{"id":104827,"date":"2020-01-07T06:00:31","date_gmt":"2020-01-07T14:00:31","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=104827"},"modified":"2020-07-30T19:58:38","modified_gmt":"2020-07-31T02:58:38","slug":"cortex-security-operations","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/01\/cortex-security-operations\/","title":{"rendered":"The Six Pillars of Effective Security Operations"},"content":{"rendered":"<p><div style=\"max-width:100%\" data-width=\"602\"><span class=\"ar-custom\" style=\"padding-bottom:72.43%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"aligncenter size-full wp-image-104830 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/01\/image1.png\" alt=\"Elements of Security Operations, displayed in the fashion of the periodic table of the elements\" width=\"602\" height=\"436\" srcset=\"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/01\/image1.png 602w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/01\/image1-230x167.png 230w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/01\/image1-500x362.png 500w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/01\/image1-414x300.png 414w, https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/01\/image1-55x40.png 55w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/span><\/div><\/p>\n<p><span style=\"font-weight: 400;\">In our extensive work with security teams around the world, we\u2019ve seen the best and the worst security operations (SecOps) practices. 
Despite a wide range of cybersecurity strategies and investment levels, we\u2019ve found that most enterprise security programs have considerable room for improvement to better prevent, identify, investigate and mitigate threats with speed and confidence. Even mature Security Operations Centers (SOCs) commonly struggle with alert fatigue, staffing turnover, and complicated manual processes, all of which take away valuable time that they could be spending on investigations and process optimization.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The first step toward meaningful improvement is to take a step back and do an honest evaluation of how your security operations are structured and how they\u2019re serving your business goals. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">To help with this evaluation, we\u2019ve condensed the considerations that go into building efficient and scalable security operations into six fundamental pillars. Each of these pillars contains a number of building blocks that we describe in depth in our book, \u201c<\/span><a href=\"https:\/\/start.paloaltonetworks.com\/elements-of-security-operations.html\"><span style=\"font-weight: 400;\">Elements of Security Operations<\/span><\/a><span style=\"font-weight: 400;\">.\u201d By evaluating your security operations against each of these pillars and their building blocks, you can assess your capability gaps and evolve your security operations to provide better and faster prevention and remediation.\u00a0<\/span><\/p>\n<h2>1. Business<\/h2>\n<p><span style=\"font-weight: 400;\">The Business pillar defines the business objectives and management strategies of the security operations team. 
Business questions that must be answered:<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"> Mission: What are we doing?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Planning: How are we going to do it?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Governance: How are we going to manage what we are doing?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Staffing: Who do we need to do this?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Facility: Where are we going to do this?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Budget: What will it cost to do this?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Metrics: How will we know it is working effectively?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Reporting: How will we track activity and provide updates?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Collaboration: How will we communicate and track issues with the rest of the business?<\/span><\/li>\n<\/ul>\n<h2>2. People<\/h2>\n<p><span style=\"font-weight: 400;\">The People pillar defines the humans who will be accomplishing the goals of the security operations team and how they will be managed. Questions that must be answered:<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"> How will we find staff and train them to fulfill their roles?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> What will we do to retain them?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> How will we manage the workloads of the staff?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> How will we validate the efficacy of the actions of the staff?<\/span><\/li>\n<\/ul>\n<h2>3. Interfaces<\/h2>\n<p><span style=\"font-weight: 400;\">The Interfaces pillar defines what functions need to be involved to achieve the stated goals. Security operations is not a silo and needs to work with many other functions of the business. 
We describe each of these interactions as \u201cinterfaces,\u201d and these should be defined so expectations between groups are clearly stated. Each group will have different goals and motivations that, when understood, can help with team interactions. Identifying the scope of responsibility and separation of duties will also reduce friction within an organization. Questions that must be answered:<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"> What other functions of the business impact security operations?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> What other functions of the business does security operations impact?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> How will the security operations team work alongside these other functions?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Who has ownership of responsibilities and are there service-level agreements (SLAs) that need to be documented?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> At what interval will these interfaces be reviewed and updated?<\/span><span style=\"font-weight: 400;\">\u00a0<\/span><\/li>\n<\/ul>\n<h2>4. Visibility<\/h2>\n<p><span style=\"font-weight: 400;\">The Visibility pillar defines what information the SecOps function needs access to. This includes security and systems data, as well as knowledge management content and communications through collaboration tools. 
Questions that must be answered:<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"> What primary security data is needed?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> What contextual data is needed?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> How often does this data need to be refreshed?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> What knowledge base information needs to be accessed?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> How will the security operations team see activity in the SOC?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> How will external teams see activity in the SOC?<\/span><\/li>\n<\/ul>\n<h2>5. Technology<\/h2>\n<p><span style=\"font-weight: 400;\">The Technology pillar defines what is needed to provide the visibility the security operations organization requires. It is important to note that each element should not be thought of as a different tool but rather as a capability that should be achieved with the given technology stack. Technologies and capabilities change rapidly, so these are the most fluid elements of a security operations team.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There is a glut of siloed tools in the industry that leads to a variety of issues, including extensive vendor management, limited feature use, duplicate functionality, and sometimes, end-user degradation. We\u2019re seeing a shift, with organizations moving away from best-of-breed siloed tools toward platforms that provide the capabilities needed in the SOC without the need for installation and maintenance of different tools. 
Questions that must be answered:\u00a0<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"> What capabilities are required to achieve the necessary visibility?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> What technology will be used to provide these capabilities?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Who will be responsible for the licensing, implementation and maintenance of the technology?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> How will technology and content updates be requested and performed?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> What updates will be carried out automatically and at what interval?<\/span><\/li>\n<\/ul>\n<h2>6. Processes<\/h2>\n<p><span style=\"font-weight: 400;\">The Processes pillar defines the processes and procedures executed by the security operations organization to achieve the determined mission. Questions that must be answered:<\/span><\/p>\n<ul>\n<li><span style=\"font-weight: 400;\"> What processes need to be defined?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Where will the processes and procedures be documented?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> How will this documentation be accessed and socialized?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> Who will have responsibility for keeping this documentation updated?<\/span><\/li>\n<li><span style=\"font-weight: 400;\"> How often will the processes need to be reviewed and updated?<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">By answering the questions from each of the above pillars, you will have an outline to assist in the improvement of your SecOps functions. 
For additional analysis of the considerations that go into each of these questions, <\/span><a href=\"https:\/\/start.paloaltonetworks.com\/elements-of-security-operations.html\"><span style=\"font-weight: 400;\">download a free copy of our book, \"Elements of Security Operations<\/span><\/a><span style=\"font-weight: 400;\">.\"<\/span><\/p>\n<p><em>Watch for future posts in <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/tag\/elements-of-security-operations\/\">Kerry Matre's series<\/a> on \"Elements of Security Operations.\" Next up: \"<a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/01\/cortex-soc-metrics\/\">Do Your SOC Metrics Incentivize Bad Behavior?<\/a>\"<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Take a step back and do an honest evaluation of how your security operations are structured and how they\u2019re serving your business goals. <\/p>\n","protected":false},"author":432,"featured_media":104830,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6770],"tags":[6980,673],"coauthors":[4695],"class_list":["post-104827","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-future","tag-elements-of-security-operations","tag-security-operations-center","sec_ops_category-must-read-articles"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/01\/image1.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/104827","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href"
:"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/432"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=104827"}],"version-history":[{"count":9,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/104827\/revisions"}],"predecessor-version":[{"id":105690,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/104827\/revisions\/105690"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/104830"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=104827"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=104827"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=104827"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=104827"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}