Protect Systems and Data
After completing this unit, you’ll be able to:
- Describe how to protect the network with a security operations center framework.
- Describe how to harden systems and manage configurations and change by enforcing security policy.
- Explain security operations services such as vulnerability assessment, penetration testing, and red teaming.
Put in Place a Security Operations Framework
In the previous unit, you asked the right questions to identify critical assets, and their associated vulnerabilities and threats. Now it’s time to put in place a framework to protect systems from attack.
As a security operations engineer, you protect people, technology, and data distributed across large geographic areas. Even engineers at small companies protect complex IT environments. Employees and customers access sensitive data on a variety of devices. They work on-site and remotely, and they use personal and company equipment. What happens if a threat actor is successful in compromising one of these entry points and accesses customer data? How can you keep track of everything you need to protect?
This is where a framework comes in. You use frameworks to guide your day-to-day work protecting the organization’s systems and data. A security operations center (SOC) framework consists of policies, standards, and procedures for performing the SOC’s core and support services. The framework standardizes activities, defines and assigns roles and responsibilities, and outlines metrics collected to drive systematic improvements.
The SOC framework covers governance and operational considerations. From a governance perspective, it outlines information such as roles and responsibilities in rolling out new technologies, onboarding new devices, integrating devices with existing monitoring tools, and updating and testing existing tools.
From an operational perspective, you use the framework to enforce the organization’s security policy across the IT environment. You use it to guide the configuration and maintenance of network sensors, which collect data that in turn helps the SOC monitor and detect malware and incidents. You also use the framework to organize the large amount of logs and data that are collected for analysis.
Use a Security Information and Event Management Solution
One common tool that helps you is a security information and event management (SIEM) solution. You use a SIEM to aggregate and analyze logs from the IT resources in the company’s environment (such as network devices, servers, domain controllers, and more), to better understand security events. The SIEM can also include internal and external threat intelligence tools, such as news feeds and vulnerability alerts. Part of the engineer’s job includes managing and tuning the rules, filters, and dashboards built into the SIEM that implement the chosen framework.
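As an added example of the kind of rule a SIEM engineer writes and tunes (this is illustrative code written for this page, not part of any SIEM product), the script below parses constructed sshd-style authentication log lines and applies a brute-force correlation rule: five or more failed logins from one source address within one minute raises a medium alert, and a successful login from that same source while the burst is still in the window escalates to high. The log lines, host names and IP addresses are constructed for the example; the `threshold` and `window` parameters are the knobs an engineer would tune against the organization's own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in the style of Linux sshd auth logs as they
# would arrive at a SIEM over syslog. Hosts and addresses are made up.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
2024-05-01T09:00:03 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-05-01T09:00:04 host1 sshd[1205]: Failed password for admin from 203.0.113.7 port 51126 ssh2
2024-05-01T09:00:06 host1 sshd[1207]: Failed password for admin from 203.0.113.7 port 51128 ssh2
2024-05-01T09:00:07 host2 sshd[3310]: Failed password for alice from 198.51.100.22 port 40100 ssh2
2024-05-01T09:00:09 host1 sshd[1209]: Failed password for root from 203.0.113.7 port 51130 ssh2
2024-05-01T09:00:11 host1 sshd[1211]: Accepted password for root from 203.0.113.7 port 51132 ssh2
2024-05-01T09:15:00 host2 sshd[3312]: Accepted publickey for alice from 198.51.100.22 port 40102 ssh2
"""

# Parser for the one event type this rule cares for. A real SIEM would have
# one parser per log source; anything unparsed is routed to a separate bucket.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Turn raw log text into normalized event dicts; skip lines that do not match."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def brute_force_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Correlation rule keyed on source address.

    A sliding window of failure timestamps is kept per source. Crossing the
    threshold fires a medium alert once; a successful login while the window
    still holds a full burst fires a high alert (likely guessed credentials).
    """
    failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src"]]
        # Drop failures that fell out of the window before evaluating.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:  # fire on the crossing, not on every extra failure
                alerts.append({"type": "brute_force", "severity": "medium",
                               "src": ev["src"], "host": ev["host"], "at": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"type": "brute_force_success", "severity": "high",
                           "src": ev["src"], "host": ev["host"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in brute_force_alerts(parse(SAMPLE_LOGS)):
        print(alert)
```

Tuning matters as much as the rule itself: a vulnerability scanner or a misconfigured service account can trip the medium alert constantly, so in practice the engineer adds an allowlist of known noisy sources or raises the threshold for them, while keeping the high-severity success-after-burst rule tight, since that one is rarely benign.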
By setting out guidelines for technical controls, processes, and staffing, the framework helps you as a security operations engineer increase the organization's resilience to attack and improve the effectiveness of its reporting mechanisms. That in turn shortens the time it takes to detect and respond to threats.
There are many SOC frameworks, and the one you use depends on the technology and approach specific to your organization. Commonly cited examples include the Common Intrusion Detection Framework (CIDF), the Incident Object Description Exchange Format (IODEF), and the Security Device Event Exchange (SDEE); these three are, strictly speaking, standards for exchanging intrusion-detection and incident data between tools and teams rather than complete operating models for a SOC. No matter which framework you apply, the idea is to standardize policies, procedures, controls, and data collection so that you can manage and understand the organization's security posture from a common baseline. Having a framework also makes it easier to share security information with other security teams across relevant industries.
Harden Systems and Manage Configurations and Changes
Now that you’ve crafted your security operations framework, it’s time to harden your systems in order to prevent attacks. System hardening is the process of securing a system’s configuration and settings to reduce IT vulnerabilities and the possibility of compromise. The goal is to protect critical IT infrastructure from penetration by the adversary.
Meet Mira, a Security Operations Engineer
Let’s meet Mira. She is a security operations engineer at an airport. Her job is to protect the airport’s systems and data from compromise. She works with technical support teams across the organization to harden systems, manage configurations and changes introduced by new technology or code, patch systems, implement firewall policies, and update intrusion detection and prevention controls. She knows that this basic maintenance is as critical to keeping the company safe as maintaining a plane is to keeping passengers safe.
Note that Mira isn’t herself responsible for making all these changes, especially in a large and complex IT environment. Rather, she uses data to monitor the state of IT devices and the implementation of security policies, procedures, and controls. Then, if she notices something that is out of compliance or finds a vulnerability, she enters a ticket in a reporting system, so that the system owner can take appropriate action, such as implementing a patch or putting a monitoring sensor back online. It’s crucial that Mira works closely with system owners on patching and maintaining systems, so as to ensure both the security of the system and its availability for normal business operations.
For example, today Mira starts her workday by performing a compliance scan on the system the airport uses for security screening to ensure that it is properly configured. She works with the system owners to ensure they are aware of existing vulnerabilities, and have a mitigation plan in place to patch them, especially if they exist on publicly facing systems. If the system owner encounters a security issue, they contact Mira to help them troubleshoot, diagnose, and resolve the issue. If she discovers that a security policy is not being properly implemented, she updates security tools to ensure policies are enforced. She also investigates further to ensure the weakness has not been exploited by an adversary. She plays a crucial role in protecting the system from adversaries, and in keeping the airport’s customers safe.
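The hardening and compliance-scan work described in this section and in the introduction to system hardening above can be made concrete with a small check. The following is an added example written for this page, not a tool the page or any vendor ships: it reads an OpenSSH server configuration, computes the effective global settings, compares them with a hypothetical hardening baseline modeled loosely on CIS-style SSH guidance, and reports deviations. Both configurations are constructed for the example. Two details a practitioner wants from such a check are built in: sshd honours the first occurrence of a directive, so a "fixed" line appended below a weak one does nothing, and a directive that is absent falls back to the OpenSSH default (the defaults listed are assumed to match OpenSSH 7.0 and later; confirm with `sshd -T` on the real host).

```python
import re

# Assumed OpenSSH server defaults for directives that are absent from the file
# (OpenSSH 7.0+). Verify against `sshd -T` on the host being checked.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Hypothetical hardening baseline for this example: (directive, expectation, check).
BASELINE = [
    ("PermitRootLogin", "no", lambda v: v == "no"),
    ("PasswordAuthentication", "no", lambda v: v == "no"),
    ("X11Forwarding", "no", lambda v: v == "no"),
    ("MaxAuthTries", "4 or fewer", lambda v: v.isdigit() and int(v) <= 4),
]

# Constructed weak configuration. Note the trailing PermitRootLogin line: sshd
# keeps the FIRST value it sees, so that "fix" is silently ignored.
WEAK_SSHD_CONFIG = """\
# constructed sample sshd_config (weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
PermitRootLogin no
"""

# Constructed hardened configuration that satisfies the baseline.
HARDENED_SSHD_CONFIG = """\
# constructed sample sshd_config (hardened)
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""


def effective_config(text):
    """Return the effective global sshd settings as {directive: value}.

    First occurrence wins, matching sshd's behaviour. Parsing stops at the
    first Match block because directives inside it are conditional.
    """
    eff = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        eff.setdefault(key, value)  # setdefault implements first-match-wins
    return eff


def compliance_findings(text):
    """Compare effective settings with BASELINE and list every deviation."""
    eff = effective_config(text)
    findings = []
    for directive, expected, ok in BASELINE:
        key = directive.lower()
        actual = eff.get(key, SSHD_DEFAULTS.get(key, ""))
        source = "configured" if key in eff else "default"
        if not ok(actual):
            findings.append({"directive": directive, "expected": expected,
                             "actual": actual, "source": source})
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, compliance_findings(cfg) or "compliant")
```

Each finding carries the directive, the expected value, the actual effective value and whether that value came from the file or from a default, which is exactly the information Mira needs to put in a ticket for the system owner. Checking effective values rather than grepping for the hardened line is what catches the duplicate-directive case above.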
Understand the Adversary’s Perspective
In addition to working with technology and functional teams across the organization to harden system protections, you as a security operations engineer often also provide additional security services. These services help the organization better understand the adversary’s perspective, and further strengthen system resilience.
Like a first responder, you have a primary role of helping the organization proactively identify risks of emergencies, protect systems from them, and respond if an incident occurs. SOCs also often perform outreach to technical and business system owners to proactively harden the organization's assets and systems from an adversarial perspective. You offer services such as vulnerability assessment, penetration testing, and red teaming. While large organizations may have these services in house, smaller ones may outsource them to third parties. Let's learn a little more about each service.
- Vulnerability assessment: In a vulnerability assessment, typically performed by the defensive "blue team", you work with system owners and administrators to holistically examine the security architecture of a system. The terms "blue team" and "red team" (described further below) come from the military, and are commonly used to describe teams that use their skills to imitate the attack techniques that enemies might use (red teams) and teams that use their skills to defend (blue teams). Blue teams scan the system for vulnerabilities, examine system configurations, and review design documentation. The goal is to identify and test potential points of entry from an adversary's perspective. At the end of the assessment, you produce a report of your findings, along with recommended remediations. This type of engagement is an opportunity for the SOC to expand monitoring coverage and helps build your knowledge of the business systems you protect.
- Penetration testing: During a penetration test, members of the SOC conduct a simulated attack against a segment of the organization to assess the target's resilience. Unlike vulnerability assessments, these are often conducted with the knowledge and authorization of only senior leadership, without forewarning system owners, and simulate a specific known attack scenario, such as a phishing campaign. Afterward, the team produces a report with findings to help harden the system.
- Red teaming: Red team engagements are more comprehensive than penetration tests. A red team performs a full-scope, multilayered attack to measure the resistance of people and processes in the organization, in addition to testing traditional system security. Red teams use the cyber kill chain to structure these attacks. The cyber kill chain is a model, originally published by Lockheed Martin, that defines the stages an attacker moves through to compromise a target: reconnaissance, in which the attacker gathers information on the target; weaponization, where the attacker builds the attack; delivery, where the attack is transmitted to the victim; exploitation; installation; command and control; and actions on objectives. For example, in the delivery phase, a red team member may hand a USB drive infected with malware to a receptionist, or plug a rogue device into an unsecured network port in the building. At the end of the engagement, the red team provides a summary that includes recommended updates to policies, procedures, or training, in addition to technical fixes.
No matter which type of adversarial testing is used, the idea is to think about how to better protect systems by getting in the mindset of the attacker. These types of engagements are also great opportunities to showcase the importance of the security operations function in protecting the business. When performing these types of services, you have an opportunity to learn more about the specific characteristics of the systems you are charged with protecting.
Great work! In the next unit you learn more about how you as a security operations engineer detect risks and deviations from normal behavior that can indicate malicious activity in the IT environment. Let’s go!
- External Link: SANS Building, Maturing & Rocking a Security Operations Center
- External Link: MITRE: Ten Strategies of a World-Class Cybersecurity Operations Center
- External Link: SANS: Web App Penetration Testing and Ethical Hacking
- External Link: Center for Internet Security (CIS) Controls: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers