Building an Enterprise Security Operations Center

By: CA
Published: Aug 01, 2006
Length: 9 pages
Type: White Paper

Overview:

Managing the security environment today poses a series of challenges for IT personnel and their organizations due to the daily onslaught of security data from varying security and network systems. Many organizations have begun to create Security Operations Centers as a method for handling these challenges. This paper explores the requirements and best practices for setting up a Security Operations Center (SOC) within an organization.


Related Categories: Best Practices, Network Security

Security Operations Center:

Managing security events in today's corporate environment poses a series of challenges for beleaguered IT personnel and their organizations. A daily onslaught of security data from disparate systems, platforms and applications delivers the first challenge. Numerous point solutions such as antivirus software, firewalls, intrusion prevention systems, intrusion detection, access control, identity management, single sign-on and authentication systems all present information in different formats, store it in different places and report to different locations.

Most organizations deal with literally millions of messages daily from these incompatible security technologies, resulting in security information overload in security operations centers which, in turn, contributes to high overhead, duplication of effort, weak security models and failed audits. In a recent survey, almost half of the security administrators asked could not determine how many critical security events had required action in the past month as a result of this issue. And according to Forrester Research, "Security products available today for the perimeter, such as firewalls, IPSs, intrusion detection, antivirus gateways, content filtering, and a host of multipurpose security appliances, are making the network perimeter much more resilient but also more complicated."

As if this weren't enough, other challenges add complexity to the situation. Attacks against security operations centers are becoming increasingly frequent and sophisticated, pushing existing security capabilities to the limit. New technologies and the rapid expansion of networks and services indicate that this information overload will only worsen. Finally, regulatory compliance issues place an increasing burden on systems and network administrators.

In the face of such overwhelming odds, how can you ensure that your vital business assets and operations are protected and there is security in your operations center? How do you guarantee privacy for your employees, partners, vendors and customers? How do you implement security policies? How do you get a handle on the vast amounts of data and on the incompatible technologies and devices that, while standing guard, generate an entire new set of challenges? How do you maintain accountability and corporate governance within the organization?

To redress the current fragmented approach to security event management and safeguard your business operations, security administrators require the kind of real-time, centralized integration and management capabilities associated with today's Network Operations Centers (NOCs). Security Operations Centers (SOCs) can provide a real-time view into a network's security status, making a proactive approach to security a reality via automated alerts, detailed reports, and remediation.

A SOC monitors and manages all aspects of enterprise security operations in real time, from a single, centralized location. It discovers and prioritizes events, determines the risk level and which assets are affected, and recommends and/or executes the appropriate remediation. It delivers detailed reports at the local and network levels, meeting both real-time management and audit requirements.

To provide an example of a SOC in action, imagine a security operations center administrator sitting in a room at a Colorado University; the room is lit by the glow of several computer monitors, each displaying a physical area of the campus. Each monitor presents data reported from the University's geographically distributed sites.

The administrator receives an alert on their main screen, clicks a button, then picks up the phone and puts in a call to a local operator in California. What happened? The security operations center administrator saw proprietary information being sent out of the University improperly; the user's access was locked out, the local operator was dispatched to remove the user from the building, and an investigation into the incident was initiated. This sounds a bit futuristic, but it's not; this is the reality of today's security operations centers.

In this paper, we explore the business and technical requirements that organizations must consider when implementing a SOC.
