
Security Operations Center: Not just for huge enterprises

Patrick Lambert describes the role of the Security Operations Center (SOC) in an organization, and why its implementation is now in reach of smaller companies.

"Hacking" started out as something we heard about in geek circles, and it didn't affect our daily lives much. Then it became a staple of Hollywood plots, and today it's a word everyone is familiar with, especially those who work in IT. While many would like "white hat" hacking to be the default kind, the reality is a constant battle between the good guys and the bad guys: the security researchers trying to keep malware off systems across the web, and the criminal organizations trying to make money from the resulting chaos.

With the increase in profit has come an increase in sophistication. We're no longer talking mainly about kids scripting from their basements, although that certainly still happens, but about large, often foreign, crime syndicates using complex techniques to break into systems and steal sensitive data. In short, the good guys aren't always on the winning side, and the battleground includes ordinary businesses and homes. So if you run a business, or are responsible for the security of a corporate network, should you think about moving your ad hoc security measures into a full-fledged Security Operations Center (SOC)? We'll look at what this means, when you should consider making the switch, and how to do it.

What is a Security Operations Center?

The concept of a SOC is not new, but it used to be implemented only in large, sensitive organizations such as government agencies, financial institutions, or large backbone providers. Two things have changed that in recent years. First, it has become far more affordable to set up a SOC in your own organization: what used to cost millions of dollars can now be done for a few thousand. Second, the technical and space requirements are lower than before. Simply put, a Security Operations Center is a centralized facility responsible for every aspect of security in an organization. Think of what a typical business has to deal with. First, there is the physical security layer: cameras monitoring the working areas, door locks, alarms, and so on. Then there is the security of the infrastructure itself: physical servers, network cables that could be tapped, and network jacks that let anyone plug in a device. There are many ways your sensitive data can be reached, and so there are many aspects of security you need to keep an eye on. Finally, there is network and host security, such as firewalls and intrusion prevention systems, the controls that stop people on the Internet from breaching your perimeter and getting into your network.

As a typical corporation grows, these security measures are usually implemented one at a time, in a fairly ad hoc way. There is no real centralization, and often a couple of savvy IT people end up responsible for one or more security procedures. Cameras may be recording in a basement room, but you may not be paying anyone to actively watch them. Your IDS, or intrusion detection system, may be running and flagging some attacks, but you probably don't have anyone spending their time reviewing its logs for anomalies, or for malware that made it through. Your switch ports may be configured to reject unauthorized devices, but you may have nobody who periodically checks the routers and switches to make sure that configuration is still in place and working. All of these tasks fall within the domain of a SOC. If this describes your current situation, with all sorts of security measures implemented but in a very decentralized way, then now may be the time to consider implementing one.

Implementing a SOC

It used to be that implementing a SOC required some serious equipment. To provide a central location that keeps an eye on security for the whole organization, you need all the relevant data fed into a single room. Thankfully, modern devices and software support this. Windows Server can forward its event logs to a central collector using Windows Event Forwarding (note that Performance Monitor tracks performance counters, not security events); routers, switches and firewalls can send syslog messages and SNMP traps to a central server; and using IP cameras instead of analog ones means you can connect to them and view their feeds remotely. All of this fulfils the first of a SOC's two main roles: technical monitoring and vulnerability assessment.

The staff working in a SOC, usually one or more people working full time, use all of that data to keep the organization safe from intrusion. In a well designed SOC, several systems gather and process logs so that it is as easy as possible for the IT staff to monitor everything. That starts with good tools. One of the most useful for a SOC is Cacti, an open source network-graphing solution. Another popular tool is Nagios, also open source, which monitors an entire infrastructure. Finally, Zabbix is a great tool for monitoring remote servers. Bear in mind that these three are primarily availability and performance monitors: for the security view, they need to be complemented by centralized log collection (syslog and Windows Event Forwarding) and by the alerts from your IDS, so that a failed-login storm or a firewall sweep shows up in the same place as a disk filling up.

While the technical side of a SOC is fairly straightforward to understand, the facility should play an organizational role as well. As security becomes a bigger and bigger concern, good policies are a very important part of any security program. If your organization has several hundred employees, it's not realistic to expect all of them to practice good security on their own; an uninformed employee can compromise your security without realizing it. And as you add policies, they quickly become complex and hard to maintain if individual managers write them in isolation, with no central owner. This is why a SOC should work with every other department to ensure policies are well made and consistent. That covers everything from the kind of passwords people should use, to which devices they may bring to work, which documents or servers are sensitive, and what happens when there are visitors in the office.

By working with management teams, HR, and possibly even unions, you can make sure your SOC produces effective policies that everyone understands and can agree with. Remember that a security policy that is too harsh will simply be ignored. This is why a centralized function that keeps in touch with every facet of the organization is so crucial.

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

6 comments
AlarmsystemsHouston

Nice article, I love to read these types of articles. Every security operations center needs advanced technology. Thanks for sharing your views.

robo_dev

Just as we question why Harry Potter needed an actual library with paper books vs. some sort of computer/tablet device, in 2013 the concept that staffers are sitting at a desk watching a console is a somewhat antiquated concept. First of all, this is VERY costly, and 99.99999% of the time they have nothing to do. It's more common to assign some of these duties to a NOC, if there is one, but more commonly the regular IT security team is simply on-call, and set up to receive things like IDS alerts, SNMP alerts, or email events from devices they are responsible for. The incident response plan is there, and if a real incident happened, they need to be there, of course. With two clicks of a smartphone, a security analyst can connect to the network, view logs or alerts, and even start other processes, such as firing up a sniffer. There is no need to be there in person....

JCitizen

And I'm surprised such good open source resources exist for this subject matter. That Spiceworks site page is interesting as well. Thanks Patrick and Michel! I can't help noticing that the Nagios site mentions security monitoring right on the front page - I'm impressed with that!

michel

I am not in any way affiliated, but Spiceworks has done a great job for me in the last few years.

Dittyman8

Patrick, about ten years ago, I wrote a feasibility report on building a SOC for my employers back then. One thing to note is that if you're going to staff one for 24/7 operations, be prepared to hire five analysts, watchstanders, etc. for every seat in the SOC. This will cover three shifts for weekdays, plus weekends and holidays. CERT.org has a lot of good documents which provide guidance on standing up a SOC.

JCitizen

Only a very large corporation headquarters would have the resources to man such a thing. I would still like to have it to monitor when I have spare time. This could be a time filler for techs when they are in between jobs. Of course that reduces the effectiveness of such an implementation, but I figure it is better than nothing. I know I like to check my Kiwi console when I get the time, to see who has been attacking the perimeter gateway.