Top Tips: Adopting the right Security Operations Centre strategy

David Calder is Managing Director of Security Practice at IT Services firm ECS. David has spent the last twenty years working to improve the security posture and threat management capabilities of his employers and latterly of his customers. Since being given his first security task as a graduate in the late nineties to build an Internet Banking security solution, David hasn’t looked back and has held technical, consultant and senior management security roles in several prominent financial organisations before becoming managing director of the ECS Security practice.

David shares his top tips on how to adopt the right Security Operations Centre strategy.

The proliferation in the number and type of cyber attacks being faced by organisations makes a Security Operations Centre (SOC) strategy essential in today’s virtual arms race.

Boards are aware of the threat and are willing to invest, but want confidence that they will get value from their investment.

So how best to approach this?

The first question is whether to outsource your SOC to a Managed Security Service Provider (MSSP) or to build one in-house. There are pros and cons to both approaches.

The typical MSSP’s Security Operations Centre offerings are a useful tool for many organisations, allowing them to outsource the establishment and maintenance of certain specialist skills sets and processes. However, some organisations are put off by the lack of organisational context and personalisation – a direct result of the fact that these SOCs are based on shared resources that operate most effectively using standardised interfaces to accomplish economies of scale.

Building your own Security Operations Centre avoids many of the downsides of the MSSP approach, but represents a major investment and costs can easily spiral. For the in-house team, avoiding being consumed by purely compliance-based tasks and low-value work (deemed by some as being the most appropriate work for an operations team) can be a challenge.

A hybrid of these also exists, where an MSSP provides staff, process and service management based on the customer’s premises and using the customer’s systems. This can address much of the personalisation and skill set challenges.

Whether you are establishing a Security Operations Centre for the first time or reviewing your current solution, here are five tips that can help to ensure your organisation is always one step ahead of its attackers.

Be threat-led, not compliance-led - Your organisation’s Information Security policy/scheme or regulatory requirements should give clear information on the control objectives of your organisation. However, compliance alone will not provide the Security Operations Centre with the capabilities it requires to prevent the success of threat agents. Threat agents will attempt to work around the general controls that you put in place.

A robust Security Operations Centre will regularly assess threats to the organisation and adapt or augment controls appropriately, to ensure that it retains a relevant capability as threats, and the parent organisation, evolve. As part of that, compliance control requirements should be fulfilled - but only as a subset of threat management.

Build a SOC that integrates with your business - All IT organisations have common capabilities such as change and incident management. However, these capabilities have been adapted to fit with the organisation’s business needs and approach. Many have learnt that adopting ITIL to the letter will not work for their organisation. Similarly, many have found that integrating with a Security Operations Centre that will not adapt its customer interfaces or task-tracking approaches to meet their specific requirements results in a SOC that lacks business commitment and engagement.

Consider your interface and approach requirements carefully when considering a new Security Operations Centre. Do not dismiss them as someone else’s problem, as this mistake will cost you in the run phase.

Carefully consider your sourcing model - A Security Operations Centre has many component parts and each could potentially be sourced differently, with different benefits and costs. A service could be provided using permanent staff, contract staff, service provider staff or a blend of all three. A service could be located on your own business premises, the service provider’s premises, on-shore, off-shore or near-shore - or a blend of all of these.

Each of these has nuances: what does this mean for my data; what does this mean for the IP that the Security Operations Centre establishes (your tuning should be considered part of your IP); and what does this mean for my long-term costs and service? It is important to consider each of these individually and apply the test of how it would survive a transition from one model to another. Whatever sourcing is chosen, it should specifically address your problem, and constraints in the sourcing approach should not limit it to the point of failure.

Cyber-defence may seem glamorous, but your business needs a robust operational solution - Agility is key to managing threat, but consistency is also mandatory. A dependable Security Operations Centre capability requires strong processes that can cope with new requirements, while also ensuring that commitments are met in a consistent and high-quality fashion. Clever people with best-of-breed technologies may successfully firefight emerging threats, but good process and service management will create a sustainable service that earns the respect of the business and establishes the Security Operations Centre as a core part of the organisation’s risk controls. Standardisation of processes will also enable a ‘shift-left’ of repeatable, well-defined work and ideally allow more automation. This standardisation will free your most creative minds to manage emerging threats in a dependable and robust fashion.

There is no silver bullet technology - A good Security Operations Centre has to get your organisation ahead of the dark community in the virtual arms race. Focused technology solutions alone will not enable this; they will add value, but, as in war, “No plan survives contact with the enemy”. The Security Operations Centre must be built with people, processes and technologies that are flexible and can adapt quickly to change. Open technologies, such as the Splunk Enterprise data intelligence platform, will help the Security Operations Centre adapt quickly, but more important than any technology is the right approach/process – this will ensure that the correct focus is in the correct place with the correct mission.

In conclusion, demands on Security Operations Centres have changed with the proliferation and evolution of attackers and attacks over recent years. Getting the right people, processes and technologies in place - and ensuring that these integrate seamlessly with the organisation - is critical to a successful defence.
