Security operations center (SOC) globalization
Important factors to consider when centralizing security services and the monitoring environment for your organization
kpmg.com
Introduction

Companies with a global footprint are increasingly shifting towards centralizing their security operations center and security monitoring functions within a single locale or office. There are obvious benefits that make this model appealing to organizations. First, long-term operational and capital costs are reduced, since only one instance of the toolset needs to be purchased and only one team of individuals trained. In a decentralized organizational model, any change to security processes or toolsets has to be communicated effectively to each of the regional teams; aggregating these functions helps ensure that the business processes performed by the central team are repeatable and performed consistently across the enterprise. Additionally, the quality of the work relies heavily upon the skill of the team performing it, and in a decentralized model staffing redundancies are almost inevitable. The centralized model keeps the security function running leaner and more efficiently, as management will have a firmer grasp of actual staffing needs for the company as a whole rather than per location.

As attractive as the benefits are, implementing a global security operations center is not without its share of pitfalls. There are many factors that organizations do not typically consider, and overlooking them typically results in budget overruns, missed time estimates, or failure to meet project objectives. This white paper is designed to highlight many of the hurdles companies have faced when undertaking a globalization or centralization effort for their security operations center.
Common functions for a global security operations center (GSOC)

The foundation for building out a GSOC is to determine which security functions will be performed by the GSOC as opposed to the local office teams. At a minimum, most organizations use the GSOC for all security monitoring and log management functions. This includes the review of logs and alerts from the corporate Intrusion Prevention System (IPS), Security Information and Event Management (SIEM) system, or anti-virus installations, to name a few. As a natural consequence, incident response teams may operate out of the GSOC as well. Assuming the company's log management processes are at a high maturity level, this gives advanced incident responders rapid access to any security logs that may be needed for an investigation or response effort. Incident response is also a prime example of a process that needs to be performed consistently, which is why it is a strong candidate for centralization.

An organization must also be aware of its core competencies and its ability to schedule staff for availability, in order to determine whether any functions should be outsourced to a managed security service provider (MSSP) where internal coverage is lacking. For example, many mid-sized or smaller companies find it difficult to establish a 24/7 security operations center and staff it appropriately. MSSPs provide services that allow an organization to outsource the security monitoring function, and to some degree the response to an incident, when internal staff lack the necessary skill set or staff availability is a challenge. For organizations with the right skill set but a lack of off-hours staff availability, a hybrid approach may work best: the organization's own resources are at the switch during the normal work day, with a transition to the MSSP for off-hours monitoring.
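Whichever staffing model is chosen, the coverage requirement is the same: every hour of the day has a team responsible for alerts. The following check, an added example that is not part of the paper, takes a roster of shifts and reports the UTC hours nobody staffs and the hand-off hours two teams share. The rosters, team names and fixed UTC offsets are constructed for illustration.

```python
# Constructed shift rosters (not from the paper). Each shift is
# (team, UTC offset in hours, local start hour, local end hour); an end hour
# below the start hour wraps past midnight. Fixed offsets keep the example
# offline; a production roster should use IANA zones so DST is handled.
HYBRID_ROSTER = [
    ("internal SOC", -5, 8, 18),   # Chicago (CDT) day shift
    ("MSSP", -5, 18, 8),           # outsourced off-hours monitoring
]
FOLLOW_THE_SUN = [
    ("Chicago", -5, 8, 16),
    ("London", +1, 8, 16),
    ("Tokyo", +9, 8, 16),
]


def shift_utc_hours(offset, start, end):
    """UTC hour-of-day slots covered by a local shift [start, end)."""
    length = (end - start) % 24 or 24
    return {(start + i - offset) % 24 for i in range(length)}


def coverage_report(roster):
    """Return (gaps, overlaps): UTC hours no team staffs, and hours
    staffed by more than one team (the hand-off windows)."""
    covered = {}
    for team, offset, start, end in roster:
        for h in shift_utc_hours(offset, start, end):
            covered.setdefault(h, []).append(team)
    gaps = [h for h in range(24) if h not in covered]
    overlaps = {h: teams for h, teams in sorted(covered.items()) if len(teams) > 1}
    return gaps, overlaps


def on_shift(roster, utc_hour):
    """Teams that should receive an alert raised at the given UTC hour."""
    return [team for team, offset, start, end in roster
            if utc_hour in shift_utc_hours(offset, start, end)]


if __name__ == "__main__":
    for name, roster in (("hybrid", HYBRID_ROSTER), ("follow-the-sun", FOLLOW_THE_SUN)):
        gaps, overlaps = coverage_report(roster)
        print(f"{name}: uncovered UTC hours {gaps}, hand-off overlaps {overlaps}")
```

With the constructed rosters the hybrid model covers all 24 hours, while three identical 8-16 shifts leave 21:00-23:00 UTC unstaffed between Chicago's end and Tokyo's start, which is exactly what a follow-the-sun design has to be tested for.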
Finally, global companies with the right skill set and geographic locations may also consider a follow-the-sun model to ensure 24/7 coverage using only internal resources. The right outsourcing approach will depend on location, the coverage requirements of the program, and staff skill and availability.

Rebuilding after the war

Once a GSOC consolidation effort is announced throughout the organization, there will come the inevitable power struggle between the various IT and security teams to stake their respective claims for control. The war will be fought on two fronts: one to control the geographic placement of the new GSOC, and the other to take responsibility for each of the operational processes and corresponding toolsets. The geographic placement discussion may be an easy one if there is already a central business/technology hub or if senior management has already predefined the location. On the second front, companies often find that years of decentralization ultimately lead to silos of disparate and dissimilar practices across the organization, and different locations or business units can have different requirements for their security program and its objectives. This means that the new team will need to pick and choose which practices and tools work best at a global scale, and publish new guidance on the company-wide security model. Additionally, there will almost certainly be pushback from the remote teams that are in the most danger of losing either their jobs or their control in the organization. Senior management will need to be active in communicating the centralization effort, which is one of the best ways to garner the most active support for the project. The tone should be set at the highest levels of IT, with messaging that conveys all the potential benefits this effort can provide and reinforces that this is a project with the steadfast support of the company.
Know your role

Centralizing incident response efforts can pose significant challenges to the way local IT teams interact with the security and incident response teams. While the response team may be located in a single geographic location, the IT teams may be scattered across multiple geographic regions and cities. Investigation of an incident will require participation from multiple cross-functional teams, many of which the incident response team may not be familiar with. Who is directly involved will depend largely on familiarity with the compromised asset, which makes geographic location and role within IT the primary factors. The fact that the cast of characters may differ widely depending on the specifics of an incident only highlights the need for thorough tabletop testing exercises. In a large environment, the individual creating the testing scenarios needs to determine whether a server compromised in Chicago would involve the same personnel as the same compromise in New York, London, or Tokyo. Where the personnel differ, that scenario will need to be tested separately with each of the geographically dispersed teams. In conjunction with testing, specific service level agreements (SLAs) should be established to define exactly which services IT teams need to perform in the event of a response effort, and in what time frame. This is important given the likelihood that the response teams and technical owners will never meet in person, and thus may be unable to convey the urgency of their requests. Top-level management support, a solid incident response plan and process, and testing are key to ensuring success during incident response in a centralized-response/dispersed-support model.
Tool scalability

Now that the teams and tools have been selected and policies approved, the next step is to pressure test the tools to verify they can perform in a global context. Monitoring tools such as SIEM or intrusion detection systems (IDS) are especially susceptible to being underpowered once companies begin feeding them their complete log set, or additional sources that were not considered in the initial regional or local design. Additional sensors for both solutions will need to be procured to provide complete coverage of the environment, and the central collection engines may need to be upgraded to handle the increase in log traffic. Baseline testing should be performed to determine which SIEM or log management solution is best suited to handle the increase in logs. Storage for these logs and events may also need to be increased in order to achieve the desired data retention periods.

The people and technology pieces of the puzzle are not mutually exclusive. With the new global reach of the SOC, more events will inevitably fire from both the IDS and SIEM systems. Policies should be in place to triage these alerts, and adequate headcount should be allocated to respond to any critical events in a timely manner.
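The baseline test above needs target figures to confirm. The following capacity model is an added example, not from the paper: it sums the per-region sources the global SIEM will ingest, applies a peak factor, derives the storage that the retention period implies, and flags where a platform sized for the old regional design falls short. The source list, event sizes and all ratios are constructed assumptions to be replaced by measured values.

```python
# Constructed per-region log sources (not from the paper): (source, sustained
# events per second, average raw event size in bytes). A regional design is
# typically sized for one row; the global SIEM has to absorb all of them.
SOURCES = [
    ("NA firewalls + IPS", 1500, 400),
    ("EMEA Windows + anti-virus", 900, 650),
    ("APAC web proxy", 1200, 300),
]


def sizing_plan(sources, retention_days, peak_factor=3.0,
                compression=0.25, index_overhead=0.4, headroom=0.3):
    """Derive the ingest and storage figures a baseline test should confirm.

    peak_factor   : burst multiplier over sustained EPS (incident, scan, outage storm)
    compression   : stored bytes / raw bytes after the platform compresses events
    index_overhead: extra fraction of stored bytes consumed by indexes
    headroom      : growth margin applied to the final storage figure
    All ratios are assumptions; replace them with values measured in the test.
    """
    sustained_eps = sum(eps for _, eps, _ in sources)
    bytes_per_sec = sum(eps * size for _, eps, size in sources)
    daily_raw_gb = bytes_per_sec * 86400 / 1e9
    retained_gb = daily_raw_gb * retention_days * compression * (1 + index_overhead)
    return {
        "sustained_eps": sustained_eps,
        "peak_eps": sustained_eps * peak_factor,
        "daily_raw_gb": daily_raw_gb,
        "retention_storage_gb": retained_gb * (1 + headroom),
    }


def check_platform(plan, licensed_eps, provisioned_gb):
    """Findings where the candidate platform falls short of the global plan."""
    findings = []
    if plan["peak_eps"] > licensed_eps:
        findings.append(f"collector/licence ceiling {licensed_eps} EPS is below "
                        f"the global peak of {plan['peak_eps']:.0f} EPS")
    if plan["retention_storage_gb"] > provisioned_gb:
        findings.append(f"provisioned storage {provisioned_gb} GB is below the "
                        f"{plan['retention_storage_gb']:.0f} GB needed for retention")
    return findings


if __name__ == "__main__":
    plan = sizing_plan(SOURCES, retention_days=90)
    print(plan)
    # A platform sized for the old regional design: 5000 EPS licence, 10 TB.
    for finding in check_platform(plan, licensed_eps=5000, provisioned_gb=10000):
        print("FINDING:", finding)
```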
International regulatory and nation-state considerations

Regulations governing the cross-border transfer of private information, even within the same organization, may require a risk management review and may take a significant amount of time to address. For instance, the European Data Privacy Directive states that no personal data may be transferred outside of the European Union unless certain conditions are met. These conditions range from companies applying for Safe Harbor status to having each of their European employees sign explicit agreements allowing their employer to transfer their information outside of the European Union. Even where privacy initiatives or regulations do not exist in certain countries in which the company does business, the organization must ensure that adequate risk management practices are followed for the transfer of data into and out of those countries, as well as for the protection of log and security data while in storage. The privacy of data cannot be ensured in all nations; it depends greatly on the nation's local and governmental practices and on its ability to request and receive data from organizations that are not state-owned. Many organizations may choose to exclude certain geographic locations from the globalization effort to bring the risk to an acceptable level. However, the resulting lack of a global view of security data is itself a risk that must be considered. While these issues may influence the overall geographic placement of the GSOC, they must be given due consideration, and a sound decision based on risk needs to be made.

Marketing

After the people, process, and technology have been assembled, an effective marketing strategy is paramount to making your new GSOC a success. Stakeholders in all areas of the organization should be made aware of the types of services currently provided by the GSOC, and of the ad hoc services the GSOC is responsible for should the need arise. Many companies have found a one-page catalog of services, with a brief description of each, helpful here. SLAs should also be defined so that the organization knows the approximate turnaround time for each offering. This catalog not only provides a helpful reference detailing what can be expected of the GSOC, but also helps ensure that other groups within IT do not create redundant processes or implement technologies that are already in place.

Conclusion

Globalization or centralization of a SOC, security monitoring, and response brings the benefit of a global view of the current security events within the company, while reducing costs and increasing efficiencies related to monitoring and response. And while this journey is not without its share of concerns and hurdles, they are not insurmountable with proper management support, risk management, and project planning. Finally, as part of overall project planning, success criteria, metrics, or key performance indicators (KPIs) should be created to track the success of the effort, with corrective actions implemented as needed.

KPMG provides an extensive set of services in this space related to current-state SOC assessment, strategy and planning, implementation, and future-state road map development. Our experience in this field allows KPMG to bring industry-leading practices to your organization to help you ensure your security monitoring and response function is protecting your organization from compromise or loss due to security incidents.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International. NDPPS 102644