I posted about 5 Steps to Building and Operating an Effective Security Operations Center (SOC) on the Ciscopress and informit websites. The concepts come from my recent Cisco Press book. Below is the first part of the article and a link to continue reading.
As security threats in the wild continue to advance in capabilities, demand increases for organizations to develop a Security Operations Center (SOC, pronounced sock). Relying on basic security solutions such as firewalls and anti-virus software is not good enough; this minimal approach is equivalent to protecting a bank merely by locking the front door. Cyber security requires layers of defenses, similar to how a bank protects valuables with a security strategy that includes cameras, guards, safes, and other measures beyond locking the front door. Layering cyber security solutions requires somebody to be responsible for enabling and maintaining security, which leads to the demand for a SOC.
Starting the SOC Conversation
The biggest challenge in starting the conversation about the need for a SOC is justifying the cost to people who don’t understand the threat landscape or the value of being proactive rather than reactive about security. According to the 2015 Verizon Data Breach Investigation Report, “In 60% of cases, attackers are able to compromise an organization within minutes,” and “75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours).” Waiting to react to a breach until after damage has been done will most likely lead to an extremely costly recovery. We have all seen in the news the amount of money lost from data breaches. Showcasing a few data breach examples from a source such as DataLossDB will surely make your point.
One way to help justify the SOC budget is by posing the following questions to the organization’s leadership:
- How can you detect a compromise?
- How do you judge the severity of the compromise?
- What is the impact of the compromise to your organization?
- Who is responsible for detecting and reacting to a compromise?
- Who should be informed or involved, and when do you deal with a compromise once it is detected?
- How and when should you communicate a compromise internally or externally? (Note that sometimes engaging the authorities is required by law.)
These questions are designed to make the organization’s leadership think about the impact of an incident and judge their existing cyber security capabilities. Many organizations find that they need to develop a better incident-response plan—one that requires a group within the organization to be responsible for it. That group should be the SOC.
Five major steps are involved in developing a SOC:
- Planning the SOC.
- Designing the SOC.
- Building the SOC.
- Operating the SOC.
- Reviewing the SOC.
The following sections review the actions required in each step of SOC development.
Step 1: Planning the SOC
Read more at http://www.ciscopress.com/articles/article.asp?p=2460771