Develop a Security Operations Strategy

There is an onslaught of security data – generating information in different formats, storing it in different places, and forwarding it to different locations.
The organization lacks a dedicated enterprise security team. There is limited resourcing available to begin or mature a security operations center.
Many organizations are developing ad hoc security capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of security technology investments.
It is difficult to communicate the value of a security operations program when trying to secure organizational buy-in to gain the appropriate resourcing.
There is limited communication between security functions due to a centralized security operations organizational structure.

Our Advice

Critical Insight

Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Impact and Result

A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.
This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

Develop a Security Operations Strategy Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should enhance your security operations program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Develop a Security Operations Strategy – Executive Brief

1. Assess your current state

Assess current prevention, detection, analysis, and response capabilities.

2. Develop maturity initiatives

Design your optimized state of operations.

3. Define operational interdependencies

Identify opportunities for collaboration within your security program.

INFO-TECH RESEARCH GROUP

Develop a Security Operations Strategy

Transition from a security operations center to a threat collaboration environment.

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2017 Info-Tech Research Group Inc.

ANALYST PERSPECTIVE

“A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Protect your assets by preparing for the inevitable; unify your prevention, detection, analysis, and response efforts and provide assurance to your stakeholders that you are making information security a top priority.”

Phot of Edward Gray, Consulting Analyst, Security, Risk & Compliance, Info-Tech Research Group.

Edward Gray,
Consulting Analyst, Security, Risk & Compliance
Info-Tech Research Group

Our understanding of the problem

This Research Is Designed For:

Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Chief Operating Officer (COO)
Security / IT Management
Security Operations Director / Security Operations Center (SOC)
Network Operations Director / Network Operations Center (NOC)
Systems Administrator
Threat Intelligence Staff
Security Operations Staff
Security Incident Responders
Vulnerability Management Staff
Patch Management

This Research Will Help You:

Enhance your security program by implementing and streamlining next-generation security operations processes.
Increase organizational situational awareness through active collaboration between core threat teams, enriching internal security events with external threat intelligence and enhancing security controls.
Develop a comprehensive threat analysis and dissemination process: align people, process, and technology to scale security to threats.
Identify the appropriate technological and infrastructure-based sourcing decisions.
Design a step-by-step security operations implementation process.
Pursue continuous improvement: build a measurement program that actively evaluates program effectiveness.

This Research Will Also Assist:

Board / Chief Executive Officer
Information Owners (Business Directors/VP)
Security Governance and Risk Management
Fraud Operations
Human Resources
Legal and Public Relations

This Research Will Help Them

Aid decision making by staying abreast of cyberthreats that could impact the business.
Increase visibility into the organization’s threat landscape to identify likely targets or identify exposed vulnerabilities.
Ensure the business is compliant with regularity, legal, and/or compliance requirements.
Understand the value and return on investment of security operations offerings.

Executive summary

Situation

Current security practices are disjointed, operating independently with a wide variety of processes and tools to conduct incident response, network defense, and threat analysis. These disparate mitigations leave organizations vulnerable to the increasing number of malicious events.
Threat management has become resource intensive, requiring continuous monitoring, collection, and analysis of massive volumes of security event data, while juggling business, compliance, and consumer obligations.

Complication

There is an onslaught of security data – generating information in different formats, storing it in different places, and forwarding it to different locations.
The organization lacks a dedicated enterprise security team. There is limited resourcing available to begin or mature a security operations center.
Many organizations are developing ad hoc security capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of their security technology investments.
It is difficult to communicate the value of a security operations program when trying to secure organizational buy-in to gain the appropriate resourcing.
There is limited communication between security functions due to a centralized security operations organizational structure.

Resolution

A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.
This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

Info-Tech Insight

Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Data breaches are resulting in major costs across industries

Horizontal bar chart of 'Per capita cost by industry classification of benchmarked companies', with the highest cost attributed to 'Health', 'Pharmaceutical', 'Financial', 'Energy', and 'Transportation'.

Average data breach costs per compromised record hit an all-time high of $217 (in 2015); $74 is direct cost (e.g. legal fees, technology investment) and $143 is indirect cost (e.g. abnormal customer churn). (Source: Ponemon Institute, “2015 Cost of Data Breach Study: United States”)

'% of systems impacted by a data breach', '1% No Impact', '19% 1-10% impacted', '41% 11-30% impacted', '24% 31-50% impacted', '15% more than 50% impacted

'% of customers lost from a data breach', '61% Lost <20%', '21% Lost 20-40%', '8% Lost 40-60%', '6% Lost 60-80%', '4% Lost 80-100%'.

'% of business opportunity lost from a data breach', '58% Lost <20%', '25% Lost 20-40%', '9% Lost, 40-60%', '5% Lost 60-80%', '4% Lost 80-100%'.

(Source: The Network, “ Cisco 2017 Security Capabilities Benchmark Study”)

Persistent issues

Organizational barriers separating prevention, detection, analysis, and response efforts.
Siloed operations limit collaboration and internal knowledge sharing.
Lack of knowledgeable security staff.
Human capital is transferrable between roles and functions and must be cross-trained to wear multiple hats.
Failure to evaluate and improve security operations.
The effectiveness of operations must be frequently measured and (re)assessed through an iterative system of continuous improvement.
Lack of standardization.
Pre-established use cases and policies outlining tier-1 operational efforts will eliminate ad hoc remediation efforts and streamline operations.
Failure to acknowledge the auditor as a customer.
Many compliance and regulatory obligations require organizations to have comprehensive documentation of their security operations practices.

60% Of organizations say security operation teams have little understanding of each other’s requirements.

40% Of executives report that poor coordination leads to excessive labor and IT operational costs.

38-100% Increase in efficiency after closing operational gaps with collaboration.
(Source: Forbes, “The Game Plan for Closing the SecOps Gap”)

The solution

Bar chart of the 'Benefits of Internal Collaboration' with 'Increased Operational Efficiency' and 'Increased Problem Solving' having the highest percentage.

“Empower a few administrators with the best information to enable fast, automated responses.”
– Ismael Valenzuela, IR/Forensics Technical Practice Manager, Foundstone® Services, Intel Security)

Insufficient security personnel resourcing has been identified as the most prevalent challenge in security operations…

When an emergency security incident strikes, weak collaboration and poor coordination among critical business functions will magnify inefficiencies in the incident response (IR) process, impacting the organization’s ability to minimize damage and downtime.

The solution: optimize your SOC. Info-Tech has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization.

Sources:
Ponemon. "2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).”
Syngress. Designing and Building a Security Operations Center.

Maintain a holistic security operations program

Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.
Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operations, and technology infrastructure on a daily basis.	Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.	Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs
	Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.	Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.

Info-Tech’s security operations blueprint ties together various initiatives

Design and Implement a Vulnerability Management Program	Vulnerability Management Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.	Deliverables Vulnerability Tracking Tool Vulnerability Scanning Tool RFP Template Penetration Test RFP Template Vulnerability Mitigation Process Template
Integrate Threat Intelligence Into Your Security Operations	Threat Intelligence Threat intelligence addresses the collection, analysis, and dissemination of external threat data. Analysts act as liaisons to their peers, publishing actionable threat alerts, reports, and briefings. Threat intelligence proactively monitors and identifies whether threat indicators are impacting your organization.	Maturity Assessment Tool Threat Intelligence RACI Tool Management Plan Template Threat Intelligence Policy Template Alert Template Alert and Briefing Cadence Schedule
Develop Foundational Security Operations Processes	Operations Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. Analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.	Maturity Assessment Tool Event Prioritization Tool Efficiency Calculator SecOps Policy Template In-House vs. Outsourcing Decision-Making Tool SecOps RACI Tool TCO & ROI Comparison Calculator
Develop and Implement a Security Incident Management Program	Incident Response Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. IR teams coordinate root-cause analysis and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.	Incident Management Policy Maturity Assessment Tool Incident Management RACI Tool Incident Management Plan Incident Runbook Prioritization Tool Various Incident Management Runbooks

This blueprint will…

…better protect your organization with an interdependent and collaborative security operations program.

Phase 01 Assess your operational requirements.	Phase 02 Optimize and further mature your security operations processes	Phase 3a Develop the process flow and specific interaction points between functions	Phase 3b Test your current capabilities with a table top exercise
Briefly assess your current prevention, detection, analysis, and response capabilities. Highlight operational weak spots that should be addressed before progressing.	Develop a prioritized list of security-focused operational initiatives. Conduct a holistic analysis of your operational capabilities.	Define the operational interaction points between security-focused operational departments. Document the results in comprehensive operational interaction agreement.	Test your operational processes with Info-Tech’s security operations table-top exercise.

Info-Tech integrates several best practices to create a best-of-breed security framework

Legend for the 'Information Security Framework' identifying blue best practices as 'In Scope' and white best practices as 'Out of Scope'.

Info-Tech's 'Information Security Framework' of best practices with two main categories 'Governance' and 'Management', each with subcategories such as 'Context & Leadership' and 'Prevention', each with a group of best practices color-coded to the associated legend identifying them as 'In Scope' or 'Out of Scope'.

Benefits of a collaborative and integrated operations program

Effective security operations management will help you do the following:

Improve efficacy
Develop structured processes to automate activities and increase process consistency across the security program. Expose operational weak points and transition teams from firefighting to an innovator role.
Improve threat protection
Enhance network controls through the hardening of perimeter defenses, an intelligence-driven analysis process, and a streamlined incident remediation process.
Improve visibility and information sharing
Promote both internal and external information sharing to enable good decision making.
Create and clarify accountability and responsibility
Security operations management practices will set a clear level of accountability throughout the security program and ensure role responsibility for all tasks and processes involved in service delivery.
Control security costs
Security operations management is concerned with delivering promised services in the most efficient way possible. Good security operations management practices will provide insight into current costs across the organization and present opportunities for cost savings.
Identify opportunities for continuous improvement
Increased visibility into current performance levels and the ability to accurately identify opportunities for continuous improvement.

Impact

Short term:

Streamlined security operations program development process.
Completed comprehensive list of operational gaps and initiatives.
Formalized and structured implementation process.
Standardized operational use cases that predefine necessary operational protocol.

Long term:

Enhanced visibility into immediate threat environment.
Improved effectiveness of internal defensive controls.
Increased operational collaboration between prevention, detection, analysis, and response efforts.
Enhanced security pressure posture.
Improved communication with executives about relevant security risks to the business.

Understand the cost of not having a suitable security operations program

A practical approach, justifying the value of security operations, is to identify the assets at risk and calculate the cost to the company should the information assets be compromised (i.e. assess the damage an attacker could do to the business).

	Cost Structure	Cost Estimation ($) for SMB (Small and medium-sized business)	Cost Estimation ($) for LE (Large enterprise)
Security controls	Technology investment: software, hardware, facility, maintenance, etc. Cost of process implementation: incident response, CMBD, problem management, etc. Cost of resource: salary, training, recruiting, etc.	$0-300K/year	$200K-2M/year
Security incidents (if no security control is in place)	Explicit cost: Incident response cost: Remediation costs Productivity: (number of employees impacted) × (hours out) × (burdened hourly rate) Extra professional services Equipment rental, travel expenses, etc. Compliance fine Cost of notifying clients Revenue loss: direct loss, the impact of permanent loss of data, lost future revenues Financial performance: credit rating, stock price Hidden cost: Reputation, customer loyalty, etc.	$15K-650K/year	$270K-11M/year

Workshop Overview

Contact your account representative or email Workshops@InfoTech.com for more information.

	Workshop Day 1	Workshop Day 2	Workshop Day 3	Workshop Day 4	Workshop Day 5
Activities	Kick-off and introductions. High-level overview of weekly activities and outcomes. Activity: Define workshop objectives and current state of knowledge. Understand the threat collaboration environment. Understand the benefits of an optimized security operations. Activity: Review preliminary maturity level. Activity: Assess current people, processes, and technology capabilities. Activity: Assess workflow capabilities.	Activity: Begin deep-dive into maturity assessment tool. Discuss strategies to enhance the analysis process (ticketing, automation, visualization, use cases, etc.).	Activity: Design ideal target state. Activity: Identify security gaps. Build initiatives to bridge the gaps. Activity: Estimate the resources needed. Activity: Prioritize gap initiatives. Activity: Develop dashboarding and visualization metrics. Activity: Plan for a transition with the security roadmap and action plan. Activity: Define and assign tier 1, 2 & 3 SOC roles and responsibilities.	Activity: Assign roles and responsibilities for each security operations initiative. Activity: Develop a comprehensive measurement program. Activity: Develop specific runbooks for your top-priority incidents (e.g. ransomware). Detect the incident. Analyze the incident. Contain the incident. Eradicate the root cause. Recover from the incident. Conduct post-incident analysis and communication. Activity:Conduct attack campaign simulation.	Finalize main deliverables. Schedule feedback call.
Deliverables		Security Operations Maturity Assessment Tool	Target State and Gap Analysis (Security Operations Maturity Assessment Tool)	Security Operations Role & Process Design Security Operations RACI Chart Security Operations Metrics Summary Security Operations Phishing Process Runbook Attack Campaign Simulation PowerPoint	All Final Deliverables

Develop a Security Operations Strategy

PHASE 1

Assess Operational Requirements

1

Assess Operational Requirements

2

Develop Maturity Initiatives

3

Define Interdependencies

This step will walk you through the following activities:

Determine why you need a sound security operations program.
Understand Info-Tech’s threat collaboration environment.
Evaluate your current security operation’s functions and capabilities.

Outcomes of this step

A defined scope and motive for completing this project.
Insight into your current security operations capabilities.
A prioritized list of security operations initiatives based on maturity level.

Info-Tech Insight

Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.

Warm-up exercise: Why build a security operations program?

Estimated time to completion: 30 minutes

Discussion: Why are we pursuing this project?

What are the objectives for optimizing and developing sound security operations?

Stakeholders Required:

Key business executives
IT leaders
Security operations team members

Resources Required

Sticky notes
Whiteboard
Dry-erase markers

Briefly define the scope of security operations
What people, processes, and technology fall within the security operations umbrella?
Brainstorm the implications of not acting
What does the status quo have in store? What are the potential risks?
Define the goals of the project
Clarify from the outset: what exactly do you want to accomplish from this project?
Prioritize all brainstormed goals
Classify the goals based on relevant prioritization criteria, e.g. urgency, impact, cost.

Info-Tech Best Practice

Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.

Decentralizing the SOC: Security as a function

Before you begin, remember that no two security operation programs are the same. While the end goal may be similar, the threat landscape, risk tolerance, and organizational requirements will differ from any other SOC. Determine what your DNA looks like before you begin to protect it.

Security operations must provide several fundamental functions:

Real-time monitoring, detecting, and triaging of data from both internal and external sources.
In-depth analysis of indicators and incidents, leveraging malware analysis, correlation and rule tweaking, and forensics and eDiscovery techniques.
Network/host scanning and vulnerability patch management.
Incident response, remediation, and reporting. Security operations must disseminate appropriate information/intelligence to relevant stakeholders.
Comprehensive logging and ticketing capabilities that document and communicate events throughout the threat collaboration environment.
Tuning and tweaking of technologies to ingest collected data and enhance the analysis process.
Enhance overall organizational situational awareness by reporting on security trends, escalating incidents, and sharing adversary tools, tactics, and procedures.

Venn diagram of 'Security Operations' with four intersecting circles: 'Prevent', 'Detect', 'Analyze', and 'Respond'.

At its core, a security operations program is responsible for the prevention, detection, analysis, and response of security events.

Optimized security operations can seamlessly integrate threat and incident management processes with monitoring and compliance workflows and resources. This integration unlocks efficiency.

Understand the levels of security operations

Take the time to map out what you need and where you should go. Security operations has to be more than just monitoring events – there must be a structured program.

Foundational	Operational	Strategic
Intrusion Detection Management Active Device and Event Monitoring Log Collection and Retention Reporting and Escalation Management Incident Management Audit Compliance Vendor Management Ticketing Processes Packet Capture and Analysis SIEM Firewall Antivirus Patch Management	Event Analysis and Incident Triage Security Log Management Vulnerability Management Host Hardening Static Malware Analysis Identity and Access Management Change Management Endpoint Management Business Continuity Management Encryption Management Cloud Security (if applicable)	SIEM with Defined Use Cases Big Data Security Analytics Threat Intelligence Network Flow Analysis VPN Anomaly Detection Dynamic Malware Analysis Use-Case Management Feedback and Continuous Improvement Management Visualization and Dashboarding Knowledge Portal Ticket Documentation Advanced Threat Hunting Control and Process Automation eDiscovery and Forensics Risk Management
——Security Operations Capabilities—–›

Understand security operations: Establish a unified threat collaboration environment

Design and Implement a Vulnerability Management Program

Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address threats impacting the organization’s brand, operations, and technology infrastructure.

Managing incident escalation and response. Coordinating root-cause analysis and incident gathering. Facilitating post-incident lessons learned.		Managing system patching and risk acceptance. Conducting vulnerability assessment and penetration testing.
Monitoring in real-time and triaging of events. Escalating events to incident management team. Tuning and tweaking rules and reporting thresholds.		Gathering and analyzing external threat data. Liaising with peers, industry, and government. Publishing threat alerts, reports, and briefings.

Info-Tech Best Practice

Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.

Integrate Threat Intelligence Into Your Security Operations

Develop Foundational Security Operations Processes

Develop and Implement a Security Incident Management Program

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Table of Contents

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.