Companies spend significantly to set up information security controls for their business infrastructure. However, they often lack the resources as well as expertise to analyze logs generated by these controls—resulting in underutilization of these controls. Besides, the ever changing threat environment calls for 24/7 kind of monitoring capabilities. In such scenarios, a security operations center can become the apt solution for enterprises. Security operation centers offer continuous risk analysis by centralized analysis of firewall, antivirus and intrusion detection system (IDS) logs. It uses a combination of resources (personnel, dedicated hardware and specialized software) to analyze security controls, detect lapses or breaches in the system, and generate alerts (high, medium or low) according to the situation's criticality.
Enterprises can either build a security operations center inhouse, or outsource it to a managed service provider. In most cases, it might make sense to outsource the security operations center, as the typical organization lacks resources (time as well expertise) for such dedicated activity.
Organizations need to be very careful while selecting a managed service provider. These third parties will be aware of not just organizational processes and critical infrastructure, but also its vulnerabilities. So at times the best approach would be to outsource technology, but not its management. The CISO or security head should ensure that he holds the reins, as far as actions on any particular alerts are concerned.
Another important aspect is to ensure that system logs never go out of the security operations center. Enterprises must design strong service level agreements and non-disclosure agreements on this front. Before selecting a managed service provider, the company must undertake a thorough analysis of the provider. Aspects to evaluate on this front are the service provider's expertise, reputation in the market, and integrity of service delivery. Enterprises can get a third party to analyze and get assurance about the managed service provider.
The security operations center involves integration of different security technology and controls at a central location. Hence every organization must verify the service provider's integration capabilities, as well as the middleware which he plans to use.
Once the selection process is over, the managed service provider generally conducts a risk analysis of the enterprise's architecture. Based on the risk profile, the provider may suggest additional security controls. Organizations should take a phase-wise approach when it comes to covering different aspects of their security architecture under the security operations center. They can first start with perimeter devices, followed by servers and desktops. Apart from log management and analysis, the security operations center also provides capabilities such as threat (internal and external) and vulnerability assessment, penetration testing, phishing alert management, and patch updates.
(With inputs from Dr. Onkar Nath, the chief of information security for Central Bank of India. Dr. Nath is currently setting up a security operations center for Central bank of India.)
NSA reveals more about data security tools