It’s a great thing to live in the age of information. With a few clicks of a mouse or keystrokes on a keyboard, we can find out almost anything we want, purchase delightful products and communicate with friends and family on the other side of the world.
Unfortunately, the downside to this age of marvels is that the internet has become a nonstop cyberwar battlefield. Almost every day there are new and previously unheard of exploits threatening the operations and data of organizations and individuals.
This is a major problem here in India. We are one of the Top 5 destinations for cyberattacks. We rank third worldwide, behind China and the United States, as a source for malicious cyber activity. And the rate of “reported” cyberattacks on Indian targets has doubled year-over-year since 2005.
It doesn’t appear as if the situation will be changing for the better in the near future. The Modi Administration’s continued push for a massive increase in digital services may be good for the country overall, but such access to services is fast becoming a magnet for hackers and malicious activity.
Traditionally, warnings of new threats and advice on dealing with them have been shared among IT professionals and organizations in an informal manner via press releases and e-mail blasts. It was, “Hey! Here is a new cyberthreat. Good luck.” Often the alerts come too late to prevent damage to an organization. As the rate of cyberattacks continues to increase, such a process is no longer good enough.
Fortunately, there is a bright new development on the cyber battlefield — organizations of all sizes are establishing in-house Information Security Operations Centers (SOCs). A SOC is the physical location “where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed, and defended.”
The standard SOC is filled with skilled IT professionals whose responsibility is to provide situational awareness through detection, containment, and remediation of cyberthreats.
The main disadvantage of an in-house SOC is the expense of creating and maintaining it. It commonly takes 18 to 24 months to fully build out a proper SOC. There is also the challenge of personnel: highly skilled professionals are in demand, and companies must pay top fees to keep them on board. In many locales, there may also be a costly and confusing morass of governmental regulations to follow.
The main advantage is that your organization need not rely on an outside security-as-a-service firm. Because the SOC is responsible for IT security in your specific environment, it is better placed to prevent, identify, understand and protect against threats more quickly.
As I said, highly skilled SOC team members are in high demand and command large salaries, but working on a SOC team isn’t for everyone. SOC professionals enjoy the “fog” of cyberwarfare. They tend to be competitive and can work in stressful conditions for long periods of time.
So, what does it take to build a successful in-house SOC team? The three critical aspects of a SOC team are technology, processes and personnel. Each of these aspects is crucial, but for the purposes of this article I’ll focus on personnel and will only briefly touch on technology and processes.
Technology: Creating a central location with the ability to monitor and analyze cyberthreats requires cutting-edge equipment and security monitoring tools. Depending on budget and visibility requirements, companies can readily gather a comprehensive set of tools with open source or commercial solutions.
AlienVault, IBM QRadar, ArcSight, and LogRhythm are all solid sources for SOC tools.
Processes: It is crucial for a SOC team to have a repeatable incident management workflow that includes defined responsibilities for each member and the actions to be taken from the initial cyberthreat alert through evaluation, escalation and remediation.
Thankfully, you need not reinvent the wheel. The most common and popular model for incident response is the one developed by the U.S. Department of Energy Computer Incident Advisory Capability (DOE/CIAC). It consists of six stages: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. The DOE/CIAC model has been in place since 1989 and has consistently been proven to work.
Personnel: In my opinion, people are the most important aspect of a SOC. The reasoning is simple: Tools are only as good as the people using them, and processes only work if followed. Depending on requirements and the extent to which an organization wants to monitor its assets, SOC teams can consist of as few as four or five IT professionals, although larger SOC teams can include 50 or more individuals.
What is most important is that the team be comprehensively capable of handling their responsibilities. A general recommendation for a comprehensive SOC team is that it include individuals with the skills to cover the following four roles and tiers:
Tier-1 Detection Analyst — This is triage analysis, the first stage of protection. It involves daily monitoring of system logs, mitigating security alerts, creating and tracking tickets prioritized by urgency and potential impact, and escalating events to Tier-2 when applicable.
Team members will possess a strong knowledge base in programming, Linux, Windows security, packet analysis and system administration. Useful certifications include GCIA, GCIH, Security+, and CEH.
Tier-2 Detection Analyst — These are the incident responders who receive and begin acting on Tier-1 alerts that typically require deeper investigation and remediation. If the incident requires more than their Tier-2 actions, they will kick it up to the Tier-3 team.
In addition to the certifications listed in Tier-1, incident responders will find the CISSP, GCFA, GCFE, ECSA, and OSCP certs useful. A strong background in Tier-1 skills is mandatory as well as the ability and willingness to dig deeper to resolve incidents quickly.
Tier-3 Detection Analyst — The “Threat Hunter” is the team member (or members) who acts on high-alert, high-severity events passed up from Tier-2. Their responsibilities also include producing proof-of-concept reports that lead to new alerts and signatures for deployment.
Threat hunters need to possess all the above skills as well as the ability to act as a forensic investigator and think like a hacker. In addition to the above-mentioned certs, it helps to be a licensed penetration tester (LPT).
Tier-4 SOC Manager — This is the operational management stage where the SOC manager is responsible for guiding the team in their activities as well as providing on-going training and resource allocation for the SOC to operate effectively.
A strong SOC manager possesses all the skills and experience mentioned above as well as the ability to see the larger picture, manage people and resources, and make quick, well-thought-out decisions. In addition to the above certifications, a CISA and/or CISM credential will help a SOC manager round out their skill set.
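To make the workflow in the Processes and Personnel sections concrete, here is a small triage-and-escalation model written for this article; it is an added example, not tooling from the author or from any SOC product named above. It assumes a hypothetical key=value log format, constructed sample events, and made-up urgency and impact scores; a real SOC would derive those from its own asset inventory and detection content. Tier-1 parses the events, scores each by urgency and impact, opens a prioritized ticket, and auto-escalates P1/P2 tickets to the Tier-2 responders; each ticket is then walked forward through the six DOE/CIAC stages in order, and out-of-order stage changes are rejected.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The six DOE/CIAC stages, in order. A ticket may only advance to the next stage.
STAGES = ["Preparation", "Identification", "Containment",
          "Eradication", "Recovery", "Lessons Learned"]

# Constructed scoring tables (assumptions for this example, not industry values).
EVENT_URGENCY = {"malware_detected": 3, "auth_failure": 1, "usb_inserted": 1}
ASSET_IMPACT = {"db": 3, "web": 2, "ws": 1}   # keyed by hostname prefix
BRUTE_FORCE_THRESHOLD = 10                    # auth failures that raise urgency to 3

# Constructed sample log in a hypothetical "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-03-01T08:12:05Z host=web01 event=auth_failure user=admin src=203.0.113.7 count=42
2024-03-01T08:13:11Z host=db02 event=auth_failure user=svc_backup src=10.0.0.15 count=3
2024-03-01T08:15:40Z host=web01 event=malware_detected path=/tmp/x.sh hash=PLACEHOLDER_HASH
2024-03-01T08:16:02Z host=ws17 event=usb_inserted user=jdoe
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one hypothetical log line into a dict; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields


def priority(urgency: int, impact: int) -> int:
    """Collapse a 3x3 urgency/impact matrix into P1 (most urgent) .. P4."""
    score = urgency * impact  # 1..9
    if score >= 6:
        return 1
    if score >= 4:
        return 2
    if score >= 2:
        return 3
    return 4


@dataclass
class Ticket:
    ticket_id: int
    host: str
    event: str
    priority: int
    tier: int = 1                     # 1 = detection analyst, 2 = responder, 3 = hunter
    stage: str = "Identification"     # an opened ticket is already past Preparation
    history: List[str] = field(default_factory=list)

    def escalate(self, reason: str) -> bool:
        """Hand the ticket up one tier; Tier-3 is the top, so returns False there."""
        if self.tier >= 3:
            return False
        self.tier += 1
        self.history.append(f"escalated to tier {self.tier}: {reason}")
        return True

    def advance(self, to_stage: str) -> bool:
        """Move to the next DOE/CIAC stage only; skipping or going back is rejected."""
        if to_stage not in STAGES or STAGES.index(to_stage) != STAGES.index(self.stage) + 1:
            self.history.append(f"rejected stage change {self.stage} -> {to_stage}")
            return False
        self.history.append(f"{self.stage} -> {to_stage}")
        self.stage = to_stage
        return True


def triage(log_text: str) -> List[Ticket]:
    """Tier-1 triage: score each event, open a ticket, auto-escalate P1/P2 to Tier-2."""
    tickets: List[Ticket] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        f = parse_line(line)
        if not f or "host" not in f or "event" not in f:
            continue
        urgency = EVENT_URGENCY.get(f["event"], 1)
        if f["event"] == "auth_failure" and int(f.get("count", "0")) >= BRUTE_FORCE_THRESHOLD:
            urgency = 3  # repeated failures against one account look like brute force
        impact = ASSET_IMPACT.get(f["host"].rstrip("0123456789"), 1)
        t = Ticket(n, f["host"], f["event"], priority(urgency, impact))
        if t.priority <= 2:
            t.escalate("Tier-1 rule: P1/P2 tickets go straight to incident responders")
        tickets.append(t)
    return sorted(tickets, key=lambda t: t.priority)  # stable: ties keep log order


if __name__ == "__main__":
    for t in triage(SAMPLE_LOG):
        print(f"#{t.ticket_id} P{t.priority} tier={t.tier} {t.host} {t.event} stage={t.stage}")
```

The sorted queue is what a Tier-1 analyst would work from top to bottom; the two P1 tickets (the brute-force pattern on the web server and the malware detection) arrive already at Tier-2, while the low-scoring events stay at Tier-1. The `advance` guard enforces the stage order the text describes, so a responder cannot mark a ticket Recovered without having passed through Containment and Eradication.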
The demand for SOCs has created a new breed of cybersecurity enthusiasts who like to get their hands dirty and work with cutting-edge tools. In the U.S., a SOC analyst with two or more years of experience can expect to earn between $80,000 and $110,000 depending on experience.
SOC managers can command an annual salary between $100,000 and $180,000 depending on experience. And, like every other aspect of cybersecurity, there are more jobs than qualified people to fill them. While salaries and the number of SOC openings in India are presently lower than in the U.S. and Europe, demand is steadily increasing.
Costs aside, a SOC team with the correct tools and people can be invaluable for proactively protecting mission critical assets and data. This is a good time for Indian cybersecurity pros to begin preparing for a SOC career. Remember, it’s not a question of whether a hacker will strike, but when.