Sunday, August 17, 2008

SecureWorks on Building and Sustaining a Security Operations Center

I received an email notifying me of a Webcast by SecureWorks titled Building and Sustaining a Security Operations Center. I'd like to highlight a few aspects of the Webcast that caught my attention.

First, the slide below shows the functions that SecureWorks considers to be in scope for a SOC. I noticed it includes device management. I think that function is mostly integrated with regular "IT" these days, so your SOC might not have to worry about keeping security devices running. Configuration is probably best handled by the SOC however.



Second, I liked seeing a slide with numbers of events being distilled into incidents.



Third, I thought this slide made a good point. You want to automate the early stages of security operations as much as possible (90% tech), but the response processes tend to be very skill-intensive (which translates into higher overall salary costs, i.e., you may have fewer IR handlers, but they could cost more than the event analysts). The "Adapt" section on the right seems to depict that mature operations end up spending about half of their budget on tech and half on people. Mature operations realize that their people must keep up-to-date with attacks and vulnerabilities, or they fail to "adapt" and become dated and ineffective.



Finally, SecureWorks spent a lot of time talking about "co-sourcing," or having an in-house team meeting its core security competencies, while an outside group (like SecureWorks, hey!) fills in the gaps. This is the MSSP industry response to the recent trend for companies to move their security function back in-house. I think it makes sense, however. Using outside vendors for security intelligence and high-end attack and artifact analysis is a smart way to spend your money.

6 comments:

Anonymous said...

I've used SecureWorks for managed IDS systems in the past and they aren't too bad. For a smaller company the more eyes you can have on the data, the better. From what I've been reading, they are redoing their customer portal system, and it'll be interesting to see what changes they come up with to make the visible information more efficient.

Bouch said...

It all comes down to the cost benefit comparison or risk analysis. If my car is only worth $1,000 why bother installing an alarm and tracking system costing $1,200? However, I always argue on the side of future precautions where assets may accumulate value over time.

Stacy Shelley said...

Thanks for the coverage Richard. I frequent your blog quite regularly (one of your many subscribers) and it was good to hear your thoughts about our webcast.

I agree with you on device management. We should have specified "security device management" on the diagram to make it more clear.

As you said, when it comes to maintaining the hardware, keeping it patched, etc. it's usually the responsibility of IT. In our experience, more specialized tasks like tuning IDS/IPS signatures and managing firewall rulesets are the tasks left to security.

Just to confirm what the anonymous commenter said re: our client portal -- Yes, since the merger with LURHQ two years ago we've been using their portal platform which was a significant upgrade. Lots of work has gone into giving it SIM reporting functionality in regards to useful metrics, customization, workflow management, etc.

Come by our website or contact us for a demo and we'd be happy to walk you through it :)

Thanks again Richard!

Bozidar Spirovski said...

I would like to rely on a specific system to make periodic scans and suggest possible vulnerabilities and patches, and then place the patching into a workflow system to be tracked.
This way, you get a good overview of where you are on security of the infrastructure, what needs to be done and at what time.
And then you can do comparison scan afterwards

Spirovski Bozidar
http://www.shortinfosec.net

sanjay said...
This comment has been removed by a blog administrator.
Anonymous said...
This comment has been removed by a blog administrator.