2020/05/15 12:34:38

Checklist: check that your SOC "knows how" to do everything it should

What tasks does the SOC have to solve? It is advisable to start a Security Operation Center (SOC) project by answering this question. Rinat Sagirov, lead consultant of the Information Security Center at Jet Infosystems, helped to work out what a modern SOC should "be able" to do and "know", and compiled a checklist on the topic. The checklist is a new format on TAdviser in which experts share practical tips and instructions on the use of various technologies.

What Your SoC Can Do

In addition to monitoring and responding to information security incidents, the SOC can, in principle, solve any other operational task in the field of information security (SecOps).

Example of NIST Cybersecurity Framework SOC Capabilities

Many companies, when organizing a SOC, erroneously focus on its technical equipment and only then begin to build processes and identify the necessary personnel. Meanwhile, it is advisable to start by answering the questions: what does the company need a SOC for, and what tasks should it solve? The answers help to create a target model of the planned SOC based on the target set of its functions or services (if the company has implemented a service-oriented model). For example, MITRE identifies about 40 SOC functions.

List of SOC functions according to MITRE

Personnel - Processes - Technologies: the Main Components

After selecting the target set of SOC functions, experts recommend moving on to the development of a target model that defines its main components in terms of the classic triad "personnel - processes - technologies."

The target SOC model helps answer three questions: what processes are needed; what technologies are required to automate those processes; and what personnel are needed to implement the processes and support the technologies.

There is no universal formula for the composition of a SOC. Each company has its own path and its own "mandatory" SOC set. The composition depends heavily on the target set of functions and the volume of tasks the SOC solves.

The most frequently implemented SOC functions in Russia, according to Jet Infosystems

For companies with a small monitoring coverage area, it is enough to centrally collect, filter and normalize events from the infrastructure using a log management system and to build an information security incident management process, so that a team of 2-3 people can solve the tasks effectively.

Companies with a diverse technology stack, a distributed IT infrastructure and a large fleet of IT tools require a large SOC team to meet monitoring and response challenges, and that team must be able to use, support and develop the related processes and technologies.

Let's take a closer look at the individual components of the SOC based on its basic functionality, which includes real-time detection and analysis of information security violations, incident response, and informing all stakeholders in the company about the current level of security.

"Personnel": what team is needed to operate the SOC

The organizational structure of the SOC depends on its functions, so there are no clear criteria that determine the exact number of personnel. To implement the basic functionality, you need specialists who will solve the following tasks:
- monitoring of information security events;
- registration and classification of suspected information security incidents;
- collection of the data needed to analyze a suspected incident;
- analysis of a suspected incident in order to confirm it;
- coordination of the response to information security incidents;
- administration of the technical tools of the SOC;
- development of the SOC infrastructure.

Example of a Role Model

The core team should be formed as early as possible so that it participates in system implementation and process debugging. Experience in administering IT systems and network infrastructure, implementing and administering information security tools, and penetration testing skills are a good foundation for a SOC employee.

"Processes": what processes are needed to effectively implement the functions of the SOC

A common error when creating a SOC is the improper construction of processes: often their regulatory documentation is not viable and "goes into the drawer." As a result, specialists armed with technical means are left without a clear understanding of their tasks and without detailed instructions for performing them. Under such conditions, it is extremely difficult to organize productive interaction within the SOC and with related units.

For the SOC to be effective, it is recommended to model the processes of both the management layer and the operational layer. The former help ensure the SOC's development and a given quality level for the main functionality. The latter involves building the main processes (those directly related to implementing the target functionality) and the auxiliary ones. The auxiliary processes define approaches to connecting event sources, developing correlation logic, troubleshooting, and keeping up to date the list of information assets under monitoring and the data on these assets.

Typical SOC Process Map

How to Avoid Errors When Building SOC Processes

- Involve all concerned departments in process modeling;
- Fix the areas of responsibility of specialists and determine the most convenient communication channels between them;
- Pilot the modeling results;
- Train everyone who will be involved in the processes, using the analysis of real cases;
- Develop a set of metrics to evaluate whether the process operates correctly.

"In the case of the development of a systemically important bank, we solved the problem of inefficiency in the information security incident management process. As part of the modernization of this process, our team developed a detailed process diagram, including all steps for processing an incident and all possible escalation options. Together with the credit institution, we also identified all roles and developed communication matrices for responding to certain types of incidents, anchoring them in response plans (playbooks)."
Rinat Sagirov, Lead Consultant, Jet Infosystems Information Security Center

"Technologies": which solutions automate the processes

It is advisable to equip a large SOC with tools for automating the processes it has built.

The SIEM system helps automate the detection of information security incidents by collecting, correlating and analyzing information security events from IT infrastructure elements and security tools.

IRP/SOAR systems (Incident Response Platform / Security Orchestration, Automation and Response) increase the speed of incident response by automating the routine tasks of incident processing. For example, they save time on registration, classification (defining the category and criticality level), filling out the incident card, enriching it with events for analysis, checking for malicious indicators of compromise, and performing response actions. With this class of solutions, you can configure response scenarios for each incident category, which helps automate the entire incident management life cycle.

The SOC can use IRP/SOAR systems not only to manage information security incidents but also to solve additional tasks.

Inventory and control of the IT infrastructure
If the system has an asset management module, you can keep the IT infrastructure inventory up to date and address shadow IT. All this is done in close cooperation with other infrastructure systems: the CMDB, the enterprise domain, and IT infrastructure management systems.
Infrastructure vulnerability management
The system not only identifies and records vulnerabilities but also prioritizes them by information asset criticality, and automatically assigns responsibility and deadlines for remediation.
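The incident life cycle that the paragraphs above describe an IRP/SOAR platform automating (registration, classification by category and criticality, enrichment of the incident card from the asset inventory and an indicator feed, selection of a response scenario per category) is sketched below as an added example. It is not code from the article or from any product; the asset inventory, indicator feed, technique-to-category mapping and playbook contents are constructed placeholders, and hosts absent from the inventory are treated as shadow IT.

```python
"""Constructed IRP/SOAR-style incident pipeline: registration with
de-duplication, classification, enrichment and playbook selection.
Added example, not code from the article; all inventories, feeds and
playbooks below are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory standing in for a CMDB / asset-management module.
ASSETS: Dict[str, Dict[str, str]] = {
    "ws-01": {"owner": "alice", "criticality": "low"},
    "srv-02": {"owner": "dba-team", "criticality": "high"},
}

# Constructed indicator feed (TEST-NET address, not a real IoC).
IOC_FEED: Dict[str, str] = {"203.0.113.45": "sample-c2-list"}

# Incident category derived from the ATT&CK technique of the triggering rule.
TECHNIQUE_CATEGORY: Dict[str, str] = {
    "T1003": "credential_access",
    "T1071": "command_and_control",
    "T1110": "brute_force",
}

# Response scenario per category (constructed playbooks; actions are names only).
PLAYBOOKS: Dict[str, List[str]] = {
    "credential_access": ["isolate_host", "reset_credentials", "collect_memory_image"],
    "command_and_control": ["block_indicator", "isolate_host"],
    "brute_force": ["lock_account", "block_source"],
    "unknown": ["assign_analyst"],
}


@dataclass
class Incident:
    id: int
    host: str
    technique: str
    category: str
    criticality: str
    enrichment: Dict[str, object] = field(default_factory=dict)
    actions: List[str] = field(default_factory=list)
    alert_count: int = 1


def classify(technique: str, host: str) -> Tuple[str, str]:
    """Return (category, criticality). Criticality combines the category with
    the asset's criticality from the inventory; an unknown host is treated as
    shadow IT and rated high because nothing is known about it."""
    category = TECHNIQUE_CATEGORY.get(technique, "unknown")
    asset = ASSETS.get(host)
    if asset is None:
        return category, "high"
    if category in ("credential_access", "command_and_control"):
        return category, "critical" if asset["criticality"] == "high" else "high"
    return category, {"high": "high", "low": "medium"}.get(asset["criticality"], "medium")


def enrich(host: str, indicators: List[str]) -> Dict[str, object]:
    """Fill the incident card: asset owner and criticality, shadow-IT flag,
    and which of the alert's indicators are present in the IoC feed."""
    asset = ASSETS.get(host)
    return {
        "owner": asset["owner"] if asset else None,
        "asset_criticality": asset["criticality"] if asset else None,
        "shadow_it": asset is None,
        "ioc_matches": {i: IOC_FEED[i] for i in indicators if i in IOC_FEED},
    }


class IncidentRegistry:
    """Registers alerts as incidents; repeated alerts for the same host and
    technique are attached to the open incident instead of creating duplicates."""

    def __init__(self) -> None:
        self.incidents: Dict[int, Incident] = {}
        self._open: Dict[Tuple[str, str], int] = {}
        self._next_id = 1

    def register(self, host: str, technique: str,
                 indicators: Optional[List[str]] = None) -> Incident:
        key = (host, technique)
        if key in self._open:
            inc = self.incidents[self._open[key]]
            inc.alert_count += 1
            return inc
        category, criticality = classify(technique, host)
        inc = Incident(self._next_id, host, technique, category, criticality)
        inc.enrichment = enrich(host, indicators or [])
        inc.actions = list(PLAYBOOKS[category])
        self.incidents[inc.id] = inc
        self._open[key] = inc.id
        self._next_id += 1
        return inc

    def close(self, incident_id: int) -> None:
        """Closing lets a later alert for the same host/technique open a new incident."""
        inc = self.incidents[incident_id]
        self._open.pop((inc.host, inc.technique), None)


if __name__ == "__main__":
    reg = IncidentRegistry()
    reg.register("srv-02", "T1003")
    reg.register("srv-02", "T1003")                       # duplicate alert, same incident
    reg.register("ws-99", "T1071", ["203.0.113.45"])      # unknown host, indicator hit
    for incident in reg.incidents.values():
        print(incident)
```

The de-duplication key (host, technique) and the criticality matrix are deliberately simple; in a real platform both are tuned per incident category, which is exactly the configuration work the article attributes to the SOC team.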

A Threat Intelligence Platform helps automate tasks related to the use of cyber intelligence (threat intelligence) data. Such tasks include collecting and processing indicators of compromise and then retrospectively analyzing information security events for the presence of the obtained indicators.

What the SOC should identify

When building a SOC, there are often difficulties in understanding which incidents it should detect. This task is solved by its technological core, the SIEM system, by correlating information security events collected from IT infrastructure elements and security tools. Vendors deliver SIEMs with many correlation rules that only need to be adapted to the realities of a particular IT infrastructure. Alternatively, you can write your own rules, guided by the popular MITRE ATT&CK framework and its practice of detecting known attack techniques.

One should not expect a single correlation rule to detect the full vector of an information security threat. The probability that, out of the whole variety of tactics and techniques, the attacker will choose exactly those set up for monitoring is negligible. Therefore, it is better to develop correlation rules aimed at detecting atomic events: the execution of specific techniques of current threats.

How to develop a scenario base
- Identify the current information security threats to the IT infrastructure being connected;
- Define the action scenarios (tactics) for implementing each threat;
- Identify the vulnerabilities that can be exploited within a particular tactic;
- Indicate the ways (techniques) of exploiting those vulnerabilities;
- Determine how to detect the execution of each technique: the set of information security events that indicates an attempt to execute, or the execution of, a specific technique, such as:
  - detection of indicators of compromise (IP addresses, URLs, file hashes, etc.);
  - detection of software that enables the technique;
  - detection of actions taken as part of executing the technique;
- Perform penetration testing to make sure the selected techniques are really relevant to the company.
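The three kinds of atomic detection events listed above (an indicator match, the appearance of software that enables a technique, and an action performed while executing a technique), together with the retrospective re-check of stored events against newly received indicators that the Threat Intelligence Platform paragraph describes, are shown below as an added example of a minimal rule engine. It is not code from the article or from any SIEM; the indicators are TEST-NET and dummy values, the tool list and its ATT&CK technique IDs are a constructed mapping, and the event feed is constructed.

```python
"""Atomic-technique detections over a constructed event feed, plus a
retrospective IoC sweep. Added example; the indicators, tool list and
ATT&CK technique mappings are constructed placeholders, not the article's."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple

# Constructed indicators (TEST-NET address and a dummy hash, not real IoCs).
IOC_IPS: Set[str] = {"203.0.113.45"}
IOC_HASHES: Set[str] = {"a" * 64}

# Constructed list of tools whose presence enables a technique, mapped to the
# ATT&CK technique they are commonly associated with.
TOOL_TECHNIQUES: Dict[str, str] = {
    "mimikatz.exe": "T1003",    # OS Credential Dumping
    "psexec.exe": "T1569.002",  # System Services: Service Execution
}


@dataclass
class Event:
    ts: int          # seconds; constructed relative timestamps
    host: str
    kind: str        # "net", "process" or "auth"
    fields: Dict[str, str]


@dataclass
class Alert:
    technique: str   # ATT&CK technique ID the rule maps to
    rule: str
    host: str
    ts: int
    detail: str


Rule = Callable[[Event], Optional[Alert]]


def make_ioc_rule(bad_ips: Set[str], bad_hashes: Set[str]) -> Rule:
    """Indicator-of-compromise match: known-bad destination or file hash."""
    def rule(e: Event) -> Optional[Alert]:
        if e.kind == "net" and e.fields.get("dst_ip") in bad_ips:
            return Alert("T1071", "ioc_ip", e.host, e.ts, f"dst_ip={e.fields['dst_ip']}")
        if e.kind == "process" and e.fields.get("sha256") in bad_hashes:
            return Alert("T1204", "ioc_hash", e.host, e.ts, f"image={e.fields.get('image')}")
        return None
    return rule


def tool_rule(e: Event) -> Optional[Alert]:
    """Software enabling a technique: execution of a listed tool."""
    if e.kind == "process":
        image = e.fields.get("image", "").lower()
        technique = TOOL_TECHNIQUES.get(image)
        if technique:
            return Alert(technique, "known_tool", e.host, e.ts, f"image={image}")
    return None


class BruteForceRule:
    """Action within a technique: N failed logons from one source inside a
    time window. Stateful, hence a class rather than a plain function."""

    def __init__(self, threshold: int = 5, window_s: int = 60) -> None:
        self.threshold, self.window_s = threshold, window_s
        self.failures: Dict[Tuple[str, str], Deque[int]] = {}

    def __call__(self, e: Event) -> Optional[Alert]:
        if e.kind != "auth" or e.fields.get("outcome") != "failure":
            return None
        key = (e.host, e.fields.get("src_ip", "?"))
        window = self.failures.setdefault(key, deque())
        window.append(e.ts)
        while window and e.ts - window[0] > self.window_s:
            window.popleft()
        if len(window) == self.threshold:  # fire once, when the threshold is crossed
            return Alert("T1110", "auth_brute_force", e.host, e.ts,
                         f"{len(window)} failures from {key[1]} within {self.window_s}s")
        return None


def default_rules() -> List[Rule]:
    return [make_ioc_rule(IOC_IPS, IOC_HASHES), tool_rule, BruteForceRule()]


def run_rules(events: List[Event], rules: List[Rule]) -> List[Alert]:
    """Real-time style pass: events in time order, every rule sees every event."""
    alerts: List[Alert] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        for rule in rules:
            alert = rule(e)
            if alert:
                alerts.append(alert)
    return alerts


def retrospective_sweep(stored: List[Event], new_ips: Set[str], new_hashes: Set[str]) -> List[Alert]:
    """Re-check already stored events against indicators received later."""
    return run_rules(stored, [make_ioc_rule(new_ips, new_hashes)])


# Constructed sample feed: five failed logons, a listed tool, a C2-like connection.
SAMPLE_EVENTS = [
    Event(100 + 5 * i, "ws-01", "auth", {"src_ip": "10.0.0.9", "user": "alice", "outcome": "failure"})
    for i in range(5)
] + [
    Event(130, "ws-01", "auth", {"src_ip": "10.0.0.9", "user": "alice", "outcome": "success"}),
    Event(140, "ws-01", "process", {"image": "mimikatz.exe", "sha256": "b" * 64}),
    Event(150, "ws-01", "net", {"dst_ip": "203.0.113.45", "dst_port": "443"}),
    Event(160, "srv-02", "process", {"image": "PsExec.exe", "sha256": "c" * 64}),
    Event(170, "srv-02", "net", {"dst_ip": "198.51.100.7", "dst_port": "443"}),
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS, default_rules()):
        print(a)
```

Each rule fires on one atomic observation and tags the alert with a technique ID, so an analyst (or the SOAR layer) can chain alerts from the same host into a kill-chain picture instead of relying on one rule to see the whole attack. The retrospective sweep reuses the same indicator rule over stored events, which is how a newly received indicator surfaces an incident that was missed in real time.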

"We applied this approach on a project to build a SOC from scratch for a large metallurgical company. This helped us not only to understand which information assets needed to be connected and which information security threats to put on monitoring, but also to identify threats whose implementation the current protection system did not allow us to detect."
Rinat Sagirov, Lead Consultant, Jet Infosystems Information Security Center

Analytics

Information security events arising in the infrastructure
At the first stage, the SOC has to analyze information security events in IT infrastructure elements and information protection tools in order to identify incidents. This should be done not only in real time but also retrospectively, over a given period of time, so that missed incidents can be detected.

Post-incident analysis
In order not to repeat the incident, it is important to analyze the results of the response: to understand why the incident occurred and how effective the measures taken to eliminate it were. After that, you can develop recommendations: adjust security settings, change incident detection rules, update response plans, etc.

Control of SOC metrics
Tracking metric values allows you to identify and eliminate problems in time, both in the organization of the process and in the personnel implementing it. The following metrics may be useful, for example: the share of incidents whose response deadlines were missed; the mean time to detect information security incidents; the mean time to respond to an incident (by criticality level).
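The three metrics named above, computed over a small constructed incident register, as an added example (not code from the article). The response deadlines per criticality level and the incident timings are constructed assumptions; an incident that is still open counts against the deadline only once the deadline has already elapsed, and open incidents are left out of the response-time average because their response time is not yet known.

```python
"""SOC process metrics over a constructed incident register. Added example,
not from the article; SLA values and incident timings are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Constructed response deadlines (minutes after detection) per criticality level.
RESPONSE_SLA_MIN: Dict[str, int] = {"critical": 30, "high": 120, "medium": 480, "low": 1440}


@dataclass
class IncidentRecord:
    id: str
    criticality: str
    occurred_at: datetime             # first related event, established during analysis
    detected_at: datetime             # when the SIEM/SOAR registered the incident
    responded_at: Optional[datetime]  # first response action; None while still open


def _minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60.0


def mean_time_to_detect(records: List[IncidentRecord]) -> float:
    """Average minutes between the first malicious event and its detection."""
    return mean(_minutes(r.detected_at - r.occurred_at) for r in records)


def mean_time_to_respond(records: List[IncidentRecord]) -> Dict[str, float]:
    """Average minutes from detection to first response, per criticality level.
    Open incidents are excluded: their response time is not yet known."""
    buckets: Dict[str, List[float]] = {}
    for r in records:
        if r.responded_at is not None:
            buckets.setdefault(r.criticality, []).append(_minutes(r.responded_at - r.detected_at))
    return {level: mean(values) for level, values in buckets.items()}


def missed_deadline(r: IncidentRecord, now: datetime) -> bool:
    """True if the response took longer than the SLA, or if the incident is
    still open and the SLA has already elapsed."""
    limit = timedelta(minutes=RESPONSE_SLA_MIN[r.criticality])
    end = r.responded_at if r.responded_at is not None else now
    return end - r.detected_at > limit


def share_missed_deadlines(records: List[IncidentRecord], now: datetime) -> float:
    """Fraction (0..1) of incidents whose response deadline was missed."""
    if not records:
        return 0.0
    return sum(missed_deadline(r, now) for r in records) / len(records)


# Constructed register: timings relative to a fixed reference instant.
T0 = datetime(2020, 5, 15, 12, 0)


def _t(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


SAMPLE_RECORDS = [
    IncidentRecord("INC-1", "critical", _t(0), _t(10), _t(30)),
    IncidentRecord("INC-2", "critical", _t(-60), _t(0), _t(45)),   # responded late (45 > 30)
    IncidentRecord("INC-3", "high", _t(0), _t(5), _t(65)),
    IncidentRecord("INC-4", "medium", _t(-120), _t(20), None),     # still open
    IncidentRecord("INC-5", "low", _t(0), _t(2), _t(32)),
]
NOW = _t(60)

if __name__ == "__main__":
    print("MTTD (min):", mean_time_to_detect(SAMPLE_RECORDS))
    print("MTTR by criticality (min):", mean_time_to_respond(SAMPLE_RECORDS))
    print("Share of missed deadlines:", share_missed_deadlines(SAMPLE_RECORDS, NOW))
```

Splitting response time by criticality matters because a single overall average hides whether the critical queue is being starved by a flood of low-priority incidents; the per-level view is what a shift lead acts on.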

Visualization of reporting
Activity analytics are displayed on dashboards in the form of widgets: all kinds of tables and charts grouped by meaning on one screen. The systems that make up the process core of the SOC (SIEM, IRP/SOAR) can build many types of widgets of any composition and configuration. Most often, dashboards of the operational and tactical levels are developed. The former show a snapshot of the current information security state: new and open incidents, their priorities, staff load, compliance with deadlines, etc. The latter provide statistics on activity over the past month: distribution by incident category and attacked object, mean time to detect and respond to an incident, and performance metrics.

Another way to visualize reporting is to present incident data as graphs, interactive diagrams or network maps. This method shows: the source of the information security incident; the information assets in the corporate network exposed to the attack; compromised accounts; and the possible connection of some incidents with others, which helps identify the attack chain.

New trends

Search for the prerequisites of an attack
Recently, the focus of information security has shifted from identifying malicious actions already committed in the infrastructure to detecting the prerequisites of an attack. In other words, experts strive to identify attacks at earlier stages of the Kill Chain, which describes a universal scenario of an attacker's actions.

Shifting the focus of information security in the detection of cyber incidents

To implement this concept, the SOC needs tools that not only detect signature-based activity but also capture and analyze abnormal behavior, making it possible to detect targeted attacks that use unknown malicious code, compromised accounts, fileless methods, legitimate applications, and actions that by themselves carry nothing suspicious. Gartner positions the bundle of NTA (Network Traffic Analysis), EDR (Endpoint Detection and Response) and SIEM as the set of technical tools needed for maximum infrastructure visibility and for detecting threats designed to bypass traditional defenses.

EDR
Workstations remain the key target of intruders and the most common entry point into a company's infrastructure. Endpoints are connected to the SIEM as event sources for incident monitoring rarely or only partially (only the most critical ones). This is primarily due to the high cost of collecting and processing logs from all endpoints, as well as the huge number of events they generate for analysis, which often overloads SOC personnel. An EDR-class solution can be used to collect endpoint events in the infrastructure and help identify abnormal behavior on the target hosts.

NTA
Network traffic is one of the important sources of events for detecting information security incidents. Often, instead of analyzing it fully, companies limit themselves to collecting logs from standard network security tools and network equipment. The collection and analysis of events within traffic can be automated with NTA-class solutions. Unlike standard network attack detection tools, they operate on large volumes of traffic, which makes it possible to detect the entire attack chain rather than settle for a single signature trigger. An NTA-class system can be useful in detecting unknown threats through behavioral traffic analysis.

Deception tools
Gartner researchers call Deception one of the most important new technologies in information security. Solutions of this class detect malicious actions committed during an APT attack in the IT infrastructure, which often remain invisible to standard security tools. Deception systems create active traps and fake resources that fully simulate the continuous work of real users, software and software complexes operating in the IT infrastructure. Such traps give the attacker the opportunity to "successfully" attack them and achieve imaginary results, thereby buying time for the SOC team to respond.

Breach and Attack Simulation (BAS)
BAS-class systems, which partially automate penetration testing functionality, are also actively developing. They can also be useful in cyber exercises, when SOC personnel need to practice the skills of quickly detecting and responding to attacks.

What else is important not to forget

"Sandbox"
Malware that "breaks free" when an analyst decides to examine it on a production machine can pose a serious threat. For analyzing malicious code, do not forget to include a completely isolated sandbox in the SOC project.

Cyber range
Cyber exercises will require a cyber range: a simulator on which specialists can learn to repel attacks and investigate incidents under combat-like conditions. It will also be useful for testing new protection tools. In fact, this is a test infrastructure that does not interact with the company's main IT landscape. It must provide the ability to simulate various cyber attack scenarios (DDoS, attacks on the OS, web, telecom equipment and Wi-Fi) and to deploy a protection system that allows identifying and countering them.

Protect the SOC itself
Separate, more stringent information security standards need to be developed for the SOC than for the rest of the company. The SOC infrastructure should be as separate as possible from the corporate one: its network segment separated by firewalls and built on dedicated network equipment. Simply put, you should assume that the company's entire IT infrastructure is already compromised. When building a SOC, remember that its eyes and ears are the network sensors and the various information protection tools scattered throughout the company; secure access to them and their own protection must be carefully designed.

Instead of a conclusion

Building a SOC is a long-term and resource-intensive project. The classic approach to such projects can be summed up as "eat the elephant one piece at a time."

"Before the start of the project, when forming the target model, we recommend developing a roadmap for the transition to it, indicating the intermediate states of the SOC and the projects needed to achieve them. It is better to begin building a SOC by implementing the basic functionality: monitoring, detection, response and incident analytics. That is, start with building the information security incident management process and implementing the SIEM system. The next step in improving the SOC is to increase the maturity of the incident management process by developing correlation logic and implementing automation procedures using IRP/SOAR, as well as building more expert processes, such as forensics, proactive search for information security threats, and cyber intelligence data management. Further development is possible if a decision is made to build a full-fledged service-oriented SOC for operational tasks in the field of information security."
Rinat Sagirov, Lead Consultant, Jet Infosystems Information Security Center

For more information on the nuances of building a SOC, please contact the experts of Jet Infosystems.
