ISLANDIA, N.Y. – Managing security events in today’s corporate environment poses a series of challenges for beleaguered IT personnel and their organizations. A daily onslaught of security data from disparate systems, platforms and applications delivers the first challenge.

Numerous point solutions such as antivirus software, firewalls, intrusion prevention systems, intrusion detection, access control, identity management, single sign-on and authentication systems all present information in different formats, store it in different places and report to different locations.

Most organizations deal with literally millions of messages daily from these incompatible security technologies, resulting in security information overload which, in turn, contributes to high overhead, duplication of effort, weak security models and failed audits.

In a recent survey, almost half of the security administrators asked could not determine how many critical security events required action in the past month as a result of this issue.[3] And according to Forrester Research, “Security products available today for the perimeter, such as firewalls, IPSs, intrusion detection, antivirus gateways, content filtering, and a host of multipurpose security appliances, are making the network perimeter much more resilient, but also more complicated.”

As if this weren’t enough, other challenges add complexity to the situation. Attacks are becoming increasingly frequent and sophisticated, pushing existing security capabilities to the limit. New technologies and the rapid expansion of networks and services indicate that this information overload will only worsen. Finally, regulatory compliance issues place an increasing burden on systems and network administrators.

In the face of such overwhelming odds, how can you ensure that your vital business assets and operations are protected? How do you guarantee privacy for your employees, partners, vendors and customers? How do you implement security policies? How do you get a handle on the vast amounts of data and on the incompatible technologies and devices that, while standing guard, generate an entire new set of challenges? How do you maintain accountability and corporate governance within the organization?

To redress the current fragmented approach to security event management and safeguard your business operations, security administrators require the kind of real-time, centralized integration and management capabilities associated with today’s Network Operation Centers (NOCs). Security Operation Centers (SOCs) can provide a real-time view into a network’s security status, making a proactive approach to security a reality via automated alerts, detailed reports, and remediation.

A SOC monitors and manages all aspects of enterprise security in real time, from a single, centralized location. It discovers and prioritizes events, determines the risk level and which assets are affected, and recommends and/or executes the appropriate remediation solution. It delivers detailed reports at the local and network levels, meeting both real-time management and audit requirements.

To provide an example of a SOC in action, imagine a security administrator sitting in a room at a Colorado university; the room is lit by the glow of several computer monitors, each displaying physical areas of the campus. Each monitor presents data reported from the distributed geographic sites of the university.

The administrator receives an alert on their main screen, clicks a button, and then picks up the phone and calls a local operator in California. What happened? The administrator saw proprietary information being sent out of the university improperly; the user’s access was locked out, the local operator was dispatched to remove the user from the building, and an investigation into the incident was initiated. This sounds a bit futuristic, but it is not: this is the reality of today’s SOC.

In this paper, we explore the business and technical requirements that organizations must consider when implementing a SOC.

What Does a Security Operations Center Do?

A properly configured and managed SOC acts as an intelligent brain, gathering data from all areas of a network, automatically sifting through alerts, prioritizing the risks and preventing attacks before they can be executed and cause costly damage.

The key to the SOC is to provide situational awareness: a correlated picture of what is occurring right now in an enterprise. By pulling together information from a variety of devices (firewalls, antivirus, intrusion detection systems, etc.) and then normalizing and correlating the information, the SOC provides real-time (or near real-time) reporting on what is happening, so that operators can manage and respond to intrusions before they put the organization at risk. When complete prevention is not possible, the SOC reporting allows operators to identify attacks and limit the damage before it spreads.
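The normalize-then-correlate step, and the risk ranking by affected asset described earlier in the paper, can be made concrete with a small worked example. The code below is an added illustration, not part of the original paper and not CA’s product: it parses three constructed log formats (a firewall, an IDS and an antivirus product, all hypothetical) into one event schema, groups events by source host within a time window, and scores each resulting incident by severity and a hypothetical asset-criticality table.

```python
"""Toy SOC pipeline: normalize heterogeneous logs, correlate, prioritize.

Added example; the log formats, severities and asset table are all
constructed for illustration and assume UTC timestamps where the
source line carries no zone.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample lines, one hypothetical point product each.
FIREWALL_LOG = [
    "2024-05-01T10:00:01Z fw01 DENY src=10.1.2.3 dst=203.0.113.7 dport=445",
    "2024-05-01T10:00:02Z fw01 ALLOW src=10.1.2.3 dst=203.0.113.7 dport=443",
    "2024-05-01T11:30:00Z fw01 DENY src=10.1.9.9 dst=203.0.113.50 dport=23",
]
IDS_LOG = [
    "05/01/2024 10:00:03 [ids] priority=2 sid=2000 "
    "msg='Suspicious outbound transfer' 10.1.2.3 -> 203.0.113.7",
]
AV_LOG = [
    "2024-05-01 10:00:05,host=ws-finance-07,ip=10.1.2.3,"
    "event=malware_detected,name=Trojan.Generic",
]

# Hypothetical asset inventory: criticality multiplier by host IP.
ASSET_CRITICALITY = {"10.1.2.3": 3, "10.1.9.9": 1}
# Base severity per normalized event kind (constructed values).
SEVERITY = {"fw_deny": 1, "fw_allow": 0, "ids_alert": 3, "av_detection": 4}

UTC = timezone.utc


@dataclass
class Event:
    """Common schema every source is normalized into."""
    ts: datetime
    source: str
    src_ip: str
    kind: str
    detail: str


def parse_firewall(line):
    m = re.match(r"(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)", line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    kind = "fw_deny" if m.group(3) == "DENY" else "fw_allow"
    return Event(ts, m.group(2), m.group(4), kind, f"{m.group(5)}:{m.group(6)}")


def parse_ids(line):
    m = re.match(r"(\S+ \S+) \[ids\] priority=(\d+) sid=(\d+) msg='([^']*)' (\S+) -> (\S+)", line)
    ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S").replace(tzinfo=UTC)
    return Event(ts, "ids", m.group(5), "ids_alert", f"sid={m.group(3)} {m.group(4)}")


def parse_av(line):
    parts = line.split(",")
    ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    kv = dict(p.split("=", 1) for p in parts[1:])
    return Event(ts, kv["host"], kv["ip"], "av_detection", kv["name"])


def normalize():
    """Parse every source into the common schema, ordered by time."""
    events = [parse_firewall(l) for l in FIREWALL_LOG]
    events += [parse_ids(l) for l in IDS_LOG]
    events += [parse_av(l) for l in AV_LOG]
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window=timedelta(minutes=5)):
    """Group events from the same source host that fall within `window`
    of the previous event into one incident, then score each incident."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e.src_ip, []).append(e)
    incidents = []
    for ip, evs in by_ip.items():
        current = None
        for e in evs:
            if current is None or e.ts - current["end"] > window:
                current = {"src_ip": ip, "start": e.ts, "end": e.ts, "events": []}
                incidents.append(current)
            current["events"].append(e)
            current["end"] = e.ts
    for inc in incidents:
        base = sum(SEVERITY[e.kind] for e in inc["events"])
        inc["score"] = base * ASSET_CRITICALITY.get(inc["src_ip"], 1)
    return incidents


def prioritize(events):
    """Highest-risk incident first, so an operator sees it at the top."""
    return sorted(correlate(events), key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in prioritize(normalize()):
        kinds = ",".join(e.kind for e in inc["events"])
        print(f"score={inc['score']:>3} host={inc['src_ip']} events={kinds}")
```

With the constructed input, the finance workstation’s four events (firewall deny, firewall allow, IDS alert, antivirus detection) collapse into one incident with score 24, while the single firewall deny from the other host scores 1. The separate severity and asset tables are the design point: the same raw alert ranks differently depending on which asset it touches, which is what lets an operator act on the critical event first instead of reading every message.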

Many organizations have already deployed NOCs that manage and monitor the network traffic, but still lack a method for centralized management of security events.[3] The primary function of the NOC is to establish and maintain the health and wellness of an organization’s infrastructure. A NOC concentrates on keeping the network running, while a SOC manages security events to protect the network. According to the Yankee Group, Security Information Management “…is evolving by converging with network and systems management. Organizations are looking to increase efficiency by implementing security systems with greater autonomy to respond to virus infections, attacks or other losses of network integrity.”

While a SOC and a NOC can work as completely separate entities, they work more effectively when used in tandem. A SOC can feed information to a NOC for resolution of a security event.

The integration of the SOC and NOC allows organizations to quickly respond to security events. NOCs can leverage network activity in addition to the real-time security event data to avert security incidents, while the SOC can similarly leverage network activity related to security events to further refine the identification of a specific security event. Additionally, this integration enables communication between the NOC and SOC, offering a central console for network and security situational awareness that allows organizations to quickly identify, respond to and mitigate security events across the organization.

Why “After the Fact” is Too Late

The phrase “forewarned is forearmed” sums up the value of situational awareness. Simply put, being aware is about being prepared to act and respond. This concept in the IT world is analogous to the physical world’s notion of obtaining a regular physical at the doctor’s office. When we visit the doctor, tests are run to monitor our current state of health and, if anomalies are detected, action is recommended.

As an example, a suspicious mole may indicate skin cancer. A biopsy is taken and the mole is removed before further harm can occur. Contrast this with a patient who has not visited the doctor and is unaware the mole is present, resulting in a condition in which the cancer has spread throughout the body. Early diagnosis and response potentially save the patient’s life, whereas responding too late to the threat has dire consequences.

We can look at a similar example, but from an IT security perspective. Threats to the network environment occur hundreds of times a day and are detected by intrusion detection systems, antivirus systems, firewalls, system logs and access logs. Many IT organizations struggle to compile the resources needed to review the data coming from all of these systems. IT m