A Security Operations Center (SOC) unifies the functions of security operations so that complex cyber incidents can be monitored, detected, and responded to continuously. To be truly effective, a SOC must be mature; however, most SOCs operate below optimal maturity levels and cannot detect advanced attacks.
This lack of maturity leaves an organization vulnerable and places its most sensitive and valuable assets at risk. Growing regulatory and compliance requirements also demand continual improvement of SOC capabilities.
In this DIY guide, you will learn how to assess the current maturity level of your SOC, establish the desired target state, and chart the development roadmap. The guide focuses on the Security Information and Event Management (SIEM) solution as the basis for maturity modeling.
9 reasons to implement SIEM
- Ensure continuous 24x7 security operations.
- Collect, correlate, and monitor logs to meet compliance requirements.
- Alert on incidents and act as an early-warning indicator: monitor for threats, detect them, and enable real-time incident response.
- Strengthen the ability to respond to and recover from an attack with minimal impact on the business.
- Trace an attack back to the exploited vulnerability after it occurs and build the process for handling similar incidents, minimizing the Recovery Time Objective (RTO) and defining the Recovery Point Objective (RPO).
- Incorporate cybersecurity governance best practices.
- Provide meaningful metrics, reports, and dashboards that reflect SOC performance, operational efficiency, and incident response and management.
- Drive end-to-end security policy management.
- Continuously review the many devices in use.
SIEM objectives can be achieved only if the SOC components (Governance, Services, People, Process, and Technology) are defined and aligned with risk, maturity, and business needs. SOCs around the world are adopting innovations such as automation, security analytics, machine learning, and other applications of cognitive computing.
How should you adopt these technologies, and to what extent should you use them? These are the critical questions to ask when improving SOC effectiveness.
It is best to take a balanced approach that augments your people, processes, and technologies through the right mix of automation, analytics, real-time monitoring, and hybrid staffing models.
Aujas SOC maturity model
Aujas security experts recommend the following balanced SOC maturity model. The model is based on real-world data and on experience helping various security teams measure the capability and maturity of their SOC.
- Establish SOC objectives that identify immediate and future needs.
- Secure strong executive involvement from decision makers and stakeholders.
- Design the plan, devise a budget, and outline the resources, platform, processes, SOC framework, and the roadmap for executing the framework.
- Identify target customers (internal and external) and create a service catalog.
- Design a strategy and develop a vision for a secure environment that enables the business to deliver.
- Drive collaborative breach detection and coordinated response.
- Incident management, comprising processes for monitoring and notification, triage and escalation, incident response and recommendations, knowledge management, shift handover, and roster management.
- Log management processes that retain system logs in line with company policy and regulatory and legal mandates.
- Problem management, plus a threat intelligence and hunting process to track emerging Indicators of Compromise (IoCs).
- SIEM administration process: High Availability (HA), user creation, device onboarding, and role-based reporting (e.g., executive reports/dashboards, analyst dashboards, compliance dashboards, reporting, use case management).
- Change management plans and processes that sustain business operations through unexpected incidents and outages.
- Patch management processes that keep patches up to date.
- Risk management capabilities that ensure proper configuration of systems (SIEM and SOC components) to mitigate risk.
- Log management, alert management, case management, escalation, and reporting.
- Incident management, security vulnerability management, and malware management.
- Compliance management for security monitoring, including reporting and a "State of Security" definition.
SOC Resource Management
- Shift management
- Training and skill management
- Performance management
- SOC people metrics
SOC Technology Enablement
- SIEM technology maturity assessment
- Assess security portfolio and create log baseline.
- Log source integration & custom parser/connector development.
- Use case management for single-device, multi-device, and compliance use cases.
- Flow Management and SIEM integration.
- Full packet capture for forensics.
- Vulnerability integration for asset, incident, and vulnerability visualization.
- Threat Intelligence
- Tactical threat intelligence integration with SIEM.
- Strategic and actionable threat intelligence and analysis.
- Threat intelligence platform deployment, analysis, and contextual mapping with assets/crown jewels.
- Security Analytics
- User and Entity Behavior Analytics (UEBA)
- Network Threat Analytics
- Incident management tools
- Visualization, reporting, trends and dashboard integration
- Incident response orchestration
- Endpoint Security Analytics and Integration
- Endpoint Detection & Response (EDR) / Endpoint Protection Platform (EPP)
No SIEM? No SOC? Aujas is here to help
Managing security operations without a SIEM or SOC can be daunting. Aujas security experts can help you outline a roadmap that establishes SIEM/SOC operations within three years.
Year 1: Log collection, enrichment, and management, along with out-of-the-box rules/compliance rules for monitoring and threat detection.
- Design and deploy a basic SIEM with capabilities of log collection, correlation, visualization, and basic workflow integration.
- Establish a log baseline and integrate log sources, focusing on the critical assets listed below:
- Network devices such as core routers, core switches, and key network management components.
- Perimeter security devices such as firewalls, IPS, proxy servers, and URL filters.
- Authentication systems such as AD, VPN servers, databases used for authentication, and TACACS/RADIUS servers.
- Public-facing servers such as transactional web applications, with middleware and backend systems limited to security logs.
- DNS servers.
- Critical applications such as CRM, core banking channels, and API integration points, limited to security logs.
- Use Cases
- Monitor "what matters the most" from a data security point of view (web apps, core OS, PCI-related applications, databases, credit card information, customer and employee PII, etc.).
- Prioritize correlation rules by risk: start with 10-12 use cases, each with 3-6 SIEM rules/alerts mapped to the kill chain.
The solution will include out-of-the-box rules for alerting on threats found in log or network data (account changes, expirations, port scans, suspicious file names, default usernames, default passwords, security tools, AV signature updates, successful authentications, bandwidth by IP, email senders, failed privilege escalations, VPN failed logins, group management and system configuration changes, traffic to non-standard ports, etc.).
- Monitor all privileged activity.
- Monitor key system file changes.
- Audit the website home page and key files, and alert on changes.
- Alert on all anomalous authentication activity.
- System reboot followed by audit logs cleared, or audit logs cleared followed by a system reboot; failed Windows logins for multiple (3 or more) user names from a single workstation.
- Add/remove of AD admin group membership.
- Forced password resets.
- Account management events (a user account was locked out / unlocked; a member was added to / removed from a security-enabled local group). Monitor terminated users, i.e., users whose employment has been or is about to be terminated.
- Audit privilege use and enable privilege auditing on databases (CREATE TABLE, DROP TABLE, ALTER TABLE).
- Correlate DROP USER events with the revocation of a user's rights.
- Large files sent over the web; log the HTTP request and response.
- SQL injection and XSS detected.
- Large spike in DNS requests.
- A single machine receiving authentication failures from multiple servers.
- Create three basic processes
- Monitoring and notification process.
- Triage and escalation management.
- Incident response and service desk/ticketing management.
- Create basic reporting: trends, alerts and notifications, and an incident response summary.
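The Year 1 Windows use cases above (audit log cleared around a reboot, failed logons for several user names from one workstation, privileged group membership changes) are correlation rules, and the detail that matters is how the events are grouped and windowed. The following Python is an added example written for this guide, not code from Aujas or from any SIEM product. The event IDs are the standard Windows Security log IDs (4625 failed logon, 1102 audit log cleared, 4608 system startup, 4728/4732/4756 member added to a security-enabled group, 4729/4733/4757 member removed), but the flat record layout and all sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a simplified view of Windows Security log records
# after SIEM normalization. Hostnames, users and timestamps are made up.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "event_id": 4625, "host": "DC01", "workstation": "WS-117", "target_user": "alice"},
    {"ts": "2024-03-01T09:00:09", "event_id": 4625, "host": "DC01", "workstation": "WS-117", "target_user": "bob"},
    {"ts": "2024-03-01T09:00:14", "event_id": 4625, "host": "DC01", "workstation": "WS-117", "target_user": "administrator"},
    {"ts": "2024-03-01T09:00:30", "event_id": 4625, "host": "DC01", "workstation": "WS-042", "target_user": "carol"},
    {"ts": "2024-03-01T09:05:00", "event_id": 1102, "host": "FILESRV01", "subject_user": "svc_backup"},
    {"ts": "2024-03-01T09:07:30", "event_id": 4608, "host": "FILESRV01"},
    {"ts": "2024-03-01T10:00:00", "event_id": 4608, "host": "WEB01"},  # lone reboot: benign
    {"ts": "2024-03-01T11:15:00", "event_id": 4728, "host": "DC01", "subject_user": "mallory",
     "member": "CORP\\tmp_admin", "group": "Domain Admins"},
    {"ts": "2024-03-01T11:16:00", "event_id": 4728, "host": "DC01", "subject_user": "helpdesk1",
     "member": "CORP\\dave", "group": "Sales"},  # non-privileged group: ignored
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_IDS = {4728, 4732, 4756}
GROUP_REMOVE_IDS = {4729, 4733, 4757}


def parse_events(raw):
    """Convert ISO timestamps to datetimes and sort chronologically."""
    events = []
    for e in raw:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def rule_multi_user_failed_logons(events, min_users=3, window=timedelta(minutes=10)):
    """4625 failures from one workstation against >= min_users distinct accounts within window."""
    alerts = []
    by_workstation = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            by_workstation[e["workstation"]].append(e)
    for ws, failures in by_workstation.items():
        start = 0
        for end in range(len(failures)):  # sliding time window over ordered failures
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            users = {f["target_user"] for f in failures[start:end + 1]}
            if len(users) >= min_users:
                alerts.append(("multi-user failed logons", ws, sorted(users)))
                break  # one alert per workstation per burst
    return alerts


def rule_audit_clear_with_reboot(events, window=timedelta(minutes=15)):
    """1102 and 4608 on the same host within window, in either order."""
    alerts = []
    by_host = defaultdict(list)
    for e in events:
        if e["event_id"] in (1102, 4608):
            by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        for a, b in zip(evs, evs[1:]):  # evs is already time-ordered
            if {a["event_id"], b["event_id"]} == {1102, 4608} and b["ts"] - a["ts"] <= window:
                order = "log cleared then reboot" if a["event_id"] == 1102 else "reboot then log cleared"
                alerts.append(("audit log cleared + reboot", host, order))
    return alerts


def rule_privileged_group_change(events):
    """Any add/remove to a group in PRIVILEGED_GROUPS."""
    alerts = []
    for e in events:
        if e["event_id"] in GROUP_ADD_IDS | GROUP_REMOVE_IDS and e.get("group") in PRIVILEGED_GROUPS:
            action = "added" if e["event_id"] in GROUP_ADD_IDS else "removed"
            alerts.append(("privileged group membership change", e["host"],
                           f'{e["subject_user"]} {action} {e["member"]} ({e["group"]})'))
    return alerts


def run_year1_rules(raw_events):
    events = parse_events(raw_events)
    return (rule_multi_user_failed_logons(events)
            + rule_audit_clear_with_reboot(events)
            + rule_privileged_group_change(events))


if __name__ == "__main__":
    for alert in run_year1_rules(SAMPLE_EVENTS):
        print(alert)
```

Note that the workstation with a single failed logon and the host that rebooted without a preceding log clear produce no alerts; each rule needs the correlation, not just the presence of one event, which is what keeps the Year 1 rule set at the "3-6 alerts per use case" scale rather than alerting on every 4625.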
Year 2: Advanced event/flow correlation, application-level (layer 7) monitoring, threat detection/hunting, and threat modeling
- Add flow monitoring and create flow-based use cases, such as large HTTP payloads, clear-text usernames and passwords, and clear-text card data.
- Perform 100% coverage for critical log sources; Include enterprise applications in the order of risk.
- Customization and integration of application log sources via parsers/uDSM.
- Leverage SIEM User Behavior Analytics functions with authentication sources.
- Improve alert management with context.
- Improve use cases to include multi-device use cases
- Privileged access monitoring: monitor administrative activity and alert on violations. Track what each privileged account does by ID, and alert on any unauthorized or suspicious activity.
- Detect malware, back doors, and known remote exploits.
- Detect communication with known malicious sites (botnet C2, phishing, watering-hole sites, etc.) through tactical threat feed integration.
- Detect vulnerabilities by scanning of hosts.
- Identify anomalous behaviors
- Identify DNS traffic generated from non-DNS Servers or non-standard ports.
- Report reconnaissance attempts: a remote host making suspicious connections to local web server ports on more than 60 hosts within 10 minutes.
- Detect DoS/DDoS attacks, such as sudden spikes in network bandwidth usage.
- Monitor and alert for configuration and system file changes on critical servers, applications, and network devices.
- Verify physical security access logs for multiple failures and integrate with logical authentication logs for violation and context.
- Business policy violations such as logons during non-working hours, direct database connections/queries.
- Detect file transfer activity from sensitive servers such as DB/SAP servers/file servers.
- Create a run book for each use case that defines validation, containment, eradication, and recovery steps.
- Run simulations of the run books.
- Perform root cause analysis (RCA) and lessons learned, and feed the results back into operational processes and analysis.
- Threat Intelligence
- Add tactical threat intelligence feeds via the TAXII protocol.
- Assign a threat hunter to look for IoCs.
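Three of the Year 2 flow use cases above, the web-port reconnaissance threshold (more than 60 hosts in 10 minutes), DNS from non-DNS servers or on non-standard ports, and matching destinations against a tactical threat feed, can be expressed directly over normalized flow records. The Python below is an added example for this guide, not Aujas or vendor code. The record layout is an assumption: a flow exporter is taken to supply source, destination, destination port, protocol and, for layer-7-aware exporters, an application label in an "app" field. The authorised resolver list, the RFC 5737 addresses and the single feed indicator are all constructed for the example and are not real threat intelligence.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")        # assumed internal range
AUTHORIZED_DNS = {"10.0.0.53", "10.0.1.53"}              # assumed corporate resolvers
WEB_PORTS = {80, 443, 8080, 8443}
IOC_IPS = {"203.0.113.66"}                               # constructed feed entry, not real intel


def make_sample_flows():
    """Constructed flow records; a single scanner plus a few noteworthy internal flows."""
    base = datetime(2024, 3, 1, 2, 10)
    flows = []
    # External scanner touches 65 internal web servers over ~4.5 minutes.
    for i in range(65):
        flows.append({"ts": base + timedelta(seconds=4 * i), "src": "198.51.100.7",
                      "dst": f"10.0.2.{i + 1}", "dport": 443, "proto": "tcp"})
    # Authorised resolver doing normal upstream DNS: should not alert.
    flows.append({"ts": base, "src": "10.0.0.53", "dst": "192.0.2.10", "dport": 53, "proto": "udp"})
    # Workstation resolving directly against an external server.
    flows.append({"ts": base, "src": "10.0.5.21", "dst": "192.0.2.99", "dport": 53, "proto": "udp"})
    # DNS-classified traffic on a non-standard port (possible tunnelling).
    flows.append({"ts": base, "src": "10.0.5.22", "dst": "192.0.2.77", "dport": 5353, "proto": "udp", "app": "dns"})
    # Outbound connection to a feed-listed address.
    flows.append({"ts": base, "src": "10.0.5.21", "dst": "203.0.113.66", "dport": 8443, "proto": "tcp"})
    return flows


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def rule_web_recon(flows, max_hosts=60, window=timedelta(minutes=10)):
    """External source reaching web ports on more than max_hosts distinct internal hosts within window."""
    alerts = []
    per_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in WEB_PORTS and is_internal(f["dst"]) and not is_internal(f["src"]):
            per_src[f["src"]].append(f)
    for src, fs in per_src.items():
        fs.sort(key=lambda f: f["ts"])
        start = 0
        for end in range(len(fs)):  # sliding window over this source's connections
            while fs[end]["ts"] - fs[start]["ts"] > window:
                start += 1
            hosts = {f["dst"] for f in fs[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.append(("web recon", src, len(hosts)))
                break
    return alerts


def rule_rogue_dns(flows):
    """DNS from an internal host that is not an authorised resolver, or DNS on a non-standard port."""
    alerts = []
    for f in flows:
        if f["dport"] == 53 and is_internal(f["src"]) and f["src"] not in AUTHORIZED_DNS:
            alerts.append(("dns from non-dns server", f["src"], f["dst"]))
        elif f["dport"] != 53 and f.get("app") == "dns":
            alerts.append(("dns on non-standard port", f["src"], f'{f["dst"]}:{f["dport"]}'))
    return alerts


def rule_threat_feed_match(flows):
    """Either endpoint appears in the tactical feed."""
    return [("threat feed match", f["src"], f["dst"]) for f in flows
            if f["dst"] in IOC_IPS or f["src"] in IOC_IPS]


def run_year2_rules(flows):
    return rule_web_recon(flows) + rule_rogue_dns(flows) + rule_threat_feed_match(flows)


if __name__ == "__main__":
    for alert in run_year2_rules(make_sample_flows()):
        print(alert)
```

The recon rule fires once, on the 61st distinct host, rather than on each connection, and the port-53 check exempts the authorised resolvers so that only direct-to-internet resolution from endpoints is reported; both choices are what keep a flow-based rule from swamping the analyst queue when it is moved from the lab onto real traffic volumes.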
Year 3: Machine learning-driven advanced security and business analytics, high-performance big data compute
- Add full packet capture for forensics.
- Advanced firewall rule simulation, with suggestions for an optimized, noise-free network from the risk analysis modules.
- Improve and automate alert management.
- Advanced asset baselining to prioritize response and recovery of critical assets over low-risk assets during cyber attacks/incidents.
- Integrate with the CMDB and automate change management.
- Integrate with vulnerability management to provide internal threat intelligence and to prioritize by vulnerability posture, asset criticality, and incidents.
- Compliance-driven reporting based on the customer's line of business, e.g., HIPAA, PCI-DSS, GLBA, FISMA, GDPR, NYDFS.
- Use Cases
- Monitor and adapt rule bases.
- Create an additional 10-12 use cases for business-focused applications and correlate them with flows, which provide deeper context for threat modeling and incident forensics.
- Threat Intelligence and Threat Hunting
- Automate tactical threat intelligence and response.
- Define a threat intelligence process for threat hunting, asset criticality, and vulnerability identification and remediation (supported by big data platforms such as ELK or other big data threat hunting platforms used to search for IoCs).
- Leverage a threat intelligence platform to fuse feeds from multiple sources, contextualize them with asset criticality, and provide actionable remediation.
- Deploy proactive threat hunting that uses machine learning and automation (port/protocol mismatches, user behavior, threat intelligence) to drive hunt missions.
- Security Analytics
- Implement user and system behavior analytics.
- Additional reporting and visualization for key systems and data.
- Network analytics using full packet capture.
- Consider Endpoint Protection (EPP/ EDR) tools that leverage machine learning, intelligence integration, and IOC Management at the endpoints.
Security analytics use cases vary and are adopted based on relevance; they include:
- Employee monitoring.
- Analyze user behavior to detect potentially suspicious patterns.
- Analyze network traffic to pinpoint trends indicating potential attacks.
- Identify improper user account usage, such as shared accounts.
- Detect data exfiltration by attackers.
- Detect insider threats.
- Identify compromised accounts.
- Investigate incidents.
- Threat hunting.
The Aujas SOC maturity model is a good starting point for building and maturing your SOC. It is not, however, a one-size-fits-all solution: the model can be customized to start your organization's SOC journey, and as your operational needs grow and mature, your SOC must adapt and evolve with them.