Manoj purandare Stratergy towards an effective soc

A Strategy towards an Effective SOC - Manoj Purandare
Effective Security Operations Centre SOC building - by Manoj Purandare
This article tries to give a strategy towards building am
effective SOC using its 4 major points steps and 11 effective
steps recipe - for Organisation's / Govt's safety and security.

I - Background - Information Technology continues to evolve at a rapid pace. This article
describes a structured approach toward the formation of a government SOC that enables
organizations to integrate this capability into their overall Information Security Management
System (ISMS) and align with many of the requirements introduced by ISO/IEC 27001:2013.
So, why do we need a SOC ?

II- Creating the Roadmap – Since you can’t build a world-class SOC overnight, creating a
plan for incremental phases of implementation is critical to success.
• Budget
• Timelines
• What goes into such a roadmap?
• What comes first and what next?
• The goal can be execute regular incremental improvements based on your completed
gap analysis and to establish a series of prioritized milestones that lead the
organization towards optimized security and improved incident detection and
response.
• You need
• The Right People
• The Required Process
• The ever updating and precise Technology
• The Platform
• The Proactive and Real Time – Threat Intelligence

Let us see a basic design flow of the SOC requirements as below :

The gaps you uncover in that analysis can be translated into goals. Budget, personnel and
cultural constraints require that new processes and technologies be implemented in stages.

The Required SOC team members & their roles and responsibilities
1.The Right People

In addition to SOC analysts, a security operations center requires a ringmaster for its
many moving parts. The SOC manager often fights fires, within and outside of the SOC.
The SOC manager is responsible for prioritizing work and organizing resources with the
ultimate goal of detecting, investigating and mitigating incidents that could impact the
business. A typical SOC organization is illustrated in Figure 2.

The SOC Org Chart : The SOC manager should develop a workflow model and implement
standardized operating procedures (SOPs) for the incident-handling process that guides
analysts through triage and response procedures.

2. The required Processes

The Collective SOC Team.
Since not all skills and attributes will likely be found within each individual, capabilities
should be balanced across the SOC. Each shift should have a blend of skills and
temperaments, including “people” people; analysts that can communicate effectively with
the IT service provider or the organizational workforce.
Escalation and Complexity.
Every service will require graduated skill levels, and some services require a more
experienced “junior” level analyst than others. Staff shifts with a mix of experience levels
and seniority.
Advancement and Rotation.
• Establish growth paths for every position with the SOC.
• You will also need to plan for training and professional development
• Growth and training opportunities will help retain a professional workforce.
Trust Level.
• SOC analysts will have regular access to highly sensitive organizational information.
Implement a thorough regulations that require special background checks for people
with elevated access to IT systems.

3. The ever updating and precise Technology

4. The platform :
With known and unknown, advanced threat detection and prevention, URL filtering,
and mobile security—correlate all of these security functions and protect the
datacenter and the network perimeter.
The platform enables the government agency to take a whitelisting approach to their
applications, with the ability to segment government agencies
Alerts are drastically reduced significantly reducing the workload for the SOC analyst.

You may also need to considers the other controls as SOC Layered Security Controls and
the Physical Security Controls :

Beyond this, We need to be prepared with our SOC Service Service Catalogue that may
give a clear picture on SOC business operation and facilities available for a customer :

Initially, we have to define on various SOC Key tools, their integration, and their working

5.. The Proactive and Real time - Threat Intelligence
Mature SOCs continually develop the capability to consume and leverage threat
intelligence from their past incidents and from information-sharing sources
According to the 2015 SANS Cyberthreat Intelligence (CTI) Survey, 69% of respondents
reported that their organization implemented some cyberthreat intelligence capability,
with 27% indicating that their teams fully embrace the concept of CTI and integrated
response procedures across systems and staff.
Obstacles to Efficient SOC Incident Handling To achieve efficient incident handling, the
SOC must avoid bottlenecks in the IR process that moves incidents through Tier 1, into
Tier 2, and finally through Tier 3.
Bottlenecks can occur due to too much “white noise,” alerts of little consequence or
false-positives that lead to analyst “alert fatigue.”
Understanding of the government’s enterprise network topology, including all
connections (Internet, mission partners, cloud providers, vendor specific, etc.) is
needed for an understanding of attack vectors.
No intelligence exists without visibility—visibility across the whole network, including
endpoints, for all applications, all content, and all users.

Employing a platform like similar to that of Palo Alto Networks platform including
network and endpoint visibility and threat prevention can significantly increase that
visibility and subsequently accelerate the SOC’s intelligence capability.
The Palo Alto Networks platform detects ever changing threats, but more importantly
provides the ability to prevent them as soon as possible, ideally before they have
detonated on the network.
All insights feed onboard signature creation to detect and prevent future attacks. We
can accomplish this in a flexible and extensible platform that enables uniform
protection across traditional infrastructure at the network edge, the cloud and mobile
devices.
So define your road map clearly.

III. The SOC Governance, GRC and Process Framework
The framework for the Security Operations Center (SOC), like most organizational
capabilities, can be described in terms of its People, Processes, and Technology.
The people needed to staff the SOC are defined by an organizational structure, manning
levels, skill sets, and a professional development path to ensure the people grow as the
organization grows.
Clearly defined processes needed to sustain the organization and provide the services it
offers are essential to the successful accomplishment of the mission.
Technology is a critical enabler to the SOC mission; automated tools can be used to
correlate, reduce, and analyze the volume of data entering the SOC.
We will explain all four components in more detail, but we begin by presenting a high
level recipe for success.
Check for the 11-Steps Recipe for SOC Success here ahead

Below diagrams represent the SOC Governance model, GRC, Process Framework, etc.

The SOC GRC :

The SOC Process Framework :

IV. And finally, The 11-Steps Recipe for SOC Success
There are 11 recommended steps that form the foundation of a new or revitalized SOC.
This article assumes the government organization or a Private Organization, has already
decided to create an in-sourced SOC capability rather than seek it as a service from an
out-sourced provider or agency within the given government—a decision that involves
factors beyond the scope of this paper.
The first step is to identify an executable mission including whom the SOC will serve, and
where it will be located organizationally. Next the SOC should identify the services
offered. The service architecture should be evolutionary; fewer services delivered well at
the onset is better than many services offered poorly.
As the SOC and the supported organization mature, so can the services offered. Once
these foundational steps are completed, the organization can acquire and develop the
appropriate people, process, technology, and intelligence to align with the mission and
the services.
Concurrently, the SOC must establish and execute an effective communication strategy
to get buy-in at all levels within the organization.

The 11-Steps Recipe for SOC Success here ahead
A. Identify an Executable Mission
B. Identify the Services Offered
C. Basic Core SOC services:
D. Intermediate Core SOC services:
E. Advanced SOC services:
F. Supporting SOC services:
G. Document the Mission and Services
H. Adding Context to Security Incidents
I. Defining Normal Through Baselining
J. Acquire the necessary People, Processes, Technologies and Intelligence
K. Execute an Effective Communications Strategy

The SOC must establish itself as a mission enabler rather than an encumbrance.
Ultimately this distinction will be determined by action; initially it will be determined by
message.
Finally, the SOC may be required to establish relationships with partner organizations
within government domestic and international security frameworks, but even if not
mandated, should establish relationships with peer organizations. Reach out to similar
organizations and understand their approach to cybersecurity. If knowledge is power,
these peer relationships will increase both exponentially.
Summary :
Whether you have decided to create a SOC as part of the government organization’s
Information Security Management System (ISMS) for ISO/IEC 27001 certification, or just
recognizing a need to centralize IT security efforts, this whitepaper will provide a useful
map of your path to success. Understand the organization’s objective. Select the people,
process, and technology that fit the organization. Focus on Intelligence. Communicate
and Execute. Building a SOC may seem onerous, but the payoff—with improved visibility,
intelligence and protection for the government in these challenging times—will be well
worth it.

Some useful links :
https://blog.komand.com/how-to-structure-a-security-operations-center
https://www.mcafee.com/in/resources/white-papers/foundstone/wp-creating-maintaining-soc.pdf
Reference and Acknowledgements :
https://www.sans.org/reading-room/whitepapers/analyst/building-world-class-security-operations-
center-roadmap-35907
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
https://www.sans.org/reading-room/whitepapers/analyst/benchmarking-security-information-event-
management-siem-34755
http://www.sans.org/reading-room/whitepapers/analyst/ninth-log-management-survey-report-
35497
https://www.sans.org/reading-room/whitepapers/incident/incident-response-fight-35342
https://www.sans.org/webcasts/cyberthreat-intelligence-how-1-definitions-tools-standards-99052
https://www.sans.org/reading-room/whitepapers/incident/incident-response-fight-35342
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/white-papers/security-
operations-centers.pdf

An article on - Strategy for building an effective Security Operations Center [SOC]
Sincere Thanks .!!!
for all the experts in the Government, IT, Infosec & Cyber Security Industry
This article is a basic guideline towards –
Strategy for building an effective Security Operations Center [SOC]. I whole
heartedly and sincerely thank you one and all who provided me valuable
inputs, references and information to complete it for the benefit of
Government and Corporate Infosec and Cyber Security World
Treat this Slide dedicated and acknowledgement to one and all who I forgot
to mention, missed out their names, companies, website and other info here
in this presentation. I thank you and apologize if I had forgot to mention you
here.

Manoj Purandare
DCM, MCS, CISSP, PMP, PgMP, ITIL,
Cyber Crime Analyst, PCI DSS Security
Implementer, with more than 2 decades of IT and
Infosec experience and specialization
mail: technicalmanoj@gmail.com
Linkedin :
https://www.linkedin.com/in/manojypurandare
about –
Author & Presenter
Thank you

Manoj purandare Stratergy towards an effective soc

Recommended

Recommended

More Related Content

Similar to Manoj purandare Stratergy towards an effective soc

Similar to Manoj purandare Stratergy towards an effective soc (20)

More from Manoj Purandare ☁

More from Manoj Purandare ☁ (10)

Recently uploaded

Recently uploaded (20)

Manoj purandare Stratergy towards an effective soc