Establish and maintain a security operations center capability that operates 24/7, with allowance for remote/on-call staff.
A security operations center (SOC) is the focal point for security operations and computer network defense for an organization. The purpose of the SOC is to defend and monitor an organization’s systems and networks (i.e., cyber infrastructure) on an ongoing basis. The SOC is also responsible for detecting, analyzing, and responding to cybersecurity incidents in a timely manner. The SOC is staffed with skilled technical and operational personnel (e.g., security analysts, incident response personnel, systems security engineers); in some instances operates 24 hours per day, seven days per week; and implements technical, management, and operational controls (e.g., monitoring, scanning, and forensics tools) to monitor, fuse, correlate, analyze, and respond to security-relevant event data from multiple sources. Sources of event data include perimeter defenses, network devices (e.g., gateways, routers, and switches), and endpoint agent data feeds. The SOC provides a holistic situational awareness capability to help organizations determine the security posture of the system and organization. A SOC capability can be obtained in many ways. Larger organizations may implement a dedicated SOC, while smaller organizations may employ third-party organizations to provide such a capability.
[NIST SP 800-61] provides guidance on incident handling. [NIST SP 800-86] and [NIST SP 800-101] provide guidance on integrating forensic techniques into incident response. [NIST SP 800-150] provides guidance on cyber threat information sharing. [NIST SP 800-184] provides guidance on cybersecurity event recovery.
Security operations centers are created to monitor and respond to suspicious activities across an organization’s IT applications and infrastructure. A SOC may be implemented in a variety of physical, virtual, and geographic constructs. The organization may also opt to not hire their own staff but to engage a third-party external service provider to serve as their SOC.
The SOC is typically composed of multiple tiers of cybersecurity analysts. Each tier works on increasingly complex aspects of incident response. The SOC may also have dedicated cybersecurity engineers to support the configuration and management of defensive cyber tools. The SOC may work with staff in IT operations who provide support to the SOC.
SOC capabilities run 24/7, and while staff may not always be performing tasks for the SOC, the capability alerts staff members and directs them to go to a facility or perform SOC actions from a remote location. Staff members should be scheduled or on call to ensure they are available when needed.
You are the Chief Information Security Officer (CISO) of a medium-sized organization. To meet the goal of 24/7 SOC operation, you have decided to adjust the current SOC, which operates five days a week for 12 hours a day, by minimizing active staff members and hiring trusted expert consultants who are on call at all times (i.e., seven days a week, 24 hours a day) [a,b]. You design your SOC to be remotely accessible so your experts can access your environment when needed. You also decide to set up a very strong automated capability that is good at identifying questionable activities and alerting the appropriate staff. You create a policy stating that after an alert goes out, two members of the SOC team must remotely connect to the environment within 15 minutes to address the problem. All staff members also have regular working hours during which they perform other SOC activities, such as updating the information that helps the automated tool perform its functions [c].
Potential Assessment Considerations
- How does the organization enable 24/7 SOC capabilities? Does the organization have people in seats 24/7 or on-call members? If on-call members are used, what are the trigger and alerting mechanisms that allow for 24/7 coverage [a,b]?
- Does the organization have sufficient trained full-time equivalent staff to enable 24/7 SOC services [a,b]?