SecureWorks on Building and Sustaining a Security Operations Center

I received an email notifying me of a Webcast by SecureWorks titled Building and Sustaining a Security Operations Center. I'd like to highlight a few aspects of the Webcast that caught my attention.

First, the slide below shows the functions that SecureWorks considers to be in scope for a SOC. I noticed it includes device management. I think that function is mostly integrated with regular "IT" these days, so your SOC might not have to worry about keeping security devices running. Configuration is probably best handled by the SOC however.



Second, I liked seeing a slide with numbers of events being distilled into incidents.



Third, I thought this slide made a good point. You want to automate the early stages of security operations as much as possible (90% tech), but the response processes tend to be very skill-intensive (which translates into higher overall salary costs, i.e., you may have fewer IR handlers, but they could cost more than the event analysts). The "Adapt" section on the right seems to depict that mature operations end up spending about half of their budget on tech and half on people. Mature operations realize that their people must keep up-to-date with attacks and vulnerabilities, or they fail to "adapt" and become dated and ineffective.



Finally, SecureWorks spent a lot of time talking about "co-sourcing," or having an in-house team meeting its core security competencies, while an outside group (like SecureWorks, hey!) fills in the gaps. This is the MSSP industry response to the recent trend for companies to move their security function back in-house. I think it makes sense, however. Using outside vendors for security intelligence and high-end attack and artifact analysis is a smart way to spend your money.

Comments

Anonymous said…
I've used SecureWorks for managed IDS systems in the past and they aren't too bad. For a smaller company the more eyes you can have on the data, the better. From what I've been reading, they are redoing their customer portal system, and it'll be interesting to see what changes they come up with to make the visible information more efficient.
3:46 PM
Anonymous said…
It all comes down to the cost benefit comparison or risk analysis. If my car is only worth $1,000 why bother installing an alarm and tracking system costing $1,200? However, I always argue on the side of future precautions where assets may accumulate value over time.
2:44 PM
Anonymous said…
Thanks for the coverage Richard. I frequent your blog quite regularly (one of your many subscribers) and it was good to hear your thoughts about our webcast.

I agree with you on device management. We should have specified "security device management" on the diagram to make it more clear.

As you said, when it comes to maintaining the hardware, keeping it patched, etc. it's usually the responsibility of IT. In our experience, more specialized tasks like tuning IDS/IPS signatures and managing firewall rulesets are the tasks left to security.

Just to confirm what the anonymous commenter said re: our client portal -- Yes, since the merger with LURHQ two years ago we've been using their portal platform which was a significant upgrade. Lots of work has gone into giving it SIM reporting functionality in regards to useful metrics, customization, workflow management, etc.

Come by our website or contact us for a demo and we'd be happy to walk you through it :)

Thanks again Richard!
5:25 PM
Bozidar Spirovski said…
I would like to rely on a specific system to make periodic scans and suggest possible vulnerabilities and patches, and then place the patching into a workflow system to be tracked.
This way, you get a good overview of where you are on security of the infrastructure, what needs to be done and at what time.
And then you can do comparison scan afterwards

Spirovski Bozidar
http://www.shortinfosec.net
4:07 PM
Anonymous said…
This comment has been removed by a blog administrator.
11:28 PM
Anonymous said…
This comment has been removed by a blog administrator.
4:25 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more