©2020 by Indelible.

  • Frank Angiolelli

Using SOC to Enforce Policy & the 6 Benefits


Somewhere, hidden deep in the intersection of how and why, is the idea that a Security Operations Center is a business function that enforces policy. Maybe even beyond an idea, perhaps we could call it a business case?


For example, one can argue that malware detection and response is rooted in a policy allowing only authorized users to access organization systems. This case can also include a policy stating access must be controlled by authentication. Let’s throw on this policy pile “maintain confidentiality” and anything you’ve got on data protection.

Each policy element becomes a bacon, lettuce and tomato sandwich that tastes like a business case. Taking this a little further, together we can craft a new use for the SOC that the business will like too. Adding metaphorical fries on that BLT sandwich plate.


Born from the forge of Governance Risk and Compliance is the Policy – the “administrative control” or perhaps we might call it a “governance control”. An organization will then often travel the path between a governance control and a preventative, technical control. Somewhere along that path, usually closer to the start point, is the detective control – detecting a policy violation and acting on that.


If only there was an operation which maintains visibility and staffing to see what’s going on and can notify folks if policy is not being followed. What’s that you say… the Security Operations Center? Glad we have those folks (wink-wink, nudge-nudge).


Let’s look at a simple example of a policy stating that data transfer must be encrypted in transit. This is common indeed. There is a suite of protocols and ports that are natively unencrypted: FTP & telnet come immediately to mind.


What if, as one step, we utilize the SOC’s capabilities to detect traffic flowing on these typically unencrypted ports? What we detect is, ostensibly, a possible policy violation.
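One way to sketch that detection over flow records, as an added example that is not code from the original post. The CSV layout, the exception list and the asset-owner table are assumptions, and the sample flows are constructed.

```python
import csv
import io

# Protocols the post names as natively unencrypted; ports are their IANA defaults.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}
# Hypothetical approved exceptions, keyed by (source, destination, port).
EXCEPTIONS = {("10.1.4.20", "203.0.113.9", 21)}
# Hypothetical asset inventory: source address -> owning team.
ASSET_OWNERS = {"10.1.4.20": "finance-ops", "10.2.7.15": "plant-engineering"}

# Constructed flow records, not real traffic. The last row is deliberately malformed.
SAMPLE_FLOWS = """\
ts,src,dst,dst_port,proto,bytes
2020-06-01T09:00:02Z,10.1.4.20,203.0.113.9,21,tcp,18234
2020-06-01T09:05:41Z,10.2.7.15,10.9.0.3,23,tcp,912
2020-06-01T09:06:10Z,10.2.7.15,10.9.0.3,23,tcp,440
2020-06-01T09:07:55Z,10.3.3.8,198.51.100.4,21,tcp,5120
2020-06-01T09:08:12Z,10.1.4.20,198.51.100.7,443,tcp,88211
2020-06-01T09:09:30Z,10.3.3.8,10.9.0.3,n/a,tcp,0
"""


def find_cleartext_flows(flow_csv):
    """Group flows to cleartext ports by (src, dst, port) and triage each group."""
    groups = {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            port, size = int(row["dst_port"]), int(row["bytes"])
        except (KeyError, TypeError, ValueError):
            continue  # skip records the sensor wrote incompletely
        if row.get("proto") != "tcp" or port not in CLEARTEXT_PORTS:
            continue
        key = (row["src"], row["dst"], port)
        g = groups.setdefault(key, {
            "src": row["src"], "dst": row["dst"], "service": CLEARTEXT_PORTS[port],
            # An approved exception is still reported, so the exception stays visible.
            "status": "excepted" if key in EXCEPTIONS else "violation",
            # A missing owner is a finding too: there is nobody to notify yet.
            "owner": ASSET_OWNERS.get(row["src"], "UNKNOWN"),
            "flows": 0, "bytes": 0,
        })
        g["flows"] += 1
        g["bytes"] += size
    return [groups[k] for k in sorted(groups)]


if __name__ == "__main__":
    for g in find_cleartext_flows(SAMPLE_FLOWS):
        print("{status:9} {service:6} {src} -> {dst} owner={owner} "
              "flows={flows} bytes={bytes}".format(**g))
```

A port match only says the flow is a possible violation; whether the payload was encrypted before transit still has to be answered by the owner.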


What are the benefits of using a SOC in this way?


1. Cultural uplift


The detection and enforcement of policy encourages greater adherence to policy. This is particularly the case when the notification comes out very quickly.


2. Positive effect on velocity to improve security posture


We can move the dial fast with a low level of effort. Yes, some baseline activity may need to happen. Yes, organizational idiosyncrasies will be uncovered. Shameless plug - Indelible can help with this.


3. Cost effective capacity


A SOC can be used as a detective control for dozens or more security policies, all with a smaller investment to start than the thorough preventative control. It also backs up the controls to detect the edge cases… Unless the organization has no edge cases (COUGH chuckle COUGH).


4. Workflow development and continuous improvement


Using this approach fleshes out workflow development opportunities while any technical control project is at varying stages of preparation and execution. Once the thing is detected, who do you notify? What’s the asset? Who is the owner? It is possible that this information is not known and the archeology in advance of a preventative control is helpful. Applying Continuous Improvement to this identifies gaps.


Let’s keep going, we are on a roll.


5. Displace ambiguity through reality tests

Does this ever happen? Is this happening every day? In only one business unit? Does this only happen with one customer? Is there an exception for that? Are those files encrypted before transit?


6. This aligns GRC (Governance, Risk and Compliance), Customer Trust and the SOC


This is a systemic alignment with many latent benefits.

There has been more than one time that this author has deployed a detective control around policy, expecting it should never fire. Then that rule fired. And these may not be the only 6 benefits; your mileage may vary.


Because at the end of the day, one can argue that the Security Operations Center is a business function that enforces policy. In fact, that’s really what we are doing when we detect malware and web attacks anyway.