Setting up and Fine Tuning a Security Operations Centre
Master's thesis
Given the need for every company to be cost-effective, it comes as no surprise that management does not wish to allocate many resources to information security while at the same time demanding perfect and exhaustive coverage of its infrastructure and applications. This paper deals with possible ways to maximize the efficiency of a Security Operations Center (SOC), a specialized team responsible for centralizing and managing the totality of security operations for an IT infrastructure, in order to protect it proactively and respond in real time to security events. Using a company's fully operational network as the base for the experiments, multiple real-life attack scenarios were reproduced in order to study the results, adapt the defensive mechanisms using the acquired feedback and present the gained experience. These results can be used as an exhaustive guideline for anyone interested in efficiently setting up a Security Operations Center. Through the best practices proposed by the paper, a security analyst will be able to adapt and fine-tune a SOC to the specific context of the organization in question, while making sure that no critical elements are overlooked or forgotten. Moreover, this paper explains how to provide the upper management of an organization with a service that minimizes security risks and mitigates security events while remaining cost-effective and efficient. Detailed descriptions of the tools necessary for the centralization, monitoring and resolution of security events, as well as how they should be configured and fine-tuned, are also included.
Even though the description of all the procedures is exhaustive, the conducted experiments made clear that in order to have an efficient SOC, which translates to constant, realistic and responsive monitoring and protection of an IT infrastructure, a continuous and systematic procedure needs to be implemented in order to update, adapt and fine-tune the techniques employed by the SOC, depending on the evolution of the demands, the needs, and all kinds of changes associated with the organization in question. Therefore, there are no plug-and-play solutions that can be deployed and then forgotten, no matter the cost. Human expertise is always required and plays a crucial role in the whole procedure of protecting the IT infrastructure.
Computer and Information Science