Chapter-1: Overview of Deploying SOC
Shahab Al Yamin Chawdhury
Cybersecurity Consultant | Enterprise Architect | Mentor by Life
Overview
Pull yourself together for the first step; you will never know what’s out there for you if you don’t take the first step. It’s all in your head!
The cybersecurity operations center (CSOC) is a vital entity within any enterprise structure. Its responsibilities are governed by the size of the enterprise, whether the enterprise is multinational, the enterprise’s preference for centralized or decentralized cybersecurity management and operations, and whether the CSOC is in-house or outsourced. In addition, the CSOC mission and charter are highly correlated with how well the enterprise’s executive team understands the intricacies of cybersecurity. Prefixes such as C (cybersecurity) and A (advanced) mark some of the SOC types; we will stick to simply “SOC” and use that throughout the book.
The CSOC is valuable because it combines and maximizes skilled resources, best practices, and technology solutions for the purpose of timely detection, real-time monitoring and correction, and response to cyberthreats to protect the organization’s assets. In addition, the CSOC has the platform to collect the status of various incidents, infrastructure status and the effectiveness of the enterprise’s defense preparedness through the reporting of predesigned key performance indicator (KPI) metrics intended for various stakeholders. Many factors play a role in establishing and investing in a CSOC. According to a 2019 survey by the SANS Institute, the greatest challenges in establishing a service model for a CSOC are:
1. Lack of knowledge and available documentation and frameworks.
2. Lack of skilled staff.
3. Lack of automation and orchestration.
4. Too many tools that are not integrable.
5. Lack of management support.
6. Lack of processes or playbooks.
7. Lack of enterprise-wide visibility.
8. Too many alerts that cannot be investigated (lack of correlation between alerts).
9. Non-compliance; the depth of audit is not understood.
10. Unawareness of insider threats: exposed code repositories, stolen code, developers’ laptops that are not secured, anyone able to clone the git repositories or run scans on the internal network for resource mapping.
11. Unawareness of external threats: bad network design, public-IP exposure that lets attackers reach laptops and servers directly, servers exposed to external networks, ACLs not in place, faulty BGP announcements and authentication, NTP authentication disabled so that continuous time sync cannot be established.
12. Unawareness of advanced persistent threats (APTs) and zero-days on all fronts: no knowledge of CVEs and no care to patch as updates arrive, no following of current threat research, and never scanning the infrastructure for potential ransomware and malware.
13. Potentially stolen IP: IP reputation is never checked, SMTP relays are open so attackers can bounce emails through them, and SPF, DKIM and DMARC are misconfigured.
14. ITIL functions and practices are missing.
15. Infrastructure vulnerabilities are not assessed and remediated properly.
16. Threat defense requirements and documentation are not effectively mapped or properly communicated; stakeholder engagement is not controlled, addressed or projected; operational challenges are not regularly presented to or addressed by the senior management team.
17. Gaps in core functional areas: security monitoring and detection, data protection and monitoring, security administration, remediation, security roadmap and planning, SOC architecture and engineering (the systems your SOC runs on), security architecture and engineering (the systems in your infrastructure environment), threat research, compliance support, digital forensics, SOC team requirements, and incident response.
18. NOC and SOC are isolated and function independently.
19. Silo mentality between security, IR and operations.
20. Lack of context for what we are seeing, on which to base action.
21. Regulatory or legal requirements.
22. Baseline SOC functions are inadequate: application log monitoring, continuous monitoring and assessment, behavioral analysis and detection, endpoint monitoring and logging, DNS log monitoring, customized or tailored SIEM use-case monitoring, AI or machine learning, e-discovery (supporting legal requests for specific information collection), lawful interception requests from regulators, external threat intelligence (for online precursors), frequency analysis of network connections, full packet capture, NetFlow analysis, network intrusion detection/prevention systems (IDS/IPS), network access control, priority-based transmissions, packet analysis (other than full PCAP), network traffic analysis and monitoring, security orchestration and automation (SOAR), threat hunting, threat intelligence (open source and vendor-provided), user and entity behavior monitoring, etc.
23. Device firmware is not kept up to date or patched; installing firmware updates before placing a device in production is a necessity but is mostly ignored.
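Item 13 above calls out misconfigured SPF and DMARC as a gap a SOC should be aware of. As an added example that is not from the book or its job aids, the following Python audits a domain’s SPF and DMARC TXT records for the weak settings a defender would flag; the domain names, record contents and the `lookup_txt` resolver stub are constructed assumptions, not real data.

```python
# Constructed sample DNS TXT records (not real domains): one weak setup, one hardened.
SAMPLE_TXT = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 include:mail.example.test +all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "hardened.test": ["v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.hardened.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.test"],
}

# Hypothetical resolver stub: swap in a real DNS TXT lookup for production use.
def lookup_txt(name, records=SAMPLE_TXT):
    return records.get(name, [])

def check_spf(domain, records=SAMPLE_TXT):
    """Flag SPF settings that let arbitrary hosts send as the domain."""
    findings = []
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    terms = spf[0].split()[1:]
    # The trailing 'all' mechanism decides what happens to every unlisted sender.
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises any host to send as the domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral, giving receivers no basis to reject")
    return findings

def check_dmarc(domain, records=SAMPLE_TXT):
    """Flag DMARC settings under which spoofed mail is still delivered or unreported."""
    findings = []
    recs = [r for r in lookup_txt("_dmarc." + domain, records)
            if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record"]
    tags = {}
    for part in recs[0].split(";"):          # tag=value pairs separated by ';'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received")
    return findings

def audit_domain(domain, records=SAMPLE_TXT):
    """Return SPF and DMARC findings for one domain; empty lists mean no issues found."""
    return {"spf": check_spf(domain, records), "dmarc": check_dmarc(domain, records)}
```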
PRO-TIP: Port and protocol controls aren’t enough to protect your critical and business-critical services. ACLs permitting only trusted transmissions must also be in place. Enterprise risk management is what we will be doing throughout the book.
We will be talking about these items repeatedly, especially on PPTD, until they imprint on your brain; that is what this study material is produced for.
When an enterprise is committed to establishing and investing in a CSOC, these pitfalls must be avoided, and valuable lessons can be learned from other enterprises. After all, what we are doing here is minimizing risks across the organizational networks and connected devices by securing them against misuse and for data protection, which is essentially ERM (Enterprise Risk Management), BCP (Business Continuity Planning) and DRP (Disaster Recovery Planning).
PPTD (People, Process, Technology, Data)
Let’s break down the importance of people, process, technology, and data in a Cybersecurity Operations Center (SOC):
People: The SOC is staffed by a team of skilled security professionals, including security analysts, incident responders, threat intelligence analysts, and security engineers. These experts are responsible for monitoring security events, analyzing alerts, investigating security incidents, and responding to them. They also improve the systems and processes needed to optimize and transform world-class security operations. A diverse team with a variety of backgrounds and experiences is required to handle the complexity of security.
Process: Well-defined processes and procedures govern SOC operations. These include incident response plans, escalation procedures, and incident handling guidelines. Effective processes ensure a systematic and organized approach to cybersecurity. The SOC manages operational cybersecurity activities and identifies, detects, protects against, responds to, and recovers from unauthorized activities affecting the enterprise’s digital footprint.
Technology: The SOC uses sophisticated technology to monitor, detect, and respond in real-time to cybersecurity threats. It combines and maximizes skilled resources, best practices, and technology solutions for the purpose of timely detection, real-time monitoring and correcting, and responding to cyber threats to protect the organization’s assets. The SOC also selects, operates, and maintains the organization’s cybersecurity technologies.
Data: Data is the lifeblood of a SOC. It includes logs, alerts, network traffic data, and threat intelligence feeds. Analyzing this data provides insights into potential threats and vulnerabilities. The SOC also uses data analytics, external feeds, and product threat reports to gain insight into attacker behavior, infrastructure, and motives.
In summary, an efficient Cyber Security Operations Center is an orchestrated blend of sophisticated technology, carefully defined roles, synchronized communication, and a highly resilient team. It’s important to note that the effectiveness of a SOC is highly dependent on the interplay of these four elements. Each one is crucial and the absence or weakness of any one element could potentially hinder the SOC’s effectiveness.
By effectively balancing and integrating these four elements, a SOC can enhance its ability to detect and respond to cybersecurity threats, thereby improving the overall security posture of the organization.
Software Deployment Roadmap – 3-Year Planning Tool
With this Excel file (provided in the job aids as ‘software deployment planning’), you can plan your service and component deployments ahead of time; you can also change the layout as you see fit for SOC deployment services.
Why Enterprise Architecture
Technology groups need to be able to execute strategic projects that fundamentally alter the way the company operates and does business. A 2019-2021 study from Accenture on enterprise technology strategies and their impact on company performance showed that leaders in tech adoption and innovation were growing revenues at 5x the speed of tech laggards. We believe that strategy, and the execution of that strategy, is key to driving transformation.
The key words in digitalization are ‘transformation’ and ‘collaboration’. We are positioned to help CEOs, CISOs, COOs, CIOs and CTOs become the chief transformation leader. Enterprise Architecture (EA) is a transition to managing strategy and transformation as an anticipatory discipline. Transformation execution primarily stems from strategy, innovation, and facilitation.
EA can be the catalyst to bring together the current and future needs of the organization and develop a solid plan to make them a reality. This brings about meaningful change. Without the right approach, companies pursuing digital transformation risk failure. Failure can range from increased tech costs to a company’s inability to grow and reach its potential.
EA can avoid these pitfalls by balancing actionable projects with dynamic, long-term strategy and a practical approach. This new practical approach can help:
In the majority of cases there are four key items that hinder transformation:
The strategic appetite for a Cybersecurity Operations Center (CSOC) is essentially the level of cyber risk an organization is willing to accept in pursuit of its business objectives. This is typically articulated in a documented cyber risk appetite statement.
Business Goal Alignment to Technology
Business goal alignment to technology is the process of ensuring that the IT department’s objectives are aligned with the goals of the organization and of each group within it. It helps the IT team deliver value to the business and its customers, improve agility and innovation, and optimize the use of resources and budget.
Some of the ways to achieve business goal alignment to technology are:
The Sad Story of Enterprise Architecture Formulation
In almost all cases, startup companies and legacy companies that are now gigantic in size went through such a transformation from a bad setup to service operational excellence. Carnegie Mellon and Microsoft have CoE-based specialized pathways defining how to enable and achieve a center of excellence.
As the picture depicts, investments went down the drain: portals could not cope with the sheer volume of users or with maintaining their access levels, and employees waited for hours for a T-SQL query to complete for a report. This sort of thing happened in the past. Back then the architects could sleep well at night, as there were very few virus infections at large; they did not destroy documents, only applications were targeted, and those were easily removed. But as time passed, things got complicated. Attacks on different layers confused architects and OEMs, so they catalogued all the types of threats, started patching devices and applications, changed application designs, separated out access layers, re-calibrated the scrutiny of data accuracy, and updated and put in place true server-client communication RFCs; in time these outlines became the gold standard.
Developers can change how their product works, but it will not always work. The knowledge that created the problem must not be used to solve the problem. Integrating different imported libraries and building software across different platforms will almost always fail to produce the desired results (in performance), and this is not the best way to do it. You will need to create your own libraries to fulfill your requirements: imported libraries come with their own flaws and vulnerabilities, and when a proper code review and pentest takes place, these will lead to catastrophic failures, and you will end up developing something unrecognizable, just like the picture!
At that time, the frameworks, the standards and the whole body of practice were completely absent. The people who understood this rotated back to learn them, then came back and updated or upgraded the same infrastructure over and over again at the cost of a king’s treasure. Organizations soon found out that the most easily found languages are not the best when a scalable application cannot be derived from them and the requirements cannot be served. Then came the spider: multi-tenancy requirements were on the rise, it became paramount to design or architect your infrastructure in the right way to support your business needs, and applications that were built in a monolithic way moved to better architectures with microservices.
But still, arguably, if you design it the right way it will support the scale and the TPS requirements as well. If you use Kubernetes, it comes with humongous challenges in maintaining thousands of nodes, and at some point you will call for professional services, which will lead you to spend more and more. Check first whether you really need Kubernetes; save your life first! This is where the value of Enterprise Architecture design comes in, and once more everything went upside down: there is no way to know in advance whether an adopted system architecture will be able to deliver. Nowadays every bit of engagement comes with a checklist, from project management to delivery, calculated in man-hours; WBSs are getting more and more sophisticated as visibility and cost involvement are included in every study; and AI-enabled project management software is also on the rise.
I will try to formulate how best to derive and adopt an EA, and how to map some of the common requirements, in the upcoming chapters.
______________________________________________________________________________________
FREE eBook - 476 Pages
Complete Guide to Cyber Security Operation Center
I’ve recently completed a book on SOC, a project close to my heart, that delves into the exciting realm of Security Automation, Orchestration, and Hyper-automation platforms in the SOC. If you’ve ever found yourself overwhelmed by the multitude of cybersecurity solutions, this post is designed to be your personal guide to developing a fully functional SOC. This eBook comes with plenty of examples and illustrations to help you understand complex concepts, from data collection requirements to incident response, automation, playbooks and integration requirements under the scope of IT, IS and cybersecurity.
A big shout-out to Brad Voris for his review of the book; his insights made this book even richer.
Knowledge Areas Covered
- Enterprise architecture strategy to better formulate your SOC.
- Visibility and data ingress requirements for your SOC.
- SOC functions, KPIs, processes, frameworks, and automation requirements.
- Derive your analyst JD aligned to international frameworks.
- SOC organogram with Red, Blue and Purple team maturity, tactics, functions and activities.
- SIEM and SOAR architecture design guidelines to achieve more from these integrations.
- Detection engineering with OSINT, CTEM.
- Incident response with CSIRT, DFIR.
- Tabletop exercises explained and operationalized.
- Artificial Intelligence and Data Science in SOC.
- How to develop your open-source based SOC; full hardware BoQ and network design are provided.
- Bonus chapters: IT Project Management, VA/PT Plan, ITIL Strategy Frameworks, Jurisdiction Assignment Matrix, etc.
Download the eBook
Download this eBook (pdf): https://lnkd.in/gTRnhmPp
DM me for the DOCX version of the book.
Join Discord: Please DM me on LinkedIn, I will send you the link to join.
1000+ Job aids – download extra documentation.
60 Body of Knowledge (BoK) links.
1500+ curated list of VA/PT tools as job aids.
200+ References to support your SOC operations even further.
Download all the available documents from here: https://lnkd.in/eNNUm9XW
Download Job Aids: https://lnkd.in/gCKq6R-D
If you find it useful and informative, please share/repost the book with your network.
#infosec #cyber #cybersec #cybersecurity #informationsecurity #enterprisearchitect #cybersecurityarchitect #csoc #soc #security #securityoperationcenter #securityoperations #blueteam #redteam #purpleteam #siem #soar #c2 #noc #threatintelligence #stride #iso27001 #cref #mitre #securityanalyst #eql #sigmarules #securitytriage #threathunting #detection #detectionengineering #cti #incidentresponse #ttp #ioc #playbook #runbook #osint #soc #csoc #csirt #dfir #ctem #cspm #tabletop #cognitivebias #opensourcesoc #vulnerabilityassessment #penetrationtesting #forensic #blackbox #greybox #whitebox #datascience #technology #siem #soar #bgdegovcirt #independentuniversity #artificialintelligence #governance #strategy
Senior Executive Officer (Assistant Manager), 11 months ago: Very useful