdles companies have faced when undertaking a globalization or centralization effort of their security operations center.

4 2 Security operations center globalization Common functions for a global security operations center (GSOC) The foundation to building out a GSOC is to determine what security functions will be performed out of the GSOC as opposed to the local office teams. At a minimum, most organizations consider the use of the GSOC for all security monitoring and log management functions. This includes the review of logs and alerts from the corporate Intrusion Prevention System (IPS), Security Information and Event Management (SIEM) system, or anti-virus installations to name a few. As a natural product of this, incident response teams may operate out of the GSOC as well. Assuming the company s log management processes are at a high maturity level, this allows advanced incident responders to gain rapid access to any security logs that may be needed for an investigation or response effort. Incident response is also a shining example of a process that needs to be performed in a consistent manner, which is why it is a prime candidate for centralization. An organization must also be aware of its core competencies, and schedule for availability in order to determine if any functions that can be outsourced to managed security service providers (MSSP) where internal coverage is lacking. For example, many mid-sized or smaller companies find it difficult to establish a 24/7 security operations center and staff it appropriately to manage this function. MSSPs provide services that allow an organization to outsource the security monitoring function, and to some degree the response to an incident, when internal staff lacks the necessary skill set, or staff availability is a challenge. For organizations with the right skill set but lack of off-hours staff availability, a hybrid approach may work best. This allows the organization s resources to be at the switch during the normal work day, with a transition to the MSSP for off-hours monitoring. Finally, global companies with the right skill set and geographic locations may also consider a follow-the-sun model to ensure 24/7 coverage using only internal resources. The answer to the question of having the right outsourcing approach will be based on location, coverage requirements of the program, and staff skill and availability. Rebuilding after the war Once a GSOC consolidation effort announcement is communicated throughout the organization, there will come the inevitable power struggle between the various IT and security teams to stake their respective claims for control. The war will be fought on two fronts, one to control the geographic placement of the new GSOC, and the other to take responsibility for each of the operational processes and corresponding toolsets. The geographic placement discussion may be an easy discussion if there is already a central business/technology hub or if senior management had already predefined its location. Along those same lines, companies often find that years of decentralization ultimately lead to silos of disparate and dissimilar practices across the organization, and different locations or business units can have different requirements for their security program and its objectives. This means that the new team will need to pick and choose what practices and tools work best in a global scale, as well as publish new guidance surrounding the company-wide security model. Additionally, there will almost certainly be pushback from the remote teams that are in the most danger of losing either their jobs or their control in the organization. Senior management will need to be active in communicating the centralization effort, which is one of the best ways to garner the most active support for the project. The tone should be set at the highest levels of IT, with a messaging containing all the potential benefits this effort can provide, as well as reinforcing that this is a project with the steadfast support of the company.

5 The war will be fought on two fronts, one to control the geographic placement of the new GSOC, and the other to take responsibility for each of the operational processes and corresponding toolsets. Security operations center globalization 3

6 4 Security operations center globalization The people and technology pieces of the puzzle are not mutually exclusive. Know your role Centralizing incident response efforts can pose significant challenges in the way local IT teams interact with the Security and Incident Response teams. While the response team may be located in a single geographic location, the different IT teams may be scattered across multiple geographic regions and cities. Investigation of an incident will require participation from multiple cross-functional teams, many of which the Incident Response team may not be familiar with. Direct involvement will be based largely on their familiarity with the compromised asset, which makes geographic location and role within IT primary factors. The fact that the cast of characters may differ widely depending on the specifics of an incident only highlights the need for thorough tabletop testing exercises. In a large environment, the individual creating the testing scenarios needs to determine whether a server compromised in Chicago will involve the same personnel should the same thing happen in New York or London or Tokyo. If the answer is a yes, that scenario will need to be tested twice with each of the different or geographically dispersed teams. In conjunction with testing, specific service level agreements (SLAs) should be made to define exactly what services IT teams need to perform in the event of a response effort, and in what time frame. This is important given the likelihood of the response teams and technical owners never meeting in person, and thus not being able to relay the urgency in the requests. Top-level management support, a solid incident response plan and process, and testing are key to ensuring success during incident response in a centralized incident response/dispersed support model. Tool scalability Now that the teams and tools have been selected and policies approved, the next step is to pressure test the tools to verify they can perform under a global context. Monitoring tools, such as SIEM or intrusion detection systems (IDS), are especially susceptible to being underpowered once companies begin feeding it their complete log set or additional sources that were not considered in the initial regional or local design. Additional sensors for both solutions will need to be procured to provide complete coverage in the environment. Also, the central collection engines may need to be upgraded based upon the increase in log traffic. Baseline testing should be performed in order to determine what SIEM or log management solution would be best suited to handle the increase in logs. Storage for these logs and events may also need to be increased in order to achieve desired data retention rates. The people and technology pieces of the puzzle are not mutually exclusive. With the new global reach of the SOC, more events will inevitably fire from both the IDS and SIEM systems. Policies should be in place to triage these alerts, and adequate headcount should be allocated to respond to any critical events in a timely manner.

7 Security operations center globalization 5 International regulatory and nation-state considerations Regulations governing cross-border transfer of private information, even within the same organization, may need to go through risk management and may take a significant amount of time to complete. For instance, the European Data Privacy Directive states that no transfer of personal data may be sent outside of the European Union unless certain conditions are met. These conditions can range anywhere from companies applying for Safe Harbor status, to having each of their European employees sign explicit agreements allowing their employer to transit their information outside of the European Union. Even when privacy initiatives or regulations do not exist in certain countries in which the company does business, the organization must ensure that adequate risk management practices are followed in the transfer of data in and out of these countries as well as the protection of log and security data while in storage. The privacy of data cannot be ensured in all nations and depends greatly on the nation s local and governmental practices and ability to request and receive data from non-nation state-owned organizations. Many organizations may choose to eliminate certain geographic locations from the globalization to bring the risk to an acceptable level. However, the lack of a global view of security data for the organization is also a risk that must be considered. While these issues may influence the overall geographic placement of the GSOC, consideration must be paid to this issue, and a sound decision based on risk needs to be made. Conclusion Globalization or centralization of a SOC, security monitoring, and response brings the benefits of having a global view of the current security events within the company while reducing costs and increasing efficiencies related to monitoring and response. And while this journey is not without its share of concerns and hurdles, they are not insurmountable with proper management support, risk management, and project planning. Finally, as part of overall project planning, success criteria, metrics, or key performance indicators (KPIs) should be created to track the overall success of the effort and corrective actions implemented as needed to ensure the overall success of this endeavor. KPMG provides an extensive set of services in this space related to current-state SOC assessment, strategy and planning, implementation, and future-state road map development. Our experience in this field allows KPMG to bring industry-leading practices to your organization to help you ensure your security monitoring and response function is protecting your organization from compromise or loss due to security incidents. Marketing After the people, process, and technology have been assembled, an effective marketing strategy is paramount to making your new GSOC a success. Stakeholders in all areas of the organization should be made aware of the types of services currently being provided by the GSOC, and what ad hoc services the GSOC is responsible for should the need arise. To help facilitate this, what many companies have found helpful is a one-page catalog of services along with brief descriptions of each. SLAs should also be defined such that organizations will know approximate turn-around times for each offering provided. This catalog not only provides a helpful reference guide detailing what can be expected of the GSOC, but also helps ensure that other groups within IT do not create redundant processes or implement technologies that are already in place.

8 The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS