How to build a cost-effective security operations centre
Building a cyber security operations centre (SOC) for threat hunting and incident handling can be a daunting project.
The starting point is to ensure that the actions of users, the actions of threat actors and system-to-system interactions are distinguishable from each other, and that they are presented in an easy-to-understand manner.
This is according to Muyowa Mutemwa, senior cyber security specialist at the CSIR, who will speak at ITWeb Security Summit 2019, to be held from 27 to 31 May, at the Sandton Convention Centre.
Mutemwa says organisations must define the primary functions and outputs of the centre through measurable key performance indicators and policies, and must define standard operating procedures for all the functions found within the centre.
"These will help in defining what is expected from the people, processes and technologies to be found in the centre."
For enterprises of all types, understanding the true cyber security posture of their IT environment is not only an important requirement, but a critical necessity, fundamental to the enterprise's ability to stay in business.
For businesses of all sizes, the misconception has been that they cannot afford to build and manage a SOC due to the costs that are associated with procuring SOC technologies and hiring appropriate staff.
However, most enterprises now realise cyber security is a necessity for all businesses, irrespective of size.
He cites the 2018 Verizon Data Breach Investigations Report, which found ransomware to be a culprit in more than 40% of cyber security incidents.
More attackers are recognising the effectiveness of ransomware in extorting money from their victims. It can also cripple an enterprise by causing a denial of service to critical computer systems, with a corresponding impact on the enterprise's financial budget.
So where are local businesses going wrong when it comes to incident handling?
According to Mutemwa, companies that perform vulnerability assessments and penetration testing often fail to implement the recommendations within such reports.
"Some of these recommendations take time to implement due to a lack of financial backing. Others, because C-level management, understandably so, cannot see the immediate return on investment from the huge amounts of money needed to implement them.
"What is important is understanding the primary goal of cyber security recommendations, which is to allow an enterprise to continue doing business," he says.
In addition, there is often no tight integration between the SOC team and the other stakeholder teams, such as the server, service desk or infrastructure teams, which leads to only partial implementation of findings, even from day-to-day incidents.
"In some cases, the SOC team is seen as a silo organisation with a lot of general restrictions for the enterprise."
He lists the critical skills needed for effective threat hunting and incident management: the ability to recognise patterns and spot anomalies; the ability to perform data analytics using different tools and techniques; the ability to perform forensics; and the ability to reverse-engineer malware.
Delegates attending Mutemwa's talk will learn about the importance of building and managing a SOC, as well as the minimum requirements to do so.