SOC Optimization

Security Operations Maturity Assessment and Continuous Improvement

Building a World-Class Security Operations Center
Highly visible breaches and attacks have brought an intense focus on organizations' incident detection, investigation and mitigation capabilities. In today's world of "always-on" technology and insufficient security awareness on the part of users, cyber-attacks are no longer a matter of "if" but "when." We live in an age where information security is no longer optional.

At the core of a successful SOC is a strong foundation for operational excellence, driven by well-designed and well-executed processes, strong governance, capable individuals and a constant drive for continuous improvement to stay ahead of cyber adversaries. A good SOC is one that supports business objectives and measurably improves a company's risk posture. A truly effective SOC provides a safe environment for the business to deliver on its core objectives in line with its strategic direction and vision. A well-designed and implemented SOC can maximize existing security investments by linking individual technical components (such as anti-virus, IPS, IDS, etc.) in a manner that extends the benefits these systems bring in isolation.

Current State Assessment and Optimization of Cyber SOC

NETSENTRIES has developed an internal framework for the Current State Assessment and Optimization of your Cyber SOC.
 
NETSENTRIES uses a three-phase approach for the Current State Assessment and Optimization of your internal Security Operation Centre.

This includes:

• Current State Assessment/Gap Analysis
• Optimization
• Continuous Improvement

Transition & Gap Analysis

  • Audit of policies & procedures
  • Gap analysis reports with high-level recommendations for remediation
  • Development and maintenance of:
    • Activities Register
    • Process Documentation
    • SOC Operations Manual/Run Book/Playbook
    • Internal CIRT Response Plan
    • Device Management Work Instructions Manual
    • Change Management Practice Book
    • Escalation Matrix with contacts of upper management resources
    • Device Licensing and Support Manual
    • Development of new correlation rules and reports, or modification of the existing ones
    • Trend Analysis Reports
    • Development of new compliance scanning policies, or modification of the existing ones
    • Image and Configurations Repository
    • Log Baselines
    • Event source integration customizations as needed

Optimization

  • Revision of existing security controls
  • Creation of a formal service level performance metrics document with a baseline for all negotiated service levels
  • Definition of new use cases and reports
  • Modification of the types of data collected from existing event sources
  • Integration of additional event sources
  • Patching and upgrading of servers and solutions
  • Revision of vulnerability scanning policies
  • Effectiveness review of existing threat intelligence integrations
  • Building a local network security platform (NSM) for packet-level analysis
  • Building a local forensic analysis platform
  • Revision of documented policies and creation of new documents
  • Monthly/bimonthly internal knowledge transfer sessions for IT staff
  • Building an internal machine-readable Threat Intelligence Platform (TIP) capable of consuming multiple threat intelligence feeds

Continuous Improvement

  • Periodic review of security policies by component area: platform architecture, processes, organization, metrics/reporting, governance, etc.
  • Review of current and planned SOC/SIEM projects and initiatives
  • Identification and prioritization of gaps and opportunities for improvement
  • Review of use case models and of correlation rule architecture and design
  • Review of current metrics and operational/executive reports
  • Finalization of transformation states, service improvements and strategy
  • Identification of initiatives, grouping them into projects, and development of a SOC maturity roadmap
  • Performance analysis and quality measurement reports