5 Preemptive Measures Your SOC Can Take to Protect Your Organization
Security tools are important for protecting your company and environment, but there are additional measures that you can take regardless of the security tools you have in place to help improve your chances of not being the target of an attack. All budgets are not created equally, but the good thing is that these measures can apply to SOCs that have generous budgets and those that have more ‘modest’ budgets. Below is a list of five preemptive measures that your SOC can take. This is not an exhaustive list, and if there is anything that you feel should be on it, please mention it in the comments section on any of our social media pages and we will write a part II with a reader feedback list!
Environment analysis and reduction of your attack surface
There are many cases in which a malicious actor gains access into an environment, and after some recon, the malicious actor knows the company’s environment better than the security team. You can take these three steps to block a majority of the attacks. The first step you can take is to understand your environment and its nuisances. You can work with your networking team to learn how your network is provisioned and where the critical assets/infrastructure are located in the network. Possible questions to think about are
- Is the production network segmented from development/non-prod environments?
- Are networks segmented by office/datacenter? Are they segmented by machine function i.e., servers, workstations, mobile, BYOD?
Another part of this measure is to understand your business from a data flow aspect and what can be done to interrupt that data flow. This is important because not all malicious actors are looking to exfil data, but some are looking to cause havoc and as a security team, keeping the production network up is just as important as keeping data secure.
Lastly, reducing your attack surface area is very important. If there are fewer ways for a malicious actor to gain access into your environment, they are more likely to go to a more appealing environment that requires less work (unless it is a targeted attack). You can think of it as securing your home…if you have locked doors, a security system, a fence, and a guard dog, a thief will be more tempted to go to a different home that has none of those safeguards in place. With the shift to hybrid and/or more cloud heavy environments, reducing your attack surface area is not as straightforward as before. Firewalls with continuously audited rules were the best way to do this in the past; however, this is no longer the case. Some of the things that you can look at are
- Are your firewall rules audited on a continuous basis?
- Is your cloud environment locked down? Are your routing rules, firewall rules, and access controls audited continuously?
- The domains that you own, do you still need them all? Are any of the old domains that are no longer needed still pointed to the production network?
- How is your physical access? Are unused network ports live? If so, do they need to be?
Many of the steps discussed and others that you may think of will require the participation of other teams outside of the SOC/security team. By performing these steps, you will quickly see how true the saying “security is everyone’s responsibility” is.
Understanding what your crown jewels are
It’s difficult to protect something when you don’t know what it is. Understanding what your crown jewels are can provide some context and also help with prioritizing security resources. If a company has an unlimited budget and unlimited staff, they don’t necessarily have to worry about prioritizing security resources. On the other hand, we know that this is not usually the case, so you need to be able to know where your focus needs to be.
So how do you find out what your most critical assets are? One way is to think about what will cause you to end up losing money, cause reputational harm, and more simply, end up on the news. Loss of PII/PCI/PHI? Downed production environment? Depending on what your company does, this answer can vary. Another way to figure this out is to look at other companies in your vertical and possible competitors. Have any of them been on the news in recent years? If so, for what? Look into those reports, understand what happened, and what the malicious actors targeted.
Now that you have a better understanding of what you need to protect, you can take a risk-based approach to protect your environment. Paths to your crown jewels should be assigned a higher risk score and be prioritized for security researchers.
Clear and repeatable procedures
One of the biggest pain points for leaders of security teams is staffing. It has been documented heavily that there aren’t enough security practitioners available and that the open positions will continue to rise. This leads to not having enough qualified staff to completely build out a team, but also leads to turnover. To prepare for this, you have to have clear and repeatable procedures in place. These procedures can be for complex situations like a confirmed incident or something smaller like user-reported phishing attempts. One is not necessarily more important than the other. Confirmed incidents need to be contained and have higher visibility, but don’t (usually) happen often. User-reported phishing attempts occur frequently but can be an indicator of a larger/confirmed incident.
Having clear and repeatable procedures allows for different analysts to work similar incidents and get to the same results. If you don’t have clear and repeatable procedures, you run the risk of one analyst performing a more thorough investigation than another. Clearly-defined procedures are good ways to get tribal knowledge out of the heads of senior analysts. If tribal knowledge isn’t documented, it is at risk of being lost when that analyst leaves given the high possibility of employee turnover. Lastly, clear and repeatable procedures help with the training of junior analysts and guides them through working investigations while gaining confidence.
Once you have procedures in place, you will want to continuously test them. A great option to test them is to run a tabletop exercise. A tabletop exercise is when you gather a team and run through a situation/incident and go through what will happen at each step of the situation/incident. All aspects will be covered from communications that will be done in addition to technical steps. Performing tabletop exercises helps to refine your procedures and find gaps that you might not have seen while creating the procedure. It will also find gaps not covered in certain technical procedures like clear-cut roles during an incident and audience and interval of communications. Here are some tips for conducting an effective tabletop exercise:
- Start with just the SOC/security teams. Once you’ve done one or two with just the security team expand it to include representatives from other teams that will be involved in security incidents like IT, networking and any other teams.
- Plan out the exercise so that it runs as smoothly as possible. You can look at new or current threats and use those to make the exercise more realistic. The more realistic the exercise, the more everyone will get out of it.
Networking and information sharing
Networking with others in your geographical area and your vertical is the last measure that will be discussed but is not any less important than the others listed. The security industry is one of the few places in which individuals that work for competing companies will work together and share information for the good of the entire industry. When malicious actors make attempts on one company in a vertical, there is a high probability that they will try that same attempt on others in the same vertical. Networking and information sharing can help you catch something you may have missed that another company may have seen and blocked.
Networking and information sharing can be done in official/paid ways like an ISAC (Information Sharing and Analysis Center). There are many different ISACs focused on specific verticals that you can join. However, this is not the only way you can learn from peers. Networking with others in your vertical can be without a paid membership through emails, joint exercises, or even just small summits with other security teams. Lastly, you don’t only have to network with your own vertical. You can join local security-related groups, go to local talks that may be held at colleges, or even host your own talk and invite others in your area for a meetup. Networking can be advantageous for all levels in security from the CISO who can network with other CISOs/security leaders to the junior analyst who can learn tips and tricks from other analysts. Find a couple of organizations that have events and regular meetings for both CISOs and all security professionals:
Events for everyone
As I mentioned earlier, this was not an exhaustive list, but just a sample of some measures your SOC can take to strengthen your security. Once again, if there is anything that you feel should be on a preemptive security list, please mention in the comments section on any of our social media pages and we will create a part II compiled strictly from reader feedback!