SECURITY OPERATIONS CENTER (SOC)
Implementing Security Monitoring in Small and Mid-Sized Organizations

A White Paper Presented by:
MindPoint Group, LLC
8078 Edinburgh Drive
Springfield, VA 22153
(o) 703.636.2033 (f) 866.761.7457
www.mindpointgroup.com
blog.mindpointgroup.com

SBA 8(a) Certified Small Disadvantaged Business
Woman-Owned Small Business (WOSB)
Economically Disadvantaged Woman-Owned Small Business (EDWOSB)
Minority-Owned Small Business
BACKGROUND

The primary goal of a Security Operations Center (SOC), or a security-monitoring infrastructure, is to provide the capability to detect and analyze potential information security and privacy-related incidents. Security and privacy incidents can greatly impact any organization's operational effectiveness and can hinder the organization's ability to complete its mission.

The SOC also provides several other capabilities that are of importance to a security program. For example, a properly designed and implemented SOC will provide the ability to easily interpret and output security metrics. Security metrics support the organization in assessing security initiatives and investments, which can aid in decision-making, planning, resource allocation, and product and service selection. In addition, security metrics can provide tactical oversight, enabling the organization to monitor and report on the security posture of systems in real time, gauge the effectiveness of controls, and provide reporting and trending data (Jansen, 2009).

This is true regardless of an organization's size: the SOC is no less important to smaller organizations than to larger ones. For instance, small or mid-sized organizations may still be part of a formally regulated industry, or may simply wish to implement security best practices in order to protect customer data or proprietary company data. Additionally, a data breach in a small or mid-sized agency can have just as much of an impact as a breach that occurs within a larger organization. In fact, smaller organizations may not have the same level of resources available to them as large organizations when responding to a data breach. Legal resources, damage to the company brand, and investigative and clean-up costs after an incident can quickly add up for a small operation. Effectively, an identical breach could impact a smaller organization more in terms of its ability to absorb the associated costs and consequences.
The primary issue affecting smaller organizations is the perception that SOCs are for large enterprises and cost tens of millions of dollars to implement, or that small organizations cannot realize the benefits of implementing a SOC due to environmental constraints even though they need one. In response to this, smaller organizations tend to take one of the following approaches:

- Decide that it is out of reach for their organization, and go no further;
- Decide that the only cost-effective option for a small to mid-sized organization is to contract the work to a Managed Security Service Provider (MSSP);
- Decide to implement security monitoring in-house.

In spite of the perceived restrictions to implementing a SOC, MindPoint Group has helped implement cost-effective monitoring solutions, and as a result many small organizations have been able to successfully implement and run comprehensive security monitoring solutions. A successful solution requires certain choices to keep it within the budget limitations of the organization, but those limitations do not make it impossible. In fact, extremely effective features can be implemented even with a limited budget. With a clear picture of your environment, the threats your organization faces, your available budget, the recurring costs involved in the final solution, the human resources available to support the solution, careful planning, and the support of management, you have a strong chance of implementing a successful SOC solution.

COMPARISON OF THE OPTIONS

When an organization decides to tackle the challenge of implementing a SOC, it will essentially take one of two main approaches: implement an MSSP solution, or implement an in-house SOC.

The MSSP solution is an attempt to generalize security monitoring so that it can be resold to many different clients in order to achieve economies of scale. The MSSP will often provide a good basic level of protection, but due to the generalized nature of their solution they rarely provide much beyond that basic level. These services rarely provide equipment and software tuning for an organization's specific needs, or a staff solely focused on researching and developing protection against the organization's specific threats. Additionally, the organization may lose the long-term value gained from implementing and customizing equipment and software for their environment, as well as the knowledge and experience developed by a dedicated staff. All the equipment, software, and staff, and all the data and knowledge stored in these resources, are solely the property of the MSSP and are lost when switching providers or moving to an in-house solution.

The in-house SOC solution is primarily designed, implemented, managed, and operated by internal resources. In most cases, consultants who are experts in security monitoring and analysis assist with the initial planning, design, and implementation. Additionally, there is some outside help from vendors providing specific equipment as part of the solution. The benefit of an in-house SOC solution is that the solution is tailored to the environment.
All of the devices are tuned specifically to protect against the threats facing the environment, and in-house staff usually have the skills and knowledge necessary to ensure that the solution comprehensively addresses the security needs of the organization. An in-house SOC solution routinely works for most organizations, but proper staffing can sometimes be difficult for smaller organizations.

OUR EXPERIENCE

MindPoint Group's team has extensive experience in implementing the various stages of the SOC and security-monitoring program life-cycle. We are equipped to help clients design, implement, manage, and operate a SOC. Additionally, our experience in a variety of SOC environments means that we are well equipped to assist with staffing, training, and process development, as well as researching threats and developing customized protection mechanisms.

We were recently contracted to design and build a security-monitoring infrastructure for a small government agency. This type of solution would be categorized as an in-house solution that started with a reliance on our expertise during the design and build-out, but ultimately transitions to using internal organizational employees for management and operation of the SOC. Despite the size of the agency, highly sensitive data is processed at the core of their business processes, and their operations are spread across seven main sites with more than two dozen satellite offices.

When we first began work at the agency there was little to no security monitoring program established. Significant, recent turnover in the Chief Information Officer (CIO) office included the security staff. The program that was established was focused on compliance, policies, and vulnerability management/system patching. While those are important aspects of a security program, they do not address actively monitoring the traffic on the network. The security and network teams had little insight into what was actually occurring on the network. Although there were some incidents they could respond to, they did not have the tools, personnel, or processes in place to identify the incidents in the first place.

Even with this nearly blank slate, a few technologies were already in place that could be used in the design and implementation of the SOC:

- Anti-Virus: The organization had a centrally managed host-based anti-virus solution in place.
- Firewalls: The organization had proper firewall technologies in place at their egress/ingress points.
- Security Information and Event Management (SIEM): The organization had purchased a product for log collection and correlation which was actually a full-featured SIEM priced for small and mid-sized environments. However, the product had not been put into production at the time we started.

Because these products were already purchased, we were able to focus more effort on selecting technologies to provide intrusion detection and data loss prevention capabilities. We were also able to put significant effort into the technical design of the components and how they would interact, as well as effective configuration and tuning. Oftentimes these projects get bogged down in vendor and product selection, and the more important tasks of proper design, implementation, and customization/tuning suffer.
Our design phase consisted of the following steps:

- Client consultation to get a better understanding of the client's business and the threats they faced on a regular basis. We worked with the client on daily activities to see if there were any differences between perceived threats and actual threats.
- We identified the various sources of data which the client considered most sensitive, as well as the high-value targets present in their network.
- We consulted with the various teams within the organization (network infrastructure, server, desktop) in order to get a better understanding of their needs, as well as a clear picture of how a proper monitoring solution could be integrated into the environment most efficiently.

From these data points we crafted a comprehensive Concept of Operations (CONOPS) for the SOC. The CONOPS clearly described the current state of the security monitoring program, its issues and strong points, and the impacts of problems with the program. The document then followed with a clear picture of our recommendations for implementing the SOC program. This included recommendations for changes to current technologies; procurement of new technologies; staffing needs; standard operating procedure and policy development; incident/case management processes; and knowledge sharing/training initiatives.

Some of the challenges in developing this type of to-be state involve effectively dealing with the unknowns. Sometimes budgetary or staffing constraints are not clear. However, we are always focused on creating the right solution for the given environment, and focus on understanding the client as much as we understand the technology.

We knew the organization needed an IDS and DLP solution, and we set out to propose the most effective solution that would meet the needs of the organization, be manageable by a limited staff, and provide the greatest value. Our design strategically combined commercial tool options with free open source software (FOSS) tools, and utilized existing hardware and resources where available. Ultimately we knew that the Data Loss Prevention (DLP) space was the one area where the organization needed the most advanced and effective solution, and that funds would need to be directed there first in order to build a program that secured the client's data assets. Because of this, we planned for and proposed an intrusion detection system (IDS) solution that utilized leading-edge FOSS IDS technology alongside commercial tools. The proposed FOSS IDS solution gave the organization an IDS infrastructure that matched or exceeded the commercial solutions in terms of detection capability, but cost more in terms of administration and resource utilization. Working closely with the client, the design ultimately allowed for the procurement of an industry-leading commercial solution in the DLP space, due to cost savings from hardware repurposing and the use of FOSS tools. Once the solution was designed and approved, a project plan was built and the solution was implemented.
The implementation experienced several issues that threatened successful completion within the defined timeframes:

- Procurement: The organization experienced many issues in procuring the technology in a timely fashion. Due to the layout of the project plan, this began to delay certain aspects of the project. We were able to quickly reorganize the plan in order to work around these issues.
- Staffing: The organization had multiple staffing and resource availability issues during the project that caused delays. We were able to work around these issues in most instances, but these are unfortunately the biggest threat to completing projects on time within a small organization.
- Other projects: The organization had multiple other large-scale infrastructure projects taking place during the time of implementation. Shifting of already thin personnel resources to these projects delayed certain pieces of the implementation.

The above issues did cause minor delays with the project, but in most cases we were able to quickly pivot the project onto another task to minimize the impact. We accomplished this by minimizing task dependencies, keeping the project team small to maximize agility when switching tasks, and by being flexible and client-focused. By focusing on the client's needs we were able to deliver tasks at the appropriate times, provide guidance on the impact of other projects, and provide support on tertiary tasks in order to free up organizational resources and move our tasks forward.

The final implementation consisted of the following capabilities:

- Network IDS
- Network Data Loss Prevention
- SIEM
- Host-based AV and Host-based IDS
- Centralized Log Collection

In addition to the functions above, we developed Standard Operating Procedures (SOPs) and helped to institute processes. Throughout the project we provided knowledge transfer and staff training. We were also able to utilize several products to fill gaps in the security infrastructure. For instance, full packet capture is an invaluable resource to a security program, but it is often expensive in terms of the hardware and software required. We considered using OpenFPC to perform packet capture, which would have eliminated software costs but would still have required an expensive capital expenditure on hardware. Instead, we were able to fill this need by utilizing a feature built into the SIEM which allowed us to capture and store internal/external traffic.

TAKEAWAYS

Security monitoring and analysis is a key capability needed to support ongoing security operations. An organization's incident handling capability relies on a strong security monitoring capability in order to identify all potential incidents and to capture as much information as possible about those incidents. Some things to keep in mind when entering into a SOC or security-monitoring project:

- Each organization has its own requirements, priorities, and operating environment that need to be identified and addressed in any solution design. Sometimes the key players at the organization are too close to identify any or all of the above items. This makes outside input all the more important to successfully design a solution.
- In-house and MSSP solutions can in most cases meet all of an organization's needs and be successful, but the right decisions need to be made upfront during the design phase.
- Commercial solutions are not always necessary, and many FOSS products can lower costs while providing great functionality. Don't forget to factor in the increase in resource usage (i.e. administration, maintenance, and setup) that is often hidden.
- When deciding whether to use an MSSP, remember that their business model is to use the same cookie-cutter solution for all customers. If you don't need customization, then this is truly a viable option. Consider having a third party evaluate the organizational needs and then work as an advocate for the organization during the selection and implementation phases of an MSSP solution.
At MindPoint Group we take an approach focused on logical design, identifying customer needs, efficient implementation, extensive tuning, and effective staffing. We understand the challenges associated with keeping an organization secure, and have experience staffing, designing, and building SOCs at small and large organizations. You can leverage our expertise to help implement this type of capability in your organization and determine whether an in-house or MSSP solution is the right fit for you.

ABOUT MINDPOINT GROUP

MindPoint Group, LLC (MPG) is a Small Business Administration (SBA) certified 8(a), Woman-Owned (WOSB), Economically Disadvantaged Woman-Owned (EDWOSB), and Minority-Owned Small Disadvantaged Business (SDB) with its headquarters in Springfield, VA. MPG's Information Security and Privacy (ISP) services provide program management support, security assessment & authorization (S&A, formerly C&A), independent verification and validation (IV&V), continuous monitoring, cyber security, security controls and vulnerability assessments, penetration testing, and security operations center support. MPG understands that information security has a broad scope, and an effective information security program must integrate with a number of other organizational processes in order to function effectively. MPG has experience developing and implementing a wide range of security policies, procedures, and technologies in a variety of environments, with the goal of ensuring the confidentiality, integrity, and availability (CIA) of our clients' sensitive assets and information systems. MPG specializes in implementing IT Security Program Management through our IS&P methodology of establishing a collaborative working environment across all disciplines through innovation, technical excellence, and a dedication to repeatable processes. MPG goes beyond FISMA compliance by helping our clients align Federal regulations with their operational mission.
Through this methodology, MPG has successfully supported various clients in integrating security across a wide range of security domains and environments. For more information on our solutions, please visit our web site at www.mindpointgroup.com, or check out our blog at blog.mindpointgroup.com.