SecOps benefits and goals

Security and IT operations teams often work apart from one another, making the task of identifying cybersecurity threats and defending against them -- or, if they turn into attacks, mitigating them -- incredibly difficult. Combining security and IT operations into a dedicated SecOps team enables organizations to rapidly and intelligently predict and address security concerns.

SecOps has the followingbusiness benefits and goals:

• continuous protection;
• a quick and effective response;
• decreased costs of breaches and operations;
• threat prevention;
• security expertise;
• compliance;
• communication and collaboration; and
• an improved business reputation.

Key roles on a SecOps team

How an organization assembles its SecOps team determines how successful it will be at preventing cyber attacks. Putting roles together piecemeal, without an overarching strategy, will lead to a disjointed response. What CISOs need is a cohesive SecOps team with clear roles and responsibilities that cover the range of cybersecurity threats and attacks.

There arefive key roles every SecOps team needs:

1. incident responder
2. security investigator
3. advanced security analyst
4. SOC manager
5. security engineer/architect

A fewnew cybersecurity roles have emerged that might give a boost to an organization's SecOps efforts: cloud security specialist, third-party risk specialist and digital ethics professional. These positions address the influence of the cloud and thevulnerabilities of supply chain, as well as partner and privacy concerns.

Organizations that want to migrate employees into SecOps roles can check out theseSecOps certifications and training courses.

What does a security operations center do?

ASOC is a command center facility for the SecOps team. While the SecOps team might interact with other teams or departments, it is typically self-contained with highly skilled personnel (internal or outsourced). Most, but not all, SOCs operate 24/7 with SecOps teams working in shifts to log activity and mitigate threats.

Organizations can choose to deploy one offour SOC models:

1. avirtual SOC that operates online and is managed by staff or third-party SecOps professionals;
2. amultifunction SOC that has a dedicated physical space, but the internal team running the SOC is shared, working on SecOps and other IT tasks;
3. ahybrid SOC with a staff, third-party contractors or a mix to perform SecOps tasks full time or part time in a dedicated facility, virtual space or a combination of both; and
4. adedicated SOC with an internally staffed physical space that operates around-the-clock and is solely focused on SecOps functions.

A virtual SOC as a service enables enterprises tooutsource some or all SOC responsibilities to a managed service provider -- which has numerous benefits, according to Ashwin Krishnan, chief communicator at SecureDynamics. By outsourcing a SOC, companies with limited budget or in-house skills can better address compliance and regulations, bridge the talent gap and take advantage of a provider's aggregate experiences and resources.

No matter the model an organization selects, thetechnical capabilities of the SOC should be the same, enabling the SecOps team to perform threat detection andincident response. The SOC also should provide notification and alerting; security orchestration, automation and response (SOAR); and intelligent threat hunting.

Nemertes Research found in its 2019-2020 "Cloud and CybersecurityResearch Study" that successful cybersecurity organizations (those with a mean total time to contain security incidents of 20 minutes or less) were 52% more likely to have a SOC than unsuccessful organizations (those with an MTTC of greater than 20 minutes).

Common SecOps tools

Firewalls and VPNs were once considered strong and adequate defenses against cyber attacks. Not anymore. Kevin Tolly, founder of The Tolly Group, wrote that these technologies "are no longer a shield against more modern and sophisticated security threats."

To combat today's threats, organizations needSecOps software to cover five areas:

1. DNS security;
2. network detection and response;
3. anti-phishing;
4. data discovery; and
5. packet-level visibility.

Even security information and event management (SIEM) tools are just a start inbuilding a strong SecOps strategy: Organizations would need to add in orchestration, user and entity behavior analytics and more to create a more sophisticated and proactive defense.

Manage security in the cloud

Managing security in cloud environments can be somewhat different than managing security in a traditional enterprise, so SecOps teams need to adapt their tools and strategies accordingly. Dave Shackleford, principal consultant at Voodoo Security, wrote thatcloud-enabling a SOC requires SecOps teams to do the following:

1. Establish a separate cloud account or subscription entirely under their control.
2. Create least privilege accounts to perform specific actions in the cloud when needed.
3. Implement multifactor authentication for all accounts.
4. Enable write-once storage for logs and evidence.

Automation and AI tools

Automation and AI have made their way into SecOps tools, and organizations should try to automate as many functions as possible.

SecOps and SOC automation use cases are plentiful, including incident detection, response and analysis, landscape analysis, emergent threat mitigation, human SOC analyst augmentation and the gamification of security training.

Automated functions enable teams to mine data on security incidents, assign risk scores, cluster for commonalities, differentiate and prioritize different classes of threats, recommend response or remediation steps and more.

With automation, SecOps teams gain awareness of the current state, insight into what could happen and a plan for action. Increased threat vectors such asIoT devices demand SecOps teams have theperspective that AI can provide -- insight that helps improve detection and prevention. Automation also frees up humans from tedious, manual tasks to focus more on SecOps strategy.

Implementation best practices

The concept of pairing security and IT operations is growing in popularity among companies of all sizes, and best practices for structuring SecOps teams and SOCs are emerging.

A sampling of best practices follows:

Define the scope of SecOps

Organizations should determine what functions are within thescope of the SecOps team, taking into consideration the organization's use cases, security requirements and security gaps. Just because a task is out of the team's scope doesn't mean it can't be tackled -- just not by internal teams. Some tasks could be outsourced immediately or earmarked to be outsourced later.

Build or buy

Carefully consider whether tobuild a SOC or buy SOC services. Outsourcing might not get companies the dedicated attention they need based on their cybersecurity risk tolerance. They might need internal staff intimately familiar with the business to help make key decisions.

Smaller companies should not be afraid to outsource their SOCs, especially if they follow thisSOC selection criteria to evaluate potential providers.

Invest in SecOps talent

People can be one of thebiggest challenges for SOC implementation, especially due to staffing and skills shortages, according to John Burke, CIO and principal research analyst at Nemertes Research. Organizations should create a strategy aimed at recruiting and retaining SecOps talent.

Conduct red team vs. blue team exercises

SecOps teams need to keep their threat intelligence skills sharp, including the ability to detect and prevent attacks. One way to do this is by conductingred team vs. blue team exercises, where the red team is the aggressor and the blue team is the defender. The red team uses tactics such as penetration testing, phishing, social engineering or other credential theft mechanisms, port scanning and vulnerability scanning to infiltrate the network. The red team also often creates custom tools to test the blue team's ability to detect security issues. Once on the network, the red team will attempt to escalate privileges, and access or steal identities or assets.

The blue team, meanwhile, conducts normal SecOps activities, including analyzing enterprise systems, identifying vulnerabilities, and evaluating the effectiveness of security tools and policies.

Each team generates reports on their activities, and more advanced SecOps teams also will have a purple team to review those reports and improve their security posture, as oftentimes red teams and blue teams don't want to share secrets with one another.

The future of SecOps

Thefuture of SecOps will see AI and machine learning become a more central part of SecOps strategy. SOCs will be more automated, customized, intelligent, dynamic and proactive. In the future, organizations also will dedicate more time to developingsuccess metrics for their SOCs to evaluate performance and improve response times.

Further, SecOps teams will need to put a greater emphasis onthreat hunting to stay ahead of attackers, according to Johna Till Johnson, president and senior founding partner of Nemertes Research. SecOps teams also will likely need to spend more time monitoring and assessing threats in the outside environment by reviewing threat intelligence services going forward.

Organizations should begin now to launch or expand SecOps efforts, as cyber attacks inevitably will continue to threaten enterprise operations.

Continue Reading About What is SecOps? Everything you need to know

• Threat identification is IT ops' role in SecOps

• Inside the SOC: The nerve centre of security operations

• A view from the SOC: Maintaining security capabilities during the pandemic

• Clients deem MSSP companies ineffective in supporting SOCs

• Cutting SecOps breach response time is key to success