This document gives an overview of security operations and the security operations center (SOC) for companies of all sizes. It covers the basic questions a company should ask about its security needs, how to approach monitoring of both business and system metrics, and an in-depth look at monitoring and building an internal SOC. It then compares solutions for security operations, both free and enterprise options, and what to consider when a solution does not work as expected or fails. The document concludes with embedding security into IT operations: overlapping processes, compliance standards, typical incident response plans, and automating security processes. It also covers different approaches to security testing programs.
Security Ops for large and small companies
1. Security OPS
for large and small
companies
#PAYMENTSECURITY, Saint-Petersburg, Russia, 2017
2. #whoami
Mona Arkhipova
◎ Unit Manager, information security architecture and monitoring, at a software vendor and cloud services provider
◎ Co-owner of a company doing custom development of internet acquiring (online card payment) software
◎ Independent security consultant
Past
• Head of SOC and OPS monitoring, Lead information security expert at QIWI group;
• Security analyst at General Electric (GE Capital);
• Independent security consultant at fintech start-ups;
• *nix systems and network administrator
8. "Working not as expected"
◎Gather references, mostly from hands-on specialists who actually operate the product
◎Pilot on a large volume of varied data, not on a small clean sample
◎Performance-test under overload: peak load is when the solution has to work
◎There's no silver bullet
9. What about free solutions?
Small/Mid
◎A good point to start
◎…if your production stays the same size
◎May be supported by IT
◎(Most) processes can be changed easily
Mid/Large
◎Also a good point to start
◎…if you don't have compliance requirements on log retention
◎…and if you have enough resources for in-house development
◎Calculate the solution cost at each lifecycle stage (pilot, scaling, operation, replacement)
10. Enterprise solutions
◎Support response speed
◎Patching speed
◎Number of experts available for the solution (in-house and on the market)
◎Professional services costs
Is the solution needed for security only, or can it also serve other teams (e.g. IT monitoring)?
11. If the solution fails
◎Look for enhancements
◎Recheck the covered scopes
◎Assess the solution's criticality
◎Calculate TCO
◎Plan changes
15. Typical incidents
◎Prepare detailed response plans
◎Create a knowledge base of known issues
◎Alerts may be pushed outside the security team
◎May be partially handled by the duty/IT monitoring team
◎Keep it simple
16. Automate all the things
◎Access workflows
◎CMDB/simple inventory
◎Hardening controls/self-healing
◎Patch management
◎Agent review (are agents present, reporting and current on every host?)
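The automation slide above (inventory, hardening controls with self-healing, agent review) and the incident slide before it (route what you can to the duty/IT team, keep it simple) can be tied together in one small audit job. The script below is an added example, not code from the talk: it takes a CMDB export, an agent heartbeat list and observed hardening facts, all constructed inline here with hypothetical hostnames, owners and control names, and produces findings split into what may be re-applied automatically and what must go to a named owner as a ticket. The baseline marks which controls are safe to self-heal; re-enabling auditd is harmless, while flipping SSH root login on a bastion may break someone's workflow, so that one is ticketed instead.

```python
"""Inventory-driven agent and hardening audit with a self-healing split.

Added example, not from the slides. Real inputs would come from your CMDB
API, your EDR/monitoring console and your config-management facts; the
dicts below are constructed sample data with hypothetical names.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible.
NOW = datetime(2017, 10, 1, 12, 0, tzinfo=timezone.utc)

# Constructed CMDB export: one record per managed host.
CMDB = [
    {"host": "web-01", "role": "web", "owner": "it-ops", "critical": True},
    {"host": "web-02", "role": "web", "owner": "it-ops", "critical": True},
    {"host": "db-01", "role": "db", "owner": "dba", "critical": True},
    {"host": "jump-01", "role": "bastion", "owner": "secops", "critical": True},
    {"host": "lab-07", "role": "lab", "owner": "dev", "critical": False},
]

# Constructed agent console output: last heartbeat per host.
AGENT_HEARTBEATS = {
    "web-01": NOW - timedelta(minutes=5),
    "web-02": NOW - timedelta(hours=30),        # stale: agent stopped reporting
    "db-01": NOW - timedelta(minutes=2),
    "jump-01": NOW - timedelta(minutes=1),
    "unknown-03": NOW - timedelta(minutes=3),   # agent present, host not in CMDB
}

# Constructed hardening facts per host (e.g. from config management).
OBSERVED = {
    "web-01": {"ssh_password_auth": "no", "ssh_root_login": "no", "auditd": "running"},
    "web-02": {"ssh_password_auth": "no", "ssh_root_login": "no", "auditd": "stopped"},
    "db-01": {"ssh_password_auth": "yes", "ssh_root_login": "no", "auditd": "running"},
    "jump-01": {"ssh_password_auth": "no", "ssh_root_login": "yes", "auditd": "running"},
}

# Baseline: control -> (expected value, safe_to_self_heal). Controls that can
# lock people out or break a service are deliberately not self-healed.
BASELINE = {
    "ssh_password_auth": ("no", True),
    "ssh_root_login": ("no", False),
    "auditd": ("running", True),
}


@dataclass
class Finding:
    host: str
    kind: str      # no_agent | stale_agent | unmanaged_host | drift
    detail: str
    action: str    # "self_heal" or "ticket:<owner>"


def audit(cmdb, heartbeats, observed, baseline, now, max_age=timedelta(hours=24)):
    """Return findings for missing/stale agents, unmanaged hosts and hardening drift."""
    findings = []
    known = {rec["host"]: rec for rec in cmdb}

    # 1. Agent review: every CMDB host must have a recent heartbeat.
    for host, rec in known.items():
        seen = heartbeats.get(host)
        if seen is None:
            findings.append(Finding(host, "no_agent", "never reported", f"ticket:{rec['owner']}"))
        elif now - seen > max_age:
            findings.append(Finding(host, "stale_agent",
                                    f"last seen {seen:%Y-%m-%dT%H:%M}Z", f"ticket:{rec['owner']}"))

    # 2. Inventory gap: an agent reports from a host the CMDB does not know.
    for host in heartbeats:
        if host not in known:
            findings.append(Finding(host, "unmanaged_host",
                                    "agent reporting but host missing from CMDB", "ticket:secops"))

    # 3. Hardening drift: self-heal only where the baseline says it is safe.
    for host, state in observed.items():
        owner = known.get(host, {}).get("owner", "secops")
        for control, (expected, self_heal) in baseline.items():
            actual = state.get(control)
            if actual != expected:
                action = "self_heal" if self_heal else f"ticket:{owner}"
                findings.append(Finding(host, "drift",
                                        f"{control}={actual}, expected {expected}", action))
    return findings


def remediation_plan(findings):
    """Split findings into automatic re-application and per-owner tickets."""
    plan = {"self_heal": [], "tickets": {}}
    for f in findings:
        if f.action == "self_heal":
            plan["self_heal"].append((f.host, f.detail))
        else:
            owner = f.action.split(":", 1)[1]
            plan["tickets"].setdefault(owner, []).append(f)
    return plan


if __name__ == "__main__":
    plan = remediation_plan(audit(CMDB, AGENT_HEARTBEATS, OBSERVED, BASELINE, NOW))
    for host, detail in plan["self_heal"]:
        print(f"SELF-HEAL {host}: {detail}")
    for owner, items in plan["tickets"].items():
        for f in items:
            print(f"TICKET -> {owner}: {f.host} {f.kind} ({f.detail})")
```

Run as-is it reports two self-heal actions (auditd on web-02, password auth on db-01) and four tickets: the stale agent goes to it-ops, the lab box with no agent to dev, and both the unknown host and the bastion's root-login drift to secops. In a real deployment the "self_heal" list is what a config-management run re-applies and the ticket map is what lands with the duty/IT monitoring team, which is exactly the split slide 15 recommends.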
19. Common way
◎Limited scope and attack vectors
◎Single team/vendor
◎Well-known scenarios
◎Approved testing windows
◎Whitelisting of the testers' sources as a requirement
20. Common way: cons
◎Lack of coverage
◎Limited toolbox
◎Too many approvals
◎"This is for compliance only"
21. Red team vs Blue team
◎Good for large systems
◎Full coverage of internals
◎Scope covers all security and awareness processes (not only IT systems)
◎Best way to test your team and tools
◎Safe way to get a 'real' incident and apply appropriate mitigations
22. Red team: cons
◎Price
◎DoS and urgent changes
◎Urgent reinstalls
◎All employees are targets too
◎IT security team overload
◎24x7 attacks