White Paper
Best Practices for Building a Security Operations Center
August 2006

Table of Contents

Security Information Overload
What Does a Security Operations Center Do?
Why “After the Fact” is Too Late
Business Requirements
Reduce Risk and Downtime
Threat Control and Prevention
Ease Administrative Overhead
People and Responsibilities
Escalation Path
Audit and Compliance Support
Incident Response and Recovery
Technical Requirements
Speed of Aggregation and Correlation
Device and System Coverage
Ability to Respond Quickly
24 x 7 Uptime
Support for Federated and Distributed Environments
Forensic Capabilities
Intelligent Integration with SOCs and NOCs
Security Operations Center: The Nerve Center for Information Sharing and Monitoring Enterprise Security

Security Information Overload

Managing security events in today’s corporate environment poses a series of challenges for beleaguered IT personnel and their organizations. The first challenge is the daily onslaught of security data from disparate systems, platforms and applications. Numerous point solutions such as antivirus software, firewalls, intrusion prevention systems, intrusion detection, access control, identity management, single sign-on and authentication systems all present information in different formats, store it in different places and report to different locations. Most organizations deal with millions of messages daily from these incompatible security technologies, resulting in security information overload which, in turn, contributes to high overhead, duplication of effort, weak security models and failed audits. In a recent survey, almost half of the security administrators asked could not determine how many critical security events had required action in the past month as a result of this issue [3]. And according to Forrester Research, “Security products available today for the perimeter, such as firewalls, IPSs, intrusion detection, antivirus gateways, content filtering, and a host of multipurpose security appliances, are making the network perimeter much more resilient – but also more complicated.” [1]

Figure 1. Security Information Overload.

As if this weren’t enough, other challenges add complexity to the situation. Attacks are becoming more frequent and more sophisticated, pushing existing security capabilities to the limit. New technologies and the rapid expansion of networks and services indicate that this information overload will only worsen.
Finally, regulatory compliance issues place an increasing burden on systems and network administrators.

In the face of such odds, how can you ensure that your vital business assets and operations are protected? How do you guarantee privacy for your employees, partners, vendors and customers? How do you implement security policies? How do you get a handle on the vast amounts of data and on the incompatible technologies and devices that, while standing guard, generate an entirely new set of challenges? How do you maintain accountability and corporate governance within the organization?

To redress the current fragmented approach to security event management and safeguard your business operations, security administrators require the kind of real-time, centralized integration and management capabilities associated with today’s Network Operation Centers (NOCs). Security Operation Centers (SOCs) can provide a real-time view into a network’s security status, making a proactive approach to security a reality via automated alerts, detailed reports and remediation.

A SOC monitors and manages all aspects of enterprise security in real time, from a single, centralized location. It discovers and prioritizes events, determines the risk level and which assets are affected, and recommends and/or executes the appropriate remediation. It delivers detailed reports at the local and network levels, meeting both real-time management and audit requirements.

To provide an example of a SOC in action, imagine a security administrator sitting in a room at a Colorado university; the room is lit by the glow of several computer monitors, each displaying a physical area of the campus. Each monitor presents data reported from the university’s geographically distributed sites. The administrator receives an alert on the main screen, clicks a button, then picks up the phone and calls a local operator in California.
What happened? The administrator saw proprietary information being sent out of the university improperly; the user’s access was locked out, the local operator was dispatched to remove the user from the building, and an investigation into the incident was initiated. This sounds a bit futuristic, but it is not: this is the reality of today’s SOC.

In this paper, we explore the business and technical requirements that organizations must consider when implementing a SOC.

Figure 1 data, event counts per source as drawn in the figure: UNIX syslogs 65,000 events; Windows syslogs 1,036,800 events; IDS and access logs 1,100,000 events; firewall 787,000 events; antivirus 12,000 events; about 3 million events in total.

What Does a Security Operations Center Do?

A properly configured and managed SOC acts as an intelligent brain, gathering data from all areas of a network, automatically sifting through alerts, prioritizing the risks and preventing attacks before they can be executed and cause costly damage.

The key to the SOC is to provide situational awareness: a correlated picture of what is occurring right now in an enterprise. By pulling together information from a variety of devices (firewalls, antivirus, intrusion detection systems, etc.), then normalizing and correlating that information, the SOC provides real-time (or near real-time) reporting on what is happening, so that operators can manage and respond to intrusions before they put the organization at risk. When complete prevention is not possible, the SOC’s reporting allows operators to identify attacks and limit the damage before it spreads.

Figure 2. Situational Awareness.

Many organizations have already deployed NOCs that manage and monitor network traffic, but still lack a method for centralized management of security events [3]. The primary function of the NOC is to establish and maintain the health of an organization’s infrastructure. A NOC concentrates on keeping the network running, while a SOC manages security events to protect the network.
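The normalize-then-correlate pipeline described above, together with the discover, prioritize, identify-affected-assets and recommend-remediation sequence the previous section ascribes to a SOC, as an added example in Python. This is not code from the white paper or from any SOC product; the six log lines, the asset inventory, the event weights, the five-minute window and the risk thresholds are all constructed for the illustration, and the BSD syslog lines are assumed to belong to the year 2006 because that format carries no year.

```python
"""Toy SOC pipeline: normalize events from incompatible sources, correlate them by actor
within a time window, score each cluster against asset criticality and recommend an action."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SYSLOG_YEAR = 2006             # BSD syslog timestamps carry no year; assumed for this example
WINDOW = timedelta(minutes=5)  # events from one actor within this window form one incident

# Constructed sample events (not real logs): an SSH brute-force sequence from 203.0.113.45
# seen by three sensors, a benign allowed connection, and an unrelated antivirus quarantine.
RAW_EVENTS = [
    ("syslog", "Jan 12 09:15:01 dbhost sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2"),
    ("syslog", "Jan 12 09:15:04 dbhost sshd[2211]: Failed password for root from 203.0.113.45 port 51023 ssh2"),
    ("firewall", "2006-01-12 09:15:06 DENY TCP 203.0.113.45:51024 -> 10.0.0.5:22"),
    ("ids", "[**] [1:1000001:1] LOCAL SSH brute force attempt [**] 01/12-09:15:07 203.0.113.45 -> 10.0.0.5"),
    ("firewall", "2006-01-12 09:20:00 ALLOW TCP 198.51.100.7:40000 -> 10.0.0.8:443"),
    ("antivirus", "2006-01-12 09:25:30 host=wks17 action=quarantined threat=Test-Virus-A"),
]

# Constructed asset inventory: ip -> (hostname, criticality 1..3). Unknown hosts score 1.
ASSETS = {"10.0.0.5": ("dbhost", 3), "10.0.0.8": ("webproxy", 1), "10.0.0.17": ("wks17", 1)}
HOST_IPS = {name: ip for ip, (name, _) in ASSETS.items()}
WEIGHTS = {"auth_failure": 1, "fw_deny": 1, "ids_alert": 3, "av_quarantine": 2}  # illustrative

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) \S+?(?:\[\d+\])?: (.*)$")
FW_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (ALLOW|DENY) \w+ ([\d.]+):\d+ -> ([\d.]+):\d+$")
IDS_RE = re.compile(r"^\[\*\*\] \[[\d:]+\] .+? \[\*\*\] (\d\d)/(\d\d)-(\d\d:\d\d:\d\d) ([\d.]+) -> ([\d.]+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(source, line):
    """Map one raw line onto a common schema (ts, type, src_ip, dst_ip); None means noise."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m or "Failed password" not in m.group(3):
            return None                                   # only auth failures matter here
        src = re.search(r" from ([\d.]+)", m.group(3))
        return {"ts": datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S"),
                "type": "auth_failure", "src_ip": src.group(1) if src else None,
                "dst_ip": HOST_IPS.get(m.group(2))}
    if source == "firewall":
        m = FW_RE.match(line)
        if not m or m.group(2) != "DENY":
            return None                                   # permitted traffic is dropped as noise
        return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), "type": "fw_deny",
                "src_ip": m.group(3), "dst_ip": m.group(4)}
    if source == "ids":
        m = IDS_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{SYSLOG_YEAR}-{m.group(1)}-{m.group(2)} {m.group(3)}", "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "type": "ids_alert", "src_ip": m.group(4), "dst_ip": m.group(5)}
    if source == "antivirus":
        kv = dict(KV_RE.findall(line))
        if kv.get("action") != "quarantined":
            return None
        return {"ts": datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), "type": "av_quarantine",
                "src_ip": None, "dst_ip": HOST_IPS.get(kv.get("host"))}
    return None                                           # unknown source: cannot normalize


def recommend(src_ip, counts):
    """Remediation the SOC would propose (or hand to the NOC) for one cluster."""
    if src_ip and (counts["ids_alert"] or counts["auth_failure"] >= 2):
        return f"block {src_ip} at the perimeter firewall (hand off to NOC); review affected hosts"
    if counts["av_quarantine"]:
        return "confirm quarantine and scan the host"
    return "monitor"


def correlate(events):
    """Cluster events by actor (source IP, or affected host when there is none) inside WINDOW,
    then score each cluster by event weight times the most critical asset it touched."""
    clusters = defaultdict(list)                          # key -> list of clusters (lists of events)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev["src_ip"] or f"host:{ev['dst_ip']}"
        groups = clusters[key]
        if groups and ev["ts"] - groups[-1][0]["ts"] <= WINDOW:
            groups[-1].append(ev)
        else:
            groups.append([ev])
    incidents = []
    for groups in clusters.values():
        for group in groups:
            counts = Counter(e["type"] for e in group)
            dst_ips = {e["dst_ip"] for e in group if e["dst_ip"]}
            crit = max((ASSETS[ip][1] for ip in dst_ips if ip in ASSETS), default=1)
            score = sum(WEIGHTS[t] * n for t, n in counts.items()) * crit
            src_ip = group[0]["src_ip"]
            incidents.append({
                "src_ip": src_ip,
                "assets": sorted(ASSETS[ip][0] for ip in dst_ips if ip in ASSETS),
                "type_counts": dict(counts),
                "score": score,
                "risk": "high" if score >= 9 else "medium" if score >= 4 else "low",
                "action": recommend(src_ip, counts),
            })
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def triage(raw_events):
    """Full pipeline: normalize every raw line, drop the noise, correlate and rank."""
    events = []
    for source, line in raw_events:
        ev = normalize(source, line)
        if ev:
            events.append(ev)
    return correlate(events)


if __name__ == "__main__":
    for inc in triage(RAW_EVENTS):
        print(f"{inc['risk']:6} score={inc['score']:<3} src={inc['src_ip']} "
              f"assets={inc['assets']} -> {inc['action']}")
```

Running the block yields two incidents: the SSH brute-force cluster against dbhost ranks highest because three sensors agree on the same source address and the target is a critical asset, and it carries a firewall-block recommendation that the SOC would hand to the NOC; the antivirus quarantine on an ordinary workstation ranks low, and the permitted connection never reaches the correlator at all. The point the pipeline makes is that the same source address tied together across syslog, firewall and IDS data turns three separate low-value messages into one actionable event.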
According to the Yankee Group, Security Information Management “…is evolving by converging with network and systems management. Organizations are looking to increase efficiency by implementing security systems with greater autonomy to respond to virus infections, attacks or other losses of network integrity.” [2] While a SOC and a NOC can work as completely separate entities (see Figure 3), they work more effectively in tandem. A SOC can feed information to a NOC for resolution of a security event (see Figure 4).

Integrating the SOC and NOC allows organizations to respond quickly to security events. The NOC can use network activity data alongside the real-time security event data to avert security incidents, while the SOC can use network activity related to security events to refine the identification of a specific security event. This integration also enables communication between the NOC and SOC, offering a central console for network and security situational awareness that lets organizations quickly identify, respond to and mitigate security events across the organization.

Figure 3. NOC and SOC working independently. (Both figures show the same sources, IDS, firewall, AV, Unix syslog, NT syslog and access control, feeding the SOC on the security side and the NOC on the network side.)

Figure 4. NOC and SOC communicating and managing security events in a bi-directional manner.