Cybersecurity Practice #8: Security Operations Center and Incident Response

Most cybersecurity programs begin by implementing controls designed to prevent cyberattacks against an organization's IT infrastructure and data. This is a good place to start, and there is a lot of value in basic cyber hygiene, that is, in implementing the cybersecurity practices discussed in this volume. However, in the modern threat landscape, not all attacks can be prevented with these basic controls. It is equally important to invest in and develop capabilities to detect attacks that succeed and to respond quickly enough to limit their effects.
Cybersecurity Practice 8: Security Operations Center and Incident Response

Data that may be affected: PHI

Medium Sub-Practices:
  8.M.A Security Operations Center
  8.M.B Incident Response
  8.M.C Information Sharing and ISACs/ISAOs

Large Sub-Practices:
  8.L.A Advanced Security Operations Center
  8.L.B Advanced Information Sharing
  8.L.C Incident Response Orchestration
  8.L.D Baseline Network Traffic
  8.L.E User Behavior Analytics
  8.L.F Deception Technologies

Key Mitigated Risks:
  Phishing Attacks
  Ransomware Attacks
  Loss or Theft of Equipment
  Insider, Accidental or Intentional Data Loss
  Attacks Against Connected Medical Devices that May Affect Patient Safety
A good example is the threat of phishing attacks. Even if an organization followed every practice discussed in Cybersecurity Practice #1: E-mail Protection, it would still be susceptible to phishing. It is therefore important to detect, in near real time, the phishing attacks that do get into your environment and to neutralize their effects before widespread credential theft or malware installation occurs. This is a classic illustration of what it means to shore up detection capabilities (catching the phishing attack that gets past your basic controls) and response capabilities (neutralizing its effects before serious damage to the organization occurs). Maintaining detection and response capabilities requires establishing an IR program and an SOC to run it, along with security engineering that improves the organization's ability to detect and respond to cyberattacks.
Sub-Practices for Medium-Sized Organizations

8.M.A Security Operations Center
NIST FRAMEWORK REF: RS.RP
An SOC is an organizational structure that leverages cybersecurity frameworks, people, tools, and processes to provide dedicated cybersecurity operations. SOCs are the areas within an organization that dedicate 100 percent of their time to cybersecurity prevention, detection, or response capabilities, providing the execution arm of cybersecurity IR.