In previous news, we’ve spoken about how to build your Bespoke Security Operations Centre for your business and what elements need to be used in the design process to make sure that you, your business and your client base are provided with the best possible protection in an ever-changing world.
Click on the link to revisit the news piece “Building a Bespoke Security Operations Centre for your business”: https://www.maximumnetworks.co.uk/building-a-bespoke-security-operations-centre-for-your-business/
Click on the link to revisit the news piece “Designing the right Security Operations Centre for your business”: https://www.maximumnetworks.co.uk/designing-the-right-security-operations-centre-for-your-business/
Why choose Maximum Networks as your Managed Outsourced IT Support Partner?
We have a wide range of IT desktop solutions and print services for any business across the UK.
Not only do we offer high-quality services across IT Services we offer business broadband solutions, telecommunications and much, much more.
Get in touch at https://www.maximumnetworks.co.uk/contact or call us on 0330 041 6308 today!
Onboarding systems and log sources to your Bespoke Security Operations Centre
Now that you have built your Bespoke Security Operations Centre (SOC), the next stage to building the ideal cybersecurity for your business is to get your business systems onboarded to the SOC.
This means that you can begin to integrate your CRM and required business systems so that their security can be monitored accurately and specific threat identified.
Before we go on, let’s look at what the description of “Onboarding” is:
Onboarding (For SOC specific purposes):
“Onboarding is the name given to the process of adding systems to the scope of a SOC. This means ensuring that the logs from those systems are collected by or sent to the SOC systems so that they can be monitored.”
Onboarding is a key part of any SOC operation, for new SOCs but also for established SOCs. This is because no IT estate will perpetually stay the same during the operational lifetime of your SOC.
There are multiple ways to perform onboarding, from onboarding common log sources, using the output of risk assessments or just onboarding absolutely every log source available. Threat modelling can also be used to support onboarding.
The goal of onboarding is to enable you to determine which log sources are most appropriate to your organisation and should be onboarded, helping your Outsourced IT Support Partner to offer better and specific protection.
Identifying Log sources and how these can better protect you and your clients
Your Outsourced IT Support Partner is the best and most experienced asset you have in your business to make sure that the correct level of cybersecurity defence is in place to protect your colleagues and customers.
They will have a detailed understanding of the systems utilised in your business and the workings of your Bespoke Security Operations Centre (SOC), to make sure that they can identify any potential threats ahead of time and also future-proof your protection as best as they can.
With this in mind, The next step is to identify log sources within your organisation (or customer systems) that will provide you with information that would be useful when performing security monitoring.
Log sources and regular security monitoring: better protection for you
Regular security monitoring is the best defence against cyber threats in the virtual and online landscape and this is a landscape that is constantly evolving parties look to use more sophisticated and clever ways to try and break down your business cyber-security.
Threat modelling can be useful, as it will enable you to identify valuable log sources and provide an excellent case as to why you should collect them for further monitoring.
In addition to being used for detection, log sources are also vital in performing incident response as they can provide valuable context around system behaviour in the event of an incident.
Recognised Types of Log Sources
In order to make sure that your Outsourced IT Support Partner is looking for the right types of log sources, they will investigate different types of sources.
To keep this a user-friendly information section, let’s break these down and explore each type of Log source.
Application Log Sources:
Arguably the widest and most varied scope.
Logs provided by applications will often provide invaluable insight into user actions.
Host Log Sources:
These log types typically refer to both operating system and application logs.
Often getting these will involve deploying an agent to the device.
Network Log Sources:
Logs from network devices and infrastructure can provide vital information about connected devices and services across your estate.
Cloud Log Sources:
Cloud logs can include all of the above data sources, but there are some services that fall outside these categories, such as cloud management and compute services.
These services will typically provide their own logs, which contain a wealth of useful information.
Log Sources that provide easy wins in security monitoring
Already, this can sound quite a daunting task to perform within Security Monitoring, however, your Outsourced IT Support Partner will be aware that there are also other avenues available that can provide answers sooner.
There are three levels of what are called “Must-have” logs –
Authentication Log Sources:
These logs will allow the Security Operations Centre to identify where and when users logged onto a system – or attempted to logon to a system.
These logs provide big red flags when adversaries attempt to gain unauthorised access to systems.
Security Controls Log Sources:
This can include anti-malware software, security controls such as firewalls, access control list changes and anything that performs a security function within the organisation.
The logs provided by these controls are must-haves as they will provide a first indication of something going wrong.
DNS Log Sources:
These logs can be invaluable in identifying malicious behaviour within an organisation.
An example could be “EUD123 has requested www[.]n0t-m4lw4re[.]com” – which may provide the first indications of a compromised device, allowing the SOC to intervene.
The next section in this series that we will look at is threat modelling and how this type of modelling can provide a robust defence to your Bespoke Security Operations Centre.