Security Operation ①-Before introducing SIEM or SOAR! Visualization of the current state using frameworks

general remarks

Recently, I often hear from security personnel that "operations have become difficult." In terms of physical strength, such as "the amount of work is large in the first place", "a lot of work is done on holidays and at night", "the load is concentrated due to a shortage of manpower", "the responsibility is heavy", and "you don't know when you will be called, so you can't get rid of the tension." "It's taken for granted that nothing happens, and it's hard work, but it's not appreciated."

In this paper, we will organize the issues of security operation and guide you on how to organize and improve security operation using the security measures framework.

Finally, we have also included a video summarizing examples of how security operations were organized and improved through the use of frameworks, so be sure to check it out.

Specifics

Security operation challenges

What kind of specific burdens do you have in the field of security operations? What I hear from the person in charge at the site is the following severe situation.

  • fireeye_feature02_draw01.png
  • Increased analysis target
    Cyberattacks are becoming more sophisticated every day, and security threats are becoming more sophisticated. Along with this, the volume of logs and alerts to be monitored has also increased dramatically. Recent operational monitoring products have begun to proactively issue alerts even for gray threats that cannot be determined as incidents. A large number of alerts are generated, and the person in charge must decide one by one whether it actually leads to an incident. Although it is unavoidable to ensure security, it is one of the reasons for the increase in the amount of work.
  • time to resolve
    In order to prepare for various threats, the types and number of security products introduced in enterprises are increasing. There are a wide variety of management and operation methods, and procedures are becoming more complex, requiring security personnel to have advanced skills. Skills become obsolete quickly, and new knowledge must be acquired one after another. Work is concentrated on limited security personnel, and companies are constantly suffering from a shortage of personnel. Working on holidays and at night, and coordinating with the department in charge are also burdensome for the person in charge.

Comprehensive understanding of security operations using the security framework

In order to solve the operational issues mentioned earlier, it is necessary to first visualize the current security operation status. There are many frameworks in the world, but this article is based on the Cybersecurity Framework (hereinafter referred to as CSF) advocated by NIST (National Institute of Standards and Technology), which is good at overlooking the situation in terms of operation. describes the visualization method for security operations.

CSF consists of 5 functions.
It is categorized by operation stage: "Identification", "Protection", "Detection", "Response", and "Recovery".

  • Figure 1: Structure of NIST Cybersecurity Framework (1)

Figure 1: Structure of NIST Cybersecurity Framework (1)

In addition, each category consists of multiple subcategories, and these subcategories have more detailed action items. There are also external materials (below, in the red frame) that can be used as a reference for concrete consideration and implementation.

  • Figure 2: Structure of NIST Cybersecurity Framework (2)

Figure 2: Structure of NIST Cybersecurity Framework (2)

How to use the NIST Cybersecurity Framework

So how should we use this CSF?

The procedure for using CSF is briefly summarized below.

  • Using CSF, consider necessary items, unnecessary items, and new items to be added to your company, and create a base for your own company profile.
  • Enter the current level of achievement (Tier) for each subcategory
  • For each subcategory, set the achievement level (Tier) that the company should aim for
  • Set priorities for response to subcategories where there is a gap between the current situation and the level of achievement to be achieved
  • Implement initiatives to achieve the desired level of achievement according to priority
  • Figure 3: Analysis of the current situation based on the NIST Cybersecurity Framework

Figure 3: Analysis of the current situation based on the NIST Cybersecurity Framework

  • Figure 4: Definition of each tier

Figure 4: Definition of each tier

★ point
In order to visualize the work of actual operation, it is recommended to break down to the level of responsibility for each category and organize the frequency of occurrence. This is because the CSF is for visualizing and prioritizing the entire organization, so it includes roles at the management and Member of the Board level in addition to the responsible level.

  • Figure 5: Example of breaking down tasks with a relatively high frequency of occurrence at the responsible level

Figure 5: Example of breaking down tasks with a relatively high frequency of occurrence at the responsible level

Measures to be taken after visualization of operation status

After visualizing the security operation status with CSF, it is recommended to classify high-priority operations into operations controlled by the company and operations to introduce/outsource products.

For reference, we recommend that you control the following operations yourself.

  • Matters to be determined and executed by management and Member of the Board
  • Selection of suppliers and partners
  • Approval of improvement process
  • Operation and management of systems that remain highly individualized
  • Overall handling in incident response (It is good to receive external support)

On the other hand, incident response-related operations included in "detection," "response," and "recovery," tend to be improved through product introduction/outsourcing.

In the video below, we explain the products/service groups linked to each function of CSF, so please take a look.

Conclusion

Even for vague attempts to improve security operations, by analyzing the current situation according to a security framework such as the NIST CSF, we can see the issues that need to be addressed and the appropriate measures for each issue.

In the video below, a person who provides security consulting services to major corporations and also serves as a member of Macnica 's CSIRT uses actual case studies to explain how companies visualize their security operations status and what measures they took to address the issues that came to light.

Before considering security operation products and services, why not take a look at them?

MSS operator talks about working with limited human resources,
What is the latest framework for security operations? Play time: 35 minutes
While it is said that there is a shortage of IT human resources, it is necessary to consider the expertise, skills, and security required of security personnel, such as incident response to respond to increasingly sophisticated attacks and security countermeasure planning suitable for work style reform measures. The scope is expanding. We will use a framework to visualize whether the daily work and operations performed by the person in charge are the security operations that are currently required, and explain the direction of how to address the shortfalls.

Contact information

株式会社マクニカ
FireEye 製品担当