10 Inside the security operations center

This chapter covers

  • Differentiating between logging and monitoring, applying our three concepts of cybersecurity
  • Working through some real-life security incidents, learning how to apply the observe, orient, decide, and act (OODA) loop and the three concepts to incidents
  • The different external intelligence data feeds we can use, how they work, and how they can be both beneficial and detrimental to our security capability

Visibility of security events gives defenders a head start on addressing security incidents and is the difference between reading the news and being in it. Our security operations capability is also the best view we have of how effective our IT (development, spend, and strategy) really is, and that view feeds back into our business strategy by showing where we should be investing more in technology.

Managing risk is about making informed decisions, and for that, we need actionable data, which is what a good security operations capability should provide. Let’s look at how we achieve this.

10.1 Know what’s happening: Logging and monitoring

There is no point in investing in security if we don’t have visibility into what’s happening across the organization. Without that visibility, we’re essentially throwing money at ghosts and scary noises in the night. To effectively know what’s happening, we need to put three things in place:

  • A security operations team
  • Relevant, proportional, and sustainable logging
  • Relevant, proportional, and sustainable monitoring
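To make the split between the second and third items concrete, the following is an added example (not code from the book): the logging side turns raw OpenSSH-style auth lines into structured records, and the monitoring side evaluates a rule over those records and raises an alert. The log lines, hostname, IP addresses, and the "five failures from one source within 60 seconds" threshold are all constructed for illustration; monitoring can only ever see what logging captured, so a rule like this is worthless if sshd auth events are not being collected in the first place.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample lines in the shape of OpenSSH syslog auth entries (not real data).
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:04 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:15:06 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:15:09 bastion sshd[2104]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Mar  3 10:15:11 bastion sshd[2105]: Failed password for alice from 203.0.113.7 port 51026 ssh2
Mar  3 10:15:40 bastion sshd[2106]: Accepted publickey for alice from 198.51.100.20 port 40022 ssh2
Mar  3 10:16:02 bastion sshd[2107]: Failed password for bob from 198.51.100.20 port 40023 ssh2
Mar  3 10:30:15 bastion sshd[2108]: Failed password for root from 203.0.113.7 port 51030 ssh2
"""

# Assumed line format: "<Mon> <day> <HH:MM:SS> <host> sshd[pid]: <Failed|Accepted> <method> for [invalid user] <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_log(text: str, year: int = 2024) -> List[Dict]:
    """Logging side: normalise raw syslog lines into structured records.

    Syslog lines carry no year, so one is supplied (assumed here).
    Lines that do not match are skipped; a production pipeline should count
    them, because a parse failure is itself a visibility gap.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                        "user": m["user"], "src": m["src"]})
    return records


def detect_bruteforce(records: List[Dict], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Monitoring side: alert when one source IP produces `threshold` failed
    logins inside a sliding `window`. Threshold and window are the
    'proportional' knobs: too low and the SOC drowns in noise, too high and
    a slow password spray never trips the rule.
    """
    alerts = []
    failures = defaultdict(list)   # src IP -> timestamps of recent failures
    alerted = set()                # one alert per source, not one per line
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["outcome"] != "Failed":
            continue
        recent = failures[r["src"]]
        recent.append(r["ts"])
        # Slide the window: forget failures older than `window`.
        while recent and r["ts"] - recent[0] > window:
            recent.pop(0)
        if len(recent) >= threshold and r["src"] not in alerted:
            alerts.append({"src": r["src"], "count": len(recent),
                           "first": recent[0], "last": r["ts"]})
            alerted.add(r["src"])
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(f"logged {len(events)} sshd events")
    for a in detect_bruteforce(events):
        print(f"ALERT: {a['count']} failed logins from {a['src']} "
              f"between {a['first'].time()} and {a['last'].time()}")
```

In the constructed sample only 203.0.113.7 trips the rule (five failures in ten seconds); its later failure at 10:30 falls outside the window and does not re-alert, and the single failure from 198.51.100.20 is logged but never becomes an alert. That is the distinction the chapter is drawing: logging records everything that happened, monitoring decides which of it a human needs to see.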

10.1.1 Logging

10.1.2 Monitoring

10.2 Dealing with attacks: Incident response

10.3 Keeping track of everything: Security information and event management

10.4 Gaining intelligence: Data feeds

Summary