Security operations: sources

First of all, a belated happy New Year …

I’m shortly to facilitate an online meeting on the topic of Security Operations Centres (SOC). Not something I know a great deal about (an advantage for a facilitator, but there are limits …) so I undertook a little research from the usual sources and this note summarises what I found.

First: there is not, it appears, a great deal of content from the Insight services specifically about centralised security operations. There’s a great deal, of course, about the various elements of security: malware detection, incident response, perimeter protection (firewalls) and so on. Gartner have a free online webinar replay from the middle of last year, Top Security Trends and Take-Aways for 2013. There’s a Security Information and Event Management (SIEM) Technology Magic Quadrant. Perhaps the one to watch from Gartner is an analyst, Adam Hils: he’s recently returned to Gartner after a few years elsewhere, and SOC is one of the areas he expects to cover. And there’s a glossary definition of the role of a Managed Security Service Provider (MSSP).

Forrester have a Security Architecture And Operations Playbook (a collection of documents and tools) which, for clients, would repay exploration. They do have a report (not free) entitled SOC 2.0: Virtualizing Security Operations, but this dates from 2010. There’s a recent (August 2013) Forrester Wave on Emerging MSSPs, and a report (same date) on SOC staffing: so although the Playbook contents list isn’t very revealing, it looks as if Forrester are up to speed on this topic. Forrester’s buzz phrase is the Zero Trust Model. Clients, have a conversation with your Sales Manager.

One or two of the smaller providers have some content. ESG (The Enterprise Strategy Group) have a very recent blog post: Enterprise CISO Challenges In 2014; this identifies some challenges and some players, and the need for efficacy linked to a strong security architecture, but doesn’t discuss organisational centralisation. Smart Directions publishes a Security Reference Diagram (architecture) which is worth a close look: based only on the online summary (you’ll need a subscription), there is a top layer here which can be interpreted as the function of an SOC.

But the two most helpful documents I’ve uncovered are not from Insight providers.

DEF CON is a hacker conference. Don’t let that put you off; “hacker” was a respectable attribute until it got hijacked by miscreants. DEF CON 18 included a useful presentation by Josh Pyorre and Chris McKenney entitled Build Your Own Security Operations Center for Little or No Money (the title on the slide deck is slightly different). Although this too is some years old (DEF CON 18 was in July-Aug 2010), it is a helpful summary of the What and Why of an SOC. There are some practical hints, such as the need for an internal (private) network to carry the SOC’s secure communications. There’s some information too, though three and a half years old, on tools.

And probably the best paper, unusually, is from a vendor. Again it’s a year or two old: HP’s Building a successful Security Operations Center is dated 2011. It discusses the why and wherefore of not outsourcing this operation (basically, you get generalised, aggregated operations which, while they may be 24×365, are not necessarily optimised to your business context); and its how-tos extend to the kind of staff you need, potential shift patterns, and how to respond to the likelihood that really good analysts will get mentally tired after two or three years, lose their effectiveness, and need to move on.

I’d be most pleased if any source or provider who feels they’ve been misrepresented or left out would add a comment.

Oh, and if searching: don’t forget that most material is American and they spell it Center.

• Forrester Research: The Security Architecture And Operations Playbook (this is a collection of documents, continuously updated); SOC 2.0: Virtualizing Security Operations (20 Apr 2010)
• Forrester Wave: Emerging Managed Security Service Providers, Q1 2013 (14 Feb 2013)
• Gartner: Top Security Trends and Take-Aways for 2013, free webinar (or download PDF); Glossary entry: Managed Security Service Provider
• ESG: Enterprise CISO Challenges In 2014, blog post, Jon Oltsik (10 Jan 2014)
• Smart Directions: Security Reference Diagram (report flyer), undated (probably 2013)
• DEF CON 18 (30 Jul-1 Aug 2010) Archive: page down to Build Your Own Security Operations Center for Little or No Money, Josh Pyorre, Chris McKenney (PDF download). You can view or hear the recorded presentation as video or audio from the DEF CON page (see link above)
• HP: Building a Successful Security Operations Center, Enterprise Security white paper, 2011 (direct link, PDF download)
• Gartner Blog: Adam Hils