These are difficult times for sure, but times of uncertainty often present opportunities to reevaluate practices. For instance, the enforced work-at-home orders in many areas are an opportunity to enhance and improve security operations. COVID-19 may be an extraordinary case, but it’s certainly not the only event where security team members may not be able to get into the security operations center (SOC). Other disasters, such as fires, tornadoes or hurricanes, can also make it very difficult for staff to physically sit in the SOC. In times of turmoil when bad actors are looking to take advantage, the following are some practices to implement in the SOC to help ensure the continuation of remote operations.
Tip 1: Invest in LCD Screens for Remote SOC Staff
SOC work is very screen real estate-intensive, meaning these employees like their screens. Big screens, to be able to see a lot of data and a lot of applications at once, are considered essential. Fortunately, it’s not that expensive to get big screens today. If you know where to shop and aren’t looking for a lot of bells and whistles, 27” to 29” screens fall in the $200 to $300 range. When considering the alternative of not having SOC staff be able to work at all, this becomes a reasonable investment to get people back to work from their home.
In cases where purchasing big monitors isn’t possible, there are still ways to get more screen space. Consider using virtual screens. Both Windows and macOS have this functionality built in. macOS refers to it as full-screen applications, which users can swipe between. In Windows, users can create virtual desktops and can easily switch between them.
Tip 2: Address Data Access via Cloud-Based Models
The security information and event management (SIEM) system has become a focal point of a lot of security operations. Many SIEM vendors are moving to a cloud-based model where they host the infrastructure and access to the data is achieved through a web interface (which is how they work on premises anyway). As long as employees are using multi-factor authentication and the web interface has strong encryption in place, the exposure to the organization would be equivalent to someone using the corporate VPN for internal resource access, which should also be using multi-factor authentication and strong encryption. Other SOC applications and services have similar cloud-based models that many companies are using. The cloud-based model provides scalability, fault tolerance and geographic distribution, where those are of value. It may also ease provisioning access for surge support staff or temporary replacement staff if there is an increase in alert volume or the crisis in some way affects staff availability. These features can be essential in the case of a major incident.
Tip 3: Embrace Collaboration and Task Management Tools
Communication through an event is critical, and there are certainly a lot of people who believe face-to-face communication is essential. We are all principally virtual people in the technology space, though. We live with remote systems through web interfaces and email. There is no reason we can’t adapt to using virtual communications in these times of unrest. Modern communications systems such as Microsoft Teams or Slack provide more capabilities for collaboration and management than we’ve had in the past. Users can have a virtual whiteboard, a wiki, task management, polls and bots all available through the same interface, which generally makes sharing incident data, collaborating on further investigation and weighing response options faster and more efficient than face-to-face communication. Additionally, Office 365 users that conduct document management via SharePoint can use Teams as a way to get access to those documents easily, editing them in place as needed. The same is true of G Suite and others. Many organizations are already implementing these solutions within the SOC or across the business because of these advantages.
Tip 4: Take Proper Precautions to Secure Video Conferences
Video conferences are often considered the next best thing to being there in person, and they can be, but there are some potential security concerns about web and video conferencing. Attackers today are scanning through video conferencing setups, looking for meetings they can join. If an attacker is in an organization’s environment, they may be well-aware of how employees are communicating, which means they may attempt to jump into the SOC conference video chats to hear about ongoing investigations. Doing so could lead to the attacker learning about SOC investigations into their own activity, giving them a major edge in maintaining a presence on the network.
Always pay close attention to who is joining conferences. This can be a challenge if people are using their mobile phones for the audio connection. One way around this is to ensure people have the equipment they need to successfully join using their computer, where they are forced to authenticate—preferably with multi-factor authentication. For organizations that do allow employees to dial in, ensure some form of authentication is in place to verify the right people are joining. Someone should also be assigned the task of monitoring for new participants. Some conferencing software requires an authenticated user to allow admission to outside parties, such as dial-ins, which can also provide a degree of mitigation.
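The participant monitoring described above can be partly automated by auditing a meeting's join events against an expected roster. The following is an added example, not code from the original article or from any conferencing vendor: the log line format, the sample events, the roster and the severity labels are all constructed for illustration, and a real platform's participant report would need its own parser. The audit flags three conditions the tip calls out: dial-in joins (which cannot prove identity), participants who are not on the roster, and participants who authenticated without multi-factor authentication.

```python
"""Audit conference join events against an expected SOC attendee roster.

Added example; the key=value log format below is hypothetical and the
sample lines are constructed. Adapt parse_joins() to the participant
report your conferencing platform actually exports.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (hypothetical format).
SAMPLE_LOG = """\
2020-04-02T14:00:03Z meeting=soc-daily join participant=alice@example.com channel=app auth=mfa
2020-04-02T14:00:10Z meeting=soc-daily join participant=bob@example.com channel=app auth=mfa
2020-04-02T14:00:45Z meeting=soc-daily join participant=+15555550123 channel=dialin auth=none
2020-04-02T14:03:12Z meeting=soc-daily join participant=carol@example.com channel=app auth=password
2020-04-02T14:05:30Z meeting=soc-daily join participant=mallory@example.org channel=app auth=mfa
2020-04-02T14:06:00Z meeting=soc-daily leave participant=bob@example.com channel=app auth=mfa
"""

# Expected attendees for this meeting (constructed).
ROSTER = {"alice@example.com", "bob@example.com", "carol@example.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) meeting=(?P<meeting>\S+) (?P<event>join|leave) "
    r"participant=(?P<who>\S+) channel=(?P<channel>\S+) auth=(?P<auth>\S+)$"
)


@dataclass
class JoinEvent:
    ts: str
    meeting: str
    who: str
    channel: str
    auth: str


def parse_joins(log_text):
    """Return only the join events; leave events and unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("event") != "join":
            continue
        events.append(JoinEvent(m.group("ts"), m.group("meeting"), m.group("who"),
                                m.group("channel"), m.group("auth")))
    return events


def audit_joins(events, roster, required_auth=("mfa",)):
    """Return (severity, participant, reason) findings for the person watching the meeting.

    Order of checks matters: a dial-in is flagged regardless of the roster,
    because a phone number cannot prove who is on the line.
    """
    findings = []
    for e in events:
        if e.channel == "dialin":
            reason = ("dial-in participant without authentication" if e.auth == "none"
                      else "dial-in participant; verify identity")
            findings.append(("high", e.who, reason))
        elif e.who not in roster:
            findings.append(("high", e.who, "not on expected roster"))
        elif e.auth not in required_auth:
            findings.append(("medium", e.who, f"joined with {e.auth} instead of MFA"))
    return findings


if __name__ == "__main__":
    for severity, who, reason in audit_joins(parse_joins(SAMPLE_LOG), ROSTER):
        print(f"[{severity}] {who}: {reason}")
```

Run against the constructed sample, the audit reports the unauthenticated dial-in, Carol's password-only join and Mallory, who is not on the roster; Alice and Bob produce no findings. In practice the roster would come from the calendar invitation and the events from the platform's participant export, and the findings would be routed to whoever has been assigned to watch the meeting.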
Tip 5: Prepare by Taking Turns Remote Working During Otherwise Normal Operations
To ensure that staff and supporting technology are sufficiently prepared for remote security operations, it may be prudent to assign staff to occasionally work remote shifts during otherwise normal conditions. This allows SOC staff to confirm that they have the technology they need to work from home, so they can effectively and efficiently identify any gaps in advance of a sustained work-from-home situation. It also allows team members to grow and stay more accustomed to virtual collaboration using the aforementioned tools.
Overcoming some of the anxiety associated with adopting work-from-home tools and practices, without the added stress that a crisis brings, is beneficial. Additionally, including remote-work considerations as part of any tabletop exercise can be beneficial.
A security operations center should definitely be focused on security, but confidentiality and integrity are not all there is to consider. Availability needs to be a consideration as well, which means SOC analysts and engineers need to be able to perform their duties regardless of the circumstances. There are controls that can be put in place to allow essential SOC staff to remain functional and productive without exposing the essential details of incidents to the wider world. This includes multi-factor authentication, virtual private networks, secure cloud-hosted security capabilities, real-time collaboration solutions and, of course, strong encryption over all data transmissions. Embracing these techniques and solutions can allow the security organization to be more agile and responsive when incidents and natural disasters occur simultaneously.