Cybersecurity Practice #8: Security Operations Center and Incident Response
Most cybersecurity programs begin by implementing controls designed to prevent cyberattacks against an organization’s IT infrastructure and data. This is a good place to start and there is a lot of value in basic cyber hygiene, implementing the cybersecurity practices that are discussed in this volume. However, in the modern age of cyber threats, not all attacks can be prevented with these basic controls. It is equally important to invest in and develop capabilities to detect successful attacks and respond quickly to mitigate the effects of these attacks. A good example is the threat of phishing attacks. Even if organizations followed every practice discussed in Cybersecurity Practice #1: E-mail Protection, they would still be susceptible to phishing attacks. It is therefore important to detect, in near real time, phishing attacks that successfully infiltrate your environment and to neutralize their effects before widespread theft of credentials or malware installation occurs. This is a classic example of what it means to shore up your detection capabilities (detecting the phishing attack that gets past your basic controls) and response capabilities (neutralizing the effects before serious damage to the organization occurs). Maintaining detection and response capabilities requires establishing an IR program and an SOC to manage the IR, along with security engineering that enhances an organization’s ability to detect and respond to cyberattacks.
Cybersecurity Practice 8: Security Operations Center and Incident Response
Data that may be affected: PHI
Medium Sub-Practices:
  8.M.A Security Operations Center
  8.M.B Incident Response
  8.M.C Information Sharing and ISACs/ISAOs
Large Sub-Practices:
  8.L.A Advanced Security Operations Center
  8.L.B Advanced Information Sharing
  8.L.C Incident Response Orchestration
  8.L.D Baseline Network Traffic
  8.L.E User Behavior Analytics
  8.L.F Deception Technologies
Key Mitigated Risks:
  Phishing Attacks
  Ransomware Attacks
  Loss or Theft of Equipment
  Insider, Accidental or Intentional Data Loss
  Attacks Against Connected Medical Devices that May Affect Patient Safety
Sub-Practices for Medium-Sized Organizations
8.M.A Security Operations Center
NIST FRAMEWORK REF: RS.RP
An SOC is an organizational structure that leverages cybersecurity frameworks, people, tools, and processes to provide dedicated cybersecurity operations. SOCs are the areas within an organization that dedicate 100 percent of their time to cybersecurity prevention, detection, or response capabilities, providing the execution arm of cybersecurity IR.
An SOC is generally segmented into four main functions, depending on the organization's level of maturity. These functions are as follows:
Engineering: The process of building new cybersecurity capabilities into the existing toolsets in an environment. Examples include building new alerts within a security incident and event management (SIEM) system, establishing new log sources for log management systems, establishing new analytics patterns for detection, or simply implementing new cybersecurity systems to add capabilities into the environment.
Operations: The process of managing and maintaining the cybersecurity tools within the SOC. This is sometimes referred to as keeping the lights on. Keeping the lights on generally means monitoring critical cybersecurity systems to ensure that they operate at agreed-upon performance levels.
Threat intelligence: A specific function that focuses entirely on how to discover cybersecurity threats that may be relevant to the organization, along with the means and methods these threats may use to infiltrate the organization. This function focuses on the threat actors themselves, the tools they leverage, and the digital signatures they leave in the process of conducting their activities. Once these digital footprints, sometimes called indicators of compromise (IOCs), are established, engineering teams can integrate IOC patterns into cybersecurity systems and establish IR plays to execute when the IOCs are activated.
Incident response: The process of conducting a structured and consistent response to any IR plays that have been created. The goal of this function is to
  - validate an IR process that has been triggered;
  - contain any successful cybersecurity attacks to the organization;
  - eliminate the threat from the environment;
  - recover systems or data that might have been affected by the attack; and
  - ensure that any attack vectors that were exploited are well understood and fed back to the security engineering teams for future prevention or enhanced detection capabilities, further minimizing the impacts of those vectors.
It is critical to create a continuous feedback loop between your IR and engineering teams so the organization continues to learn and grow based on the actual success of threats and threat actors. As SOCs are developed, a core concept is to ensure that IR teams and handlers apply consistent methods to execute response practices. SOCs and IR teams should establish playbooks, also known as runbooks, that describe existing detection mechanisms and the procedures to be followed if the mechanisms are triggered. For each detection, the triggered process may be referred to as a play, like plays that football teams maintain in their playbooks. Examples of plays that might be found in an IR playbook are provided in Table 10. The table provides high-level play details, including what the play seeks to accomplish and the types of source data that must be collected to successfully detect it. The list below will not
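The IOC-to-play handoff described above (threat intelligence supplies indicators, engineering wires them into detection, and each hit triggers a play whose steps follow the five IR goals) can be sketched as a small detection-and-playbook engine. This is an added example, not code from the practice document; the IOC patterns, playbook steps, and log lines are all constructed placeholders (reserved .test domains), not real indicators.

```python
import re
from dataclasses import dataclass

# Constructed IOC feed from the threat-intelligence function, keyed by the play it triggers.
# Each entry names the log source it applies to; domains are invented .test placeholders.
IOCS = {
    "phishing-credential-harvest": ("proxy", re.compile(r"dst=login-[a-z0-9-]+\.harvest\.test")),
    "ransomware-beacon": ("dns", re.compile(r"query=[a-f0-9]{16}\.c2\.test")),
}

# Constructed playbook: the IR function's five goals spelled out as steps for each play.
PLAYBOOK = {
    "phishing-credential-harvest": [
        "validate: confirm the proxy hit was a credential POST, not a click-only visit",
        "contain: reset the user's password and revoke active sessions",
        "eliminate: block the harvesting domain at the proxy and mail gateway",
        "recover: audit the account's mailbox rules and recent sign-ins",
        "feedback: hand the domain pattern to engineering for a SIEM alert",
    ],
    "ransomware-beacon": [
        "validate: confirm the DNS query came from a production host, not a sandbox",
        "contain: isolate the host from the network",
        "eliminate: remove the beaconing binary, rebuild the host if needed",
        "recover: restore affected files from backup",
        "feedback: add the beacon naming pattern to DNS monitoring",
    ],
}

@dataclass
class Incident:
    play: str
    indicator: str  # the matched IOC text, fed back to engineering
    steps: list

def run_plays(log_lines):
    """Match each line (first token = log source) against that source's IOCs; return triggered plays."""
    incidents = []
    for line in log_lines:
        source, _, body = line.partition(" ")
        for play, (ioc_source, pattern) in IOCS.items():
            hit = pattern.search(body) if source == ioc_source else None
            if hit:
                incidents.append(Incident(play, hit.group(0), PLAYBOOK[play]))
    return incidents

# Constructed log lines: one phishing hit, one beacon, one benign line.
SAMPLE_LOGS = [
    "proxy user=alice dst=login-portal-0b3.harvest.test method=POST",
    "dns host=ws-17 query=9f3c2a1b4d5e6f70.c2.test type=A",
    "proxy user=bob dst=intranet.corp.test method=GET",
]
```

Calling `run_plays(SAMPLE_LOGS)` returns two incidents, each carrying the matched indicator and its play's steps; the benign line triggers nothing.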