Build Your Own Security Operations Center - InformationWeek
12:10 PM

Build Your Own Security Operations Center

Don’t keep your defenses down; discover how you can fight intruders from the confines of a safe house.

You wouldn't go into battle without a trusted group of generals strategizing your best attacks and defenses, so why try to secure your data without an infosec team and plan? If you don't have a dedicated security operations center and staff, you'll be scrambling to shore up your defenses, even as the bad guys are invading your system.

A SOC can be as simple as a set of offices or cubicles next to each other, or as sophisticated as a standalone complex with extra-large displays, two-factor physical security and a budget to match. Typically, only the largest companies have the resources to build and staff a dedicated SOC. In a recent survey of Secure Enterprise readers, 72 percent of respondents with fewer than 5,000 employees had no plans to build a SOC. Among the 28 percent who have a SOC or plan to build one, 53 percent will collocate in the network operations center, which makes sense because an existing NOC provides the framework to build in the additional functionality required for a SOC. The rest plan to house the SOC in a separate location, either a building (25 percent) or a room (22 percent).

Most Wanted Skills
Click to Enlarge

The tasks the security operations center handles can range from typical event management and incident response to account administration, investigations and forensics. Some companies choose to outsource their SOCs, because they want the expertise and 24-hour monitoring of a dedicated security team without staffing and building a SOC. For many, it makes sense to maintain an internal SOC, especially when a NOC already exists. See "How To Set Up a War Room", for a checklist of the essentials. Make sure you've got the budget to build out and hire. But remember, not everyone can speak Perl and decode a TCP/IP packet in three seconds. In "Most-Wanted Skills," we outline the various skill sets needed.

SOC It to Them

The SOC facility, like any other critical operations center, must be secure--both electronically and physically. Building a separate infrastructure is expensive and probably not worth the effort. Instead, try to use an existing, secure infrastructure. In many cases, the data center is a good fit, because it already has manned guard stations, cameras, security clearance and sign-in/sign out requirements and other physical security controls. Everyone who enters and leaves the SOC must be tracked to provide an access audit trail. Even a simple login sheet is better than nothing.

Latest Issue of Secure Enterprise Magazine


And only specific employees should have access. Network engineers, application developers and business partners, for example, don't need physical access to the SOC. The SOC manager, or leader, provides access approval. While the CISO or CIO is too high a position to make day-to-day decisions, he or she would still be responsible for the governing policies.

Of course, the greatest threat to your SOC will come from malicious users gaining access to it over the network. Your SOC will access key security systems, such as firewalls, IDSs, IPSs (intrusion-prevention systems), and antivirus- and event-management consoles. It will also store confidential data, such as configuration information, trouble tickets and event logs.

So your security controls must ensure the integrity and confidentiality of the data and systems. Common and successful approaches to this end include having highly restrictive firewall policies for the SOC and placing an IDS--or better yet, an IPS--with restrictive policies inline between the SOC and the rest of the company network. A nonroutable internal address space inside the SOC will give it an additional level of obscurity. Also, make sure your firewall rules lock down the environment. If remote access to the SOC is needed from within the company network, require a VPN connection.

Devices within the SOC should be under the management of the SOC leader, and all changes to these devices must be tested and audited before being made. In addition, you might want to set up a VLAN (virtual LAN) to provide access to key network and security devices in the event the production network is unavailable or saturated with traffic so you can't get to it.

Network Connections

But it's not all about hiding the SOC. An additional network connection will give your SOC personnel an outsider's view of your network. This link could be a T1 line or even an inexpensive DSL connection, preferably from an ISP other than the one providing your primary Internet connections. With this external view, you can perform tests to determine vulnerabilities in the event of a perimeter compromise. And if your primary or secondary network connection goes down, the ancillary network connection can be used for sending e-mail, downloading updates and performing investigations.

Ideally, the account won't be tied to the primary company, nor will DNS entries indicate who owns the connection. This way, when investigating a suspected intruder or attacker, you can visit the Web site or server using an IP address that isn't traceable to your company so as not to let the culprit know you're aware of the attack.

This ancillary network connection must not be tied to your production network. If possible, use an air-gap approach where there's no physical connection between the two networks. You also can set up different VLANs on a single switch or different interfaces on a firewall with a strict set of rules in place. Undoubtedly, you'll need a wireless network in the SOC so workers can roam between conference rooms and offices. However, wireless access should be limited to only specific users and systems. One possible solution is to have wireless users access the SOC network over a VPN requiring two-factor authentication. The wireless network should have virtually no access to the SOC except over the VPN, ensuring that no wireless user can gain access to critical systems.

Coverage requirements are a key factor when proposing and designing a SOC. If you're seeking coverage past normal business hours, consider setting up a SOC in a remote time zone so its staffers can serve your after-hours needs without working the graveyard shift themselves. For some companies, it may make sense to maintain one SOC in North America and another in Asia or Europe, though additional security controls would have to be put in place to safeguard information flowing between the two.

1 of 4
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll