
Four Challenges Facing Every Security Operations Center Manager

A White Paper Presented by Leidos

"There are no challenges, only opportunities."

This statement, derived from a quote by General Douglas MacArthur, illustrates the importance of approaching IT security from a proactive posture, as opposed to a reactive stance.

It has become increasingly essential that organizations achieve a proactive, and even predictive, approach to cybersecurity. Recent advanced persistent threats (APTs) in banking, for example, led to the loss of billions of dollars of revenue by financial giants like J.P. Morgan Chase. These incidents, particularly their occurrence in organizations known to invest a large portion of funding and time into security, can be sobering to any company interested in either constructing its first, or bolstering a current, security operations center (SOC).

Within the cybersecurity industry, a SOC should first have the capabilities to instill a proactive and predictive approach that can blanket intellectual property (IP) with 24x7 protection. The second half of this equation entails support to understand attackers, learn from them, and evolve with their changing tactics.

Challenges arise in the development of such a SOC: resource constraints, organizational silos, misunderstood alarms and threat levels, and data integrity and management. At Leidos, we mitigate these challenges by approaching them as opportunities to strengthen a cybersecurity posture and better protect assets. Understanding and intelligence improve an organization's security to mitigate today's threats and anticipate future challenges.

RESOURCE ALLOCATION

An ongoing concern of the cybersecurity owner is personnel resources, or the scarcity of them. Do we have enough people? Do they have the right skills? Do we have those people in the right types of roles? What happens if someone leaves the organization? What can we do to better support our computer network defense posture?

All of these questions are applicable to most disciplines and industries. The unique challenge for cybersecurity is that these roles are still relatively new. Decades of organizational research and development exist for most industries; however, very little precedent and guidance exist for the development of a SOC organization. This creates a nearly insatiable demand for people with these skills.

Another challenge associated with staffing an operations center is geography. The information technology core is often located near a company's headquarters in an urban setting. The location proves challenging for SOC managers with employees who want to work remotely from home or a satellite location. The sensitive nature of most SOC roles often makes managers hesitant to permit work-from-home policies. However, with two-factor authentication, good security practices and procedures, and key individuals on site, the virtual workplace can become an option. Establishing such policies allows access to a larger pool of talent and, in turn, means better alignment of staffing with demand and growth.

The key to having effective remote policies is a strong organizational structure. Having a nucleus of leaders and highly technical professionals on site is essential to the organizational development of the SOC. These personnel must understand the culture of the company, be well versed in the enterprise, and possess valued skills, such as malware analysis, reverse engineering, and intelligence processing, that need to remain internal to the organization.

Secondary resources, often called support staff, such as lower-level analysts, intelligence analysts, and malware support members, can be located remotely. Their roles often include steps that can be repetitive, logical to follow, and easy to teach and transfer.

Managers are often under the impression that efficiency entails a 24x7 human presence. Despite the urge to have a person stare at screens all night and struggle to stay awake, it's important to explore a more farsighted approach: removing the resource productivity gap by leveraging finely tuned technology monitoring services. Such services automatically and immediately notify the appropriate staff when a critical alarm goes off at night.

Leidos. All rights reserved.

[Figure: SOC organizational structure. SOC nucleus (must be on site): SOC manager; malware analysts; reverse engineers; reporting and business analyst; incident response managers; IDS and management systems analysts. External SOC support teams (can be remote): malware support team; intelligence analysts; incident response support teams; data and network management support teams.]

Maturing your organization in the use of alerts tuned to specific environments removes the need for technical staffing during an undesirable shift. Similarly, use of the Intelligence Driven Defense approach and Cyber Kill Chain solution can ensure the integrity of intellectual property without an around-the-clock presence.

THREAT ALERT MANAGEMENT

One of the more interesting aspects of recent cybersecurity history is the pendulum swing of threat and intelligence data. Within the last 10 to 15 years, security operations centers have gone from a culture of sharing very little intelligence with the information security world to experiencing information overload. In 2003, no one, from the federal government to the common company, shared information concerning system breaches, malware, or threat attribution. Today, the most common challenge is sifting through all the alarms, emails, reports, and files to determine authentic threat intelligence and act accordingly to stop cyber incidents.

Adopting the Cyber Kill Chain as a guiding framework for SOC operations will help prioritize alerts. An alert indicating potential reconnaissance activity by a broad-based threat can be dealt with in the morning, but confirmed command-and-control activity by a known APT cannot. We term SOCs that operate on this type of advanced level Security Intelligence Centers (SICs). SIC organizations attract, and retain, talent by keeping their analysts engaged with challenging work, rather than staffing off-hour shifts working off false-positive alerts from out-of-the-box detections.

At the epicenter of all the data noise is the prioritization of content. Data becomes noise when it cannot be used to reach a conclusion, learn about an attacker, or trigger an action. The numerous sources of intelligence are part of the problem. Government sources, third-party vendors, media, users, and even industry competitors are just a few of the various channels where intelligence is gathered. To better sift through the never-ending stream of data, it's important to follow these four guidelines:

1. Trust: Some sources are more trusted than others. Information from a trusted, collaborative partner has high value compared to something submitted via an unknown source. Therefore, prioritize your data based on where the information comes from and how the information was submitted.

2. Echo Effect: It's important to take into account that data and interpretation change with every new pair of eyes. Intelligence handled by multiple sources is, therefore, usually less clean than if it is received from a primary source.

3. Low-hanging Fruit: Address and prioritize information that has detailed context and is applicable to your environment. For example, it's faster to cross-reference a list of suspected IPs and domains than it is to call a source for further validation of possible intelligence.

4. Alert Overload: SOCs have teams of analysts that work a host of technology, from IDS, firewalls, and mail scanners to endpoint security tools. The issue is that vendors write the alerts and detections. This means that each tool and technology has different alerts and thresholds, few of which are tailored for your enterprise. A common example of this issue is receiving 47,000 alerts per day and only having a staff of five analysts. Reduce the noise by focusing on defense monitoring and response activities. Tailor your alerts specifically to your environment through an intelligence process. Pair this approach with vendor alerts to identify value that applies to your organization, and use custom detection to pair your alerts with other intelligence sources.

VENDOR DEPENDENCIES

When a system detects suspected malware, a good portion of SOCs usually contact their antivirus vendor. The vendor requests the quarantined file, analyzes it, and subsequently builds a signature update that detects the sample. The challenge is that, over time, SOCs become overly reliant on the vendor to protect them from threats they encounter.

More importantly, SOC managers don't often realize that the vendor had to take results from the submitted file, which may itself contain proprietary content, to fix the problem, and then applied the solution to all its other clients. This discloses a lot of information about the defenses that make up the SOC infrastructure that suffered the initial malware encounter.

To mitigate this issue, it is imperative to understand that this data loss is a cost of doing business with vendors. Take precautions to work closely with vendors to minimize the exposure and maximize the confidentiality of information provided to them.

Other hidden costs associated with vendor relationships in a SOC environment include consultation services. There is seldom a turnkey approach to cybersecurity, and purchasing technology is often the first of many costs your organization will incur. Reliance on vendor professional services can be a crutch for a SOC because skills such as malware analysis, extracting indicators of compromise, custom rule and signature design, and custom tool creation are never developed in-house. Combine the costs of training, ongoing consultation, future software versions, and accompanying training, and the result is a more accurate total cost that often exceeds the initial planned cost for vendor engagement.

Address this issue by investing in enough staff to become less vendor dependent. An advanced SOC certainly needs a development team, and many times there are free and open source alternatives to security products. What may appear to be cost savings from commercial off-the-shelf technology will many times come back to haunt a SOC through greater total cost of ownership and inferior or inadequate capability.
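The Kill Chain prioritization described under Threat Alert Management and the four guidelines above (trust, echo effect, context, alert overload) can be folded into a single triage score. What follows is an added example, not Leidos code or the logic of any product; the phase and source weights, the rule names, the indicators, and the "APT-Example" group are assumptions constructed for illustration:

```python
"""Alert triage combining Cyber Kill Chain ordering with the four intelligence
guidelines (trust, echo effect, context, alert overload).

Added example, not Leidos code. Feeds, rule names, indicators, the actor name
and the weights below are constructed assumptions, not findings."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Later phases mean the intrusion has progressed further: reconnaissance can
# wait for the day shift, confirmed command and control cannot.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
PHASE_WEIGHT = {phase: i + 1 for i, phase in enumerate(KILL_CHAIN)}  # 1..7

# Guideline 1 (trust): weight intelligence by where it came from (assumed values).
SOURCE_TRUST = {"internal": 1.0, "partner": 0.9, "government": 0.8,
                "vendor": 0.6, "media": 0.3, "unknown": 0.1}

@dataclass
class Indicator:
    value: str
    source: str                  # key into SOURCE_TRUST
    actor: Optional[str] = None  # attributed group, if the source named one
    hops: int = 0                # guideline 2: relays between primary source and us
    has_context: bool = True     # guideline 3: detailed and applicable to our environment

@dataclass
class Alert:
    rule: str                # detection that fired (vendor or custom)
    phase: str               # kill-chain phase the rule maps to
    indicator: str           # matched IP, domain, hash, ...
    confirmed: bool = False  # analyst-validated rather than merely matched

@dataclass
class TuningProfile:
    # Guideline 4: out-of-the-box rules already proven noisy in this environment.
    suppressed_rules: Set[str] = field(default_factory=set)
    page_threshold: float = 5.0  # score at which someone gets woken up

def intel_weight(ind: Indicator) -> float:
    """Confidence in an indicator: source trust, degraded 20% per re-telling,
    halved when it arrives without usable context."""
    trust = SOURCE_TRUST.get(ind.source, SOURCE_TRUST["unknown"])
    echo = 0.8 ** ind.hops
    context = 1.0 if ind.has_context else 0.5
    return trust * echo * context

def score(alert: Alert, intel: Dict[str, Indicator], profile: TuningProfile) -> float:
    if alert.rule in profile.suppressed_rules:
        return 0.0
    base = float(PHASE_WEIGHT.get(alert.phase, 0))
    ind = intel.get(alert.indicator)
    if ind is None:                      # matched nothing we track
        return base * SOURCE_TRUST["unknown"]
    s = base * intel_weight(ind)
    if ind.actor:                        # known APT, per the Kill Chain paragraph
        s *= 1.5
    if alert.confirmed:
        s *= 2.0
    return s

def triage(alerts: List[Alert], intel: Dict[str, Indicator],
           profile: TuningProfile) -> Dict[str, List[str]]:
    """Bucket alerts into page_now / day_shift / dropped, highest score first."""
    buckets: Dict[str, List[tuple]] = {"page_now": [], "day_shift": [], "dropped": []}
    for a in alerts:
        s = score(a, intel, profile)
        key = "dropped" if s == 0.0 else "page_now" if s >= profile.page_threshold else "day_shift"
        buckets[key].append((s, a.rule))
    return {k: [rule for _, rule in sorted(v, reverse=True)] for k, v in buckets.items()}

# Constructed sample data (RFC 5737 documentation addresses, fictitious rules and actor).
INTEL = {
    "203.0.113.7": Indicator("203.0.113.7", "partner", actor="APT-Example"),
    "198.51.100.9": Indicator("198.51.100.9", "media", hops=3, has_context=False),
}
ALERTS = [
    Alert("ids:c2-beacon", "command_and_control", "203.0.113.7", confirmed=True),
    Alert("ids:port-scan", "reconnaissance", "198.51.100.9"),
    Alert("proxy:newly-seen-domain", "delivery", "cdn-update.example"),
    Alert("av:generic-heuristic", "delivery", "203.0.113.7"),
]
PROFILE = TuningProfile(suppressed_rules={"av:generic-heuristic"})

if __name__ == "__main__":
    for bucket, rules in triage(ALERTS, INTEL, PROFILE).items():
        print(f"{bucket}: {rules}")
```

The weights are tuning knobs, not findings. The point is the shape of the result: a confirmed command-and-control hit tied to a named group in a partner feed pages someone regardless of the hour, while a reconnaissance alert built on a thrice-relayed media report waits for the day shift, and a generic heuristic the profile has already marked as noise never reaches an analyst at all.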


INTELLIGENCE STANDARDIZATION

Standardization within the cybersecurity domain is a challenge. The industry has reached a level where sharing information is a common practice. However, the struggle is now to determine and agree upon a set of standards for how we classify, validate, and communicate intelligence.

Building better indicator formats, improving campaigns to share intelligence such as domains and emails associated with APTs, and developing a robust database on past attacks are just a few of the key characteristics that help build a predictive SOC.

Common Naming Conventions and Common Indicator Formats: Few steps are more crucial to building a proactive and predictive SOC than the development of a core competency around data and knowledge management focused on naming conventions.

Something as simple as naming an advanced persistent threat (APT) and an indicator format can be challenging for any SOC. Naming is difficult due, in part, to the fact that many hacker groups don't have prominent branding campaigns associated with their attacks. Another reason is the cybersecurity community's unsynchronized approach to cataloging and naming identified APTs, malware, and viruses.

The result is a mix of different names and naming conventions for malware, APTs, and campaigns. For example, one security firm uses names like Magic Kitten, Numbered Panda, and Energetic Bear to describe some of the most dangerous hacker groups; other organizations may call the same groups something completely different. The most effective way to save time and become more efficient with naming conventions is to build a knowledge management repository that allows analysts to enter a name and compare that name to other names commonly used for the named APT.

This repository becomes particularly effective when paired with a robust communication platform that constantly improves the way your SOC communicates internally to mitigate attacks and externally to gather data. This focus on communication improvements equips the SOC to collaborate more effectively as it grows over time.

Database on Past Attacks and Focus on Sharing Data: Another component of an effective knowledge management repository is a database of past attacks and attackers. This is part of a greater strategic direction to drive a best-practices methodology within the SOC environment based on intelligence and focused more on the threat than the vulnerability. Understanding, archiving, and analyzing the behavior and characteristics of past attacks can help build an understanding of how the next attack will look and feel. It will also help to hone the level of skills and technology the SOC will need to better defend from future attacks.

For example, understanding the minutiae concerning APT behavior includes knowing whether they send emails with a zip file attached or always start emails with "Dear Sir or Madam." Such intelligence makes future threats more identifiable and quickly categorized.

This level of defense results in an operations center focused less on putting out fires and more on building an actionable and predictive defense.

THE MATURE SOC

There is a tipping point that clearly separates proactive and predictive operations centers from reactive organizations driven by the status quo. In proactive SOCs:

• A clearly built nucleus of people in key roles offers the flexibility for other specialists to work remotely.

• Noise and productivity waste are removed by replacing 24-hour staffing and out-of-the-box alerts with tailored alerts and threshold settings.

• Threats are prioritized using guidelines to be used when sifting through the data and pairing vendor alerts and trusted sources with custom detection.

• Vendor dependencies are reduced, and data and knowledge management support continuous learning from attacks and attackers.

• Communications are improved and coalitions developed with other trusted sources to speed the flow of actionable data and knowledge.

Ultimately, understanding the attributes of a proactive SOC can move an organization from a set-it-and-forget-it mode governed by reacting to threats to a predictive and agile infrastructure. This migration goes beyond blocking domains to using databases and intelligence gathered over years to understand patterns of behavior: how attackers grow and change over time, common tools they use, and the techniques they employ.

Only then can you set alerts based on past data, while also anticipating changes in an attacker's approach. And only then will you start to move an old-fashioned and outflanked SOC to a more advanced SIC able to combat, and even anticipate, the modern, advanced threats that target your organization.
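As an added example of both the alias repository described under Intelligence Standardization and the database of past attacks above, the following code is not Leidos code or any product's logic. The group names, the vendor reports, the past-attack traits, and the sample email are constructed for illustration and describe no real threat group:

```python
"""Knowledge-management repository for a SIC: merges the names different
vendors use for one group into a single cluster, then checks a new phishing
lure against behavioural fingerprints recorded from past attacks.

Added example, not Leidos code. Group names, aliases, past-attack records and
the sample email are constructed, not real attribution data."""
from __future__ import annotations
import os
import re
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

def _norm(name: str) -> str:
    """'Energetic Bear', 'ENERGETIC-BEAR' and 'energeticbear' share one key."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

class AliasRepository:
    """Union-find over group names. Each vendor report asserts that a set of
    names means one group; reports that share a name merge their clusters."""

    def __init__(self) -> None:
        self._parent: Dict[str, str] = {}
        self._display: Dict[str, str] = {}   # normalised key -> name as first seen

    def _find(self, key: str) -> str:
        while self._parent[key] != key:
            self._parent[key] = self._parent[self._parent[key]]  # path halving
            key = self._parent[key]
        return key

    def add_aliases(self, *names: str) -> None:
        keys = [_norm(n) for n in names]
        for key, name in zip(keys, names):
            self._parent.setdefault(key, key)
            self._display.setdefault(key, name)
        root = self._find(keys[0])
        for key in keys[1:]:
            other = self._find(key)
            if other != root:
                self._parent[other] = root

    def aliases_of(self, name: str) -> Set[str]:
        key = _norm(name)
        if key not in self._parent:
            return set()
        root = self._find(key)
        return {self._display[k] for k in list(self._parent) if self._find(k) == root}

    def canonical(self, name: str) -> Optional[str]:
        """Deterministic cluster label: the alphabetically first known alias."""
        aliases = self.aliases_of(name)
        return min(aliases) if aliases else None

LURE_TOPICS = ("invoice", "shipping", "resume", "password")

def extract_traits(raw_email: str) -> Dict[str, str]:
    """Pull the minutiae the paper mentions out of a raw message: attachment
    type, opening greeting, and the lure topic taken from the subject."""
    head, _, body = raw_email.partition("\n\n")
    headers: Dict[str, str] = {}
    for line in head.splitlines():
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    subject = headers.get("subject", "").lower()
    greeting = next((l for l in body.splitlines() if l.strip()), "")
    return {
        "attachment_ext": os.path.splitext(headers.get("attachment", ""))[1].lower(),
        "greeting": greeting.strip().rstrip(",:").lower(),
        "lure_topic": next((t for t in LURE_TOPICS if t in subject), "other"),
    }

# Constructed past-attack records: (name as the analyst filed it, observed traits).
PAST_ATTACKS = [
    ("Crimson Heron", {"attachment_ext": ".zip", "greeting": "dear sir or madam", "lure_topic": "invoice"}),
    ("TG-1001",       {"attachment_ext": ".zip", "greeting": "dear sir or madam", "lure_topic": "shipping"}),
    ("Azure Lynx",    {"attachment_ext": ".docm", "greeting": "hi", "lure_topic": "resume"}),
]

def build_profiles(repo: AliasRepository, records):
    """canonical group -> trait -> observed value -> count. Records filed under
    different aliases of one group accumulate into one profile."""
    profiles = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for name, traits in records:
        group = repo.canonical(name) or name
        for trait, value in traits.items():
            profiles[group][trait][value] += 1
    return profiles

def attribute(raw_email: str, profiles) -> Tuple[Optional[str], float]:
    """Score each group by how often its past attacks showed this lure's traits.
    Returns (best group, score in [0, 1]) or (None, 0.0) when nothing matches."""
    traits = extract_traits(raw_email)
    best, best_score = None, 0.0
    for group, profile in profiles.items():
        total = sum(counts.get(traits.get(trait, ""), 0) / sum(counts.values())
                    for trait, counts in profile.items())
        s = total / len(profile)
        if s > best_score:
            best, best_score = group, s
    return best, best_score

# Constructed vendor reports: vendor A and vendor B each name the group; B's report links to A's.
REPO = AliasRepository()
REPO.add_aliases("Crimson Heron", "Heron Group")
REPO.add_aliases("TG-1001", "Heron Group")
REPO.add_aliases("Azure Lynx")
PROFILES = build_profiles(REPO, PAST_ATTACKS)

SAMPLE_EMAIL = """Subject: Outstanding invoice 4471
Attachment: statement.zip

Dear Sir or Madam,
Please review the attached statement and remit payment."""

if __name__ == "__main__":
    print(sorted(REPO.aliases_of("tg-1001")))
    print(attribute(SAMPLE_EMAIL, PROFILES))
```

Two details carry the paper's point. Because "TG-1001" and "Crimson Heron" resolve to the same cluster, the two past attacks filed under different vendor names build one profile rather than two half-profiles, which is exactly what a shared naming repository buys an analyst. And the attribution score is a fraction, not a verdict: a lure that matches the zip attachment and the greeting but a new subject line still scores high enough to route to the analysts who know that group, while a message sharing none of the recorded traits returns no match instead of a forced guess.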

FOR MORE INFORMATION

855-56-CYBER / cyber.security@leidos.com
cyber.leidos.com

Leidos. All Rights Reserved. / 2016.07.0021.05 / PIRA# CMK201503004
