A common problem for many organisations is how to work around the limitations of a small security team. Even in larger organisations, the Security Operations Centre (SOC) often consists of a single person; in smaller ones it may be a part-time role for someone on the IT team. According to an ISC2 survey, 56 percent of organisations confessed to having too few information security workers, and 65 percent of recruiters struggle to recruit these professionals.
A one-person or small security team rarely has a second pair of eyes to verify findings, so false positives go unchallenged and waste precious time: time that is needed to analyse the overwhelming amount of security information generated today, even by small networks. Without adequate time to address security properly, the consequences can be devastating for the entire business, as we see in the media all too regularly.
However, it is not as bleak as it may seem. Several key factors contribute to the success of small security teams: knowing your environment, good communication skills, automation, setting a routine and taking advantage of threat sharing.
Know your environment
This may seem obvious, but in order to protect your environment, you must understand it and what your users are doing in it. Answer questions like: What websites are popular with your users? This can help you pre-empt or prevent watering hole attacks. Where are your users located? A user logging in from an unusual location could be the first indicator of an intrusion. What games are they playing during down time? If those games are exposed to Flash exploits or the game owner has been compromised it can become a problem on your network. All of this is useful information to incorporate into the defence of your network. Remember though: it is not your goal to spy, only to monitor and protect.
Good communication skills
Often overlooked, good communication skills are needed by the security practitioner to create security awareness amongst senior management and staff effectively. It is about communicating the right message to the right people in the right way. For example, when conveying the urgency of a major vulnerability to senior management, it is vital to include the following:
1) A link to an explanation of the vulnerability (offering only the link keeps the focus on response)
2) Clearly defined assessment of risk to the organisation in approximately three bullet points
3) A statement of your solution to remedy the problem or immediate actions to mitigate its risk
4) Call to action for your manager to enact established Incident Response plans
Your communication style will greatly affect how you are perceived within your organisation and, in turn, how effective you are at your job. Constantly scaring everyone about the 'next big zero-day apocalypse' will only desensitise your organisation to the next threat and may inhibit cooperation between teams. Rather than fear, teaching and demonstrating proper security practice gives a higher return on the time you invest with your users. That return comes in the form of compliance and cooperation, which reduce the number of incidents.
Automation
In a small SOC, it is important to automate tasks whenever you can to save time and resources. Projects like ad-hoc reporting, technology integration and data interfaces with other teams are good places to start. An experienced security professional learns when, and what, not to automate, because you cannot automate everything. Security must always take priority, so do not let automation consume you. To support your automation work, take the time to learn a scripting language: something popular that already runs on your servers and that can be applied to other areas of your work.
Set a routine
Having a routine process for tasks on a daily, weekly or even hourly basis is phenomenal practice for a small security team. For example:
Alarms should be reviewed first and foremost every day. Do not stop until all critical and high severity alarms are closed. Secondly, review events. This can be done by taxonomy (exploit, malware, authentication), by data source or simply by volume. Performing this review daily will give you a feel for what is normal and make the unusual easier to spot. The review also helps you tune and create policies that refine your baseline of activity in a logical and consistent manner.
Vulnerability scans should be performed at least once a week. Scans should be targeted, grouping similar servers or subnets together. Scanning the entire environment at once only lengthens the scan and complicates reporting. Before a vulnerability scan takes place, make sure you have an established remediation plan; otherwise you waste time and leave that portion of the network exposed while you scramble to work out a procedure to patch.
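As an added illustration of the daily alarm and event review described above (example code written for this page, not AlienVault's or the author's own), the following script runs over constructed alarm and event records that stand in for a SIEM export; the field names, data sources and counts are assumptions.

```python
"""Daily SOC review: open critical/high alarms first, then event volume by
taxonomy and data source compared against a running baseline."""
from collections import Counter
from statistics import mean, pstdev

# Constructed sample alarms (hypothetical ids and names).
ALARMS = [
    {"id": 1, "severity": "critical", "status": "open", "name": "Malware beacon"},
    {"id": 2, "severity": "high", "status": "closed", "name": "Brute force"},
    {"id": 3, "severity": "high", "status": "open", "name": "Exploit attempt"},
    {"id": 4, "severity": "low", "status": "open", "name": "Policy violation"},
]


def make_events(taxonomy, source, n):
    """Build n constructed events of one taxonomy from one data source."""
    return [{"taxonomy": taxonomy, "source": source} for _ in range(n)]


# Today's events (constructed): the IDS is unusually busy with exploit events.
EVENTS = (make_events("authentication", "vpn", 5)
          + make_events("malware", "ids", 4)
          + make_events("exploit", "ids", 14)
          + make_events("authentication", "proxy", 20))

# Daily event counts per source over the previous five days (constructed baseline).
BASELINE = {"vpn": [4, 5, 4, 6, 5], "ids": [5, 4, 6, 5, 5], "proxy": [20, 21, 19, 20, 20]}


def open_priority_alarms(alarms):
    """Critical/high alarms still open: the review is not done until this is empty."""
    return [a for a in alarms if a["status"] == "open" and a["severity"] in ("critical", "high")]


def count_events(events, key):
    """Group events by 'taxonomy' or 'source' and count volume per group."""
    return Counter(e[key] for e in events)


def unusual_sources(today_counts, baseline, threshold=3.0):
    """Flag sources whose volume today is more than `threshold` standard deviations
    from their baseline; a flat baseline gets a floor of 1 to avoid division by zero."""
    flagged = {}
    for source, history in baseline.items():
        sigma = max(pstdev(history), 1.0)
        z = (today_counts.get(source, 0) - mean(history)) / sigma
        if abs(z) > threshold:
            flagged[source] = round(z, 1)
    return flagged


if __name__ == "__main__":
    print("Open critical/high alarms:", open_priority_alarms(ALARMS))
    print("By taxonomy:", count_events(EVENTS, "taxonomy"))
    print("Unusual sources:", unusual_sources(count_events(EVENTS, "source"), BASELINE))
```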
Another aspect of establishing routines is organisation. This brings us back to knowing your environment: identify your company's assets, know your users and know the role of each server and device. This information can be organised into asset groups, firewall policies and SIEM correlation rules. Other forms of organisation include using your SIEM's ticketing system or creating a wiki to which you can add findings from investigations and useful scripts. When the security team (eventually) grows, all of this will help new recruits get up to speed quickly.
Threat sharing
Finally, there are numerous threat intelligence sharing feeds that security professionals can use to learn from thousands of others in the same boat. Access to threat intelligence puts the knowledge of many systems into a form that is easy to integrate and use. The two-way interaction of sharing is vital to learning about the latest and most critical threats facing businesses.
Being a small or one-person SOC can seem daunting, but with a little preparation and organisation, you can establish the habits to run it effectively.
Contributed by Joe Schreiber, solutions architect, AlienVault
Also see the webinar, The one-man SOC: Habits of highly effective security practitioners.