You bought a SIEM and are sure the SOC is in your pocket, aren't you?

About a month ago I was invited by an old acquaintance, the director of information security at a fairly large company, with the goal, in his words, of "surprising me". I should note that he and I had earlier discussed the cyber-threat challenges many companies face and the problems of building a SOC (Security Operations Center).

So begins my story about building a SOC in a company.



With the ceremony inherent to his position, the director of information security escorted me to the open space of their IT department. There they showed me a pile of boxes of expensive "iron" (hardware) and a printout of the specifications. He pointed to the purchased licenses of a well-known vendor included in the SIEM Quadrant. The genuine joy on his face indicated that the problems voiced in our last conversation had been resolved overnight. Later he told me that, in addition to this "treasure", money had been approved for implementing the system, and that three specialists were to be hired for this activity. He placed special emphasis on the "three experts", as if to make clear that he had studied the question deeply and figured it all out. The calculation was indeed relatively robust, but unfortunately not empirically proven.

We sat down and discussed both the structure of the SOC project and the proposed economic model, and tried to assess whether the allocated positions, roles and competencies were sufficient to reach the required level of service.

Initially, the idea was to delegate hardware support to the IT department by sending its engineers to specialized vendor courses. The first position was to be a SIEM application engineer. It was expected that after training this comrade would be able to connect event sources and also "preferably write connectors if necessary" (direct quotation), and in his spare time take part in analyzing simple incidents. The second and third positions were planned for experts who would dissect incidents, create new correlation rules and develop the direction as a whole. It was also taken into account that there may be many incidents, and that at any moment one of the experts may fall ill or go on vacation.

To the question "What is the forecast in terms of the number of sources, incidents, complexity of events and expected response times?" I received a very confused answer, then silence, and finally, with sadness in his voice: "Then we'll think of something!..".

This case can be called quite typical of companies that have for some reason realized the need to implement a SOC, but could not comprehensively assess the "scale of the disaster".

We are "ripe", we need a SOC


One of the prerequisites for implementing a SOC is that the company has reached a certain level of maturity. This level has allowed it to close the basic things earlier, according to the pyramid of needs, and to realize that one important component is now missing from the holistic picture. Indeed, after a company has cleaned up its infrastructure (network architecture, segmentation, domains, update procedures and other useful things) and introduced a necessary and sufficient set of information protection tools (protection layers, endpoint protection, etc.), it inevitably asks itself: "How can I see my whole estate, and how do I evaluate what I see?".

By that time, the company supposedly already has established processes, many of them built in the best traditions of ITIL. The IT support unit (in some cases, information security) is divided into support lines, and perhaps there are even shifts operating in 24*7 mode. It is worth noting, however, that such companies are rare: in my memory, only 3 out of 10 companies with more than 1,000 workstations can boast of this whole list of achievements.

Yet if we take these 30% of lucky ones as an example, they face the task of implementing an integration project, which should evolve into a very important and critical service. Within the project, in broad strokes, it is necessary to:

1. Implement and configure the SIEM system (integration with the service desk or its analogue; setting up and connecting event sources; customizing and applying the basic correlation rules, etc.).
2. Hire and train personnel (specialized vendor courses on the SIEM system, conducting investigations, etc.).
3. Document and implement response regulations and instructions (including incident albums, criticality/complexity ranking and a huge set of documents comparable, in printed form, to the deliverables of government contracts).
4. Define areas of responsibility between departments, clearly record the SLA and launch the service.
5. Uncork and taste the sparkling bottle when the first incidents arrive and are handled cleanly. This item is optional and depends solely on the company's internal culture; it is sufficient to verify that the service operates according to the specified SLA.

It would seem that everything is simple: detail each item, draw up a plan and execute it on time. But the devil is in the details.

A SOC is the technologies used, the experts and the aligned processes.


Now in order.

SOC technologies are the tools the service uses to automate data collection, correlation and primary analytics. Naturally, the toolkit is determined by the available features and functionality.

SOC experts are team members with competencies in the following areas:

• administration of OS, DBMS, AD and network components;
• administration of information security systems;
• administration of IT application systems;
• analytics (monitoring and 2nd line of the SOC);
• analytics with relevant experience and expertise (3rd line of the SOC: at least 3 years in specialized companies, plus participation in incident investigations).

SOC processes are a set of organizational and technical procedures covering 4 areas:

• SOC infrastructure support;
• security event monitoring;
• incident investigation and response;
• service development.

All components are aimed at detecting and preventing cyber threats.

At the same time, the most important requirement for these processes is that they must be seamlessly embedded in the organization's current business processes. In other words, SOC processes cannot stand "apart": they must, first, be built in a delicate way and, second, carry out their task effectively and bring the expected value. Note that the "delicacy" of a critical service is understood as absolute clarity and consistency in the actions of employees of adjacent departments, in which downtime and violation of the set SLA parameters are not allowed even in case of force majeure, not to mention the popular excuses "the employee was at lunch" or "couldn't get through". The result must be clear and on time. For this reason, the SOC work model resembles military service, and the adopted regulations and instructions resemble an unconditionally executed charter.

Paradoxically, many are convinced that the main component of a SOC is the tools. An example is appropriate here. Imagine that you are, God forbid, facing an operation. The news is not joyful, and the clinic tries to encourage you by saying that some surgeon will perform the surgery, but he has a stunning scalpel from one of the most expensive manufacturers. They tell you about the "miracle scalpel" several times, and maybe even show a certificate confirming its sharpness and the purity of its metal. I suspect this argument will not reassure you much, and you will want to ask about the doctor and his experience with similar operations.

Of course, the choice of SIEM system is extremely important, and its functionality should clearly reflect the buyer's requirements. However, one should always remember that a SIEM is only automation, and tuning it requires deep competencies and a clear working logic.

Experts and processes are the cornerstone of creating a SOC


From the above list of required competencies it can be understood that SOC specialists are versatile and highly qualified employees who must sit at the junction of deep technical knowledge and analytical experience. In addition, the SOC direction is quite young in the Russian Federation and the CIS, which means there are few experts in this subject area. It is extremely difficult to find competent and "free" specialists on the market. First of all, such specialists are interested in working on new and interesting cases that allow them to develop; they need a flow of them. For this reason, they often "settle" in large service providers and rotate only between similar structures.

It is worth noting the salary level of these specialists. Colleagues have cited analytics on this more than once. The information is still quite relevant today, with the sole exception of the level of wages: they have risen, by an average of 15-20% across the market. This means that a company that has decided to take experts on staff must pay quite serious money. How does that money compare to the benefit brought, given that few companies (the exception being service providers) can utilize such an expert's time by at least 70%? Even if such an expert is given a high salary, the likelihood that he will find a more interesting job is high. In addition, statistics show that the team of this kind of project-service is completely renewed every 3-7 years. This is a reality and it must be taken into account.

So, the company has bought a wonderful toolkit, a functional and efficient SIEM system, and hired a talented and experienced SOC expert who managed to create a friendly and coordinated team of responsible specialists. Next, this team must take the system into support, develop the necessary procedures and regulations, implement them and begin working by them. It is worth noting that even after good consulting from an integrator that helped build the SOC (implemented the system, audited the processes, created the basic rules and wrote the necessary instructions), the SOC team faces a huge amount of work optimizing the response center created for the company. Combing through processes and working patterns has to be done "case by case".
If there was no consulting and the team must build the SOC on its own, the story becomes even more interesting and costly. It is like putting a graduate (even one with an honors diploma) in charge of the most important section of a plant in his first days on the job and hoping that he "will somehow orient himself".

It follows that to entrust the construction of a SOC to a team being created, one must be prepared for two scenarios:

1. Recruit a team of specialists who have already created a similar service (either in this composition, or each participant individually according to their role).
2. Recruit experts from similar areas with relevant knowledge and "pour" money into erroneous decisions, flaws and uncoordinated actions.

Of the two scenarios, the first is more economical and more likely to succeed, because of the guaranteed result and the timing for reaching the target service. Moreover, in the first case the project sponsor understands from the start the number of necessary employees and the composition of roles (the number of support lines, including the 24*7 or 8*5 operating mode; the number of analysts and their functions; support for the SIEM and its components, and so on). In the second, the sponsor usually reasons in the following categories: "We have 5 universal units of work, each expert can take 2 units of work at a time, which means we take two experts and one student." No matter how ridiculous this may seem, practice shows that in the bustle of the flow of tasks some managers automatically make such decisions, while remaining confident in the result under the motto: "there would be good employees,

Or maybe SOC as a Service is better?


Today the Internet is full of the latest trends: digital transformation, companies moving completely to the "clouds", non-core processes being outsourced. Large companies are beginning to offer platforms from which you can assemble the necessary set of services to maintain and develop a business of any size. Outsourced accounting, legal services, call centers, turnkey IT: this is only the beginning of a global change, and the types of services can be absolutely anything. Services that yesterday would have seemed incredible and original, such as "print outsourcing", are in great demand today. Moreover, we can see the trend toward a service-oriented model in the Western market, which traditionally outpaces the Russian Federation and the CIS; it is huge and covers all industries.

SOC as a Service (SOCaaS) is no exception. There are enough players on the market, Managed Security Service Providers (MSSPs), who offer customers not to "reinvent the wheel" but simply to take advantage of expertise and experience in this area. Their experts, working "on the stream", hone their skills and gain great experience, which allows them to build clear and effective processes. They have stepped on all the rakes, analyzed all possible scenarios and offer options relevant to customers' needs. The client does not need to invent anything; he simply tries on the options offered and chooses the ones he needs.

What is "delicious" in this story is that:

• for quite reasonable money, the client receives the entire list of expensive experts in the volume he needs;
• the service is well designed, schooled and tested on other companies;
• the service company is responsible for meeting the SLA and for the "human factor";
• the client receives a turnkey service. This means the client does not need to generate proposals for developing the service; the service provider will come with them. And of course, no worries about motivating the SOC team or the "routine" of specialists: the selected partner takes care of this.

What is the result?


For my friend, there are two options for a successful way out of this situation:

1. Get an additional budget for competent experts who have previously built a SOC and expand the staff by at least 4 more people (and 24 specialists for 24*7 mode), then complete an ambitious internal project.
2. Get an even bigger budget for building a turnkey SOC, with a qualified and experienced service provider as the contractor. This is a whole novel worth tens of millions of rubles (capex), but with a guaranteed result. Opex will then be comparable to option 1, but the required level of service will be reached much faster.

In any case, both options are comparable to the money spent on SIEM licenses and are many times more expensive than a managed service with the same parameters. It is a fact! That is why this trend is now developing so actively and is in such demand among interested companies.

However, it must be admitted that even the best service is not a universal means of solving all of a client's problems and pains. Everything, as usual, remains at the mercy of the specific task, the size of the wallet and the pedantry of the customer's SOC.

Denis Guschin, Deputy General Manager, Infosecurity.
