To some, metrics are the holy grail of information management, security information included. Being able to monitor, measure and communicate the information security state of an enterprise is powerful, and executive management increasingly expects it as part of reporting on the state of the business.
While some enterprises are still struggling with metrics and with the changing landscape of tools and processes used as data sources, one rapidly maturing area is the security operations center (SOC), where defining parameters has been a challenge.
In this tip, we'll take a closer look at security operations center (SOC) metrics and ways to improve an enterprise's security posture.
Enterprises realized that looking at log data from their IT environment was a good starting point, but soon found that on its own it is insufficient. As a result, network operations centers (NOCs) are evolving and dedicated security operations centers are being formed. These centers handle many more and different functions, such as monitoring logs, responding to incidents and security administration, all coordinated through people, processes and technology.
Many SOCs are evolving from relying only on the enterprise SIEM system to fully monitoring environments and trends, and are trying to become predictive rather than reactive. Managed security service providers (MSSPs) and cloud service companies are creating services that supplement, outsource or co-source an enterprise's internal resources. Remember that there is a HUGE shortage of available skills in this market.
As SOCs start to mature, analytics and decision support are MUST HAVEs, to drive more value for enterprises and to provide insight into how effectively security resources are being used. As SOCs continue to mature, the need for metrics and their supporting definitions becomes more important, as does using the metrics to make changes and monitor the environment. Even defining what constitutes an incident is essential, as not all security incidents have the same impact or require the same response.
The SANS Institute offers several papers related to SOC metrics, and NIST hosts the National Vulnerability Database, which provides parameters for tracked vulnerabilities.
When developing SOC metrics, identifying the highest-value processes or the areas that need the most resources can help determine where metrics and management attention are needed most. This identification is not so hard if you think about where the heart and soul of your enterprise is (yes, you got it: it is your ERP).
When SAP® is your ERP, monitoring SAP® should be part of continuous SOC monitoring to make sure these mission-critical systems, processes and data are protected.
Whether you insource, outsource or co-source this part of the SOC, it is critical to set these metrics up front and include them in a contract (SLA) to ensure that the SOC can generate the data and support the required parameters.
Ways to improve an enterprise's security posture
Monitoring firewall alerts or failed logins alone, for example, may be useful when there is a sudden increase, and retaining that data for forensics or incident response is absolutely necessary. However, monitoring over time may not yield actionable information without correlation and analysis.
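As an added example (not part of the original tip), the following Python script shows the distinction drawn above: counting failed logins per minute flags a sudden increase, but only correlating that burst with a later successful login from the same source turns the count into a finding an analyst can act on. The log lines are constructed for this example in a generic sshd-like layout, and the thresholds (a four-minute trailing baseline, a 3x spike factor, five failures within ten minutes) are assumptions to tune per environment.

```python
"""Added example (not from the original post): turning raw failed-login
monitoring into something actionable.

Part 1 flags a sudden increase in failed logins per minute against a
trailing baseline. Part 2 correlates a burst of failures from one source
with a later successful login from the same source, which a raw count
alone cannot surface. Log lines are constructed for this example in a
generic syslog/sshd-like layout, not any particular product's format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re
import statistics

# Constructed sample log lines (not real data). Layout:
# "<ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
SAMPLE_LOG = """\
2024-03-01T10:00:05 app01 sshd: Failed password for alice from 10.0.0.5
2024-03-01T10:01:12 app01 sshd: Failed password for bob from 10.0.0.7
2024-03-01T10:02:40 app01 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T10:03:15 app01 sshd: Failed password for carol from 10.0.0.9
2024-03-01T10:04:01 app01 sshd: Failed password for bob from 10.0.0.7
2024-03-01T10:05:09 app01 sshd: Failed password for admin from 203.0.113.20
2024-03-01T10:05:11 app01 sshd: Failed password for admin from 203.0.113.20
2024-03-01T10:05:14 app01 sshd: Failed password for sapadm from 203.0.113.20
2024-03-01T10:05:17 app01 sshd: Failed password for root from 203.0.113.20
2024-03-01T10:05:20 app01 sshd: Failed password for admin from 203.0.113.20
2024-03-01T10:05:23 app01 sshd: Failed password for admin from 203.0.113.20
2024-03-01T10:05:40 app01 sshd: Accepted password for admin from 203.0.113.20
2024-03-01T10:06:30 app01 sshd: Failed password for dave from 10.0.0.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a real pipeline would count these as parse errors
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def failed_logins_per_minute(events):
    """Return {minute_start: count} of failed logins, with empty minutes filled in."""
    failed = [e["ts"].replace(second=0, microsecond=0)
              for e in events if e["result"] == "Failed"]
    if not failed:
        return {}
    counts = Counter(failed)
    series, t, end = {}, min(failed), max(failed)
    while t <= end:
        series[t] = counts.get(t, 0)
        t += timedelta(minutes=1)
    return series


def detect_spikes(series, baseline_minutes=4, factor=3.0):
    """Flag minutes whose count exceeds factor * trailing mean (and at least 2).

    Returns a list of (minute, count, baseline_mean) tuples."""
    times = sorted(series)
    spikes = []
    for i, t in enumerate(times):
        if i < baseline_minutes:
            continue  # not enough history yet to form a baseline
        baseline = statistics.mean(series[x] for x in times[i - baseline_minutes:i])
        if series[t] > max(1.0, baseline * factor):
            spikes.append((t, series[t], baseline))
    return spikes


def correlate_failures_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Per source IP, find >= min_failures failed logins followed within `window`
    by a successful login from the same IP. This is the correlation step that
    turns a spike into a concrete, prioritisable finding."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        recent_failures = []
        for e in evs:
            # drop failures that have aged out of the correlation window
            recent_failures = [f for f in recent_failures if e["ts"] - f["ts"] <= window]
            if e["result"] == "Failed":
                recent_failures.append(e)
            elif len(recent_failures) >= min_failures:
                findings.append({
                    "ip": ip,
                    "failed_attempts": len(recent_failures),
                    "users_tried": sorted({f["user"] for f in recent_failures}),
                    "success_user": e["user"],
                    "success_at": e["ts"],
                })
                recent_failures = []
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for t, count, baseline in detect_spikes(failed_logins_per_minute(evs)):
        print(f"spike at {t:%H:%M}: {count} failed logins (baseline {baseline:.2f}/min)")
    for f in correlate_failures_then_success(evs):
        print(f"{f['ip']}: {f['failed_attempts']} failures across {f['users_tried']} "
              f"then success as {f['success_user']} at {f['success_at']:%H:%M:%S}")
```

On the constructed sample the spike detector flags the 10:05 minute (six failures against a baseline under one per minute), which by itself only says "something increased". The correlation step then reports that the same source tried several accounts and finally succeeded, which is the piece of information that sets priority for the incident response the tip says the retained data must support. Over a longer retention period the same per-minute series is also the raw material for a trend metric such as failed logins per day per critical system.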
Cybersecurity is changing rapidly because of the exponential speed of digital transformation, and it continues to evolve to drive more value for enterprises. As SOCs also continue to develop, their importance to the enterprise is increasing, which helps drive improvements to enterprise information security programs and to the security posture of companies.
This forces SOCs, CISOs and CIOs to think about a few things:
- What are the TRUE critical systems and applications?
- Are they visible enough from a monitoring point of view?
- Do we build out these competencies in-house?
- When do we make the next step?
- Is there a partner who has done this before?
Where does your SAP® security stand?