Security Operations (SecOps)

Identify (ID)Protect (PR)Detect (DE)Response (RS)Recovery (RC)

For starters, let’s discuss what Security Operations (a.k.a. SecOps) is. SecOps is a combination of the IT Security Team and the IT Operations Team.  When SecOps is done properly the conflict between the Security team finding vulnerabilities and the Operations team never getting around to implementing the remediation steps goes away.  The SecOps team finds and remediates vulnerabilities, there is no hand off issues because the SecOps team owns the problem and the solution.

If you are building a SecOps team from scratch or you have an existing team, you can improve your security posture by implementing a Cyber Security Framework (CSF).  There are a few to chose from like NIST (below), SANS CIS implementation of controls for NIST, and COBIT.  Make no mistake, fully implementing a framework will take some time, the framework is huge.  However, the payoffs for doing so will become obvious the first time that you thwart a major breach or attack.

NIST Cyber Security Framework

• Identify (ID) – Develop the organizational understanding to manage cyber security risk to systems, assets, data, and capabilities.
  • Asset Management (ID.AM)
  • Business Environment (ID.BE)
  • Governance (ID.GV)
  • Risk Assessment (ID.RA)
  • Risk Management Strategy (ID.RM)
• Protect (PR) – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  • Access Control (PR.AC)
  • Awareness and Training (PR.AT)
  • Data Security (PR.DS)
  • Info Protection Processes and Procedures (PR.IP)
  • Maintenance (PR.MA)
  • Protective Technology (PR.PT)
• Detect (DE) – Identify the occurrence of a cyber security event.
  • Anomalies and Events (DE.AE)
  • Security Continuous Monitoring (DE.CM)
  • Detection Process (DE.DP)
• Respond (RS) – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  • Response Planning (RS.RP)
  • Communication (RS.CO)
  • Analysis (RS.AN)
  • Mitigation (RS.MI)
  • Improvements (RS.IM)
• Recover (RC) – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
  • Recovery Planning (RC.RP)
  • Improvements (RC.IM)
  • Communications (RC.CO)

These topics are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

Known NIST Special Publications for Computer Security (SP-800’s):

• SP 800-18 (Guide for Developing Security Plans for Federal Information Systems)
• SP 800-45 (Guidelines on Electronic Mail Security)
• SP 800-53A (Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans)
• SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories)
• SP 800-61 (Computer Security Incident Handling Guide) <– aka Incident Response
• SP 800-88 (Guidelines for Media Sanitization)
• SP 800-92 (Guide to Computer Security Log Management)
• SP 800-145 (The NIST Definition of Cloud Computing)