In the previous post of this series "Measure your Readiness", I depicted a framework to assess, shape and accelerate a Threat-Driven Incident Response program useful for all kind of organizations to enhance their response capabilities and be ready to deal with unforeseen incidents.
The second post in the series aims to look at the "security monitoring" program, also considered the core service provided and overseen by a Security Operation Center. In this context the main goal and capability of a successfully implemented program is to detect, scope and report "behaviors" that require further investigation through the collection, correlation and analysis of data across a wide-range of systems, applications, security and network devices and "things".
Expanding the collection of data sources to acquire not only systems logs and application events but also network packets (including the most significant ingress/egress points), endpoint data and identity, assets and business contexts, clearly enable the SOC team to conduct deeper analysis, thereby identifying and containing more advanced threats (and dwell time reduced). This process should start using a top-down approach in order to identify first the enterprise's assets that contain sensitive data or privileged application functions (by also using previous Business Impact Analysis) and then develop a road map aligned with the priorities of the business, gradually expanding the monitoring capabilities to a broader range of assets. This approach is also cost-effective considering limited resources in the SecOps team.
As part of this strategy, the second element to consider for managing the security risks is the definition of the Threat Indicator (TI), patterns indicative of potential vulnerabilities and malicious behavior. Those TIs drive the design and implementation of the technology by factoring the assets to be monitored, the context-based data and logic needed to detect the threat, the asset residual risks (i.e. after countermeasures are applied) and actionable threat intelligence data.
Therefore, a simple and effective model takes into account the key elements below:
- TI scope, technical and business owner
- Residual risk
- Technical indicator pattern
- Context-enriched data (either internal or external)
The above model requires structured development and an ongoing effort to maintain, weight and optimize TIs in an enterprise, ingesting lessons learned by reviewing previously detected incidents, risk assessment and threat analysis activities. This approach enables the SecOps team to detect not only more advanced threats but also to evolve me with the IT department and the threat landscape.
To ensure a continuous security monitoring strategy is correctly implemented, maturity modeling can be used to evaluate where the organization stands and the longer-term roadmap requirements.
Level 1 - Initial (Processes unpredictable, reactive)
- Analytics - Limited visibility into the network with limited monitoring platforms; Out of the Box (OOTB) signatures only used and rarely updated.
- Governance - Monitoring policy focused on meeting compliance and regulatory requirements.
- Measurement - OOTB metrics and technical KPIs deployed; reports generated manually on demand.
- Operational - Monitoring operations (including correlation, analysis and alerts generation) limited to specific components, mostly manual correlation and driven by regulation and compliance.
- Organizational - Limited resources assigned to the security monitoring team and responsibilities shared with the IT department.
Level 2 - Managed (Processes developed but inconsistent, often reactive)
- Analytics - Varieties of monitoring and analytics platforms deployed and data collected on multiple repositories; "security baseline" identified and defined.
- Governance - Monitoring policies and procedures developed but inconsistently followed and communicated with other departments.
- Measurement - Customized tactical metrics available to drive operational decisions.
- Operational - Monitoring operations extended to almost all the full spectrum of IT/Security devices and driven by business risk; limited set of custom threat indicators developed.
- Organizational - Dedicated security monitoring team available during business hours; roles and responsibilities are assigned.
Level 3 - Defined (Processes consistent across the organization, and are proactive)
- Analytics - Analytics technologies deployed across-the-board and the data (including network packet capture) are centrally collected, stored and aggregated using a "single pane-of-glass".
- Governance - Monitoring procedures developed for each specific asset and shared with the IT department including telemetry data; Legal and HR are actively involved to determine the appropriate level of retention and privacy policies); procedures are proactively modified to reflect any business change.
- Measurement - Easy-to-access custom metrics and KPIs produced, communicated regularly and in support of business drivers, objectives and decisions;
- Operational - Complete visibility of the network and data flow; time to detect and investigate incidents significantly reduced over time; proactive approach to identify threats is established.
- Organizational - Dedicated monitoring team is available each business day during business hours (8x7) and specialized rapid response team available on-call.
Level 4 - Quantitatively Managed (Processes measured and controlled)
- Analytics - Context-aware security analytics platforms are deployed and daily maintained; long-term historical data available and continuously analyzed and cross-correlated with tailored internal and external threat intelligence.
- Governance - Monitoring procedures are categorized, communicated across the organization, accepted by business owners and aligned with the organization's business risk.
- Measurement - Meaningful risk and threat metrics constantly measured and available to support business decisions.
- Operational - Risk and threat based monitoring approach applied; custom threat indicators developed based on the residual risk of each "class of asset" and adopted to reflect any major asset change.
- Organizational - Dedicated 24x7 internal team available in a "follow-the-sun" model and spread at various locations with deep knowledge of network and platforms.
Level 5 - Optimizing (Focus on process improvement)
- Analytics - Scalable and distributed data processing platforms implemented; advanced threat analytics systems optimized focusing on the organization's business context and identity information; incidents prioritized calculating the potential business disruption and threats identified also monitoring metadata of encrypted traffic.
- Governance - Monitoring procedures are continuously reviewed and aligned with any major change of the organization's IT ecosystem to provide full visibility through analytics technologies.
- Measurement - Metrics and KPIs generated in real time and aligned with strategic objectives/risk profile; metrics used to drive (fact-based) tactical and strategic management decisions.
- Operational - Threat indicators are customized for each asset and proactively developed considering the evolving threat landscape, internal/external intelligence data, lessons learned and the risk posture of the organization.
- Organizational - Dedicated "around-the-clock" security monitoring team deployed in a central location with secondary site support; top notch talent in-house specialized also in machine learning and data science.
The development of a SOC team to detect and analyze suspicious events requires ongoing effort and agility to sustain the program due to the increased volume and variety of threats to networks, systems and other connected "things".
Similar to the development of a threat-driven incident response program, a security monitoring strategy lays the foundation for success by maturing towards a skilled, dedicated, technology-enabled team using up-to-date policies, processes and procedures.