Fine-Tune Event Detection to AVOID an Event: Fundamental Reasons for an Organization to Adopt a SOC and Reduce SHOCK From SOC!
A Security Operations Center (SOC) is the strut of an organization's threat detection. It is important to fine-tune event detection and to ensure that the SOC fits into operations in a way that supports the business goals.
Inevitably, being flooded with security data is becoming a real challenge. While a heterogeneous set of security solutions is required, it also means that warnings, alerts, actions, or even plain logs arrive in a wide range of formats and standards.
One cannot simply take too much time to collect, detect, interpret and prioritize threats and warnings, because by the time this procedure is done the results may already be disastrous. To deal with these security-information problems, organizations cover their needs with a Security Operations Center (SOC), either as an integrated part of the organization itself or as a service provided by an external partner company. The SOC's role is mainly to provide situational awareness through continuous monitoring of the IT infrastructure and real-time alerting of security-related incidents. The requirements are manifold, but each area falls under the 10 points of consideration and optimization listed below.
10 Points of Consideration and Optimization
1. Which equipment must log data?
2. Which level of verbosity should we apply to each log source?
3. Is there a need for a dedicated component that will log activity on our systems?
4. Where should we store the log data?
5. Which protocols and procedures should be used to establish proper log transmission between the sources and the storage?
6. Define log monitoring, retention and security requirements/policies.
7. What kind of procedure must be used to accept log data from every vendor, in all of its formats?
8. The rules for log aggregation, as well as the place where aggregation takes place, also have to be well defined.
9. Events have to be correlated using specific rules that create the context against which future events will be checked and evaluated.
10. We have to define who must be notified, as well as the actual content of the alert.
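Points 2 and 7 through 10 describe one pipeline: accept log data in several vendor formats, apply a per-source verbosity threshold, build context from earlier events, and produce an alert that names its recipients. The Python sketch below is an added example, not code from the original article or from MITRE; the sample log lines, host names, addresses, severity thresholds, correlation window and notification list are all constructed for the illustration. It normalizes a syslog-style line, a JSON record and a minimal CEF record into one schema, drops low-severity events per source, and raises an alert when a successful login follows three or more failures from the same source within five minutes.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in three vendor formats (ISO-timestamped syslog
# text, JSON lines, and a CEF-style record). Hosts, users and addresses are invented.
RAW_LOGS = [
    "2024-01-10T10:00:01Z fw01 sshd[1234]: Failed password for root from 10.0.0.5 port 5555 ssh2",
    '{"ts":"2024-01-10T10:00:05Z","host":"app01","event":"auth_failure","src":"10.0.0.5","user":"admin"}',
    "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Login failed|5|rt=2024-01-10T10:00:09Z src=10.0.0.5 suser=bob dvchost=vpn01",
    "2024-01-10T10:00:12Z fw01 sshd[1234]: Accepted password for admin from 10.0.0.5 port 5556 ssh2",
    '{"ts":"2024-01-10T10:00:20Z","host":"app01","event":"debug","src":"10.0.0.9","user":"svc"}',
    "2024-01-10T10:30:00Z fw01 sshd[1234]: Failed password for root from 10.0.0.7 port 5557 ssh2",
]

# Point 2: minimum severity accepted per log source (hypothetical thresholds).
MIN_SEVERITY = {"fw01": 1, "app01": 3, "vpn01": 3}
# Point 9: correlation rule parameters (hypothetical).
FAILURE_THRESHOLD = 3
WINDOW = timedelta(minutes=5)
# Point 10: who is notified for each rule (hypothetical recipients).
NOTIFY = {"brute-force-then-success": ["soc-oncall@example.invalid"]}

SYSLOG_RE = re.compile(r"^(\S+) (\S+) (\S+?): (.*)$")
AUTH_RE = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+)")
CEF_EXT_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Point 7: map one raw line from any supported format to a common schema.
    Returns None for lines that match no known format."""
    if line.startswith("{"):
        rec = json.loads(line)
        outcome = {"auth_failure": "failure", "auth_success": "success"}.get(rec.get("event"), "other")
        severity = {"failure": 5, "success": 3}.get(outcome, 1)
        return {"ts": parse_ts(rec["ts"]), "host": rec["host"], "src": rec.get("src"),
                "user": rec.get("user"), "outcome": outcome, "severity": severity}
    if line.startswith("CEF:"):
        # Minimal CEF split; real CEF also escapes '|' and '=' inside fields.
        parts = line.split("|", 7)
        name, severity, ext = parts[5], int(parts[6]), dict(CEF_EXT_RE.findall(parts[7]))
        outcome = "failure" if "failed" in name.lower() else "other"
        return {"ts": parse_ts(ext["rt"]), "host": ext.get("dvchost", parts[2]), "src": ext.get("src"),
                "user": ext.get("suser"), "outcome": outcome, "severity": severity}
    m = SYSLOG_RE.match(line)
    if m:
        ts, host, _proc, msg = m.groups()
        a = AUTH_RE.match(msg)
        if not a:
            return {"ts": parse_ts(ts), "host": host, "src": None, "user": None,
                    "outcome": "other", "severity": 1}
        outcome = "failure" if a.group(1) == "Failed" else "success"
        return {"ts": parse_ts(ts), "host": host, "src": a.group(3), "user": a.group(2),
                "outcome": outcome, "severity": 5 if outcome == "failure" else 3}
    return None


def normalize_all(lines):
    """Normalize every line, discarding lines that no parser recognizes."""
    return [ev for ev in (normalize(line) for line in lines) if ev is not None]


def apply_verbosity(events):
    """Point 2: drop events below the per-source severity threshold (default 3)."""
    return [ev for ev in events if ev["severity"] >= MIN_SEVERITY.get(ev["host"], 3)]


def build_alert(rule, trigger, context):
    """Point 10: the alert carries its recipients and the context that justified it."""
    return {"rule": rule, "notify": NOTIFY[rule], "src": trigger["src"],
            "success_user": trigger["user"], "success_host": trigger["host"],
            "failure_count": len(context),
            "hosts": sorted({f["host"] for f in context}),
            "users": sorted({f["user"] for f in context if f["user"]}),
            "first_seen": context[0]["ts"].isoformat(), "last_seen": trigger["ts"].isoformat()}


def correlate(events):
    """Point 9: failures from a source build context; a later success from the same
    source within WINDOW, after FAILURE_THRESHOLD or more failures, raises an alert."""
    recent_failures = defaultdict(list)  # src -> failure events seen so far (the context)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] is None:
            continue
        if ev["outcome"] == "failure":
            recent_failures[ev["src"]].append(ev)
        elif ev["outcome"] == "success":
            ctx = [f for f in recent_failures[ev["src"]] if ev["ts"] - f["ts"] <= WINDOW]
            if len(ctx) >= FAILURE_THRESHOLD:
                alerts.append(build_alert("brute-force-then-success", ev, ctx))
                recent_failures[ev["src"]].clear()
    return alerts


def run_pipeline(lines):
    """Normalize, filter by verbosity, correlate; returns the alerts to dispatch."""
    return correlate(apply_verbosity(normalize_all(lines)))


if __name__ == "__main__":
    for alert in run_pipeline(RAW_LOGS):
        print(json.dumps(alert, indent=2))
```

On the constructed input the pipeline keeps five of the six events (the app01 debug record falls below that source's threshold) and emits a single alert for 10.0.0.5 that lists the three hosts and users involved in the preceding failures. The lone failure from 10.0.0.7 produces nothing, which is the point of point 9: a single event is judged against context, not in isolation.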
Achieving the right balance in technology selection always depends on adopting a strategy that supports the mission and vision statement. MITRE has clearly stated the strategies below for adopting and implementing a SOC that can help the organization reduce its risk level and ensure effective and efficient monitoring of threat events.
10 Strategies to Adopt for SOC Decision Making
1. Consolidate CND (computer network defense) under one organization
2. Achieve balance between size and agility
3. Give the SOC the authority to do its job
4. Do a few things well
5. Favor staff quality over quantity
6. Maximize the value of technology purchases
7. Exercise discrimination in the data you gather
8. Protect the SOC mission
9. Be a sophisticated consumer and producer of Cyber Threat Intelligence
10. Stop, Think, Respond Calmly
Choose a solution that meets the needs of your organization, and sidestep adoption based on the fantasy of having a SOC as a practice, which brings no real value to the organization except SHOCK from SOC!