Security Operations Center Guidebook
eBook - ePub

Security Operations Center Guidebook

A Practical Guide for a Successful SOC

  1. 206 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

Security Operations Center Guidebook: A Practical Guide for a Successful SOC provides everything security professionals need to create and operate a world-class Security Operations Center. It starts by helping professionals build a successful business case using financial, operational, and regulatory requirements to support the creation and operation of an SOC. It then delves into the policies and procedures necessary to run an effective SOC and explains how to gather the necessary metrics to persuade upper management that a company's SOC is providing value.

This comprehensive text also covers more advanced topics, such as the most common Underwriters Laboratories (UL) listings that can be acquired, how and why they can help a company, and what additional activities and services an SOC can provide to maximize value to a company.

  • Helps security professionals build a successful business case for a Security Operations Center, including information on the necessary financial, operational, and regulatory requirements
  • Includes the required procedures, policies, and metrics to consider
  • Addresses the often opposing objectives between the security department and the rest of the business with regard to security investments
  • Features objectives, case studies, checklists, and samples where applicable

Security Operations Center Guidebook by Gregory Jarpey and Scott McCoy is available in PDF and ePUB format (Social Sciences & Cyber Security).
Part I
Developing Your Security Operations Center
Chapter 1

What is a Security Operations Center?

Abstract

While many of you who currently have a security operations center of one kind or another may be tempted to skip ahead, confident that your current incarnation is sufficient for your needs, we encourage you to take additional time and walk through these first chapters and challenge your assumptions. You may, for instance, be convinced that since you already have a facility that you can focus on operations and improvement. From hard experience, we’ve learned that a business case is not done once approval for a project or function is in place. As your company evolves through acquisition and change in leadership, you will need to justify all that you do and in some cases change those functions to better fit your new environment. In some cases this will require a downsizing, but expansion is also likely. Regardless, the answer can only be discovered if you challenge your assumptions and evaluate the new environment as if you had just taken over the security leadership role.

Keywords

Security leadership; corporate security; card access system; deck-to-deck walls; alarm monitoring; monitoring screens
When you hear the term security operations center (SOC), a picture will form in your mind, likely the picture of the first SOC you had experience with or the one you worked with the longest. Like companies, no two SOCs are the same. There are an infinite number of variations, but for our purposes we will focus on the most common delineations.
From an employee perspective, your SOC should be what they think about if they ever think about physical security, just like the help desk is what most employees think about when they have information technology (IT) issues. You aren’t just building a room full of stuff; you are building an easily identifiable entity for all things security in your company. Lost a badge? Call the SOC. See something suspicious? Call the SOC. Have something stolen? You get the idea. The phone number should be easy to remember and be located in many different places. Have it printed in the back of your badges or as part of a second card that goes with your badge. Have it located on the home page of your company’s internal website. Put stickers on the phones. Whatever it takes to get the word out and whatever works at your company. It may take a few years to become most people’s first thought when a security issue occurs, but be persistent and creative and you will get there.
The first SOC we ever built was at an electric and gas utility. There was a room already built with CCTV monitors, workstations, an alarm receiver, and the server running the card access system. It had one person per shift sitting in it, but this was not a SOC. The room and equipment don’t make it a SOC; it’s the people, processes, procedures, and, most importantly, the awareness of its existence. A SOC must be useful to be used, and that takes time in order to build trust and prove competency.
It took a couple of years and a successful business case to get the funding to make that room the SOC that the company needed. By 2007, most employees had no idea that there was a security department other than the SOC. Frankly, they had no reason to know that there was still a group that conducted risk assessments, investigations, and other corporate security tasks. In fact, we prefer to delineate between physical security and corporate security functions. The SOC is firmly on the physical security side, which is basically guards and gates. Corporate security, to whom the SOC reports, deals with policy, regulatory compliance, risk assessments, and investigations.
A SOC can be as small as a reception desk that is staffed only during business hours, or it can be a combination of multiple physical locations with dozens of staff working 24/7/365, and in physical or virtual locations all over the globe. It can be staffed by employees and located only on company property, or entirely outsourced. To figure out what you need, at least from a starting point, you will need to complete a needs assessment that is covered in Chapter 2. A large part of that assessment will be figuring out what you want the SOC to do for your company.
Most SOCs have, at a minimum, alarm monitoring for the building they reside in and cameras to verify alarms, to verify the identity of employees requesting access at a remote entry, and to conduct accident and theft investigations. For companies with one or more locations, the SOC is also a common place to manage the access control system (usually card-based) and is often also the location where badges are printed. Regardless of the number of locations, centralized control of the card access system and badge printing operation is the most cost-effective. Separating it out and having other groups perform those functions is dramatically more expensive and less secure than centralization, due to the redundancy in personnel and equipment. Speed is always a concern when on-boarding new staff, but even for a large company, photos can be taken at remote locations, badges printed off hours when call volumes are down, and shipped the next day by interoffice mail or courier. Temporary badges can be used for the few days it takes for the new badge to arrive.
Beyond those more common security-related functions that make sense in combining, there are other less obvious activities a SOC can perform to assist the company and make it more user-friendly or even help the company save money. One option is to be the 24/7 location where all material safety data sheets for the company are located. The SOC number is distributed to all workers and posted throughout the buildings on the safety boards and as part of their site procedures, and if there is an accident dealing with chemicals, employees need only call the SOC to get the instructions read and even sent via smart phone to the appropriate party.
A SOC is a great location to centralize all of the crisis communication for a corporation. Basically, for any function where a person can receive a call and take a series of prescribed actions without needing to make upper-management-level decisions (because for many common occurrences the response can be predetermined), the SOC can follow the procedure and take all of the actions listed: call trees, documentation, alerting, testing, or whatever. Procedures, training, and documentation are the core strengths of any SOC. One company where we both worked had us take all employee-related vehicle accident reports, because again, the SOC is there 24/7, the number was selected to be easy to remember, and it was advertised in multiple locations and formats. For the employee-related car accidents, the safety department had a few thousand key chains made in the shape of a crashed car with the phone number of the SOC, so every company car would have one and everyone would know whom to call. These activities have to be performed by someone, and without a SOC, especially a 24/7 operation, there would be additional expense, usually with some third party who does not understand how your company works or who the proper personnel to contact are.
Once you have decided what type of activities you want the SOC to perform, you need to decide what type of operation you need to support them. We’ve listed the three most common variations of a SOC: Third Party, Hybrid, and Dedicated. Based on the scope you created, the type of SOC you need should become evident. If not, you will need to wait until you move on to the business case portion to determine the most cost-effective solution that still meets all your requirements.

Third Party

The configuration and staffing levels of an outsourced SOC are irrelevant, because you only need to focus on two things: the price you pay for the service and whether the outsourced provider meets your service level agreements (SLAs). This may be a good option for a smaller company that can’t reasonably fund its own dedicated facility. Likely this type of company is also not critical infrastructure and may not have many facilities. It is important to clearly define the SLAs to make sure you are getting the services you need in the time and at the quality you require. Contract negotiations are crucial, and if your company is too small to have a robust sourcing or legal department, make sure you get third-party assistance for help in procuring security services.
It’s likely that the third party will have some connectivity to your facility if they are to provide access control, monitoring alarms, or viewing cameras, so make sure you have a third party conduct an IT security assessment to ensure that the provider is not introducing additional risk into your environment by having a poorly run IT security program.

Hybrid

A hybrid approach would consist of having dedicated staff for part of the day, but transferring over to a third-party SOC or central station after hours or over weekends and holidays. In some cases, the in-house staff may program access and issue badges, while leaving alarm and video monitoring to someone else outside of normal working hours. Whatever the combination, a minimal amount of functionality is required for the in-house staff, and it is best to have a dedicated work area for this function. Electronic and physical control of access and monitoring systems must be maintained in the off hours to ensure that there is no abuse or subversion of the systems. This dedicated space has minimal requirements, but if possible, a card reader and camera should be installed to control and monitor access, as long as the walls extend from deck to deck, in case there is a need to conduct an investigation. If for whatever reason you can’t have deck-to-deck walls, you would also need some form of motion detector inside the SOC to ensure that no one has climbed over the wall to gain access.

Dedicated

In order to have a dedicated facility, there needs to be round-the-clock staffing, including weekends, or you are sending your alarms to a third party and fall under the hybrid model. Regardless of whether the staff are employees or contract, someone needs to be on site to monitor the alarms at all times. This is a constant expense referred to by contract security companies as a 168, that is, 24 hours a day by 7 days a week, including holidays. This can be difficult to staff internally since, unless there is a larger onsite guard force, it will be difficult to cover the post when people require vacation or sick days. Going to a purely dedicated internal model is a huge step in responsibility and expense for any company and should never be taken lightly. One way to mitigate this is to use contract security staff and require in the contract that the post always be staffed. The contract company will have a larger pool of people to call on to fill the post in those circumstances; however, this will require training multiple backups and putting up with degraded service. The SOC itself may be dedicated and run 24/7 but the staff can all be contract. There are pros and cons to contract and in-house security staff that we will discuss later; for now, we’re focused on the facility.
With no reliance on an outside provider, the SOC should, at a minimum, be in a secured location with deck-to-deck walls and have a card reader and camera at the entrance. As with the hybrid option, if deck-to-deck walls can’t be installed, some form of motion alarm is required. With dedicated staff on site, it may seem as if these controls were not needed, but with only one person on staff, there will always be some need to leave the SOC for periods of time, regardless of how short, be it for bathroom breaks, meals, or to respond to some form of emergency.
This dedicated facility should have an access control workstation and separate alarm monitoring equipment, as well as a larger monitor, not only to view the video monitoring system in order to verify alarms but also to assist with granting remote access to a door if workers forget their access card, or to let in contract workers. These enclosed and dedicated facilities, regardless of their size, always seem to have issues with either heating or cooling, or both. There is a lot of equipment located in a small space, and most times the SOC is a late addition to an already existing structure. Sufficient outlets are required, and they should either be on the building’s uninterruptible power supply (UPS) or have their own dedicated UPS on site.
If you decide that you are interested in going with an Underwriters Laboratories (UL) listed facility, or for some reason it’s required, the cost and logistics will be more than double. Two people must be in the SOC, or at least one of them must be, with the other nearby enough to be able to return within fifteen minutes. While it’s expensive to double staff, there is also a lot of expense in constructing a facility, assuming that the building you want to use even qualifies.
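As an added example (not from the book), here is the monitoring rule that the card reader, camera and motion detector described for both the hybrid and the dedicated SOC imply, in Python: motion inside the SOC while it is armed and unstaffed, with no granted badge read at the door shortly before, is the signal that someone got in without passing the entrance (for example over a wall that is not deck-to-deck). The event line format, the arm/disarm events and the two-minute grace window are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: motion this soon after a granted badge read is attributed to the badge holder.
GRACE = timedelta(minutes=2)

@dataclass
class Event:
    ts: datetime
    kind: str    # "arm", "disarm", "badge", or "motion"
    detail: str  # badge: "granted:<holder>" or "denied:<card>"; motion: zone name

def parse(line: str) -> Event:
    """Parse one constructed event line: '<ISO timestamp> <kind> <detail>'."""
    ts, kind, detail = line.split(" ", 2)
    return Event(datetime.fromisoformat(ts), kind, detail)

def unverified_motion(lines):
    """Return (timestamp, zone) for motion seen while the SOC is armed (unstaffed)
    that was not preceded by a granted badge read within GRACE. A denied read
    does not open the window, so motion after a denied read is still flagged."""
    events = sorted((parse(line) for line in lines), key=lambda e: e.ts)
    armed = False          # True once staff leave and arm the space
    last_granted = None    # time of the most recent granted read at the SOC door
    alerts = []
    for e in events:
        if e.kind == "arm":
            armed = True
        elif e.kind == "disarm":
            armed = False
        elif e.kind == "badge" and e.detail.startswith("granted:"):
            last_granted = e.ts
        elif e.kind == "motion" and armed:
            if last_granted is None or e.ts - last_granted > GRACE:
                alerts.append((e.ts.isoformat(), e.detail))
    return alerts

# Constructed sample: a hybrid SOC armed at end of day, one interior motion with
# no badge read at all, one motion after a denied card, then a normal morning:
# the operator badges in, is seen inside within the grace window, and disarms.
SAMPLE = [
    "2024-03-02T18:05:00 arm -",
    "2024-03-02T22:14:30 motion soc-interior",
    "2024-03-02T23:40:00 badge denied:unknown-card",
    "2024-03-02T23:41:00 motion soc-interior",
    "2024-03-03T06:55:00 badge granted:op-17",
    "2024-03-03T06:55:40 motion soc-interior",
    "2024-03-03T06:56:00 disarm -",
    "2024-03-03T09:10:00 motion soc-interior",
]

if __name__ == "__main__":
    for ts, zone in unverified_motion(SAMPLE):
        print(f"ALERT unverified motion in {zone} at {ts}")
```

Only the two after-hours motions are reported; the operator's own movement after a granted read, and daytime motion while disarmed, are not.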
The most common UL certifications are for Burglary, Fire, and Classified monitori...

Table of contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Introduction
  7. Part I: Developing Your Security Operations Center
  8. Part II: Operations
  9. Part III: Making the SOC an Integral Part of Your Company
  10. Index