Develop a Security Operations Strategy

Transition from a security operations center to a threat collaboration environment.

  • There is an onslaught of security data – generating information in different formats, storing it in different places, and forwarding it to different locations.
  • The organization lacks a dedicated enterprise security team. There is limited resourcing available to begin or mature a security operations center.
  • Many organizations are developing ad hoc security capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of security technology investments.
  • It is difficult to communicate the value of a security operations program when trying to secure organizational buy-in to gain the appropriate resourcing.
  • There is limited communication between security functions due to a centralized security operations organizational structure.

Our Advice

Critical Insight

  1. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
  2. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
  3. If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Impact and Result

  • A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.
  • This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

Develop a Security Operations Strategy Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should enhance your security operations program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Assess your current state

Assess current prevention, detection, analysis, and response capabilities.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Overall Impact: 10.0/10
Average $ Saved: $78,749
Average Days Saved: 28

Client | Experience | Impact | $ Saved | Days Saved
Wellpath | Workshop | 10/10 | $31,499 | 5
Ministry of Industry, Innovation, Science and Technology | Guided Implementation | 10/10 | $125K | 50
Sedgwick Cms | Workshop | 9/10 | N/A | N/A
Australian Catholic University | Guided Implementation | 9/10 | N/A | N/A


Workshop: Develop a Security Operations Strategy

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Operational Requirements

The Purpose

  • Determine current prevention, detection, analysis, and response capabilities, operational inefficiencies, and opportunities for improvement.

Key Benefits Achieved

  • Determine why you need a sound security operations program.
  • Understand Info-Tech’s threat collaboration environment.
  • Evaluate your current security operation’s functions and capabilities.

Activities and Outputs

  1.1 Understand the benefits of refining your security operations program.
  1.2 Gauge your current prevention, detection, analysis, and response capabilities.
      Output: Security Operations Preliminary Maturity Assessment Tool

Module 2: Develop Maturity Initiatives

The Purpose

  • Begin developing and prioritizing gap initiatives in order to achieve the optimal state of operations.

Key Benefits Achieved

  • Establish your goals, obligations, scope, and boundaries.
  • Assess your current state and define a target state.
  • Develop and prioritize gap initiatives.
  • Define the cost, effort, alignment, and security benefits of each initiative.
  • Develop a security strategy operational roadmap.

Activities and Outputs

  2.1 Assess your current security goals, obligations, and scope.
      Output: Information Security Strategy Requirements Gathering Tool
  2.2 Design your ideal target state.
  2.3 Prioritize gap initiatives.
      Output: Security Operations Maturity Assessment Tool

Module 3: Define Operational Interdependencies

The Purpose

  • Identify opportunities for collaboration.
  • Formalize your operational process flows.
  • Develop a comprehensive and actionable measurement program.

Key Benefits Achieved

  • Understand the current security operations process flow.
  • Define the security operations stakeholders and their respective deliverables.
  • Formalize an internal information-sharing and collaboration plan.

Activities and Outputs

  3.1 Identify opportunities for collaboration.
      Output: Security Operations RACI & Program Plan Tool
  3.2 Formalize a security operations collaboration plan.
      Output: Security Operations Collaboration Plan
  3.3 Define operational roles and responsibilities.
      Output: Security Operations Cadence Schedule Template
  3.4 Develop a comprehensive measurement program.
      Output: Security Operations Metrics Summary

INFO-TECH RESEARCH GROUP

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2017 Info-Tech Research Group Inc.

ANALYST PERSPECTIVE

“A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Protect your assets by preparing for the inevitable; unify your prevention, detection, analysis, and response efforts and provide assurance to your stakeholders that you are making information security a top priority.”

Edward Gray,
Consulting Analyst, Security, Risk & Compliance
Info-Tech Research Group



Our understanding of the problem

This Research Is Designed For:
  • Chief Information Officer (CIO)
  • Chief Information Security Officer (CISO)
  • Chief Operating Officer (COO)
  • Security / IT Management
  • Security Operations Director / Security Operations Center (SOC)
  • Network Operations Director / Network Operations Center (NOC)
  • Systems Administrator
  • Threat Intelligence Staff
  • Security Operations Staff
  • Security Incident Responders
  • Vulnerability Management Staff
  • Patch Management
This Research Will Help You:
  • Enhance your security program by implementing and streamlining next-generation security operations processes.
  • Increase organizational situational awareness through active collaboration between core threat teams, enriching internal security events with external threat intelligence and enhancing security controls.
  • Develop a comprehensive threat analysis and dissemination process: align people, process, and technology to scale security to threats.
  • Identify the appropriate technological and infrastructure-based sourcing decisions.
  • Design a step-by-step security operations implementation process.
  • Pursue continuous improvement: build a measurement program that actively evaluates program effectiveness.
This Research Will Also Assist:
  • Board / Chief Executive Officer
  • Information Owners (Business Directors/VP)
  • Security Governance and Risk Management
  • Fraud Operations
  • Human Resources
  • Legal and Public Relations
This Research Will Help Them:
  • Aid decision making by staying abreast of cyberthreats that could impact the business.
  • Increase visibility into the organization’s threat landscape to identify likely targets or exposed vulnerabilities.
  • Ensure the business meets its regulatory, legal, and/or compliance requirements.
  • Understand the value and return on investment of security operations offerings.

Executive summary

Situation

  • Current security practices are disjointed, operating independently with a wide variety of processes and tools to conduct incident response, network defense, and threat analysis. These disparate mitigations leave organizations vulnerable to the increasing number of malicious events.
  • Threat management has become resource intensive, requiring continuous monitoring, collection, and analysis of massive volumes of security event data, while juggling business, compliance, and consumer obligations.

Complication

  • There is an onslaught of security data – generating information in different formats, storing it in different places, and forwarding it to different locations.
  • The organization lacks a dedicated enterprise security team. There is limited resourcing available to begin or mature a security operations center.
  • Many organizations are developing ad hoc security capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of their security technology investments.
  • It is difficult to communicate the value of a security operations program when trying to secure organizational buy-in to gain the appropriate resourcing.
  • There is limited communication between security functions due to a centralized security operations organizational structure.

Resolution

  • A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.
  • This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

Info-Tech Insight

  1. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
  2. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
  3. If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Data breaches are resulting in major costs across industries

Horizontal bar chart of 'Per capita cost by industry classification of benchmarked companies', with the highest cost attributed to 'Health', 'Pharmaceutical', 'Financial', 'Energy', and 'Transportation'.

Average data breach costs per compromised record hit an all-time high of $217 (in 2015); $74 is direct cost (e.g. legal fees, technology investment) and $143 is indirect cost (e.g. abnormal customer churn). (Source: Ponemon Institute, “2015 Cost of Data Breach Study: United States”)

% of systems impacted by a data breach: 1% no impact; 19% 1-10% impacted; 41% 11-30% impacted; 24% 31-50% impacted; 15% more than 50% impacted.
% of customers lost from a data breach: 61% lost <20%; 21% lost 20-40%; 8% lost 40-60%; 6% lost 60-80%; 4% lost 80-100%.
% of business opportunity lost from a data breach: 58% lost <20%; 25% lost 20-40%; 9% lost 40-60%; 5% lost 60-80%; 4% lost 80-100%.
(Source: The Network, “Cisco 2017 Security Capabilities Benchmark Study”)

Persistent issues

  • Organizational barriers separating prevention, detection, analysis, and response efforts.
    Siloed operations limit collaboration and internal knowledge sharing.
  • Lack of knowledgeable security staff.
    Human capital is transferable between roles and functions and must be cross-trained to wear multiple hats.
  • Failure to evaluate and improve security operations.
    The effectiveness of operations must be frequently measured and (re)assessed through an iterative system of continuous improvement.
  • Lack of standardization.
    Pre-established use cases and policies outlining tier-1 operational efforts will eliminate ad hoc remediation efforts and streamline operations.
  • Failure to acknowledge the auditor as a customer.
    Many compliance and regulatory obligations require organizations to have comprehensive documentation of their security operations practices.

60% Of organizations say security operation teams have little understanding of each other’s requirements.

40% Of executives report that poor coordination leads to excessive labor and IT operational costs.

38-100% Increase in efficiency after closing operational gaps with collaboration.
(Source: Forbes, “The Game Plan for Closing the SecOps Gap”)

The solution

Bar chart of the 'Benefits of Internal Collaboration' with 'Increased Operational Efficiency' and 'Increased Problem Solving' having the highest percentage.

“Empower a few administrators with the best information to enable fast, automated responses.”
– Ismael Valenzuela, IR/Forensics Technical Practice Manager, Foundstone® Services, Intel Security

Insufficient security personnel resourcing has been identified as the most prevalent challenge in security operations…

When an emergency security incident strikes, weak collaboration and poor coordination among critical business functions will magnify inefficiencies in the incident response (IR) process, impacting the organization’s ability to minimize damage and downtime.

The solution: optimize your SOC. Info-Tech has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization.

Sources:
Ponemon. "2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).”
Syngress. Designing and Building a Security Operations Center.

Maintain a holistic security operations program

Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.
Venn diagram of 'Next-Gen Security Operations' with four intersecting circles: 'Prevent', 'Detect', 'Analyze', and 'Respond'.

Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operations, and technology infrastructure on a daily basis.

Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.

Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.

Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.

Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.

Info-Tech’s security operations blueprint ties together various initiatives

Design and Implement a Vulnerability Management Program

Vulnerability Management
Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.
Deliverables
  • Vulnerability Tracking Tool
  • Vulnerability Scanning Tool RFP Template
  • Penetration Test RFP Template
  • Vulnerability Mitigation Process Template
Integrate Threat Intelligence Into Your Security Operations

Threat Intelligence
Threat intelligence addresses the collection, analysis, and dissemination of external threat data. Analysts act as liaisons to their peers, publishing actionable threat alerts, reports, and briefings. Threat intelligence proactively monitors and identifies whether threat indicators are impacting your organization.
Deliverables
  • Maturity Assessment Tool
  • Threat Intelligence RACI Tool
  • Management Plan Template
  • Threat Intelligence Policy Template
  • Alert Template
  • Alert and Briefing Cadence Schedule
Develop Foundational Security Operations Processes

Operations
Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. Analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.
Deliverables
  • Maturity Assessment Tool
  • Event Prioritization Tool
  • Efficiency Calculator
  • SecOps Policy Template
  • In-House vs. Outsourcing Decision-Making Tool
  • SecOps RACI Tool
  • TCO & ROI Comparison Calculator
Develop and Implement a Security Incident Management Program

Incident Response
Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. IR teams coordinate root-cause analysis and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.
Deliverables
  • Incident Management Policy
  • Maturity Assessment Tool
  • Incident Management RACI Tool
  • Incident Management Plan
  • Incident Runbook Prioritization Tool
  • Various Incident Management Runbooks

This blueprint will…

…better protect your organization with an interdependent and collaborative security operations program.

Phase 01: Assess your operational requirements.
  Briefly assess your current prevention, detection, analysis, and response capabilities.
  Highlight operational weak spots that should be addressed before progressing.

Phase 02: Optimize and further mature your security operations processes.
  Develop a prioritized list of security-focused operational initiatives.
  Conduct a holistic analysis of your operational capabilities.

Phase 3a: Develop the process flow and specific interaction points between functions.
  Define the operational interaction points between security-focused operational departments.
  Document the results in a comprehensive operational interaction agreement.

Phase 3b: Test your current capabilities with a table-top exercise.
  Test your operational processes with Info-Tech’s security operations table-top exercise.

Info-Tech integrates several best practices to create a best-of-breed security framework

Diagram: Info-Tech’s ‘Information Security Framework’ of best practices, grouped under ‘Governance’ and ‘Management’ (with subcategories such as ‘Context & Leadership’ and ‘Prevention’); practices shown in blue are ‘In Scope’ for this blueprint and those in white are ‘Out of Scope’.

Benefits of a collaborative and integrated operations program

Effective security operations management will help you do the following:

  • Improve efficacy
    Develop structured processes to automate activities and increase process consistency across the security program. Expose operational weak points and transition teams from firefighting to an innovator role.
  • Improve threat protection
    Enhance network controls through the hardening of perimeter defenses, an intelligence-driven analysis process, and a streamlined incident remediation process.
  • Improve visibility and information sharing
    Promote both internal and external information sharing to enable good decision making.
  • Create and clarify accountability and responsibility
    Security operations management practices will set a clear level of accountability throughout the security program and ensure role responsibility for all tasks and processes involved in service delivery.
  • Control security costs
    Security operations management is concerned with delivering promised services in the most efficient way possible. Good security operations management practices will provide insight into current costs across the organization and present opportunities for cost savings.
  • Identify opportunities for continuous improvement
    Increased visibility into current performance levels and the ability to accurately identify opportunities for continuous improvement.

Impact

Short term:

  • Streamlined security operations program development process.
  • Completed comprehensive list of operational gaps and initiatives.
  • Formalized and structured implementation process.
  • Standardized operational use cases that predefine necessary operational protocol.

Long term:

  • Enhanced visibility into immediate threat environment.
  • Improved effectiveness of internal defensive controls.
  • Increased operational collaboration between prevention, detection, analysis, and response efforts.
  • Enhanced security pressure posture.
  • Improved communication with executives about relevant security risks to the business.

Understand the cost of not having a suitable security operations program

A practical approach, justifying the value of security operations, is to identify the assets at risk and calculate the cost to the company should the information assets be compromised (i.e. assess the damage an attacker could do to the business).

Cost Structure | Cost Estimation ($) for SMB (small and medium-sized business) | Cost Estimation ($) for LE (large enterprise)

Security controls
  • Technology investment: software, hardware, facility, maintenance, etc.
  • Cost of process implementation: incident response, CMDB, problem management, etc.
  • Cost of resource: salary, training, recruiting, etc.
  SMB: $0-300K/year | LE: $200K-2M/year

Security incidents (if no security control is in place)
  Explicit cost:
  1. Incident response cost:
    • Remediation costs
    • Productivity: (number of employees impacted) × (hours out) × (burdened hourly rate)
    • Extra professional services
    • Equipment rental, travel expenses, etc.
    • Compliance fine
    • Cost of notifying clients
  2. Revenue loss: direct loss, the impact of permanent loss of data, lost future revenues
  3. Financial performance: credit rating, stock price
  Hidden cost:
    • Reputation, customer loyalty, etc.
  SMB: $15K-650K/year | LE: $270K-11M/year

Workshop Overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
Activities
  • Kick-off and introductions.
  • High-level overview of weekly activities and outcomes.
  • Activity: Define workshop objectives and current state of knowledge.
  • Understand the threat collaboration environment.
  • Understand the benefits of an optimized security operations.
  • Activity: Review preliminary maturity level.
  • Activity: Assess current people, processes, and technology capabilities.
  • Activity: Assess workflow capabilities.
  • Activity: Begin deep-dive into maturity assessment tool.
  • Discuss strategies to enhance the analysis process (ticketing, automation, visualization, use cases, etc.).
  • Activity: Design ideal target state.
  • Activity: Identify security gaps.
  • Build initiatives to bridge the gaps.
  • Activity: Estimate the resources needed.
  • Activity: Prioritize gap initiatives.
  • Activity: Develop dashboarding and visualization metrics.
  • Activity: Plan for a transition with the security roadmap and action plan.
  • Activity: Define and assign tier 1, 2 & 3 SOC roles and responsibilities.
  • Activity: Assign roles and responsibilities for each security operations initiative.
  • Activity: Develop a comprehensive measurement program.
  • Activity: Develop specific runbooks for your top-priority incidents (e.g. ransomware).
    • Detect the incident.
    • Analyze the incident.
    • Contain the incident.
    • Eradicate the root cause.
    • Recover from the incident.
    • Conduct post-incident analysis and communication.
  • Activity: Conduct attack campaign simulation.
  • Finalize main deliverables.
  • Schedule feedback call.
Deliverables
  • Security Operations Maturity Assessment Tool
  • Target State and Gap Analysis (Security Operations Maturity Assessment Tool)
  • Security Operations Role & Process Design
  • Security Operations RACI Chart
  • Security Operations Metrics Summary
  • Security Operations Phishing Process Runbook
  • Attack Campaign Simulation PowerPoint

PHASE 1: Assess Operational Requirements

This step will walk you through the following activities:

  • Determine why you need a sound security operations program.
  • Understand Info-Tech’s threat collaboration environment.
  • Evaluate your current security operation’s functions and capabilities.

Outcomes of this step

  • A defined scope and motive for completing this project.
  • Insight into your current security operations capabilities.
  • A prioritized list of security operations initiatives based on maturity level.

Info-Tech Insight

Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.

Warm-up exercise: Why build a security operations program?

Estimated time to completion: 30 minutes

Discussion: Why are we pursuing this project?

What are the objectives for optimizing and developing sound security operations?

Stakeholders Required:

  • Key business executives
  • IT leaders
  • Security operations team members

Resources Required

  • Sticky notes
  • Whiteboard
  • Dry-erase markers

  1. Briefly define the scope of security operations
    What people, processes, and technology fall within the security operations umbrella?
  2. Brainstorm the implications of not acting
    What does the status quo have in store? What are the potential risks?
  3. Define the goals of the project
    Clarify from the outset: what exactly do you want to accomplish from this project?
  4. Prioritize all brainstormed goals
    Classify the goals based on relevant prioritization criteria, e.g. urgency, impact, cost.

Info-Tech Best Practice

Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.

Decentralizing the SOC: Security as a function

Before you begin, remember that no two security operation programs are the same. While the end goal may be similar, the threat landscape, risk tolerance, and organizational requirements will differ from any other SOC. Determine what your DNA looks like before you begin to protect it.

Security operations must provide several fundamental functions:
  • Real-time monitoring, detecting, and triaging of data from both internal and external sources.
  • In-depth analysis of indicators and incidents, leveraging malware analysis, correlation and rule tweaking, and forensics and eDiscovery techniques.
  • Network/host scanning and vulnerability patch management.
  • Incident response, remediation, and reporting. Security operations must disseminate appropriate information/intelligence to relevant stakeholders.
  • Comprehensive logging and ticketing capabilities that document and communicate events throughout the threat collaboration environment.
  • Tuning and tweaking of technologies to ingest collected data and enhance the analysis process.
  • Enhancing overall organizational situational awareness by reporting on security trends, escalating incidents, and sharing adversary tools, tactics, and procedures.
Venn diagram of 'Security Operations' with four intersecting circles: 'Prevent', 'Detect', 'Analyze', and 'Respond'.
At its core, a security operations program is responsible for the prevention, detection, analysis, and response of security events.

Optimized security operations can seamlessly integrate threat and incident management processes with monitoring and compliance workflows and resources. This integration unlocks efficiency.

Understand the levels of security operations

Take the time to map out what you need and where you should go. Security operations has to be more than just monitoring events – there must be a structured program.

Security operations capabilities progress from Foundational, through Operational, to Strategic:
  • Intrusion Detection Management
  • Active Device and Event Monitoring
  • Log Collection and Retention
  • Reporting and Escalation Management
  • Incident Management
  • Audit Compliance
  • Vendor Management
  • Ticketing Processes
  • Packet Capture and Analysis
  • SIEM
  • Firewall
  • Antivirus
  • Patch Management
  • Event Analysis and Incident Triage
  • Security Log Management
  • Vulnerability Management
  • Host Hardening
  • Static Malware Analysis
  • Identity and Access Management
  • Change Management
  • Endpoint Management
  • Business Continuity Management
  • Encryption Management
  • Cloud Security (if applicable)
  • SIEM with Defined Use Cases
  • Big Data Security Analytics
  • Threat Intelligence
  • Network Flow Analysis
  • VPN Anomaly Detection
  • Dynamic Malware Analysis
  • Use-Case Management
  • Feedback and Continuous Improvement Management
  • Visualization and Dashboarding
  • Knowledge Portal Ticket Documentation
  • Advanced Threat Hunting
  • Control and Process Automation
  • eDiscovery and Forensics
  • Risk Management

Understand security operations: Establish a unified threat collaboration environment

Stock image 1.

Design and Implement a Vulnerability Management Program

Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address threats impacting the organization’s brand, operations, and technology infrastructure.
  • Managing incident escalation and response.
  • Coordinating root-cause analysis and incident gathering.
  • Facilitating post-incident lessons learned.
  • Managing system patching and risk acceptance.
  • Conducting vulnerability assessment and penetration testing.
  • Monitoring in real-time and triaging of events.
  • Escalating events to incident management team.
  • Tuning and tweaking rules and reporting thresholds.
  • Gathering and analyzing external threat data.
  • Liaising with peers, industry, and government.
  • Publishing threat alerts, reports, and briefings.

Info-Tech Best Practice

Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.

Integrate Threat Intelligence Into Your Security Operations

Develop Foundational Security Operations Processes

Develop and Implement a Security Incident Management Program

The threat collaboration environment consists of three core elements

Info-Tech Insight

The value of a SOC can be achieved with fewer prerequisites than you think. While it is difficult to cut back on process and technology requirements, human capital is transferable between roles and functions and can be cross-trained to satisfy operational gaps.

Figure: three hexes fitting together, labelled 'People', 'Process', and 'Technology'.

People. Effective human capital is fundamental to establishing an efficient security operations program, and if enabled correctly, can be the driving factor behind successful process optimization. Ensure you address several critical human capital components:
  • Who is responsible for each respective threat collaboration environment function?
  • What are the required operational roles, responsibilities, and competencies for each employee?
  • Are there formalized training procedures to onboard new employees?
  • Is there an established knowledge transfer and management program?
Processes. Formal and informal mechanisms that bridge security throughout the collaboration environment and organization at large. Ask yourself:
  • Are there defined runbooks that clearly outline critical operational procedures and guidelines?
  • Is there a defined escalation protocol to transfer knowledge and share threats internally?
  • Is there a defined reporting procedure to share intelligence externally?
  • Are there formal and accessible policies for each respective security operations function?
  • Is there a defined measurement program to report on the performance of security operations?
  • Is there a continuous improvement program in place for all security operations functions?
  • Is there a defined operational vendor management program?
Technology. The composition of all infrastructure, systems, controls, and tools that enable processes and people to operate and collaborate more efficiently. Determine:
  • Are the appropriate controls implemented to effectively prevent, detect, analyze, and remediate threats? Is each control documented with an assigned asset owner?
  • Can a solution integrate with existing controls? If so, to what extent?
  • Is there a centralized log aggregation tool such as a SIEM?
  • What is the operational cost to effectively manage each control?
  • Is the control the most up-to-date version? Have the most recent patches and configuration changes been applied? Can it be consolidated with or replaced by another control?

Conduct a preliminary maturity assessment before tackling this project

Design and Implement a Vulnerability Management Program

Sample of Info-Tech's Security Operations Preliminary Maturity Assessment

At a high level, assess your organization’s operational maturity in each of the threat collaboration environment functions. Determine whether the foundational processes exist in order to mature and streamline your security operations.

Integrate Threat Intelligence Into Your Security Operations

Develop Foundational Security Operations Processes

Develop and Implement a Security Incident Management Program

Assess the current maturity of your security operations program

Prioritize the component most important to the development of your security operations program.

Screenshot of a table from the Security Operations Preliminary Maturity Assessment presenting the 'Impact Sub-Weightings' of 'People', 'Process', 'Technology', and 'Policy'.
Screenshot of a table from the Security Operations Preliminary Maturity Assessment assessing the 'Current State' and 'Target State' of different 'Security Capabilities'.
Each “security capability” covers a component of the overarching “security function.” Assign a current and target maturity score to each respective security capability. (Note: The CMMI maturity scores are further explained on the following slide.) Document any/all comments for future Info-Tech analyst discussions.

Assign each security capability a reflective and desired maturity score.

Your current and target state maturity will be determined using the capability maturity model integration (CMMI) scale. Ensure that all participants understand the 1-5 scale.
(The scale runs from Ad Hoc at 1 to Optimized at 5.)
  1. Initial/Ad Hoc: Activity is not well defined and is ad hoc, e.g. no formal roles or responsibilities exist, de facto standards are followed on an individual-by-individual basis.
  2. Developing: Activity is established and there is moderate adherence to its execution, e.g. while no formal policies have been documented, content management is occurring implicitly or on an individual-by-individual basis.
  3. Defined: Activity is formally established, documented, repeatable, and integrated with other phases of the process, e.g. roles and responsibilities have been defined and documented in an accessible policy; however, metrics are not actively monitored and managed.
  4. Managed and Measurable: Activity execution is tracked by gathering qualitative and quantitative feedback, e.g. metrics have been established to monitor the effectiveness of tier-1 SOC analysts.
  5. Optimized: Qualitative and quantitative feedback is used to continually improve the execution of the activity, e.g. the organization is an industry leader in the respective field; research and development efforts are allocated in order to continuously explore more efficient methods of accomplishing the task at hand.

Notes: Info-Tech seldom sees a client achieve a CMMI score of 4 or 5. To achieve a state of optimization there must be a subsequent trade-off elsewhere. As such, we recommend that organizations strive for a CMMI score of 3 or 4.

Ensure that your threat collaboration environment is of a sufficient maturity before progressing

Example report card from the maturity assessment. Functions are color-coded green, yellow, and red. Review the report cards for each of the respective threat collaboration environment functions.
  • A green function indicates that you have exceeded the operational requirements to proceed with the security operations initiative.
  • A yellow function indicates that your maturity score is below the recommended threshold; Info-Tech advises revisiting the attached blueprint. In the instance of a one-off case, the client can proceed with this security operations initiative.
  • A red function indicates that your maturity score is well below the recommended threshold; Info-Tech strongly advises to not proceed with the security operations initiative. Revisit the recommended blueprint and further mature the specific function.

Are you ready to move on to the next phase?

Self-Assessment Questions

  • Have you clearly defined the rationale for refining your security operations program?
  • Have you clearly defined and prioritized the goals and outcomes of optimizing your security operations program?
  • Have you assessed your respective people, process, and technological capabilities?
  • Have you completed the Security Operations Preliminary Maturity Assessment Tool?
  • Were all threat collaboration environment functions of a sufficient maturity level?

If you answered “yes” to the questions, then you are ready to move on to Phase 2: Develop Maturity Initiatives.

Develop a Security Operations Strategy

PHASE 2: Develop Maturity Initiatives

  1. Assess Operational Requirements
  2. Develop Maturity Initiatives
  3. Define Interdependencies

This step will walk you through the following activities:

  • Establish your goals, obligations, scope, and boundaries.
  • Assess your current state and define a target state.
  • Develop and prioritize gap initiatives.
  • Define cost, effort, alignment, and security benefit of each initiative.
  • Develop a security strategy operational roadmap.

Outcomes of this step

  • A formalized understanding of your business, customer, and regulatory obligations.
  • A comprehensive current and target state assessment.
  • A succinct and consolidated list of gap initiatives that will collectively achieve your target state.
  • A formally documented set of estimated priority variables (cost, effort, business alignment).
  • A fully prioritized security roadmap that is in alignment with business goals and informed by the organization’s needs and limitations.

Info-Tech Insight

Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.

Align your security operations program with corporate goals and obligations

A common challenge for security leaders is learning to express their initiatives in terms that are meaningful to business executives.

Frame the importance of your security operations program to align with that of the decision makers’ over-arching strategy.

Oftentimes resourcing and funding is dependent on the alignment of security initiatives to business objectives.

Corporate goals and objectives can be categorized into three major buckets:
  1. BUSINESS OBLIGATIONS
    The primary goals and functions of the organization at large. Examples include customer retention, growth, innovation, customer experience, etc.
  2. CONSUMER OBLIGATIONS
    The needs and demands of internal and external stakeholders. Examples include ease of use (external), data protection (external), offsite access (internal), etc.
  3. COMPLIANCE OBLIGATIONS
    The requirements of the organization to comply with mandatory and/or voluntary standards. Examples include HIPAA, PIPEDA, ISO 27001, etc.
*Do not approach the above list with a security mindset – take a business perspective and align your security efforts accordingly.

Info-Tech Best Practice

Developing a security operations strategy is a proactive activity that enables you to get in front of any upcoming business projects or industry trends rather than having to respond reactively later on. Consider as many foreseeable variables as possible!

Determine your security operations program scope and boundaries

It is important to define all security-related areas of responsibility. Upon completion you should clearly understand what you are trying to secure.

Ask yourself:
Where does the onus of responsibility stop?

The organizational scope and boundaries can be categorized into four major buckets:
  1. PHYSICAL SCOPE
    The physical locations that the security operations program is responsible for. Examples include office locations, remote access, clients/vendors, etc.
  2. IT SYSTEMS
    The network systems that must be protected by the security operations program. Examples include fully owned systems, IaaS, PaaS, remotely hosted SaaS, etc.
  3. ORGANIZATIONAL SCOPE
    The business units, departments, or divisions that will be affected by the security operations program. Examples include user groups, departments, subsidiaries, etc.
  4. DATA SCOPE
    The data types that the business handles and the privacy/criticality level of each. Examples include top secret, confidential, private, public, etc.

This also includes what is not within scope. For some outsourced services or locations you may not be responsible for security. For some business departments you may not have control of security processes. Ensure that it is made explicit at the outset, what will be included and what will be excluded from security considerations.

Reference Info-Tech’s security strategy: goals, obligations, and scope activities

Explicitly understanding how security aligns with the core business mission is critical for having a strategic plan and fulfilling the role of business enabler.

Download and complete the information security goals, obligations and scope activities (Section 1.3) within the Info-Tech security strategy research publication. If previously completed, take the time to review your results.

GOALS and OBLIGATIONS
Proceed through each slide and brainstorm the ways that security operations supports business, customer, and compliance needs.

Goals & Obligations
Screenshots of slides from the information security goals, obligations and scope activities (Section 1.3) within the Info-Tech security strategy research publication.

PROGRAM SCOPE & BOUNDARIES
Assess your current organizational environment. Document current IT systems, critical data, physical environments, and departmental divisions.

If a well-defined corporate strategy does not exist, these questions can help pinpoint objectives:

  • What is the message being delivered by the CEO?
  • What are the main themes of investments and projects?
  • What are the senior leaders measured on?
Program Scope & Boundaries
Screenshots of slides from the information security goals, obligations and scope activities (Section 1.3) within the Info-Tech security strategy research publication.

INFO-TECH OPPORTUNITY

For more information on how to complete the goals & obligations activity please reference Section 1.3 of Info-Tech’s Build an Information Security Strategy blueprint.

Complete the Information Security Requirements Gathering Tool

On tab 1. Goals and Obligations:
  • Document all business, customer, and compliance obligations. Ensure that each item is reflective of the over-arching business strategy and is not security focused.
  • In the second column, identify the corresponding security initiative that supports the obligation.
Screenshot from tab 1 of Info-Tech's Information Security Requirements Gathering Tool. Columns are 'Business obligations', 'Security obligations to support the business (optional)', and 'Notes'.
On tab 2. Scope and Boundaries:
  • Record all details for what is in and out of scope from physical, IT, organizational, and data perspectives.
  • Complete the affiliated columns for a comprehensive scope assessment.
  • As a discussion guide, refer to the considerations slides prior to this in phase 1.3.
Screenshot from tab 2 of Info-Tech's Information Security Requirements Gathering Tool. Title is 'Physical Scope', Columns are 'Environment Name', 'Highest data criticality here', 'Is this in scope of the security strategy?', 'Are we accountable for security here?', and 'Notes'.
For the purpose of this security operations initiative please IGNORE the risk tolerance activities on tab 3.

Info-Tech Best Practice

A common challenge for security leaders is expressing their initiatives in terms that are meaningful to business executives. This exercise helps make explicit the link between what the business cares about and what security is trying to do.

Conduct a comprehensive security operations maturity assessment

The following slides will walk you through the process below.

Define your current and target state

Self-assess your current security operations capabilities and determine your intended state.

Create your gap initiatives

Determine the operational processes that must be completed in order to achieve the target state.

Prioritize your initiatives

Define your prioritization criteria (cost, effort, alignment, security benefit) based on your organization.

Build a Gantt chart for your upcoming initiatives
The final output will be a Gantt chart to action your prioritized initiatives.

Info-Tech Insight

Progressive improvements provide the most value to IT and your organization. Leaping from pre-foundation to complete optimization is an ineffective goal. Systematic improvements to your security performance deliver value to your organization at each step along the way.

Optimize your security operations workflow

Info-Tech consulted various industry experts and consolidated their optimization advice.

Dashboards: Centralized visibility, threat analytics, and orchestration enable faster threat detection with fewer resources.

Adding more controls to a network never increases resiliency. Identify technological overlaps and eliminate unnecessary costs.

Automation: There is a shortfall in human capital relative to the required tools and processes. Automate the more trivial processes.

SOCs with 900 employees are just as efficient as those with 35-40. There is an evident tipping point in marginal value.

There are no plug-and-play technological solutions – each is accompanied by a growing pain and an affiliated human capital cost.

Planning: Narrow the scope of operations to focus on protecting assets of value.

Cross-train employees throughout different silos. Enable them to wear multiple hats.

Practice: None of the processes happen in a vacuum. Make the most of tabletop exercises and other training exercises.

Define appropriate use cases and explicitly state threat escalation protocol. Focus on automating the tier-1 analyst role.

Self-assess your current-state capabilities and determine the appropriate target state

  1. Review: The heading in blue is the security domain, light blue is the subdomain, and white is the specific control.
  2. Determine and Record: Ask participants to identify your organization’s current maturity level for each control. Next, determine a target maturity level that meets the requirements of the area (requirements should reflect the goals and obligations defined earlier).
  3. In small groups, have participants answer “what is required to achieve the target state?” Not all current/target state gaps will require additional description, explanation, or an associated initiative. You can generate one initiative that may apply to multiple line items.

Screenshot of a table for assessing the current and target states of capabilities.

Info-Tech Best Practice

When customizing your gap initiatives consider your organizational requirements and scope while remaining realistic. Below is an example of lofty vs. realistic initiatives:
Lofty: Perform thorough, manual security analysis. Realistic: Leverage our SIEM platform to perform more automated security analysis through the use of log information.

Consolidate related gap initiatives to simplify and streamline your roadmap

Identify areas of commonality between gap initiatives in order to effectively and efficiently implement your new initiatives.

Steps:
  1. After reviewing and documenting initiatives for each security control, begin sorting controls by commonality, where resources can be shared, or similar end goals and actions. Begin by copying all initiatives from tab 2. Current State Assessment into tab 5. Initiative List of the Security Operations Maturity Assessment Tool and then consolidating them.
  2. Consolidate the initiatives. Example (Initiatives —› Consolidated Initiatives):
    Document data classification and handling in AUP —› Document data classification and handling in AUP (kept separate: keep urgent or exceptional initiatives separate so they can be addressed appropriately).
    Document removable media in AUP; Document BYOD and mobile devices in AUP; Document company assets in Acceptable Use Policy (AUP) —› Define and document an Acceptable Use Policy (other similar or related initiatives can be consolidated into one item).

  3. Review grouped initiatives and identify specific initiatives that should be broken out and defined separately.
  4. Record your consolidated gap initiatives in the Security Operations Maturity Assessment Tool, tab 6. Initiative Prioritization.

Understand your organizational maturity gap

After inputting your current and target scores and defining your gap initiatives in tab 2, review tab 3. Current Maturity and tab 4. Maturity Gap in Info-Tech’s Security Operations Maturity Assessment Tool.

Automatically built charts and tables provide a clear visualization of your current maturity.

Presenting these figures to stakeholders and management can help visually draw attention to high-priority areas and contextualize the gap initiatives for which you will be seeking support.

Screenshot of tabs 3 and 4 from Info-Tech's Security Operations Maturity Assessment Tool. Bar charts titled 'Planning and Direction', 'Vulnerability Management', 'Threat Intelligence', and 'Security Maturity Level Gap Analysis'.

Info-Tech Best Practice

Communicate the value of future security projects to stakeholders by copying relevant charts and tables into an executive stakeholder communication presentation (ask an Info-Tech representative for further information).

Define cost, effort, alignment, and security benefit

Define low, medium, and high resource allocation, and other variables for your gap initiatives in the Concept of Operations Maturity Assessment Tool. These variables include:
  1. Define initial cost. One-time, upfront capital investments. The low cut-off would be a project that can be approved with little to no oversight, whereas the high cut-off would be a project that requires a major approval or a formal capital investment request. Initial cost covers items such as appliance cost, installation, project-based consulting fees, etc.
  2. Define ongoing cost. This includes any annually recurring operating expenses that are new budgetary costs, e.g. licensing or rental costs. Do not account for FTE employee costs. Generally speaking, you can take 20-25% of initial cost as ongoing cost for maintenance and service.
  3. Define initial staffing in hours. This is the total time in hours required to complete a project. Note: It is not total elapsed time, but dedicated time. Consider time required to research, document, implement, review, set up, fine tune, etc. Consider all staff hours required (2 staff at 8 hours means 16 hours total).
  4. Define ongoing staffing in hours. This is the ongoing average hours per week required to support that initiative. This covers all operations, maintenance, review, and support for the initiative. Some initiatives will have a weekly time commitment (e.g. perform a vulnerability scan using our tool once a week), versus others that may have monthly, quarterly, or annual time commitments that need to be averaged out per week (e.g. an annual security review requiring 0.4 hours/week, i.e. 20 hours total based on 50 working weeks per year).
Table relating the four definitions on the left, 'Initial Cost', 'Ongoing Cost (annual)', 'Initial Staffing in Hours', and 'Ongoing Staffing in Hours/Week'. Each row header is a definition and has four sub-rows 'High', 'Medium', 'Low', and 'Zero'.

Info-Tech Best Practice

When considering these parameters, aim to use already existing resource allocations.

For example, if there is a dollar value that would require you to seek approval for an expense, this might be the difference between a medium and a high cost category.

Define cost, effort, alignment, and security benefit

  1. Define Alignment with Business. This variable is meant to capture how well the gap initiative aligns with organizational goals and objectives. For example, something with high alignment usually can be tied to a specific organization initiative and will receive senior management support. You can either:
    • Set low, medium, and high based on the level of support the organization will provide (e.g. High – senior management support, Medium – VP/business unit head support, Low – IT support only).
    • Attribute specific corporate goals or initiatives to the gap initiative (e.g. High – directly supports a customer requirement/key contract requirement; Medium – indirectly supports a customer requirement/key contract OR enables a remote workforce; Low – security best practice).
  2. Define Security Benefit. This variable is meant to capture the relative security benefit or risk reduction being provided by the gap initiative. This can be represented through a variety of factors, such as:
    • Reduces compliance or regulatory risk by meeting a control requirement
    • Reduces availability and operational risk
    • Implements a non-existent control
    • Secures high-criticality data
    • Secures at-risk end users
Table relating the two definitions on the left, 'Alignment with Business', and 'Security Benefit'. Each row header is a definition and has three sub-rows 'High', 'Medium', and 'Low'.

Info-Tech Best Practice

Make sure you consider the value of AND/OR. For either alignment with business or security benefit, the use of AND/OR can become useful thresholds to rank similar importance but different value initiatives.

Example: with alignment with business, an initiative can indirectly support a key compliance requirement OR meet a key corporate goal.

Info-Tech Insight

You cannot do everything – and you probably wouldn’t want to. Make educated decisions about which projects are most important and why.

Apply your variable criteria to your initiatives

Identify easy-win tasks and high-value projects worth fighting for.
Categorize the Initiative
Select the gap initiative type from the drop-down list. Each category (Must, Should, Could, and Won’t) is considered to be an “execution wave.” There is also a specific order of operations within each wave. Based on dependencies and order of importance, you will execute on some “must-do” items before others.
Assign Criteria
For each gap initiative, evaluate it based on your previously defined parameters for each variable.
  • Cost – initial and ongoing
  • Staffing – initial and ongoing
  • Alignment with business
  • Security benefit
Overall Cost/Effort Rating
An automatically generated score between 0 and 12. The higher the score attached to the initiative, the more effort required. The must-do, low-scoring items are quick wins and must be prioritized first.
Screenshot of a table from Info-Tech's Concept of Operations Maturity Assessment Tool with all of the previous table row headers as column headers.
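As an added example that is not part of Info-Tech's Security Operations Maturity Assessment Tool, the following Python sketches the scoring the slides describe: organization-defined cut-offs turn raw dollar and hour estimates into Zero/Low/Medium/High levels, the four cost/effort levels are summed into the 0-12 rating (the summing rule is an assumption consistent with that range, not a formula the page gives), and initiatives are ordered by execution wave, then by rating, with quick wins picked out. The cut-off values and initiative names are constructed sample data.

```python
"""Gap-initiative prioritization helper.

Added example; not Info-Tech's Security Operations Maturity Assessment Tool.
Assumptions (not stated on the page): each of the four cost/effort variables
is scored Zero=0, Low=1, Medium=2, High=3 and the Overall Cost/Effort Rating
is their sum, which produces the 0-12 range the page describes. The cut-off
values and initiatives below are constructed sample data.
"""
from dataclasses import dataclass

LEVEL_SCORE = {"Zero": 0, "Low": 1, "Medium": 2, "High": 3}
WAVE_ORDER = {"Must": 0, "Should": 1, "Could": 2, "Won't": 3}
COST_EFFORT_VARIABLES = ("initial_cost", "ongoing_cost",
                         "initial_staffing", "ongoing_staffing")

# Constructed organization-specific cut-offs: (inclusive upper bound, level).
# Anything above the last bound is High. Units: dollars, dollars per year,
# dedicated hours, average hours per week.
SAMPLE_CUT_OFFS = {
    "initial_cost": [(0, "Zero"), (5_000, "Low"), (50_000, "Medium")],
    "ongoing_cost": [(0, "Zero"), (1_000, "Low"), (10_000, "Medium")],
    "initial_staffing": [(0, "Zero"), (8, "Low"), (80, "Medium")],
    "ongoing_staffing": [(0, "Zero"), (2, "Low"), (8, "Medium")],
}


def level_for(variable, amount, cut_offs=SAMPLE_CUT_OFFS):
    """Map a raw estimate to Zero/Low/Medium/High using the org's cut-offs."""
    if amount < 0:
        raise ValueError(f"{variable} cannot be negative: {amount}")
    for bound, level in cut_offs[variable]:
        if amount <= bound:
            return level
    return "High"


def weekly_hours(total_hours, working_weeks=50):
    """Average a periodic commitment out per week, as the page does for an
    annual 20-hour review over 50 working weeks (0.4 h/week)."""
    return total_hours / working_weeks


@dataclass(frozen=True)
class Initiative:
    name: str
    wave: str                 # Must / Should / Could / Won't execution wave
    initial_cost: float       # one-time capital dollars
    ongoing_cost: float       # new annual recurring dollars (no FTE cost)
    initial_staffing: float   # dedicated hours to complete, all staff summed
    ongoing_staffing: float   # average hours per week to support
    alignment: str            # Low / Medium / High alignment with business
    security_benefit: str     # Low / Medium / High

    def __post_init__(self):
        if self.wave not in WAVE_ORDER:
            raise ValueError(f"unknown wave {self.wave!r}")
        for label in (self.alignment, self.security_benefit):
            if label not in ("Low", "Medium", "High"):
                raise ValueError(f"unknown level {label!r}")


def cost_effort_levels(init, cut_offs=SAMPLE_CUT_OFFS):
    """The four Zero/Low/Medium/High labels for one initiative."""
    return {v: level_for(v, getattr(init, v), cut_offs)
            for v in COST_EFFORT_VARIABLES}


def cost_effort_rating(init, cut_offs=SAMPLE_CUT_OFFS):
    """Assumed rating: sum of the four level scores, 0 (all Zero) to 12."""
    return sum(LEVEL_SCORE[lvl]
               for lvl in cost_effort_levels(init, cut_offs).values())


def prioritize(initiatives, cut_offs=SAMPLE_CUT_OFFS):
    """Order by execution wave, then lowest cost/effort first; ties go to
    the higher security benefit, then higher business alignment."""
    return sorted(initiatives, key=lambda i: (
        WAVE_ORDER[i.wave],
        cost_effort_rating(i, cut_offs),
        -LEVEL_SCORE[i.security_benefit],
        -LEVEL_SCORE[i.alignment],
    ))


def quick_wins(initiatives, max_rating=4, cut_offs=SAMPLE_CUT_OFFS):
    """Must-do items with a low rating: the quick wins to schedule first."""
    return [i for i in initiatives
            if i.wave == "Must" and cost_effort_rating(i, cut_offs) <= max_rating]


# Constructed sample initiatives, loosely modelled on the case-study names.
SAMPLE_INITIATIVES = [
    Initiative("Document Charter", "Must", 1_000, 0, 6, 1, "High", "Medium"),
    Initiative("Document RACI", "Must", 500, 0, 4, 1, "Medium", "Medium"),
    Initiative("Expand IR processes", "Must", 20_000, 500, 120, 1.5, "High", "High"),
    Initiative("Investigate Threat Intel", "Should", 2_000, 0, 40, 1, "Medium", "High"),
    Initiative("Deploy SIEM use cases", "Should", 75_000, 15_000, 200,
               weekly_hours(500), "High", "High"),
]

if __name__ == "__main__":
    for init in prioritize(SAMPLE_INITIATIVES):
        print(f"{init.wave:6} {cost_effort_rating(init):2}  {init.name}")
    print("quick wins:", [i.name for i in quick_wins(SAMPLE_INITIATIVES)])
```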

A financial services organization defined its target security state and created an execution plan

CASE STUDY
Industry: Financial Services | Source: Info-Tech Research Group
Framework Components: Security Domains & Accompanied Initiatives (a portion of completed domains and initiatives)

CSC began by creating over 100 gap initiatives across Info-Tech’s seven security domains.

Current-State Assessment (gap initiatives created per domain):
  Context & Leadership – 12 initiatives
  Compliance, Audit & Review – 14 initiatives
  Security Prevention – 45 initiatives

Gap Initiative Prioritization:
  Planned Initiative(s)*     | Initial Cost       | Ongoing Cost | Initial Staffing | Ongoing Staffing
  Document Charter           | Low - <$5K         | Low - <$1K   | Low - <1d        | Low - <2 Hour
  Document RACI              | Low - <$5K         | Low - <$1K   | Low - <1d        | Low - <2 Hour
  Expand IR processes        | Medium - $5K-$50K  | Low - <$1K   | High - >2w       | Low - <2 Hour
  Investigate Threat Intel   | Low - <$5K         | Low - <$1K   | Medium - 1-10d   | Low - <2 Hour

CSC’s defined low, medium, and high for cost and staffing are specific to the organization.

CSC then consolidated its initiatives to create less than 60 concise tasks.

*Initiatives and variables have been changed or modified to maintain anonymity

Review your prioritized security roadmap

Review the final Gantt chart for the expected start and end dates of your security initiatives as part of your roadmap.

In the Gantt chart, go through each wave in sequence and determine the planned start date and planned duration for each gap initiative. As you populate the planned start dates, take into consideration the resource constraints or dependencies for each project. Go back and revise the granular execution wave to resolve any conflicts you find.

Screenshot of a 'Gantt Chart for Initiatives', a table with planned and actual start times and durations for each initiative, and beside it a roadmap with the dates from the Gantt chart plugged in.
Review considerations
  • Does this roadmap make sense for our organization?
  • Do we focus too much on one quarter over others?
  • Will the business be going through any significant changes during the upcoming years that will directly impact this project?
This is a living management document
  • You can use the same process on a per-case basis to decide where this new project falls in the priority list, and then add it to your Gantt chart.
  • As you make progress, check items off of the list, and periodically use this chart to retroactively update your progress towards achieving your overall target state.

Consult an Info-Tech Analyst

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Onsite workshops offer an easy way to accelerate your project. If a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to successfully complete your project.
TJ Minichillo, Senior Director – Security, Risk & Compliance, Info-Tech Research Group
Edward Gray, Consulting Analyst – Security, Risk & Compliance, Info-Tech Research Group
Celine Gravelines, Research Manager – Security, Risk & Compliance, Info-Tech Research Group
If you are not communicating, then you are not secure.

Call 1-888-670-8889 or email workshops@infotech.com for more information.

Are you ready to move on to the next phase?

Self-Assessment Questions

  • Have you identified your organization’s corporate goals along with your obligations?
  • Have you defined the scope and boundaries of your security program?
  • Have you determined your organization’s risk tolerance level?
  • Have you considered threat types your organization may face?
  • Are the above answers documented in the Security Requirements Gathering Tool?
  • Have you defined your maturity for both your current and target state?
  • Do you have clearly defined initiatives that would bridge the gap between your current and target state?
  • Are each of the initiatives independent, specific, and relevant to the associated control?
  • Have you indicated any dependencies between your initiatives?
  • Have you consolidated your gap initiatives?
  • Have you defined the parameters for each of the prioritization variables (cost, effort, alignment, and security benefit)?
  • Have you applied prioritization parameters to each consolidated initiative?
  • Have you recorded your final prioritized roadmap in the Gantt chart tab?
  • Have you reviewed your final Gantt chart to ensure it aligns to your security requirements?

If you answered “yes” to the questions, then you are ready to move on to Phase 3: Define Operational Interdependencies.

Develop a Security Operations Strategy

PHASE 3

Define Operational Interdependencies

Phase 1: Assess Operational Requirements
Phase 2: Develop Maturity Initiatives
Phase 3: Define Interdependencies

This step will walk you through the following activities:

  • Understand the current security operations process flow.
  • Define the security operations stakeholders and their respective deliverables.
  • Formalize an internal information sharing and collaboration plan.

Outcomes of this step

  • A formalized security operations interaction agreement.
  • A security operations service and product catalog.
  • A structured operations collection plan.

Info-Tech Insight

If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Tie everything together with collaboration

If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Define Strategic Needs and Requirements

  • Establish a channel to communicate management needs and requirements and define important workflow activities. Focus on operationalizing those components.
  • Establish a feedback loop to ensure your actions satisfied management’s criteria.

Participate in Information Sharing

  • Consolidate critical security data within a centralized portal that is accessible throughout the threat collaboration environment, reducing the human capital resources required to manage that data.
  • Participate in external information sharing groups such as ISACs. Intelligence collaboration allows organizations to band together to decrease risk and protect one another from threat actors.

Communicate Clearly

  • Disseminate relevant information in clear and succinct alerts, reports, or briefings.
  • Security operations analysts must be able to translate important technical security issues and provide in-depth strategic insights.
  • Define your audience before presenting information; various stakeholders will interpret information differently. You must present it in a format that appeals to their interests.
  • Be transparent in your communications. Holding back information will only serve to alienate groups and hinder critical business decisions.

Info-Tech Best Practice

Simple collaborative activities, such as a biweekly meeting, can unite prevention, detection, analysis, and response teams to help prevent siloed decision making.

Understand the security operations process flow

Process standardization and automation are critical to the effectiveness of security operations.

Process flow for security operations with column headers 'Monitoring', 'Preliminary Analysis (Tier 1)', 'Triage', 'Investigation & Analysis (Tier 2)', 'Response', and 'Advanced Threat Detection (Tier 3)'. All processes begin with elements in the 'Monitoring' column and end up at 'Visualization & Dashboarding'.

Document your security operations’ capabilities and tasks

Table of capabilities and tasks for security operations.

Document your security operations’ functional capabilities and the operational tasks that satisfy each capability. For each task or capability, record:

  • The resources you will leverage to complete it.
  • The internal and external collection sources that satisfy the individual requirement.
  • The affiliated product, service, or output it generates.
  • Your escalation protocol, and the stakeholders you will share this information with.

Capabilities

The major responsibilities of a specific function. These are the high-level processes that are expected to be completed by the affiliated employees and/or stakeholders.

Tasks

The specific and granular tasks that need to be completed in order to satisfy a portion of or the entire capability.

Download Info-Tech’s Security Operations RACI Chart & Program Plan.

Convert your results into actionable process flowcharts

Map each functional task or capability into a visual process-flow diagram.

  • The title should reflect the respective capability and product output.
  • List all involved stakeholders (inputs and threat escalation protocol) along the left side.
  • Ensure all relevant security control inputs are documented within the body of the process-flow diagram.
  • Map out the respective processes in order to achieve the desired outcome.
  • Segment each process within its own icon and tie that back to the respective input.

Example of a process flow made with sticky notes (Title: Output #1). The diagram has columns 'Stakeholders', 'Input Processes', 'Output Processes', and 'Threat Escalation Protocol'; processes are mapped by the stakeholder and column they fall under.

Download Info-Tech’s Security Operations RACI Chart & Program Plan.

Formalize the opportunities for collaboration within your security operations program

Security Operations Collaboration Plan

Security operations provides a single pane of glass through which the threat collaboration environment can manage its operations.

How to customize

The security operations interaction agreement identifies opportunities for optimization through collaboration and cross-training. The document is composed of several components:

  • Security operations program scope and objectives
  • Operational capabilities and outputs on a per function basis
  • A needs and requirements collection plan
  • Escalation protocol and respective information-sharing guidance (i.e. a detailed cadence schedule)
  • A security operations RACI chart
Sample of Info-Tech's Security Operations Collaboration Plan.

Info-Tech Best Practice

Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.

Assign responsibilities for the threat management process

Security Operations RACI Chart & Program Plan

Formally documenting roles and responsibilities helps to hold those accountable and creates awareness as to everyone’s involvement in various tasks.

How to customize
  • Customize the header fields with applicable stakeholders.
  • Identify stakeholders that are:
    • Responsible: The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made.
    • Accountable: The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor.
    • Consulted: The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs).
    • Informed: The person(s) who is updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.
Sample of Info-Tech's Security Operations Collaboration Plan.

Download Info-Tech’s Security Operations RACI Chart & Program Plan.

Identify security operations consumers and their respective needs and requirements

Ensure your security operations program is constantly working toward satisfying a consumer need or requirement.

Internal Consumers

  • Business Executives & Management (CIO, CISO, COO):
    • Inform business decisions regarding threats and their association with future financial risk, reputational risk, and continuity of operations.
  • Human Resources:
    • Security operations must directly work with HR to enforce tight device controls, develop processes, and set expectations.
  • Legal:
    • Security operations is responsible to notify the legal department of data breaches and the appropriate course of action.
  • Audit and Compliance:
    • Work with the auditing department to define additional audits or controls that must be measured.
  • Public Relations/Marketing Employees:
    • Employees must be educated on prevalent threats and how to avoid or mitigate them.

External Consumers

  • Third-Party Contractors:
    • Identify relevant threats across industries – security operations is responsible for protecting more than just itself.
  • Commercial Vendors:
    • Notify commercial vendors of control failures and opportunities for operational improvement.
  • Suppliers:
    • Provide or maintain a certain level of security delivery.
    • Meet the same level of security that is expected of business units.
  • All End Users:
    • Be notified of any data breaches and potential violations of privacy.

Note: Your organization might not be the final target, but it could be a primary path for attackers. If you exist as a third-party partner to another organization, your responsibility in your technology ecosystem extends beyond your own product or service offerings.

Info-Tech Best Practice

“In order to support a healthy constituency, network operations and security operations should be viewed as equal partners, rather than one subordinate to the other.” (Zimmerman, Ten Strategies of a World-Class Cybersecurity Operations Center, Mitre)

Define the stakeholders, their respective outputs, and the underlying need

Security Operations Program Service & Product Catalog

Create an informal security operations program service and product catalog. Work your way backwards – map each deliverable to the respective stakeholders and functions.

Action/Output → Frequency → Stakeholders/Function

Action/Output: Document the key services and outputs produced by the security operations program. For example:

  • Real-time monitoring
  • Event analysis and incident coordination
  • Malware analysis
  • External information sharing
  • Published alerts, reports, and briefings
  • Metrics

Frequency: Define the frequency with which each deliverable or service is produced or conducted. Leverage this activity to establish a state of accountability within your threat collaboration environment.

Stakeholders/Function: Identify the stakeholders or groups affiliated with each output. Remember to include potential MSSPs. For example:

  • Vulnerability Management
  • Threat Intelligence
  • Tier 1, 2, and 3 Analysts
  • Incident Response
  • MSSP
  • Network Operations

Remember to include any target-state outputs or services identified in the maturity assessment. Use this exercise as an opportunity to organize your security operations outputs and services.

Info-Tech Best Practice

Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment.

Internal information sharing helps to focus operational efforts

Organizations must share information internally and through secure external information sharing and analysis centers (ISACs).

Ensure information is shared in a format that relates to the particular end user. Internal consumers fall into two categories:

  • Strategic Users — Intelligence enables strategic stakeholders to better understand security trends, minimize risk, and make more educated and informed decisions. The strategic intelligence user often lacks technical security knowledge; bridge the communication gap between security and non-technical decision makers by clearly communicating the underlying value and benefits.
  • Operational Users — Operational users integrate information and indicators directly into their daily operations and as a result have more in-depth knowledge of the technical terms. Reports help to identify escalated alerts that are part of a bigger campaign, provide attribution and context to attacks, identify systems that have been compromised, block malicious URLs or malware signatures in firewalls, IDPS systems, and other gateway products, identify patches, reduce the number of incidents, etc.

Collaboration includes the exchange of:

  • Contextualized threat indicators, threat actors, TTPs, and campaigns.
  • Attribution of the attack, motives of the attacker, victim profiles, and frequent exploits.
  • Defensive and mitigation strategies.
  • Best-practice incident response procedures.
  • Technical tools to help normalize threat intelligence formats or decode malicious network traffic.

Collaboration can be achieved through:

  • Manual unstructured exchanges such as alerts, reports, briefings, knowledge portals, or emails.
  • Automated centralized platforms that allow users to privately upload, aggregate, and vet threat intelligence. Current players include commercial, government, and open-source information-sharing and analysis centers.

Isolation prevents businesses from learning from each other’s mistakes and/or successes.

Define the routine of your security operations program in a detailed cadence schedule

Security Operations Program Cadence Schedule Template

Design your meetings around your security operations program’s outputs and capabilities

How to customize

Don’t operate in a silo. Formalize a cadence schedule to develop a state of accountability, share information across the organization, and discuss relevant trends. A detailed cadence schedule should include the following:

  • Activity, output, or topic being discussed.
  • Participants and stakeholders involved.
  • Value and purpose of meeting.
  • Duration and frequency of each meeting.
  • Investment per participant per meeting.
Sample of Info-Tech's Security Operations Program Cadence Schedule Template.

Info-Tech Best Practice

Schedule regular meetings composed of key members from different working groups to discuss concerns, share goals, and communicate operational processes pertaining to their specific roles.

Apply a strategic lens to your security operations program

Frame the importance of optimizing the security operations program to align with that of the decision makers’ overarching strategy.

Strategies
  1. Bridge the communication gap between security and non-technical decision makers. Communicate concisely in business-friendly terms.
  2. Quantify the ROI for the given project.
  3. Educate stakeholders – if stakeholders do not understand what a security operations program encompasses, it will be hard for them to champion the initiative.
  4. Communicate the implications, value, and benefits of a security operations program.
  5. Frame the opportunity as a competitive advantage, e.g. proactive security measures as a client acquisition strategy.
  6. Address the increasing prevalence of threat actors. Use objective data to demonstrate the impact, e.g. through case studies, recent media headlines, or statistics.

Defensive Strategy diagram with columns 'Adversaries', 'Defenses', 'Assets', and priority level.
(Source: iSIGHT, “Definitive Guide to Threat Intelligence”)

Info-Tech Best Practice

Refrain from using scare tactics such as fear, uncertainty, and doubt (FUD). While this may be a short-term solution, it limits the longevity of your operations as senior management is not truly invested in the initiative.

Example: Align your strategic needs with that of management.

Identify assets of value, current weak security measures, and potential adversaries. Demonstrate how an optimized security operations program can mitigate those threats.

Develop a comprehensive measurement program to evaluate the effectiveness of your security operations

There are three types of metrics pertaining to security operations:

1) Operations-focused

Operations-focused metrics are typically communicated through a centralized visualization such as a dashboard. These metrics guide operational efforts, identifying operational and control weak points while ensuring the appropriate actions are taken to fix them.

Examples include, but are not limited to:

  • Ticketing metrics (e.g. average ticket resolution rate, ticketing status, number of tickets per queue/analyst).
  • False positive percentage per control.
  • Incident response metrics (e.g. mean time to recovery).
  • CVSS scores per vulnerability.
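As an added example (not Info-Tech's own code or template), the Python below computes several of these operations-focused metrics from a constructed set of ticket records; the record layout, field names, and the 60% tuning threshold are assumptions.

```python
"""Operations-focused security operations metrics computed from ticket data.

Added example, not Info-Tech's code. The ticket records and their field
names are constructed assumptions chosen to match the metric types listed
in the text: tickets per queue/analyst, ticket status, resolution rate,
false positive percentage per control, and mean time to recovery (MTTR).
"""
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed sample: one record per alert worked by the SOC.
# "disposition" is None while the investigation is still open.
TICKETS = [
    {"id": "T-1", "control": "EDR", "queue": "tier1", "analyst": "a.lee", "status": "closed",
     "opened": "2024-03-01T08:00", "resolved": "2024-03-01T09:30", "disposition": "true_positive"},
    {"id": "T-2", "control": "EDR", "queue": "tier1", "analyst": "b.kim", "status": "closed",
     "opened": "2024-03-01T08:10", "resolved": "2024-03-01T08:40", "disposition": "false_positive"},
    {"id": "T-3", "control": "IDS", "queue": "tier1", "analyst": "a.lee", "status": "closed",
     "opened": "2024-03-01T09:00", "resolved": "2024-03-01T12:00", "disposition": "true_positive"},
    {"id": "T-4", "control": "IDS", "queue": "tier1", "analyst": "b.kim", "status": "closed",
     "opened": "2024-03-01T09:05", "resolved": "2024-03-01T09:20", "disposition": "false_positive"},
    {"id": "T-5", "control": "IDS", "queue": "tier2", "analyst": "c.ortiz", "status": "open",
     "opened": "2024-03-01T10:00", "resolved": None, "disposition": None},
    {"id": "T-6", "control": "Email", "queue": "tier1", "analyst": "a.lee", "status": "closed",
     "opened": "2024-03-01T10:30", "resolved": "2024-03-01T10:45", "disposition": "false_positive"},
    {"id": "T-7", "control": "Email", "queue": "tier2", "analyst": "c.ortiz", "status": "closed",
     "opened": "2024-03-01T11:00", "resolved": "2024-03-01T13:30", "disposition": "true_positive"},
    {"id": "T-8", "control": "EDR", "queue": "tier2", "analyst": "c.ortiz", "status": "closed",
     "opened": "2024-03-01T11:10", "resolved": "2024-03-01T11:40", "disposition": "false_positive"},
]


def _ts(value):
    """Parse the ISO 8601 timestamps used in the sample records."""
    return datetime.fromisoformat(value)


def tickets_per_queue(tickets):
    """Ticket volume per queue: shows where analyst workload accumulates."""
    return Counter(t["queue"] for t in tickets)


def tickets_per_analyst(tickets):
    """Ticket volume per analyst: uneven counts point at routing or staffing issues."""
    return Counter(t["analyst"] for t in tickets)


def ticket_status_counts(tickets):
    """Ticketing status breakdown (open vs. closed)."""
    return Counter(t["status"] for t in tickets)


def resolution_rate(tickets):
    """Fraction of tickets closed (0.0 for an empty queue)."""
    if not tickets:
        return 0.0
    return sum(t["status"] == "closed" for t in tickets) / len(tickets)


def false_positive_pct_per_control(tickets):
    """False positive percentage per control, counting only tickets that
    already have a disposition so open investigations do not skew the rate."""
    seen, fps = Counter(), Counter()
    for t in tickets:
        if t["disposition"] is None:
            continue
        seen[t["control"]] += 1
        if t["disposition"] == "false_positive":
            fps[t["control"]] += 1
    return {c: round(100.0 * fps[c] / seen[c], 1) for c in seen}


def controls_needing_tuning(tickets, threshold_pct=60.0):
    """Controls whose false positive rate exceeds the (assumed) threshold:
    the control weak points a dashboard should surface for rule tuning."""
    rates = false_positive_pct_per_control(tickets)
    return sorted(c for c, pct in rates.items() if pct > threshold_pct)


def mean_time_to_recovery_hours(tickets):
    """MTTR: mean hours from opened to resolved over closed true positives.
    Returns None when no incident has been closed yet."""
    hours = [
        (_ts(t["resolved"]) - _ts(t["opened"])).total_seconds() / 3600
        for t in tickets
        if t["status"] == "closed" and t["disposition"] == "true_positive"
    ]
    return mean(hours) if hours else None


def operations_dashboard(tickets):
    """Assemble the metrics into one structure for a dashboard feed."""
    return {
        "per_queue": dict(tickets_per_queue(tickets)),
        "per_analyst": dict(tickets_per_analyst(tickets)),
        "status": dict(ticket_status_counts(tickets)),
        "resolution_rate": round(resolution_rate(tickets), 3),
        "false_positive_pct": false_positive_pct_per_control(tickets),
        "tuning_candidates": controls_needing_tuning(tickets),
        "mttr_hours": mean_time_to_recovery_hours(tickets),
    }


if __name__ == "__main__":
    for key, value in operations_dashboard(TICKETS).items():
        print(f"{key}: {value}")
```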

2) Business-focused

The evaluation of operational success from a business perspective.

Example metrics include:

  • Return on investment.
  • Total cost of ownership (can be segregated by function: prevent, detect, analyze, and respond).
  • Saved costs from mitigated breaches.
  • Security operations budget as a percentage of the IT budget.

3) Initiative-focused

The measurement of security operations project progress. These are frequently represented as time, resource, or cost-based metrics.

Note: Remember to measure end-user feedback. Asking stakeholders about their current expectations via a formal survey is the most effective way to kick-start the continuous improvement process.

Info-Tech Best Practice

Operational metrics have limited value beyond security operations – when communicating to management, focus on metrics that are actionable from a business perspective.

Download Info-Tech’s Security Operations Metrics Summary Document.

Sample of Info-Tech's Security Operations Metrics Summary Document.

Identify the triggers for continual improvement

Continual Improvement

  • Audits: Check for performance requirements in order to pass major audits.
  • Assessments: Variances in efficiency or effectiveness of metrics when compared to the industry standard.
  • Process maturity: Opportunity to increase efficiency of services and processes.
  • Management reviews: Routine reviews that reveal gaps.
  • Technology advances: For example, new security architecture/controls have been released.
  • Regulations: Compliance to new or changed regulations.
  • New staff or technology: Disruptive technology or new skills that allow for improvement.

Conduct tabletop exercises with Info-Tech’s onsite workshop

Assess your security operations capabilities

Leverage Info-Tech’s Security Operations Tabletop Exercise to guide simulations to validate your operational procedures.

How to customize
  • Use the templates to document actions and actors.
  • For each new inject, spend three minutes discussing the response as a group. Then spend two minutes documenting each role’s contribution to the response. After the time limit, proceed to the following inject scenario.
  • Review the responses only after completing the entire exercise.
Sample of Info-Tech's Security Operations Tabletop Exercise.

This tabletop exercise is available through an onsite workshop, in which we can help establish and design a tabletop capability for your organization.

Are you ready to implement your security operations program?

Self-Assessment Questions

  • Is there a formalized security operations collaboration plan?
  • Are all key stakeholders documented and acknowledged?
  • Have you defined your strategic needs and requirements in a formalized collection plan?
  • Is there an established channel for management to communicate needs and requirements to the security operation leaders?
  • Are all program outputs documented and communicated?
  • Is there an accessible, centralized portal or dashboard that actively aggregates and communicates key information?
  • Is there a formalized threat escalation protocol in order to facilitate both internal and external information sharing?
  • Does your organization actively participate in external information sharing through the use of ISACs?
  • Does your organization actively produce reports, alerts, products, etc. that feed into and influence the output of other functions’ operations?
  • Have you assigned program responsibilities in a detailed RACI chart?
  • Is there a structured cadence schedule for key stakeholders to actively communicate and share information?
  • Have you developed a structured measurement program on a per function basis?
  • Now that you have constructed your ideal security operations program strategy, revisit the question “Are you answering all of your objectives?”

If you answered “yes” to the questions, then you are ready to implement your security operations program.

Summary

Insights

  1. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
  2. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
  3. If you are not communicating, then you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Best Practices

  • Have a structured plan of attack. Define your unique threat landscape, as well as business, regulatory, and consumer obligations.
  • Foster both internal and external collaboration.
  • Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.
  • Do not bite off more than you can chew. Identify current people, processes, and technologies that satisfy immediate problems and enable future expansion.
  • Leverage threat intelligence to create a predictive and proactive security operations analysis process.
  • Formalize escalation procedures with logic and incident management flow.
  • Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.
  • Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.
  • Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment.

Protect your organization with an interdependent and collaborative security operations program.

Bibliography

“2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).” Ponemon Institute, June 2016. Web. 10 Nov. 2016.

Ahmad, Shakeel et al. “10 Tips to Improve Your Security Incident Readiness and Response.” RSA, n.d. Web. 12 Nov. 2016.

Anderson, Brandie. “Building, Maturing & Rocking a Security Operations Center.” Hewlett Packard, n.d. Web. 4 Nov. 2016.

Barnum, Sean. “Standardizing cyber threat intelligence information with the structured threat information expression.” STIX, n.d. Web. 03 Oct. 2016.

Bidou, Renaud. “Security Operation Center Concepts & Implementation.” IV2-Technologies, n.d. Web. 20 Nov. 2016.

Bradley, Susan. “Cyber threat intelligence summit.” SANS Institute InfoSec Reading Room, n.d. Web. 03 Oct. 2016.

“Building a Security Operations Center.” DEF CON Communications, Inc., 2015. Web. 14 Nov. 2016.

“Building a Successful Security Operations Center.” ArcSight, 2015. Web. 21 Nov. 2016.

“Building an Intelligence-Driven Security Operations Center.” RSA, June 2014. Web. 25 Nov. 2016.

Caltagirone, Sergio, Andrew Pendergast, and Christopher Betz. “Diamond Model of Intrusion Analysis,” Center for Cyber Threat Intelligence and Threat Research, 5 July 2013. Web. 25 Aug. 2016.

“Cisco 2017 Annual Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions Organizations Are Taking.” The Network. Cisco, 31 Jan. 2017. Web. 11 Nov. 2017.

“CITP Training and Education.” Carnegie Mellon University, 2015. Web. 03 Oct. 2016.

“Creating and Maintaining a SOC.” Intel Security, n.d. Web. 14 Nov. 2016.

“Cyber Defense.” Mandiant, 2015. Web. 10 Nov. 2016.

“Cyber Security Operations Center (CSOC).” Northrop Grumman, 2014. Web. 14 Nov. 2016.

Danyliw, Roman. “Observations of Successful Cyber Security Operations.” Carnegie Mellon, 12 Dec. 2016. Web. 14 Dec. 2016.

“Designing and Building Security Operations Center.” SearchSecurity. TechTarget, Mar. 2016. Web. 14 Dec. 2016.

EY. “Managed SOC.” EY, 2015. Web. 14 Nov. 2016.

Fishbach, Nicholas. “How to Build and Run a Security Operations Center.” Securite.org, n.d. Web. 20 Nov. 2016.

“Framework for improving critical infrastructure cybersecurity.” National Institute of Standards and Technology, 12 Feb. 2014. Web.

Friedman, John, and Mark Bouchard. “Definitive Guide to Cyber Threat Intelligence.” iSIGHT, 2015. Web. 1 June 2015.

Goldfarb, Joshua. “The Security Operations Hierarchy of Needs.” Securityweek.com, 10 Sept. 2015. Web. 14 Dec. 2016.

“How Collaboration Can Optimize Security Operations.” Intel, n.d. Web. 2 Nov. 2016.

Hslatman. “Awesome threat intelligence.” GitHub, 16 Aug. 2016. Web. 03 Oct. 2016.

“Implementation Framework – Collection Management.” Carnegie Mellon University, 2015. Web.

“Implementation Framework – Cyber Threat Prioritization.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.

“Intelligent Security Operations Center.” IBM, 25 Feb. 2015. Web. 15 Nov. 2016.

Joshi, Abhishek. “Best Practices for Security Operations Center.” LinkedIn, 01 Nov. 2015. Web. 14 Nov. 2016.

Joshi. “Best Practices for a Security Operations Center.” Cybrary, 18 Sept. 2015. Web. 14 Dec. 2016.

Kelley, Diana and Ron Moritz. “Best Practices for Building a Security Operations Center.” Information Security Today, 2006. Web. 10 Nov. 2016.

Killcrece, Georgia, Klaus-Peter Kossakowski, Robin Ruefle, and Mark Zajicek. “Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Carnegie Mellon Software Engineering Institute, Dec. 2003. Carnegie Mellon. Web. 10 Nov. 2016.

Kindervag, John. “SOC 2.0: Three Key Steps toward the Next-generation Security Operations Center.” SearchSecurity. TechTarget, Dec. 2010. Web. 14 Dec. 2016.

Kvochko, Elena. “Designing the Next Generation Cyber Security Operations Center.” Forbes Magazine, 14 Mar. 2016. Web. 14 Dec. 2016.

Lambert, P. “Security Operations Center: Not Just for Huge Enterprises.” TechRepublic, 31 Jan. 2013. Web. 10 Nov. 2016.

Lecky, M. and D. Millier. “Re-Thinking Security Operations.” SecTor Security Education Conference. Toronto, 2014.

Lee, Michael. “Three Elements That Every Advanced Security Operations Center Needs.” CSO | The Resource for Data Security Executives, n.d. Web. 16 Nov. 2016.

Linch, David and Jason Bergstrom. “Building a Culture of Continuous Improvement in an Age of Disruption.” Deloitte LLP, 2014.

Lynch, Steve. “Security Operations Center.” InfoSec Institute, 14 May 2015. Web. 14 Dec. 2016.

Macgregor, Rob. “Diamonds or chains – cyber security updates.” PwC, n.d. Web. 03 Oct. 2016.

“Make Your Security Operations Center (SOC) More Efficient.” Making Your Data Center Energy Efficient (2011): 213-48. Intel Security. Web. 20 Nov. 2016.

Makryllos, Gordon. “The Six Pillars of Security Operations.” CSO | The Resource for Data Security Executives, n.d. Web. 14 Nov. 2016.

Marchany, R. “Building a Security Operations Center.” Virginia Tech, 2015. Web. 8 Nov. 2016.

Marty, Raffael. “Dashboards in the Security Operations Center (SOC).” Security Bloggers Network, 15 Jan. 2016. Web. 14 Nov. 2016.

Minu, Adolphus. “Discovering the Value of Knowledge Portal.” IBM, n.d. Web. 1 Nov. 2016.

Muniz, J., G. McIntyre, and N. AlFardan. “Introduction to Security Operations and the SOC.” Security Operations Center: Building, Operating, and Maintaining your SOC. Cisco Press, 29 Oct. 2015. Web. 14 Nov. 2016.

Muniz, Joseph and Gary McIntyre. “Security Operations Center.” Cisco, Nov. 2015. Web. 14 Nov. 2016.

Muniz, Joseph. “5 Steps to Building and Operating an Effective Security Operations Center (SOC).” Cisco, 15 Dec. 2015. Web. 14 Dec. 2016.

Nathans, David. Designing and Building a Security Operations Center. Syngress, 2015. Print.

National Institute of Standards and Technology. “SP 800-61 Revision 2: Computer Security Incident Handling Guide.” 2012. Web.

National Institute of Standards and Technology. “SP 800-83 Revision 1.” 2013. Web.

National Institute of Standards and Technology. “SP 800-86: Guide to Integrating Forensic Techniques into Incident Response.” 2006. Web.

F5 Networks. “F5 Security Operations Center.” F5 Networks, 2014. Web. 10 Nov. 2016.

“Next Generation Security Operations Center.” DTS Solution, n.d. Web. 20 Nov. 2016.

“Optimizing Security Operations.” Intel, 2015. Web. 4 Nov. 2016.

Paganini, Pierluigi. “What Is a SOC (Security Operations Center)?” Security Affairs, 24 May 2016. Web. 14 Dec. 2016.

Ponemon Institute LLC. “Cyber Security Incident Response: Are we as prepared as we think?” Ponemon, 2014. Web.

Ponemon Institute LLC. “The Importance of Cyber Threat Intelligence to a Strong Security Posture.” Ponemon, Mar. 2015. Web. 17 Aug. 2016.

Poputa-Clean, Paul. “Automated defense – using threat intelligence to augment.” SANS Institute InfoSec Reading Room, 15 Jan. 2015. Web.

Quintagroup. “Knowledge Management Portal Solution.” Quintagroup, n.d. Web.

Rasche, G. “Guidelines for Planning an Integrated Security Operations Center.” EPRI, Dec. 2013. Web. 25 Nov. 2016.

Rehman, R. “What It Really Takes to Stand up a SOC.” Rafeeq Rehman – Personal Blog, 27 Aug. 2015. Web. 14 Dec. 2016.

Rothke, Ben. “Designing and Building Security Operations Center.” RSA Conference, 2015. Web. 14 Nov. 2016.

Ruks, Martyn and David Chismon. “Threat Intelligence: Collecting, Analysing, Evaluating.” MWR Infosecurity, 2015. Web. 24 Aug. 2016.

Sadamatsu, Takayoshi. “Practice within Fujitsu of Security Operations Center.” Fujitsu, July 2016. Web. 15 Nov. 2016.

Sanders, Chris. “Three Useful SOC Dashboards.” Chris Sanders, 24 Oct. 2016. Web. 14 Nov. 2016.

SANS Institute. “Incident Handler's Handbook.” 2011. Web.

Schilling, Jeff. “5 Pitfalls to Avoid When Running Your SOC.” Dark Reading, 18 Dec. 2014. Web. 14 Nov. 2016.

Schinagl, Stef, Keith Schoon, and Ronald Paans. “A Framework for Designing a Security Operations Centre (SOC).” 2015 48th Hawaii International Conference on System Sciences. Computer.org, 2015. Web. 20 Nov. 2016.

“Security – Next Gen SOC or SOF.” InfoSecAlways.com, 31 Dec. 2013. Web. 14 Nov. 2016.

“Security Operations Center Dashboard.” Enterprise Dashboard Digest, n.d. Web. 14 Dec. 2016.

“Security Operations Center Optimization Services.” AT&T, 2015. Web. 5 Nov. 2016.

“Security Operations Centers — Helping You Get Ahead of Cybercrime Contents.” EY, 2014. Web. 6 Nov. 2016.

Sheikh, Shah. “DTS Solution - Building a SOC (Security Operations Center).” LinkedIn, 4 May 2013. Web. 20 Nov. 2016.

Soto, Carlos. “Security Operations Center (SOC) 101.” Tom's IT Pro, 28 Oct. 2015. Web. 14 Dec. 2016.

“Standardizing and Automating Security Operations.” National Institute of Standards and Technology, 3 Sept. 2006. Web.

“Strategy Considerations for Building a Security Operations Center.” IBM, Dec. 2013. Web. 5 Nov. 2016.

“Summary of Key Findings.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.

“Sustainable Security Operations.” Intel, 2016. Web. 20 Nov. 2016.

“The Cost of Malware Containment.” Ponemon Institute, Jan. 2015. Web.

“The Game Plan for Closing the SecOps Gap.” BMC. Forbes Magazine, Jan. 2016. Web. 10 Jan. 2017.

Veerappa Srinivas, Babu. “Security Operations Centre (SOC) in a Utility Organization.” GIAC, 17 Sept. 2014. Web. 5 Nov. 2016.

Wang, John. “Anatomy of a Security Operations Center.” NASA, 2015. Web. 2 Nov. 2016.

Weiss, Errol. “Statement for the Record.” House Financial Services Committee, 1 June 2012. Web. 12 Nov. 2016.

Wilson, Tim. “SOC 2.0: A Crystal-Ball Glimpse of the Next-Generation Security Operations Center.” Dark Reading, 22 Nov. 2010. Web. 10 Nov. 2016.

Zimmerman, Carson. “Ten Strategies of a World-Class Cybersecurity Operations Center.” Mitre, 2014. Web. 24 Aug. 2016.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
