Intelligent CIO Middle East Issue 80 | Page 42

FEATURE: SECURITY OPERATIONS CENTRE
Mark Orlando, Associate Instructor, SANS Institute, said the Middle East
“Here is the real test; ask yourself and the other C-level executives, can the business survive financially and reputationally, losing all data, a work stoppage of all information systems for days to weeks, the theft and leaking of all client information? You might not need a SOC if you answered yes to all these. But if you answered anything else, then the answer is your business is ideally suited to use services provided by a SOC,” he advised.
With CIOs and CISOs facing so many challenges when implementing SOCs within their organisations, pundits warn that they should avoid certain pitfalls when developing their own SOC or when outsourcing services from a SOC.
Brown said the first pitfall is prevalent; outsourcing the SOC also means outsourcing the responsibility. “Too often, C-level executives think that once a SOC is running or a service provider is providing SOC, their responsibility now lives with the SOC or the service provider, which is incorrect. Another common pitfall is that your security operations centre’s ‘technology alone provides security.’ The truth is that the SOC core is based on risk assessment and security policies that align with the right people following proven processes. The technology plays into this by enhancing and providing speed and agility to the security analyst. The third pitfall seen often is going cheap. Cybersecurity is a growing investment in your organisation’s future and has been treated that way,” he said. “It is not uncommon to see initial SOC implementations run over US$1 million in tooling and integration; outsourcing can be an effective cost saving. Remember the idiom, ‘you get what you pay for’.
“Some of the first policies that need consideration are the ones that have the notion of ‘protecting everything equally’. This translates into protecting everything poorly,” he remarked. Some of the first security policies to roll out are data and asset classification policies. Data classification has two primary purposes: first, it allows defenders to understand the importance of data and second, it provides defenders with instant prioritisation. Asset classification also has two primary goals: firstly, it gives defenders instant prioritisation, and secondly, it allows defenders to understand attack paths. These policies are independent of a SOC but provide vital information to all security operations and tooling. The notion here is to provide a higher and more focused level of protection for critical data and assets while delivering standard protections for everything else.
At SANS Institute, Orlando said CIOs and CISOs must have well-defined goals for their SOC and provide the necessary resources, visibility, and authority to achieve those goals. “Is the goal of the SOC to ensure regulatory compliance, identify and respond to threats, minimise disruption due to attacks, or all of the above? Success is impossible without first defining these requirements and developing key performance indicators showing that the SOC is achieving its goals.
“CIOs and CISOs must also be ready to respond to the insights the SOC provides. If the organisation is unwilling to transform IT infrastructure or alter strategy based on evolving threats and attack trends, then it is less likely the SOC will be able to provide real value. This lack of responsiveness also makes it difficult to hire and retain skilled staff who want to feel like they are doing meaningful work.”
He said before the security operations team can make decisions about what constitutes unusual or malicious activity, executives must set requirements for how enterprise IT is to be built and used. “Organisational security policies should outline standard configurations, hardening guidelines, minimum security controls, regulatory and safety considerations, and activities that constitute abuse or misuse of corporate resources. The answers to these questions drive key SOC functions like data collection, alert triage, and incident response,” he said.
In addition, Orlando added that security and incident response policies should also clearly define lines of authority for how incidents can be contained and remediated. “Without this authority, the security team will be ineffectual regardless of its size and capabilities,” he said.
Given the dire need for security skills in the IT industry in general and the cybersecurity space in particular, CIOs and CISOs in the Middle East need to pay extra attention to their organisation’s recruitment and skills development initiatives.
Orlando believes that candidates who have critical thinking, a learning mindset, and strong
42 INTELLIGENTCIO MIDDLE EAST www.intelligentcio.com