Building a modern SOC: The importance of SIEM
Building a modern SOC. Security Information and Event Management (SIEM) technologies are not new, but there remains plenty of misinformation and misunderstanding about how to use them.
How SIEM delivers significant operational efficiencies
Critics focus on them being little more than log collector and storage tools that due to their management overhead gives little in the way of return on investment (ROI). What these critics fail to acknowledge is that by rethinking how security operations centres (SOCs) operate, SIEM technologies deliver significant operational benefits and efficiencies. Do you know what it takes to deploy a SIEM and upgrade your security to enable proactive threat hunting?
Building a modern SOC with SIEM
By integrating a SIEM into the core of your SOC and re-engineering some of the processes you can start to improve your cyber assurance and realise a highly favourable ROI. Let’s start with staffing; you might already have a security team looking after firewalls, antivirus products and intrusion prevention systems. That’s a lot of “security systems” to monitor and the addition of a SIEM may just add yet another thing to do. But what if you look at the SIEM from the perspective of a consolidation technology which merges information from all these systems to a single screen.
Instead of going straight to security operations, start talking to your network, server and desktop teams, and maybe even your database team, to see which aspects of security operations would sit more naturally with them. For example, adjusting the rule-set on a firewall is not unlike changing the configuration on a router or core switch. Your network team almost certainly knows all about firewall administration already. Firewalls are simply another networking device. If you can move the operation and management of your firewalls to the networking team, you’ll have freed up the time for your security operations team to focus on threat management and assurance.
A second example might be to consider reallocating responsibilities for your antivirus technology to your server and desktop team. That team usually manages the configuration and software build of operating systems, along with software distribution and general systems administration, so adding your antivirus technology to their portfolio makes logical sense. These small changes are starting to free up enough time for your security team to initiate proactive threat hunting practices and develop more rigorous vulnerability assessments.
A SIEM will allow you to streamline processes
Reallocating workflows and IT management activities to other technical teams can free up valuable security resources to refocus on streamlining processes and making proactive improvements; but don’t stop there. Run the next phase of modernising security operations as a project. Appoint a project manager, set the scope and identify all the requirements of a contemporary security operations centre.
Now you can focus on getting the best out of your SIEM platform. The scope of your operational activities includes maintaining compliance, detecting and reporting on threats, and incident response. To achieve these deliverables you will be collecting and analysing significant amounts of data to allow your operations team to undertake two kinds of activities:
- Historical log analysis used for audits and forensic investigations;
- Real-time alerting, based on identifying threats from individual records or correlations that fire when a series of security events are detected.
Your design team should produce workflows and process documentation for all the activities the security operations team will undertake, including any incident management and compliance reporting that the organisation needs to consider.
Integration of operational security processes with the rest of your service management team’s processes is essential to optimise successful security outcomes. The security team needs representation on your Change Approval Board (CAB) so that they are aware of any changes to the infrastructure or network that might impact the SIEM application directly or indirectly.
Security analysts can also use the CAB approval of a database update to trigger a proactive response, for example, to run exercises with the database administrators to identify any vulnerabilities in the new system (producing specific events when identified attacks occur).
Integrate Security Incident Management processes into your SOC
If you already have an effective incident management procedure, make sure you integrate security incident management processes into it so that first-line resolver groups (service desk) know how to handle all types of incident. Equally, if you have a problem management process, extend it to include resolution of security problems. All of this becomes an extension of the SOC.
Working closely with other operations managers from diverse areas of the business is critical to make sure security obligations and requirements are coordinated and delegated appropriately. Enlist them as stakeholders and train them to understand security requirements. In doing so, you will improve general operations and streamline the processes to deliver proactive security, as well as pushing security awareness throughout the IT management team.
By performing consistent and comprehensive infrastructure monitoring and having an efficient change management process, the SOC team can focus on reporting by exception rather than simply indicating change-related activities. This shift in emphasis will take hold over a transition period as the number of incidents starts to reduce (cutting false positives). The quality of security reporting will also improve, and you’ll notice better collaboration between the SOC and the rest of your service management team.
The establishment of formal processes and workflows will enable performance measurement and form the basis for continuous process improvement and ongoing refinement of your security capability.
Continue to focus on process improvements
Now that you have installed your SIEM at the heart of the SOC, analysts can add the specialist oversight necessary to drive the delivery of new and improved outcomes. Continual improvement of analysts’ processes and training them in threat modelling and threat hunting skills will ensure cyber-readiness across the team. Your SOC now monitors the pulse, blood pressure and temperature of your organisation, and as soon as it gets sick, your analysts will know about it. Welcome to a modern security operations centre.