Pull up your SOC's - Monitoring and Mandatory breach notification
Updated: May 15, 2018
So you have a security operations centre (SOC), and they are monitoring your security, right?
One of the biggest challenges in managing security is sorting the wheat from the chaff, otherwise known as the signal-to-noise ratio (SNR) problem. Anyone who has looked at network, application or platform events will know that much of what gets recorded in a log is next to useless for detection.
Beyond the sheer volume of noise, the context, relevance and meaning of an event often gets lost. For example, a URL request is logged, but it is unclear where it really came from (a web server behind a load balancer or reverse proxy records the proxy's address unless the real client IP is carried in a header such as X-Forwarded-For) and how the visitor arrived there (the HTTP Referer header).
That information is often what separates a valued customer from, for example, an attacker mirroring your website in the lead-up to a phishing campaign.
So what has changed now that breach notification is mandatory, and what conversations and questions should be raised with an internal or external Security Operations Centre?
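To make the point concrete, here is an added example (not code from the original post or from eSecure) that recovers the two pieces of context just mentioned from proxied web-server logs and uses them to separate a site-mirroring client from a customer. The log format (combined format plus a trailing X-Forwarded-For field), the trusted proxy addresses, the site host, the thresholds and the log lines themselves are all constructed assumptions for illustration; adjust them to your own environment.

```python
"""Recover request context (real client IP, Referer) from proxied web-server
logs and flag clients that look like they are mirroring the site.

Added example, not from the original post. Log format, proxy addresses,
thresholds and the sample log lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: Apache/nginx "combined" plus a trailing quoted
# X-Forwarded-For field. Adjust the regex to your own log_format.
LOG_RE = re.compile(
    r'(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Only the reverse proxies / load balancers we operate may set X-Forwarded-For.
# Any other peer that sends the header is an untrusted client. (Assumed set.)
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}
OUR_HOST = "www.example.com"  # assumed site host, used to classify referers

# Constructed sample: a customer (198.51.100.7) and a wget mirror (203.0.113.10)
# both arrive via proxy 10.0.0.5; a direct client (192.0.2.33) tries to frame
# 203.0.113.10 by sending its own X-Forwarded-For header.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2018:10:00:50 +1000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "198.51.100.7"
10.0.0.5 - - [15/May/2018:10:01:00 +1000] "GET / HTTP/1.1" 200 5120 "-" "Wget/1.19.4" "203.0.113.10"
10.0.0.5 - - [15/May/2018:10:01:03 +1000] "GET /about HTTP/1.1" 200 2210 "http://www.example.com/" "Wget/1.19.4" "203.0.113.10"
10.0.0.5 - - [15/May/2018:10:01:05 +1000] "GET /products HTTP/1.1" 200 8800 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "198.51.100.7"
10.0.0.5 - - [15/May/2018:10:01:06 +1000] "GET /login HTTP/1.1" 200 1900 "http://www.example.com/" "Wget/1.19.4" "203.0.113.10"
10.0.0.5 - - [15/May/2018:10:01:09 +1000] "GET /contact HTTP/1.1" 200 1500 "http://www.example.com/" "Wget/1.19.4" "203.0.113.10"
10.0.0.5 - - [15/May/2018:10:01:12 +1000] "GET /css/site.css HTTP/1.1" 200 900 "http://www.example.com/" "Wget/1.19.4" "203.0.113.10"
10.0.0.5 - - [15/May/2018:10:01:20 +1000] "GET /js/app.js HTTP/1.1" 200 4100 "http://www.example.com/" "Wget/1.19.4" "203.0.113.10"
10.0.0.5 - - [15/May/2018:10:01:30 +1000] "GET /cart HTTP/1.1" 200 3000 "https://www.example.com/products" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "198.51.100.7"
192.0.2.33 - - [15/May/2018:10:01:40 +1000] "GET /login HTTP/1.1" 200 1900 "-" "curl/7.58.0" "203.0.113.10"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry


def client_ip(entry):
    """Real client address: the first X-Forwarded-For hop, but only when the
    direct peer is one of our proxies. Otherwise XFF is attacker-controlled
    and the peer address is the only thing we can believe."""
    if entry["peer"] in TRUSTED_PROXIES and entry["xff"] not in ("", "-"):
        return entry["xff"].split(",")[0].strip()
    return entry["peer"]


def referer_kind(entry):
    """Classify how the visitor arrived: no Referer, our own site, or elsewhere."""
    ref = entry["referer"]
    if ref in ("", "-"):
        return "none"
    return "internal" if OUR_HOST in ref else "external"


def find_mirroring(log_text, key=client_ip, window=timedelta(seconds=60), min_pages=5):
    """Flag clients that fetch at least `min_pages` distinct paths inside `window`.
    `key` decides what a "client" is: client_ip (proxy-aware) or the raw peer."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["method"] == "GET":
            by_client[key(entry)].append(entry)
    flagged = {}
    for ip, reqs in by_client.items():
        reqs.sort(key=lambda e: e["ts"])
        paths = {e["path"] for e in reqs}
        span = reqs[-1]["ts"] - reqs[0]["ts"]
        if len(paths) >= min_pages and span <= window:
            flagged[ip] = {
                "pages": len(paths),
                "seconds": span.total_seconds(),
                "referers": Counter(referer_kind(e) for e in reqs),
                "user_agents": sorted({e["ua"] for e in reqs}),
            }
    return flagged


if __name__ == "__main__":
    print("grouped by raw peer:", find_mirroring(SAMPLE_LOG, key=lambda e: e["peer"]))
    print("grouped by real client:", find_mirroring(SAMPLE_LOG))
```

Run with the proxy-aware key and only 203.0.113.10 is flagged (six pages in twenty seconds, a Wget user agent, one request with no Referer and the rest internal). Group by the raw peer address instead and the alert fires on 10.0.0.5, your own load balancer, lumping the customer in with the attacker; that is the lost context the paragraph describes. Two caveats a SOC should have in its runbook: X-Forwarded-For and User-Agent are client-supplied, so trust the header only from your own proxies (as `client_ip` does), and the page-count and window thresholds have to be tuned against your real traffic before this becomes an alert rather than a hunt query.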
1) What is actually being monitored?
2) Are there any gaps, what are they and why?
3) What is the reliable window of information?
4) What tuning has been performed, is it too low / high?
5) In the event of a suspected incident, what is the process?
6) What days / hours are covered, and how will we be made aware of an issue (is this different after hours or on a public holiday)?
7) Are there different priorities assigned to different log sources, events and alerts?
8) In the event of a suspected data breach, what evidence can be provided and how quickly? Would it be admissible in court, and is it sufficient to support a full investigation?
9) Who would present that evidence, and are they experienced and credible as a witness?
Many SOCs suffer from the same set of risks. These include:
1) Not having enough of the right data or logs to detect an incident.
2) Having alerts incorrectly tuned or filtered (too noisy to act on, or so tight that real incidents are dropped).
3) Not understanding the organisational value or context of a system or piece of information.
4) Over-reliance on key skilled individuals.
5) Not having the necessary hardware, software or processes to support likely investigations and responses.
6) Not understanding, or not having a working relationship with, all of the parties who may be involved in an incident.
Here are a few tips to get better value from your SOC:
1) Ensure your SOC always has an up-to-date copy of your CMDB, org chart, Active Directory, network map and vendor / supplier list.
2) Ensure that your SOC knows what are considered high value Assets and Services, so that they can help to prioritise alerts and response.
3) Ensure that you involve your SOC in any security incident tabletops, simulations and exercises, so that detection and response are integrated across people, processes and technologies.
4) Keep your SOC informed about new suppliers/partners, technologies, applications and networks so they can be prepared to respond to new events.
Specific areas of preparation to consider for Mandatory Breach Notification include:
1) Understanding all third parties who may be connected to your networks and systems, and what data, if any, they have access to.
2) Having a defined security incident response process that has been practised (and ideally drilled and independently evaluated).
3) Understanding what personal information is stored, processed or transmitted, and where, so that you can A) quickly rule a potentially compromised system or network in or out of scope, and B) quickly contain and respond to a breach.
4) Understanding reporting requirements, timelines and the process for acquiring the information needed to support a notification.
5) Conducting covert red-team / security testing to confirm that the SOC is well prepared to detect and respond to an incident.
In the shadow of the recent Facebook Data Breach discussions, another question we must also ask is:
Are there any third parties which your SOC uses, or is connected to, that may need to be included in an investigation (because the incident could involve their service), e.g. Internet Service Providers, hardware / software / service vendors, etc.?
Another, related question is:
Does your SOC have sufficient contact information (and authority) to coordinate an investigation and response, including with third parties, law enforcement and others?
eSecure can assist organisations to evaluate and improve their existing SOC, augment their existing SOC or expand its hours or coverage, or establish or outsource these services.
Contact us for more information on any of our SOC services.
Author: Clinton Smith