25 Aug Incident Response Preparation: Management Buy-in
In our first Incident Response Preparation post we talked about some technical things that should be done as you are preparing to respond to events, investigations, incidents, and (hopefully not) breaches. We now address some of the management work that needs to happen as you are enabling and spinning up your Incident Response team: A CSIRT/SOC charter and management buy-in.
Management Buy-in/SOC Enablement/Authorization Required for SOC
Management can support SOCs by allowing information sharing and providing authorization, training, and tools to enable SOC team members. Management authorization for SOC personnel to have access to all data, events, and systems on a network is a critical first step. It allows SOCs to use data and not rely on signatures, correlations, or guesses to classify an event. Granting SOCs a budget to acquire tools and training is the classic next step to increase SOC effectiveness and prevent incidents from graduating to data breaches. Critical SOC tools include:
- SOC Charter/Vision
- SIEM/Correlation Engine
- Knowledge Base
- Network Sensors
- Security Automation Tools
- Endpoint Threat Detection and Response Tools
SOC training comes in two flavors: internal or external. The internal training regiment is the critical link to assuring the SOC team works as one. To maintain a team, management must support internal training and ensure the team is following through. External training can be achieved through organizations such as SANS, vendor-specific conferences, or industry groups such as ISACs or FIRST (first.org).
Management support for ISACs, or organizations such as FIRST, to share information and techniques is a method commonly reserved for advanced SOCs. As SOCs mature, they gain the ability to ingest intelligence. The pinnacle of SOC nirvana is to develop custom indicators based on specific threat actors or attack groups. Tracking actions of actors allow for the acquisition of intelligence on what attackers do, how they do it, and what information they target.
A SOC charter is an interesting document that describes the SOC’s scope and services. These charter documents are important for SOC team members to understand the SOC’s vision and should cover the following items:
- Constituents – Who the SOC supports (e.g. in higher-education does the SOC support the students, faculty/staff, or both?)
- Services – Many SOCs stop their service set at ‘walking the wall” when their services could also include vulnerability management, constituent education, and ingraining security into all forms of operations.
- Scope – What’s the scope of the SOC/where does the SOC demarc: is it the Internet? Maybe it’s a sensitive internal network. Either way, a boundary should be set for SOC maintenance edges.
- Authorization – Define the boundaries of actions and checks/balances required to assure SOC agility and maintain constituent privacy.