
Why Your SOC and NOC Should Run Together but Separately

The similarities between the roles of the Network Operations Center (NOC) and the Security Operations Center (SOC) often lead to the mistaken idea that one can easily handle the other’s duties. Furthermore, once a company’s security information and event management (SIEM) system is in place, it can seem pointless to spend money on a SOC. So why can’t the NOC just handle both functions? Why should each work separately but in conjunction with the other? Let’s take a look at a few reasons below.

First, their roles are subtly but fundamentally different. While it’s certainly true that both groups are responsible for identifying, investigating, prioritizing and escalating or resolving issues, the types of issues and the impact they have are considerably different. Specifically, the NOC is responsible for handling incidents that affect performance or availability, while the SOC handles incidents that affect the security of information assets. The goal of each is to manage risk; however, the way they accomplish this goal is markedly different.

The NOC’s job is to meet service level agreements (SLAs) and manage incidents in a way that reduces downtime – in other words, a focus on availability and performance. The SOC is measured on its ability to protect intellectual property and sensitive customer data – a focus on security. While both of these things are critically important to the success of an organization, having one handle the other’s duties can spell disaster, mainly because their approaches are so different.

Another reason the NOC and SOC should not be combined is because the skillset required for members of each group is vastly different. A NOC analyst must be proficient in network, application and systems engineering, while SOC analysts require security engineering skills. Furthermore, the very nature of the adversaries that each group battles differs, with the SOC focusing on “intelligent adversaries” and the NOC dealing with naturally occurring system events. These completely different directions result in contrasting solutions which can be extremely difficult for each group to adapt to.

Lastly, the turnover rate in a SOC is much higher than that of a NOC. Perhaps it’s the very nature of the role, but the average employment time for a level 1 SOC analyst is around 2 years or less. Tenure of a NOC analyst is much longer. It only stands to reason, then, that asking a NOC analyst to handle their own duties and also take on those of SOC will likely result in a much higher attrition rate overall.

The best solution is to respect the subtle yet fundamental differences between these two groups and leverage a quality automation product to link the two, allowing them to collaborate for optimum results. The ideal system is one where the NOC has access to the SIEM, so they can work in close collaboration with the SOC and each can complement the other’s duties. The SOC identifies and analyzes issues, then recommends fixes to the NOC, who analyzes the impact those fixes will have on the organization and then modifies and implements accordingly.





eBook: 5 Reasons You Should Automate Cyber Security Incident Response





How IT Process Automation Can Help Streamline Security Incident Response

By now, the entire world knows how utterly disastrous security breaches can be for large corporations (as we discussed regarding retail giant Target). Upon further inspection, it became clear that the reason for this most recent blunder was not so much that the store’s IT team deliberately looked the other way or dropped the ball on their duties. They, like so many other IT security professionals, were simply so overwhelmed with incoming alerts that they made a poor choice. So how can other corporations learn from Target’s mistake? Simple. Automate security incident response.

A recent study conducted by threat detection solution provider Damballa, Inc. revealed that on any given day, a typical company can field up to 10,000 incoming security alerts. Some of the bigger organizations can see several times that many notifications – upwards of 150,000 per day. When faced with numbers that big, it’s easy to understand how overwhelmed IT groups can become. Even with a larger team, fielding that many notifications effectively is simply not possible.

Survey respondents gave resounding approval to the idea of using automation to help ease the burden and improve security incident response capability and turnaround. In fact, 100% of security professionals polled agreed that “automating manual processes is key to meeting future security challenges.” Enter the increasing role of security information and event management (SIEM) products, which capture the important incoming data to be reviewed and investigated by security personnel. While this technology has certainly come a long way over the past decade or so, becoming more flexible and scalable, it is still not proving to be enough to really combat the “big picture” problem.

One of the biggest issues with relying on SIEM products alone is the lingering problem of false positives, which can bog down the security team and increase the likelihood of a real incident slipping through the cracks. The real solution is to marry SIEM with automated security incident response software. Combining the two creates a more comprehensive and airtight approach to managing the influx of incoming alerts, weeding out false positives so the team can focus on only those incidents that truly warrant attention.

To get the most out of SIEM products, integration with automation is essential. This helps not only to manage incoming alerts more effectively, but also to streamline security incident response and investigation workflows after the fact. The result is an increased level of intelligence for security personnel, and a much safer IT environment for the entire organization. Doing this successfully can also dramatically improve operational efficiency. Instead of the average of 90 days it takes to manually discover a security breach and the subsequent 4+ months to resolve it, automated incident recovery can be reduced down to just one day. This could potentially save an organization an average of 8,633 man-days each year.
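To make the “weeding out false positives” step concrete, here is an added example (not Ayehu’s code, and not from any product described on this page) of the kind of triage an automation layer performs in front of a SIEM queue: suppressing alerts that match documented benign sources, folding repeats from the same source within a time window into one ticket, and ordering the remaining queue by risk rather than by arrival time. The alert format, rule names, hosts and the asset weights are all constructed for the example.

```python
"""Added example: triage of SIEM alerts before they reach an analyst.

Steps performed in front of the SIEM queue:
  1. suppression of alerts matching documented benign patterns (known false positives),
  2. de-duplication of repeated alerts from the same source within a time window,
  3. priority scoring so the queue is ordered by risk rather than by arrival order.
The alert format, rule names and hosts below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Constructed sample: a few SIEM alerts as JSON lines (not real data).
SAMPLE_ALERTS = """
{"ts": "2024-03-01T08:00:00", "rule": "brute_force_login", "src": "10.0.0.5", "dst": "dc01", "severity": 7}
{"ts": "2024-03-01T08:00:30", "rule": "brute_force_login", "src": "10.0.0.5", "dst": "dc01", "severity": 7}
{"ts": "2024-03-01T08:02:00", "rule": "port_scan", "src": "10.0.9.9", "dst": "web01", "severity": 4}
{"ts": "2024-03-01T08:03:00", "rule": "malware_callback", "src": "10.0.0.22", "dst": "203.0.113.7", "severity": 9}
{"ts": "2024-03-01T08:05:00", "rule": "brute_force_login", "src": "10.0.0.5", "dst": "dc01", "severity": 7}
{"ts": "2024-03-01T09:30:00", "rule": "brute_force_login", "src": "10.0.0.5", "dst": "dc01", "severity": 7}
"""

# Documented benign sources: the authorized vulnerability scanner is expected to trip port_scan.
# In practice this list is maintained through change management, not an analyst's memory.
SUPPRESSION_RULES = [
    {"rule": "port_scan", "src": "10.0.9.9", "reason": "authorized vulnerability scanner (change ticket: placeholder)"},
]

ASSET_WEIGHT = {"dc01": 3, "web01": 2}   # assumed asset values; hosts not listed default to 1
DEDUP_WINDOW = timedelta(minutes=10)      # repeats within this window fold into the open alert


@dataclass
class Alert:
    ts: datetime
    rule: str
    src: str
    dst: str
    severity: int
    count: int = 1          # how many raw alerts were folded into this one
    priority: int = 0


def parse_alerts(text):
    """Parse JSON-lines alerts and return them in time order."""
    alerts = []
    for line in text.strip().splitlines():
        d = json.loads(line)
        alerts.append(Alert(datetime.fromisoformat(d["ts"]), d["rule"], d["src"], d["dst"], int(d["severity"])))
    return sorted(alerts, key=lambda a: a.ts)


def is_suppressed(alert):
    return any(r["rule"] == alert.rule and r["src"] == alert.src for r in SUPPRESSION_RULES)


def triage(text):
    """Return (queue, suppressed): queue is priority-ordered, de-duplicated alerts."""
    queue, suppressed = [], []
    open_alerts = {}  # (rule, src, dst) -> the Alert currently open for that key
    for a in parse_alerts(text):
        if is_suppressed(a):
            suppressed.append(a)
            continue
        key = (a.rule, a.src, a.dst)
        current = open_alerts.get(key)
        if current is not None and a.ts - current.ts <= DEDUP_WINDOW:
            current.count += 1      # repeat within the window: fold it, do not re-page anyone
            continue
        open_alerts[key] = a
        queue.append(a)
    for a in queue:
        # SIEM severity, weighted by asset value, plus a small bonus for repeat volume
        a.priority = a.severity * ASSET_WEIGHT.get(a.dst, 1) + min(a.count - 1, 5)
    queue.sort(key=lambda a: (-a.priority, a.ts))
    return queue, suppressed


if __name__ == "__main__":
    q, s = triage(SAMPLE_ALERTS)
    for a in q:
        print(f"P{a.priority:2d} {a.ts:%H:%M} {a.rule:<20} {a.src} -> {a.dst} (x{a.count})")
    print(f"{len(s)} alert(s) suppressed as documented false positives")
```

On the constructed input, six raw alerts become a three-item queue: the three brute-force alerts within ten minutes of each other collapse into one high-priority ticket against the domain controller, the scanner’s port scan is suppressed with its documented reason, and the malware callback is kept even though it has fewer repeats. The suppression list is the part that needs governance: every entry should trace back to a change record, because an over-broad entry is exactly how a real incident slips through.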

What would your company do with that many extra man-days?

Find out today how easy it is to integrate your security incident response and event management products with IT process automation for enhanced incident management.









The Importance of Maturity in Security Incident Response Automation

With cyber-attacks on the rise and becoming more and more sophisticated, the need for quality security incident response automation products is also increasing. As with any other technology product, there are a wide variety of vendors offering this type of solution, with many new players emerging at a rapid pace. It’s important to note, however, that not all automation products are created equal. Let’s consider the importance of choosing a mature, established IT Process Automation (ITPA) product and the risks associated with opting for a newer option.

The lure of newer products typically stems from budgetary needs. An emerging software provider may offer an ITPA solution at a discounted rate to attract more business. The problem with this is, as the old adage states, you get what you pay for. While not all newer products are necessarily bad, there is an inherent risk involved with choosing a product based on price and ending up with something that isn’t quite up to par. The result is often a solution that doesn’t quite meet the needs of the business or cannot perform at the level desired.

The fact is, security incident response is one of the most important tasks for businesses today. Regardless of size or industry, every company in the world is at risk of having its sensitive data compromised, and the implications can be nothing short of devastating. Whether it’s an incident that causes widespread outages or costly system downtime, or a serious security breach in which confidential information ends up in the wrong hands, businesses can end up on the brink of losing everything.

For something so critical, it’s equally important that the product chosen to prevent such a catastrophic event be of the highest quality. The most effective way to ensure this is by carefully selecting a security IT Process Automation provider that has years of experience in IT Process Automation and can back their product up with real numbers and proof of performance.

One area in which maturity becomes even more crucial is integration. Most companies already have security information and event management (SIEM) tools in place to monitor incoming threats. To maximize security and create a closed-loop, end-to-end process, the right ITPA product can be easily integrated with the existing monitoring tools. Newer products often lack this ability, or they are not developed and honed enough to integrate seamlessly. This leaves the business at greater risk, defeating the purpose of the investment in IT Process Automation.

Ayehu has nearly a decade of experience in IT Process Automation, and we are continuously exploring ways to bring that knowledge and experience into the SOC world. We have made some excellent progress with clients who run their SIEM tools with our eyeShare solution for SIM-SOC to automate the alert response, incorporate data enrichment into the SIM tools, and manage automated containment and risk mitigation. The image below demonstrates the process more clearly.

You care about the security of your business. Don’t settle for less than a robust product from an experienced, mature IT Process Automation partner.





10 Ways to Reduce Cyber Security Threats with Automation

In today’s day and age, especially given recent events, concern about cyber security is at an all-time high. Businesses, consumers and employees all want to be certain that their sensitive information remains safe and secure at all times. Just consider the recent security breach that occurred at major retailer Target, through which the sensitive financial information of millions of people was compromised by a hacker. So, how can you be sure that the confidential data your organization is responsible for will remain safe from a potential cyber threat? Simple: through automation. Here’s how.

You probably already have some type of security information and event management (SIEM) system in place, which is designed to protect sensitive data from being accessed by unauthorized parties. The right IT process automation software can essentially integrate with that existing system to both enhance and extend its capabilities. The result is a closed-loop automated process that helps to identify security incidents the moment they occur so they can be addressed immediately. Furthermore, because this is no longer done manually, operational efficiency will improve as an added bonus.

The way it works is simple. Security threats are identified right away so they can be evaluated to determine their level of importance. With the right product, this part of the workflow can incorporate human decision making: the security analyst reviews all detected threats, verifies their severity and then determines the next step in addressing each one. IT Process Automation is then reinitiated and the workflow continues instantaneously. The appropriate tasks can be executed across physical, virtual or cloud environments. IT process automation can monitor security threats both on a case-by-case basis and via routine scheduled scans to proactively identify and prevent security vulnerabilities.

There are 10 distinct ways that IT Process Automation can help businesses reduce cyber security threats, as follows:
  1. Capture SIEM system security events and automatically execute specified procedures to extract additional information, manage incident resolution and communicate with relevant personnel as needed to solve more complex events.
  2. Capture antivirus system alerts and execute policies to prevent intrusions and the spread of viruses and other dangerous external threats.
  3. Monitor the availability and functioning of internal security systems.
  4. Remotely disconnect any unauthorized devices and/or computers from the network instantly via email or SMS.
  5. Remotely disable/lock access for hostile users immediately via email or SMS.
  6. Conduct remote, on-demand checks of users who are currently logged in to a certain workstation, using either email or SMS.
  7. Generate daily reports of Active Directory (AD) locked users.
  8. Generate daily reports of AD users that haven’t logged in to the domain during or within certain timeframes.
  9. Generate reports of AD users whose passwords are about to expire within the next few days, as well as send alerts via email/SMS.
  10. Enable/disable user logins within certain time frames to maintain better control over remote user connections.
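Items 7 to 9 above are scheduled report jobs over Active Directory. The following added example (not Ayehu’s code, and not from any product on this page) implements the three checks over user records in the shape an LDAP query against AD returns: the attribute names (`lockoutTime`, `lastLogonTimestamp`, `pwdLastSet`, `userAccountControl`) and the flag values are real AD ones, but the user records, the “now” timestamp and the domain policy values (maximum password age, lockout duration) are constructed for the example; fetching the records from a directory is assumed to happen elsewhere.

```python
"""Added example: the three Active Directory account-hygiene reports (locked-out users,
inactive users, passwords expiring soon), computed over constructed user records.
AD attribute names and userAccountControl flags are real; all data is constructed.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_NORMAL_ACCOUNT = 0x0200
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000


def filetime_to_dt(ft):
    """AD stores timestamps as 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - EPOCH_1601) / timedelta(microseconds=1)) * 10


NOW = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)   # fixed "now" so the example is reproducible


def days_ago(n):
    return NOW - timedelta(days=n)


# Domain policy values, assumed for the example (read them from the domain object in practice).
MAX_PWD_AGE = timedelta(days=90)
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed user records in the shape an LDAP search would return.
USERS = [
    {"sAMAccountName": "alice", "userAccountControl": UF_NORMAL_ACCOUNT, "lockoutTime": 0,
     "lastLogonTimestamp": dt_to_filetime(days_ago(1)), "pwdLastSet": dt_to_filetime(days_ago(85))},
    {"sAMAccountName": "bob", "userAccountControl": UF_NORMAL_ACCOUNT,
     "lockoutTime": dt_to_filetime(NOW - timedelta(minutes=5)),
     "lastLogonTimestamp": dt_to_filetime(days_ago(2)), "pwdLastSet": dt_to_filetime(days_ago(10))},
    {"sAMAccountName": "carol", "userAccountControl": UF_NORMAL_ACCOUNT,
     "lockoutTime": dt_to_filetime(days_ago(3)),
     "lastLogonTimestamp": dt_to_filetime(days_ago(60)), "pwdLastSet": dt_to_filetime(days_ago(30))},
    {"sAMAccountName": "svc_backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "lockoutTime": 0,
     "lastLogonTimestamp": dt_to_filetime(days_ago(1)), "pwdLastSet": dt_to_filetime(days_ago(400))},
    {"sAMAccountName": "dave", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE, "lockoutTime": 0,
     "lastLogonTimestamp": dt_to_filetime(days_ago(200)), "pwdLastSet": dt_to_filetime(days_ago(200))},
]


def enabled(u):
    return not u["userAccountControl"] & UF_ACCOUNTDISABLE


def locked_out_users(users, now=NOW):
    """Item 7. lockoutTime is not cleared when a lockout expires, so a non-zero value alone
    does not mean 'locked'; compare it against the domain lockout duration."""
    return [u["sAMAccountName"] for u in users
            if u["lockoutTime"] and now - filetime_to_dt(u["lockoutTime"]) < LOCKOUT_DURATION]


def inactive_users(users, days, now=NOW):
    """Item 8. Enabled accounts with no logon in `days`. lastLogonTimestamp replicates with
    up to about 14 days of slack, so treat this as a screening report, not a precise audit."""
    cutoff = now - timedelta(days=days)
    return [u["sAMAccountName"] for u in users
            if enabled(u) and filetime_to_dt(u["lastLogonTimestamp"]) < cutoff]


def passwords_expiring(users, within_days, now=NOW):
    """Item 9. Returns (expiring, never_expire): expiring is a list of (account, days_left)
    for enabled accounts whose password expires within the window; accounts flagged
    'password never expires' are reported separately because they escape the policy."""
    expiring, never_expire = [], []
    for u in users:
        if not enabled(u):
            continue
        if u["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
            never_expire.append(u["sAMAccountName"])
            continue
        expires_at = filetime_to_dt(u["pwdLastSet"]) + MAX_PWD_AGE
        days_left = (expires_at - now).days
        if days_left <= within_days:
            expiring.append((u["sAMAccountName"], days_left))
    return expiring, never_expire


if __name__ == "__main__":
    print("locked out:", locked_out_users(USERS))
    print("inactive 45d:", inactive_users(USERS, 45))
    exp, never = passwords_expiring(USERS, 7)
    print("expiring within 7d:", exp, "| never expire:", never)
```

Two caveats are built into the code rather than left to the reader: a stale `lockoutTime` from days ago is not a current lockout, and an account marked “password never expires” would never show up in the expiry report unless reported on its own, which is why `passwords_expiring` returns it as a second list. The disabled account is skipped by every report, matching what the daily reports in items 7 to 9 are meant to surface.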

These days, cyber threats are everywhere and businesses of every size and industry must be aware of the dangers, and take proactive measures to protect the sensitive data that they are in possession of.

By integrating IT automation with your SIEM solution, you can more effectively achieve this goal and provide an added level of protection to your sensitive information.









Improve Security Information and Event Management (SIEM) with IT Process Automation

With the growing use of cloud technology today, risk management is becoming an increasing priority among businesses across the globe. But simply employing Security Information and Event Management (SIEM) isn’t enough to truly keep an organization protected. Critical security events require real-time responses to mitigate risks and reduce costs. After all, catching an incident after the fact isn’t much better than not catching it at all. So what’s the best way for businesses to manage their security events in the most effective and efficient way possible? The answer is IT Process Automation.

When a critical incident, security breach or security violation occurs, time is of the utmost importance. Every moment that passes following a security event can cost your organization. With automation, the very instant an incident occurs an alert notification is sent and appropriately escalated. This eliminates the risk of human errors and inaccuracies and saves time by replacing the need for manual escalation.

Automated responses to security events help to:

  • Create standard security processes, reduce manual work and provide more consistent, reliable response actions
  • Reduce workload – respond to weaknesses or policy violations with automated review and remediation through automated processes while preserving best security practices
  • Reduce response times – integrate with both configuration assessments and event management to provide the fastest response to incidents with the maximum information available to your security administrators
  • Reduce the cost of securing systems and networks while achieving compliance – enable more scalable, repeatable compliance programs and streamline your organization’s compliance efforts

A few examples of automated Security Information and Event Management processes include:

  • Automatic response to security events such as password resets or privilege changes
  • Automated analysis processes using context for security events including assessment reports relevant to the event and remedies
  • Rapid and targeted escalation of monitoring for privileged user activity associated with insider threats
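The closed-loop workflow described earlier on this page (threat detected, analyst verifies severity and decides the next step, automation resumes) and the escalation and ownership points listed above fit together into one small state machine. The following is an added example (not Ayehu’s code, and not from any product on this page): incidents are paged to the first contact on an escalation path, re-paged one hop up when nobody acknowledges within the hop’s timeout, given a verified owner on acknowledgment, and held at a human decision gate before any containment action runs, while low-risk actions such as a password reset run automatically. The escalation path, the action policy and the walk-through timings are all constructed assumptions.

```python
"""Added example: a closed-loop incident workflow with an automated escalation path and a
human decision gate before containment. All contacts, timeouts, actions and timings are
constructed for the example; a real deployment takes them from the SIEM and the on-call roster.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Escalation path per severity: (contact role, time allowed before escalating to the next hop).
ESCALATION_PATH = {
    "high": [("soc-l1", timedelta(minutes=5)), ("soc-l2", timedelta(minutes=10)), ("ciso", timedelta(minutes=30))],
    "low": [("soc-l1", timedelta(hours=4))],
}

# Actions the automation may take on its own versus those that need the owner's approval.
AUTO_APPROVED = {"reset_password", "collect_host_triage"}
NEEDS_APPROVAL = {"disable_account", "isolate_host"}


@dataclass
class Incident:
    id: str
    severity: str
    opened: datetime
    proposed_actions: list
    owner: str = None
    state: str = "new"          # new -> acknowledged -> awaiting_approval -> remediating -> resolved
    hop: int = 0                # position in the escalation path
    last_notified: datetime = None
    resolved: datetime = None
    timeline: list = field(default_factory=list)

    def log(self, ts, event):
        self.timeline.append((ts, event))


def notify(inc, now):
    role = ESCALATION_PATH[inc.severity][inc.hop][0]
    inc.last_notified = now
    inc.log(now, f"notified {role}")


def open_incident(inc_id, severity, proposed_actions, now):
    inc = Incident(inc_id, severity, now, list(proposed_actions))
    notify(inc, now)
    return inc


def check_escalations(incidents, now):
    """Run on a timer: an unacknowledged incident past its hop's timeout moves one hop up.
    Returns the roles paged in this pass."""
    paged = []
    for inc in incidents:
        if inc.state != "new":
            continue
        path = ESCALATION_PATH[inc.severity]
        if now - inc.last_notified >= path[inc.hop][1] and inc.hop + 1 < len(path):
            inc.hop += 1
            notify(inc, now)
            paged.append(path[inc.hop][0])
    return paged


def acknowledge(inc, analyst, now):
    """Verified ownership: from here on the incident has a named owner. Auto-approved
    actions run immediately; everything else waits for that owner's decision."""
    inc.owner = analyst
    inc.log(now, f"acknowledged by {analyst}")
    for a in inc.proposed_actions:
        if a in AUTO_APPROVED:
            inc.log(now, f"auto-executed {a}")
    pending = [a for a in inc.proposed_actions if a in NEEDS_APPROVAL]
    inc.state = "awaiting_approval" if pending else "remediating"
    return pending


def decide(inc, approved, now):
    """The human decision step: the owner approves a subset of the pending containment
    actions, after which the automated workflow resumes."""
    for a in inc.proposed_actions:
        if a in NEEDS_APPROVAL:
            verdict = "executed" if a in approved else "rejected"
            inc.log(now, f"{verdict} {a} (decision by {inc.owner})")
    inc.state = "remediating"


def resolve(inc, now):
    inc.state, inc.resolved = "resolved", now
    inc.log(now, "resolved")


def mttr(incidents):
    """Mean time to resolution over resolved incidents, in minutes."""
    done = [i for i in incidents if i.resolved]
    return sum((i.resolved - i.opened).total_seconds() for i in done) / 60 / len(done)


def run_scenario():
    """Constructed walk-through of one high-severity incident; returns what each step produced."""
    t0 = datetime(2024, 3, 1, 8, 0)
    inc = open_incident("INC-1", "high", ["collect_host_triage", "isolate_host"], t0)
    early = check_escalations([inc], t0 + timedelta(minutes=2))   # inside L1's window: nobody re-paged
    paged = check_escalations([inc], t0 + timedelta(minutes=6))   # past 5 minutes: L2 is paged
    pending = acknowledge(inc, "analyst.kim", t0 + timedelta(minutes=8))
    decide(inc, approved=pending, now=t0 + timedelta(minutes=12))
    resolve(inc, t0 + timedelta(minutes=40))
    return {"early": early, "paged": paged, "pending": pending, "mttr_min": mttr([inc]), "incident": inc}


if __name__ == "__main__":
    result = run_scenario()
    for ts, ev in result["incident"].timeline:
        print(f"{ts:%H:%M} {ev}")
    print("MTTR (min):", result["mttr_min"])
```

The timeline the walk-through prints is the “full transparency” the page asks for: every page-out, the acknowledgment that fixed ownership, which actions ran automatically and which waited for a named person. The split between `AUTO_APPROVED` and `NEEDS_APPROVAL` is the policy decision that matters most when integrating a SIEM with automation: host isolation and account disabling are exactly the actions whose false positives are costly, so they stay behind the analyst’s gate.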

Not all IT Automation products are created equal…

While automation is, indeed, a highly effective method to manage security event response for your business, it’s important to point out that not all IT automation products on the market are created equal. It’s not enough to simply send out notifications or provide a list of incidents. To truly be effective, the program you choose must be feature-rich and comprehensive. Some of the critical features to look for include:

  • Real-time status reports of all incidents across the organization
  • Distribution of incidents by severity and priority
  • Verified ownership assignment
  • Immediate contact with incident owners
  • Customizable escalation path
  • Remote response and auto-remediation

The more comprehensive the suite, the better your security event management will be handled. This means a significant reduction in mean time to resolution (MTTR), which means improved performance and mitigated damages. In fact, with the right product you can reduce downtime by as much as 90% simply by automating incident management processes, providing sophisticated notifications and escalations procedures, and delivering full transparency of the entire incident management process to all IT operational staff and management.









More IT Process Automation Needed for Security Incident Response

We’ve mentioned it in many past articles, but unfortunately for Target, their massive security breach in 2013 has become something of a poster child for poorly executed security incident response. Investigations of the breach revealed that multiple alerts of the malware infection were sent. They just weren’t addressed as they should have been…and we all know how that ended for the retail giant. But what does this mean for other businesses? Should you be worried about becoming the next ship to sink at the hands of hackers?

The answer to that question lies in the harsh reality of cyber-attacks. According to a recent report by threat detection vendor Damballa Inc., a typical organization faces an average of 10,000 security events each day. Some larger firms may face upwards of 150,000 events on a daily basis. Furthermore, the report also found that most of the companies surveyed are managing nearly 100 infected machines daily. Given such massive and eye-opening numbers, it’s easy to understand why these breaches occur. There simply are not enough trained people to handle such an influx of events.

Since bringing in additional human capital isn’t a viable option for most businesses, the best solution is to incorporate IT Process Automation into the security incident response process. In fact, 100% of the participants in the Damballa survey agreed that automating manual incident response is the key to managing security needs moving forward.

One solution many enterprises have adopted is a security information and event management (SIEM) strategy. While this is certainly a good place to start, relying solely on a SIEM plan will likely leave businesses more vulnerable than they may realize. Damballa’s CTO, Brian Foster, describes it this way: “With SIEM, you’re getting partial pictures of an elephant, but never the entire elephant.” Much time is also often wasted on false positives and on whittling down which incidents truly require attention.

As a more favorable alternative, Foster recommends taking a more comprehensive approach to security incident response by introducing IT automation into the process. The ideal scenario would involve not just pinpointing legitimate alerts, but doing so in a way that is proactive. If an enterprise can implement a security incident response strategy that includes IT Process Automation and can manage incidents in a way that mitigates issues before they develop into an actual problem, the process will be a resounding success.

IT Process Automation can also save a company massive amounts of wasted human capital. According to the 2013 Ponemon Institute Report, it takes IT personnel an average of 90 days to discover a security breach manually. Once discovered, it can then take four months or more to actually resolve the issue. With the right technology in place, the time it takes to discover incidents can be reduced to just one day. As a result, that organization can realize a reduction in “man-days” of approximately 8,633. That’s a pretty compelling statistic.

Obviously, there’s no way to automate everything. Human input will always be needed to some degree. But by incorporating automation into a strong security incident response plan, your business will be much better equipped to deal with the many security challenges it will inevitably face moving forward.

Don’t take chances with your enterprise security. Protect your data and your future with IT Process Automation.




