Cyber-Security-Monitoring-Guide

More documents

Recommendations

Info

Cyber Security Monitoring and Logging GuideSecurity engineers are often critical in the delivery of Security Device Managementservices that are extremely common, particularly amongst MSSPs. Such services takeon the ongoing management and maintenance of the security devices that are criticalto effective monitoring.Bringing this into the SOC can be extremely effective since well-maintained securitydevices can improve both the efficiency and effectiveness of monitoring. Indeedpoorly-maintained security devices can significantly reduce the value of anymonitoring carried out on the output of those devices.PeopleMost respondents placed considerable value on many different types of people being employed by SOCs, as shown in thechart below.What value would you place on each of the following types of peoplebeing employed in Security Operations Centres (SOC)?Tier 2 (subject matter expert) analystsIncident managersSecurity engineersTier 1 (front line) analystsSystem administratorsCustomer/client relationship managersOther key roles0.0 0.5 1.0 1.5 2.02.5 3.0 3.5 4.0 4.5 5.0There was an extremely high level of requirements for expert analysts (Tier 2) and expert providers concur that goodanalysts are worth their weight in gold.Indeed, many expert providers of specialist technical security services agree that the People component is the mostimportant, backed up by a balanced solution combining all four elements.“A good analyst can detect the low and slow anomalous events”40
Cyber Security Monitoring and Logging GuideProfessional SOC qualificationsThere are many different professional qualifications available for a range of technical security services, such as penetrationtesting and cyber security incident response. However, there are few, if any, available for the provision of SecurityOperations Centres or the analysts they employ.Analysis of responses to the project survey showed strong support for suppliers of SOC (and NOC) services to be supportedby professional qualifications, accreditation and a code of conduct – as outlined by the high average responses shown inthe table below (scores are shown as a possible rating of 1 to 5).Requirement SOC-related NOC-relatedHolding a professional certification (similar to that used by CREST for theproviders of penetration testing and cyber security incident response services)3.73 3.41Employing individuals with professional qualifications 3.67 3.26Being supported by a professional code of conduct (eg. to gain assuranceover the quality and integrity of services provided and to administer anindependent problem resolution process)3.52 3.24In some cases, professional services companies are accredited to particular codes of conduct, but do not use qualifiedindividuals to conduct cyber security monitoring services, so the required quality of cyber security monitoring may not beachieved. In other cases, an individual may be qualified but not work for an accredited organisation, meaning that thereare fewer assurances about the protection of confidential information or the overall quality of the service provided - andany complaint may be difficult to resolve.The optimum combination is shown in the green box in Figure 10 below. This is the only combination that provides youwith a tangible level of protection should things go wrong – and also reduces the likelihood of a problem occurring in thefirst place.INDIVIDUALQualifiedindividualUnaccredittedorganisationUnqualifiedindividualUnaccredittedorganisationQualifiedindividualAccredittedorganisationUnqualifiedindividualAccreditted organisationORGANISATIONFigure 10: Combinations of accreditation for organisations and the individuals they employProject research identified that there are some existing qualifications and learning options available (eg. SANS) that willneed to be examined and contextualised.41
Page 1: Cyber SecurityMonitoring and Loggin
Page 4 and 5: Cyber Security Monitoring and Loggi
Page 60: The quadrants in this diagram outli

Cyber-Security-Monitoring-Guide

Create successful ePaper yourself

Delete template?

Save as template?