INFO-TECH RESEARCH GROUP

Develop a Security Operations Strategy

Transition from a security operations center to a threat collaboration environment.

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2017 Info-Tech Research Group Inc.

ANALYST PERSPECTIVE

“A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Protect your assets by preparing for the inevitable; unify your prevention, detection, analysis, and response efforts and provide assurance to your stakeholders that you are making information security a top priority.”

Edward Gray,
Consulting Analyst, Security, Risk & Compliance
Info-Tech Research Group

Our understanding of the problem

Executive summary

Situation

• Current security practices are disjointed, operating independently with a wide variety of processes and tools to conduct incident response, network defense, and threat analysis. These disparate mitigations leave organizations vulnerable to the increasing number of malicious events.
• Threat management has become resource intensive, requiring continuous monitoring, collection, and analysis of massive volumes of security event data, while juggling business, compliance, and consumer obligations.

Complication

• There is an onslaught of security data – generating information in different formats, storing it in different places, and forwarding it to different locations.
• The organization lacks a dedicated enterprise security team. There is limited resourcing available to begin or mature a security operations center.
• Many organizations are developing ad hoc security capabilities that result in operational inefficiencies, the misalignment of resources, and the misuse of their security technology investments.
• It is difficult to communicate the value of a security operations program when trying to secure organizational buy-in to gain the appropriate resourcing.
• There is limited communication between security functions due to a centralized security operations organizational structure.

Resolution

• A unified security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes, addressing the increasing sophistication of cyberthreats, and guiding continuous improvement.
• This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.

Info-Tech Insight

1. Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
2. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives.
3. If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Data breaches are resulting in major costs across industries

Average data breach costs per compromised record hit an all-time high of $217 (in 2015); $74 is direct cost (e.g. legal fees, technology investment) and $143 is indirect cost (e.g. abnormal customer churn). (Source: Ponemon Institute, “2015 Cost of Data Breach Study: United States”)

(Source: The Network, “ Cisco 2017 Security Capabilities Benchmark Study”)

Persistent issues

• Organizational barriers separating prevention, detection, analysis, and response efforts.
  Siloed operations limit collaboration and internal knowledge sharing.
• Lack of knowledgeable security staff.
  Human capital is transferrable between roles and functions and must be cross-trained to wear multiple hats.
• Failure to evaluate and improve security operations.
  The effectiveness of operations must be frequently measured and (re)assessed through an iterative system of continuous improvement.
• Lack of standardization.
  Pre-established use cases and policies outlining tier-1 operational efforts will eliminate ad hoc remediation efforts and streamline operations.
• Failure to acknowledge the auditor as a customer.
  Many compliance and regulatory obligations require organizations to have comprehensive documentation of their security operations practices.

60% Of organizations say security operation teams have little understanding of each other’s requirements.

40% Of executives report that poor coordination leads to excessive labor and IT operational costs.

38-100% Increase in efficiency after closing operational gaps with collaboration.
(Source: Forbes, “The Game Plan for Closing the SecOps Gap”)

The solution

“Empower a few administrators with the best information to enable fast, automated responses.” – Ismael Valenzuela, IR/Forensics Technical Practice Manager, Foundstone® Services, Intel Security) Insufficient security personnel resourcing has been identified as the most prevalent challenge in security operations… When an emergency security incident strikes, weak collaboration and poor coordination among critical business functions will magnify inefficiencies in the incident response (IR) process, impacting the organization’s ability to minimize damage and downtime. The solution: optimize your SOC. Info-Tech has seen SOCs with five analysts outperform SOCs with 25 analysts through tools and process optimization. Sources: Ponemon. "2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).” Syngress. Designing and Building a Security Operations Center.

Maintain a holistic security operations program

Legacy security operations centers (SOCs) fail to address gaps between data sources, network controls, and human capital. There is limited visibility and collaboration between departments, resulting in siloed decisions that do not support the best interests of the organization.
Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address cyberthreats affecting the organization’s brand, business operations, and technology infrastructure on a daily basis.	Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Diligent patching and vulnerability management, endpoint protection, and strong human-centric security (amongst other tactics) are essential.	Detect: There are two types of companies – those who have been breached and know it and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs
	Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.	Respond: Organizations can’t rely on an ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook in order to reduce incident remediation time and effort.

Info-Tech’s security operations blueprint ties together various initiatives

Design and Implement a Vulnerability Management Program	Vulnerability Management Vulnerability management revolves around the identification, prioritization, and remediation of vulnerabilities. Vulnerability management teams hunt to identify which vulnerabilities need patching and remediating.	Deliverables Vulnerability Tracking Tool Vulnerability Scanning Tool RFP Template Penetration Test RFP Template Vulnerability Mitigation Process Template
Integrate Threat Intelligence Into Your Security Operations	Threat Intelligence Threat intelligence addresses the collection, analysis, and dissemination of external threat data. Analysts act as liaisons to their peers, publishing actionable threat alerts, reports, and briefings. Threat intelligence proactively monitors and identifies whether threat indicators are impacting your organization.	Maturity Assessment Tool Threat Intelligence RACI Tool Management Plan Template Threat Intelligence Policy Template Alert Template Alert and Briefing Cadence Schedule
Develop Foundational Security Operations Processes	Operations Security operations include the real-time monitoring and analysis of events based on the correlation of internal and external data sources. This also includes incident escalation based on impact. Analysts are constantly tuning and tweaking rules and reporting thresholds to further help identify which indicators are most impactful during the analysis phase of operations.	Maturity Assessment Tool Event Prioritization Tool Efficiency Calculator SecOps Policy Template In-House vs. Outsourcing Decision-Making Tool SecOps RACI Tool TCO & ROI Comparison Calculator
Develop and Implement a Security Incident Management Program	Incident Response Effective and efficient management of incidents involves a formal process of analysis, containment, eradication, recovery, and post-incident activities. IR teams coordinate root-cause analysis and incident gathering while facilitating post-incident lessons learned. Incident response can provide valuable threat data that ties specific indicators to threat actors or campaigns.	Incident Management Policy Maturity Assessment Tool Incident Management RACI Tool Incident Management Plan Incident Runbook Prioritization Tool Various Incident Management Runbooks

This blueprint will…

…better protect your organization with an interdependent and collaborative security operations program.

Info-Tech integrates several best practices to create a best-of-breed security framework

Benefits of a collaborative and integrated operations program

Understand the cost of not having a suitable security operations program

A practical approach, justifying the value of security operations, is to identify the assets at risk and calculate the cost to the company should the information assets be compromised (i.e. assess the damage an attacker could do to the business).

Workshop Overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Develop a Security Operations Strategy

PHASE 1

Assess Operational Requirements

This step will walk you through the following activities:

• Determine why you need a sound security operations program.
• Understand Info-Tech’s threat collaboration environment.
• Evaluate your current security operation’s functions and capabilities.

Outcomes of this step

• A defined scope and motive for completing this project.
• Insight into your current security operations capabilities.
• A prioritized list of security operations initiatives based on maturity level.

Info-Tech Insight

Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.

Warm-up exercise: Why build a security operations program?

Estimated time to completion: 30 minutes

Info-Tech Best Practice

Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected.

Decentralizing the SOC: Security as a function

Before you begin, remember that no two security operation programs are the same. While the end goal may be similar, the threat landscape, risk tolerance, and organizational requirements will differ from any other SOC. Determine what your DNA looks like before you begin to protect it.

Security operations must provide several fundamental functions: Real-time monitoring, detecting, and triaging of data from both internal and external sources. In-depth analysis of indicators and incidents, leveraging malware analysis, correlation and rule tweaking, and forensics and eDiscovery techniques. Network/host scanning and vulnerability patch management. Incident response, remediation, and reporting. Security operations must disseminate appropriate information/intelligence to relevant stakeholders. Comprehensive logging and ticketing capabilities that document and communicate events throughout the threat collaboration environment. Tuning and tweaking of technologies to ingest collected data and enhance the analysis process. Enhance overall organizational situational awareness by reporting on security trends, escalating incidents, and sharing adversary tools, tactics, and procedures.

At its core, a security operations program is responsible for the prevention, detection, analysis, and response of security events.

Optimized security operations can seamlessly integrate threat and incident management processes with monitoring and compliance workflows and resources. This integration unlocks efficiency.

Understand the levels of security operations

Take the time to map out what you need and where you should go. Security operations has to be more than just monitoring events – there must be a structured program.

Foundational		Operational		Strategic
Intrusion Detection Management Active Device and Event Monitoring Log Collection and Retention Reporting and Escalation Management Incident Management Audit Compliance Vendor Management Ticketing Processes Packet Capture and Analysis SIEM Firewall Antivirus Patch Management		Event Analysis and Incident Triage Security Log Management Vulnerability Management Host Hardening Static Malware Analysis Identity and Access Management Change Management Endpoint Management Business Continuity Management Encryption Management Cloud Security (if applicable)		SIEM with Defined Use Cases Big Data Security Analytics Threat Intelligence Network Flow Analysis VPN Anomaly Detection Dynamic Malware Analysis Use-Case Management Feedback and Continuous Improvement Management Visualization and Dashboarding Knowledge Portal Ticket Documentation Advanced Threat Hunting Control and Process Automation eDiscovery and Forensics Risk Management
——Security Operations Capabilities—–›

Understand security operations: Establish a unified threat collaboration environment

Design and Implement a Vulnerability Management Program	Security operations is part of what Info-Tech calls a threat collaboration environment, where members must actively collaborate to address threats impacting the organization’s brand, operations, and technology infrastructure. Managing incident escalation and response. Coordinating root-cause analysis and incident gathering. Facilitating post-incident lessons learned. Managing system patching and risk acceptance. Conducting vulnerability assessment and penetration testing. Monitoring in real-time and triaging of events. Escalating events to incident management team. Tuning and tweaking rules and reporting thresholds. Gathering and analyzing external threat data. Liaising with peers, industry, and government. Publishing threat alerts, reports, and briefings. Info-Tech Best Practice Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next.
Integrate Threat Intelligence Into Your Security Operations
Develop Foundational Security Operations Processes
Develop and Implement a Security Incident Management Program

The threat collaboration environment is comprised of three core elements

Info-Tech Insight

The value of a SOC can be achieved with fewer prerequisites than you think. While it is difficult to cut back on process and technology requirements, human capital is transferrable between roles and functions and can be cross-trained to satisfy operational gaps.

	People. Effective human capital is fundamental to establishing an efficient security operations program, and if enabled correctly, can be the driving factor behind successful process optimization. Ensure you address several critical human capital components: Who is responsible for each respective threat collaboration environment function? What are the required operational roles, responsibilities, and competencies for each employee? Are there formalized training procedures to onboard new employees? Is there an established knowledge transfer and management program?
	Processes. Formal and informal mechanisms that bridge security throughout the collaboration environment and organization at large. Ask yourself: Are there defined runbooks that clearly outline critical operational procedures and guidelines? Is there a defined escalation protocol to transfer knowledge and share threats internally? Is there a defined reporting procedure to share intelligence externally? Are there formal and accessible policies for each respective security operations function? Is there a defined measurement program to report on the performance of security operations? Is there a continuous improvement program in place for all security operations functions? Is there a defined operational vendor management program?
	Technology. The composition of all infrastructure, systems, controls, and tools that enable processes and people to operate and collaborate more efficiently. Determine: Are the appropriate controls implemented to effectively prevent, detect, analyze, and remediate threats? Is each control documented with an assigned asset owner? Can a solution integrate with existing controls? If so, to what extent? Is there a centralized log aggregation tool such as a SIEM? What is the operational cost to effectively manage each control? Is the control the most up-to-date version? Have the most recent patches and configuration changes been applied? Can it be consolidated with or replaced by another control?

Conduct a preliminary maturity assessment before tackling this project

Design and Implement a Vulnerability Management Program	At a high level, assess your organization’s operational maturity in each of the threat collaboration environment functions. Determine whether the foundational processes exist in order to mature and streamline your security operations.
Integrate Threat Intelligence Into Your Security Operations
Develop Foundational Security Operations Processes
Develop and Implement a Security Incident Management Program

Assess the current maturity of your security operations program

	Prioritize the component most important to the development of your security operations program.
Each “security capability” covers a component of the overarching “security function.”	Assign a current and target maturity score to each respective security capability. (Note: The CMMI maturity scores are further explained on the following slide.)	Document any/all comments for future Info-Tech analyst discussions.

Assign each security capability a reflective and desired maturity score.

	Ad Hoc
	1		Initial/Ad Hoc: Activity is not well defined and is ad hoc, e.g. no formal roles or responsibilities exist, de facto standards are followed on an individual-by-individual basis.
	2		Developing: Activity is established and there is moderate adherence to its execution, e.g. while no formal policies have been documented, content management is occurring implicitly or on an individual-by-individual basis.
	3		Defined: Activity is formally established, documented, repeatable, and integrated with other phases of the process, e.g. roles and responsibilities have been defined and documented in an accessible policy, however, metrics are not actively monitored and managed.
	4		Managed and Measurable: Activity execution is tracked by gathering qualitative and quantitative feedback, e.g. metrics have been established to monitor the effectiveness of tier-1 SOC analysts.
	5		Optimized: Qualitative and quantitative feedback is used to continually improve the execution of the activity, e.g. the organization is an industry leader in the respective field; research and development efforts are allocated in order to continuously explore more efficient methods of accomplishing the task at hand.
	Optimized

Notes: Info-Tech seldom sees a client achieve a CMMI score of 4 or 5. To achieve a state of optimization there must be a subsequent trade-off elsewhere. As such, we recommend that organizations strive for a CMMI score of 3 or 4.

Ensure that your threat collaboration environment is of a sufficient maturity before progressing

Review the report cards for each of the respective threat collaboration environment functions. A green function indicates that you have exceeded the operational requirements to proceed with the security operations initiative. A yellow function indicates that your maturity score is below the recommended threshold; Info-Tech advises revisiting the attached blueprint. In the instance of a one-off case, the client can proceed with this security operations initiative. A red function indicates that your maturity score is well below the recommended threshold; Info-Tech strongly advises to not proceed with the security operations initiative. Revisit the recommended blueprint and further mature the specific function.

Are you ready to move on to the next phase?

Self-Assessment Questions

• Have you clearly defined the rationale for refining your security operations program?
• Have you clearly defined and prioritized the goals and outcomes of optimizing your security operations program?
• Have you assessed your respective people, process, and technological capabilities?
• Have you completed the Security Operations Preliminary Maturity Assessment Tool?
• Were all threat collaboration environment functions of a sufficient maturity level?

If you answered “yes” to the questions, then you are ready to move on to Phase 2: Develop Maturity Initiatives

Develop a Security Operations Strategy

PHASE 2

Develop Maturity Initiatives

This step will walk you through the following activities:

• Establish your goals, obligations, scope, and boundaries.
• Assess your current state and define a target state.
• Develop and prioritize gap initiatives.
• Define cost, effort, alignment, and security benefit of each initiative.
• Develop a security strategy operational roadmap.

Outcomes of this step

• A formalized understanding of your business, customer, and regulatory obligations.
• A comprehensive current and target state assessment.
• A succinct and consolidated list of gap initiatives that will collectively achieve your target state.
• A formally documented set of estimated priority variables (cost, effort, business alignment).
• A fully prioritized security roadmap that is in alignment with business goals and informed by the organization’s needs and limitations.

Info-Tech Insight

Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives

Align your security operations program with corporate goals and obligations

A common challenge for security leaders is learning to express their initiatives in terms that are meaningful to business executives.

Info-Tech Best Practice

Developing a security operations strategy is a proactive activity that enables you to get in front of any upcoming business projects or industry trends rather than having to respond reactively later on. Consider as many foreseeable variables as possible!

Determine your security operations program scope and boundaries

It is important to define all security-related areas of responsibility. Upon completion you should clearly understand what you are trying to secure.

This also includes what is not within scope. For some outsourced services or locations you may not be responsible for security. For some business departments you may not have control of security processes. Ensure that it is made explicit at the outset, what will be included and what will be excluded from security considerations.

Reference Info-Tech’s security strategy: goals, obligations, and scope activities

Explicitly understanding how security aligns with the core business mission is critical for having a strategic plan and fulfilling the role of business enabler.

Download and complete the information security goals, obligations and scope activities (Section 1.3) within the Info-Tech security strategy research publication. If previously completed, take the time to review your results. GOALS and OBLIGATIONS Proceed through each slide and brainstorm the ways that security operations supports business, customer, and compliance needs.

Goals & Obligations

PROGRAM SCOPE & BOUNDARIES Assess your current organizational environment. Document current IT systems, critical data, physical environments, and departmental divisions. If a well-defined corporate strategy does not exist, these questions can help pinpoint objectives: What is the message being delivered by the CEO? What are the main themes of investments and projects? What are the senior leaders measured on?

Program Scope & Boundaries

INFO-TECH OPPORTUNITY

For more information on how to complete the goals & obligations activity please reference Section 1.3 of Info-Tech’s Build an Information Security Strategy blueprint.

Complete the Information Security Requirements Gathering Tool

On tab 1. Goals and Obligations: Document all business, customer, and compliance obligations. Ensure that each item is reflective of the over-arching business strategy and is not security focused. In the second column, identify the corresponding security initiative that supports the obligation.
On tab 2. Scope and Boundaries: Record all details for what is in and out of scope from physical, IT, organizational, and data perspectives. Complete the affiliated columns for a comprehensive scope assessment. As a discussion guide, refer to the considerations slides prior to this in phase 1.3.
For the purpose of this security operations initiative please IGNORE the risk tolerance activities on tab 3.

Info-Tech Best Practice

A common challenge for security leaders is expressing their initiatives in terms that are meaningful to business executives. This exercise helps make explicit the link between what the business cares about and what security is trying to do.

Conduct a comprehensive security operations maturity assessment

The following slides will walk you through the process below.

Info-Tech Insight

Progressive improvements provide the most value to IT and your organization. Leaping from pre-foundation to complete optimization is an ineffective goal. Systematic improvements to your security performance delivers value to your organization, each step along the way.

Optimize your security operations workflow

Info-Tech consulted various industry experts and consolidated their optimization advice.

Self-assess your current-state capabilities and determine the appropriate target state

Info-Tech Best Practice

When customizing your gap initiatives consider your organizational requirements and scope while remaining realistic. Below is an example of lofty vs. realistic initiatives:
Lofty: Perform thorough, manual security analysis. Realistic: Leverage our SIEM platform to perform more automated security analysis through the use of log information.

Consolidate related gap initiatives to simplify and streamline your roadmap

Identify areas of commonality between gap initiative in order to effectively and efficiently implement your new initiatives.

1. After reviewing and documenting initiatives for each security control, begin sorting controls by commonality, where resources can be shared, or similar end goals and actions. Begin by copying all initiatives from tab 2. Current State Assessment into tab 5. Initiative List of the Security Operations Maturity Assessment Tool and then consolidating them.

Initiatives		Consolidated Initiatives
Document data classification and handling in AUP	—›	Document data classification and handling in AUP	Keep urgent or exceptional initiatives separate so they can be addressed appropriately.
Document removable media in AUP	—›	Define and document an Acceptable Use Policy	Other similar or related initiatives can be consolidated into one item.
Document BYOD and mobile devices in AUP	—›
Document company assets in Acceptable Use Policy (AUP)	—›



2. Review grouped initiatives and identify specific initiatives should be broken out and defined separately.
3. Record your consolidated gap initiatives in the Security Operations Maturity Assessment Tool, tab 6. Initiative Prioritization.

Understand your organizational maturity gap

After inputting your current and target scores and defining your gap initiatives in tab 2, review tab 3. Current Maturity and tab 4. Maturity Gap in Info-Tech’s Security Operations Maturity Assessment Tool. Automatically built charts and tables provide a clear visualization of your current maturity. Presenting these figures to stakeholders and management can help visually draw attention to high-priority areas and contextualize the gap initiatives for which you will be seeking support.

Info-Tech Best Practice

Communicate the value of future security projects to stakeholders by copying relevant charts and tables into an executive stakeholder communication presentation (ask an Info-Tech representative for further information).

Define cost, effort, alignment, and security benefit

Define low, medium, and high resource allocation, and other variables for your gap initiatives in the Concept of Operations Maturity Assessment Tool. These variables include: Define initial cost. One-time, upfront capital investments. The low cut-off would be a project that can be approved with little to no oversight. Whereas the high cut-off would be a project that requires a major approval or a formal capital investment request. Initial cost covers items such as appliance cost, installation, project based consulting fees, etc. Define ongoing cost. This includes any annually recurring operating expenses that are new budgetary costs, e.g. licensing or rental costs. Do not account for FTE employee costs. Generally speaking you can take 20-25% of initial cost as ongoing cost for maintenance and service. Define initial staffing in hours. This is total time in hours required to complete a project. Note: It is not total elapsed time, but dedicated time. Consider time required to research, document, implement, review, set up, fine tune, etc. Consider all staff hours required (2 staff at 8 hours means 16 hours total). Define ongoing staffing in hours. This is the ongoing average hours per week required to support that initiative. This covers all operations, maintenance, review, and support for the initiative. Some initiatives will have a week time commitment (e.g. perform a vulnerability scan using our tool once a week) versus others that may have monthly, quarterly, or annual time commitments that need to averaged out per week (e.g. perform annual security review requiring 0.4 hours/week (20 hours total based on 50 working weeks per year).

Info-Tech Best Practice When considering these parameters, aim to use already existing resource allocations. For example, if there is a dollar value that would require you to seek approval for an expense, this might be the difference between a medium and a high cost category.

Define cost, effort, alignment, and security benefit

Define Alignment with Business. This variable is meant to capture how well the gap initiative aligns with organizational goals and objectives. For example, something with high alignment usually can be tied to a specific organization initiative and will receive senior management support. You can either: Set low, medium, and high based on levels of support the organization will provide (e.g. High – senior management support, Medium – VP/business unit head support, IT support only) Attribute specific corporate goals or initiatives to the gap initiative (e.g. High – directly supports a customer requirement/key contract requirement; Medium – indirectly support customer requirement/key contract OR enables remote workforce; Low – security best practice). Define Security Benefit. This variable is meant to capture the relative security benefit or risk reduction being provided by the gap initiative. This can be represented through a variety of factors, such as: Reduces compliance or regulatory risk by meeting a control requirement Reduces availability and operational risk Implements a non-existent control Secures high-criticality data Secures at-risk end users

Info-Tech Best Practice Make sure you consider the value of AND/OR. For either alignment with business or security benefit, the use of AND/OR can become useful thresholds to rank similar importance but different value initiatives. Example: with alignment with business, an initiative can indirectly support a key compliance requirement OR meet a key corporate goal.

Info-Tech Insight

You cannot do everything – and you probably wouldn’t want to. Make educated decisions about which projects are most important and why.

Apply your variable criteria to your initiatives

A financial services organization defined its target security state and created an execution plan

Review your prioritized security roadmap

Review the final Gantt chart to review the expected start and end dates for your security initiatives as part of your roadmap.

In the Gantt chart, go through each wave in sequence and determine the planned start date and planned duration for each gap initiative. As you populate the planned start dates, take into consideration the resource constraints or dependencies for each project. Go back and revise the granular execution wave to resolve any conflicts you find.

Review considerations Does this roadmap make sense for our organization? Do we focus too much on one quarter over others? Will the business be going through any significant changes during the upcoming years that will directly impact this project?	This is a living management document You can use the same process on a per-case basis to decide where this new project falls in the priority list, and then add it to your Gantt chart. As you make progress, check items off of the list, and periodically use this chart to retroactively update your progress towards achieving your overall target state.

Consult an Info-Tech Analyst

To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Onsite workshops offer an easy way to accelerate your project. If a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to successfully complete your project.	TJ Minichillo Senior Director – Security, Risk & Compliance Info-Tech Research Group Edward Gray Consulting Analyst – Security, Risk & Compliance Info-Tech Research Group Celine Gravelines Research Manager – Security, Risk & Compliance Info-Tech Research Group
If you are not communicating, then you are not secure.

Call 1-888-670-8889 or email workshops@infotech.com for more information.

Are you ready to move on to the next phase?

Self-Assessment Questions

• Have you identified your organization’s corporate goals along with your obligations?
• Have you defined the scope and boundaries of your security program?
• Have you determined your organization’s risk tolerance level?
• Have you considered threat types your organization may face?
• Are the above answers documented in the Security Requirements Gathering Tool?
• Have you defined your maturity for both your current and target state?
• Do you have clearly defined initiatives that would bridge the gap between your current and target state?
• Are each of the initiatives independent, specific, and relevant to the associated control?
• Have you indicated any dependencies between your initiatives?
• Have you consolidated your gap initiatives?
• Have you defined the parameters for each of the prioritization variables (cost, effort, alignment, and security benefit)?
• Have you applied prioritization parameters to each consolidated initiative?
• Have you recorded your final prioritized roadmap in the Gantt chart tab?
• Have you reviewed your final Gantt chart to ensure it aligns to your security requirements?

If you answered “yes” to the questions, then you are ready to move on to Phase 3: Define Operational Interdependencies

Develop a Security Operations Strategy

PHASE 3

Define Operational Interdependencies

This step will walk you through the following activities:

• Understand the current security operations process flow.
• Define the security operations stakeholders and their respective deliverables.
• Formalize an internal information sharing and collaboration plan.

Outcomes of this step

• A formalized security operations interaction agreement.
• A security operations service and product catalog.
• A structured operations collection plan.

Info-Tech Insight

If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Tie everything together with collaboration

If you are not communicating, you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.

Info-Tech Best Practice

Simple collaborative activities, such as a biweekly meeting, can unite prevention, detection, analysis, and response teams to help prevent siloed decision making.

Understand the security operations process flow

Process standardization and automation is critical to the effectiveness of security operations.

Document your security operations’ capabilities and tasks

Document your security operations’ functional capabilities and operational tasks to satisfy each capability.	What resources will you leverage to complete the specific task/capability? Identify your internal and external collection sources to satisfy the individual requirement.	Identify the affiliated product, service, or output generated from the task/capability.	Determine your escalation protocol. Who are the stakeholders you will be sharing this information with?
Capabilities The major responsibilities of a specific function. These are the high-level processes that are expected to be completed by the affiliated employees and/or stakeholders.		Tasks The specific and granular tasks that need to be completed in order to satisfy a portion of or the entire capability.

Download Info-Tech’s Security Operations RACI Chart & Program Plan.

Convert your results into actionable process flowcharts

Map each functional task or capability into a visual process-flow diagram.

The title should reflect the respective capability and product output. List all involved stakeholders (inputs and threat escalation protocol) along the left side. Ensure all relevant security control inputs are documented within the body of the process-flow diagram. Map out the respective processes in order to achieve the desired outcome. Segment each process within its own icon and tie that back to the respective input.

Title: Output #1

Download Info-Tech’s Security Operations RACI Chart & Program Plan.

Formalize the opportunities for collaboration within your security operations program

Security Operations Collaboration Plan

Security operations provides a single pane of glass through which the threat collaboration environment can manage its operations.

How to customize The security operations interaction agreement identifies opportunities for optimization through collaboration and cross-training. The document is composed of several components: Security operations program scope and objectives Operational capabilities and outputs on a per function basis A needs and requirements collection plan Escalation protocol and respective information-sharing guidance (i.e. a detailed cadence schedule) A security operations RACI chart

Info-Tech Best Practice

Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment.

Assign responsibilities for the threat management process

Security Operations RACI Chart & Program Plan

Formally documenting roles and responsibilities helps to hold those accountable and creates awareness as to everyone’s involvement in various tasks.

How to customize Customize the header fields with applicable stakeholders. Identify stakeholders that are: Responsible: The person(s) who does the work to accomplish the activity; they have been tasked with completing the activity and/or getting a decision made. Accountable: The person(s) who is accountable for the completion of the activity. Ideally, this is a single person and is often an executive or program sponsor. Consulted: The person(s) who provides information. This is usually several people, typically called subject matter experts (SMEs). Informed: The person(s) who is updated on progress. These are resources that are affected by the outcome of the activities and need to be kept up to date.

Download Info-Tech’s Security Operations RACI Chart & Program Plan.

Identify security operations consumers and their respective needs and requirements

Ensure your security operations program is constantly working toward satisfying a consumer need or requirement.

Info-Tech Best Practice

“In order to support a healthy constituency, network operations and security operations should be viewed as equal partners, rather than one subordinate to the other.” (Mitre world-class CISO)

Define the stakeholders, their respective outputs, and the underlying need

Security Operations Program Service & Product Catalog

Create an informal security operations program service and product catalog. Work your way backwards – map each deliverable to the respective stakeholders and functions.

Action/Output		Frequency			Stakeholders/Function
Document the key services and outputs produced by the security operations program. For example: Real-time monitoring Event analysis and incident coordination Malware analysis External information sharing Published alerts, reports, and briefings Metrics		Define the frequency for which each deliverable or service is produced or conducted. Leverage this activity to establish a state of accountability within your threat collaboration environment.			Identify the stakeholders or groups affiliated with each output. Remember to include potential MSSPs. Vulnerability Management Threat Intelligence Tier 1, 2, and 3 Analysts Incident Response MSSP Network Operations
Remember to include any target-state outputs or services identified in the maturity assessment.			Use this exercise as an opportunity to organize your security operations outputs and services.

Info-Tech Best Practice

Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment.

Internal information sharing helps to focus operational efforts

Organizations must share information internally and through secure external information sharing and analysis centers (ISACs).

Ensure information is shared in a format that relates to the particular end user. Internal consumers fall into two categories:

• Strategic Users — Intelligence enables strategic stakeholders to better understand security trends, minimize risk, and make more educated and informed decisions. The strategic intelligence user often lacks technical security knowledge; bridge the communication gap between security and non-technical decision makers by clearly communicating the underlying value and benefits.
• Operational Users — Operational users integrate information and indicators directly into their daily operations and as a result have more in-depth knowledge of the technical terms. Reports help to identify escalated alerts that are part of a bigger campaign, provide attribution and context to attacks, identify systems that have been compromised, block malicious URLs or malware signatures in firewalls, IDPS systems, and other gateway products, identify patches, reduce the number of incidents, etc.

Define the routine of your security operations program in a detailed cadence schedule

Security Operations Program Cadence Schedule Template

Design your meetings around your security operations program’s outputs and capabilities

How to customize Don’t operate in a silo. Formalize a cadence schedule to develop a state of accountability, share information across the organization, and discuss relevant trends. A detailed cadence schedule should include the following: Activity, output, or topic being discussed. Participants and stakeholders involved. Value and purpose of meeting. Duration and frequency of each meeting. Investment per participant per meeting.

Info-Tech Best Practice

Schedule regular meetings composed of key members from different working groups to discuss concerns, share goals, and communicate operational processes pertaining to their specific roles.

Apply a strategic lens to your security operations program

Frame the importance of optimizing the security operations program to align with that of the decision makers’ overarching strategy.

Strategies

1. Bridge the communication gap between security and non-technical decision makers. Communicate concisely in business-friendly terms.
2. Quantify the ROI for the given project.
3. Educate stakeholders – if stakeholders do not understand what a security operations program encompasses, it will be hard for them to champion the initiative.
4. Communicate the implications, value, and benefits of a security operations program.
5. Frame the opportunity as a competitive advantage, e.g. proactive security measures as a client acquisition strategy.
6. Address the increasing prevalence of threat actors. Use objective data to demonstrate the impact, e.g. through case studies, recent media headlines, or statistics.

(Source: iSIGHT, “ Definitive Guide to Threat Intelligence”)

Info-Tech Best Practice

Refrain from using scare tactics such as fear, uncertainty, and doubt (FUD). While this may be a short-term solution, it limits the longevity of your operations as senior management is not truly invested in the initiative.

Example: Align your strategic needs with that of management.

Identify assets of value, current weak security measures, and potential adversaries. Demonstrate how an optimized security operations program can mitigate those threats.

Develop a comprehensive measurement program to evaluate the effectiveness of your security operations

Info-Tech Best Practice Operational metrics have limited value beyond security operations – when communicating to management, focus on metrics that are actionable from a business perspective.

Download Info-Tech’s Security Operations Metrics Summary Document.

Identify the triggers for continual improvement

Continual Improvement

• Audits: Check for performance requirements in order to pass major audits.
• Assessments: Variances in efficiency or effectiveness of metrics when compared to the industry standard.
• Process maturity: Opportunity to increase efficiency of services and processes.
• Management reviews: Routine reviews that reveal gaps.
• Technology advances: For example, new security architecture/controls have been released.
• Regulations: Compliance to new or changed regulations.
• New staff or technology: Disruptive technology or new skills that allow for improvement.

Conduct tabletop exercises with Info-Tech’s onsite workshop

Leverage Info-Tech’s Security Operations Tabletop Exercise to guide simulations to validate your operational procedures. How to customize Use the templates to document actions and actors. For each new injection, spend three minutes discussing the response as a group. Then spend two minutes documenting each role’s contribution to the response. After the time limit, proceed to the following injection scenario. Review the responses only after completing the entire exercise.

This tabletop exercise is available through an onsite workshop as we can help establish and design a tabletop capability for your organization.

Are you ready to implement your security operations program?

Self-Assessment Questions

• Is there a formalized security operations collaboration plan?
• Are all key stakeholders documented and acknowledged?
• Have you defined your strategic needs and requirements in a formalized collection plan?
• Is there an established channel for management to communicate needs and requirements to the security operation leaders?
• Are all program outputs documented and communicated?
• Is there an accessible, centralized portal or dashboard that actively aggregates and communicates key information?
• Is there a formalized threat escalation protocol in order to facilitate both internal and external information sharing?
• Does your organization actively participate in external information sharing through the use of ISACs?
• Does your organization actively produce reports, alerts, products, etc. that feed into and influence the output of other functions’ operations?
• Have you assigned program responsibilities in a detailed RACI chart?
• Is there a structured cadence schedule for key stakeholders to actively communicate and share information?
• Have you developed a structured measurement program on a per function basis?
• Now that you have constructed your ideal security operations program strategy, revisit the question “Are you answering all of your objectives?”

If you answered “yes” to the questions, then you are ready to implement your security operations program.

Summary

Insights Security operations is no longer a center, but a process. The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape. Functional threat intelligence is a prerequisite for effective security operations – without it, security operations will be inefficient and redundant. Eliminate false positives by contextualizing threat data, aligning intelligence with business objectives, and building processes to satisfy those objectives If you are not communicating, then you are not secure. Collaboration eliminates siloed decisions by connecting people, processes, and technologies. You leave less room for error, consume fewer resources, and improve operational efficiency with a transparent security operations process.		Best Practices Have a structured plan of attack. Define your unique threat landscape, as well as business, regulatory, and consumer obligations. Foster both internal and external collaboration. Understand the operational cut-off points. While collaboration is encouraged, understand when the onus shifts to the rest of the threat collaboration environment. Do not bite off more than you can chew. Identify current people, processes, and technologies that satisfy immediate problems and enable future expansion. Leverage threat intelligence to create a predictive and proactive security operations analysis process. Formalize escalation procedures with logic and incident management flow. Don’t develop a security operations program with the objective of zero incidents. This reliance on prevention results in over-engineered security solutions that cost more than the assets being protected. Ensure that information flows freely throughout the threat collaboration environment – each function should serve to feed and enhance the next. Develop a central web/knowledge portal that is easily accessible throughout the threat collaboration environment
Protect your organization with an interdependent and collaborative security operations program.

Bibliography

“2016 State of Cybersecurity in Small & Medium-Sized Businesses (SMB).” Ponemon Institute, June 2016. Web. 10 Nov. 2016.

Ahmad, Shakeel et al. “10 Tips to Improve Your Security Incident Readiness and Response.” RSA, n.d. Web. 12 Nov. 2016.

Anderson, Brandie. “ Building, Maturing & Rocking a Security Operations Center.” Hewlett Packard, n.d. Web. 4 Nov. 2016.

Barnum, Sean. “Standardizing cyber threat intelligence information with the structured threat information expression.” STIX, n.d. Web. 03 Oct. 2016.

Bidou, Renaud. “Security Operation Center Concepts & Implementation.” IV2-Technologies, n.d. Web. 20 Nov. 2016.

Bradley, Susan. “Cyber threat intelligence summit.” SANS Institute InfoSec Reading Room, n.d. Web. 03 Oct. 2016.

“Building a Security Operations Center.” DEF CON Communications, Inc., 2015. Web. 14 Nov. 2016.

“Building a Successful Security Operations Center.” ArcSight, 2015. Web. 21 Nov. 2016.

“Building an Intelligence-Driven Security Operations Center.” RSA, June 2014. Web. 25 Nov. 2016.

Caltagirone, Sergio, Andrew Pendergast, and Christopher Betz. “Diamond Model of Intrusion Analysis,” Center for Cyber Threat Intelligence and Threat Research, 5 July 2013. Web. 25 Aug. 2016.

“Cisco 2017 Annual Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions Organizations Are Taking.” The Network. Cisco, 31 Jan. 2017. Web. 11 Nov. 2017.

“CITP Training and Education.” Carnegie Mellon University, 2015. Web. 03 Oct. 2016.

“Creating and Maintaining a SOC.” Intel Security, n.d. Web. 14 Nov. 2016.

“Cyber Defense.” Mandiant, 2015. Web. 10 Nov. 2016.

“Cyber Security Operations Center (CSOC).” Northrop Grumman, 2014. Web. 14 Nov. 2016.

Danyliw, Roman. “Observations of Successful Cyber Security Operations.” Carnegie Mellon, 12 Dec. 2016. Web. 14 Dec. 2016.

“Designing and Building Security Operations Center.” SearchSecurity. TechTarget, Mar. 2016. Web. 14 Dec. 2016.

EY. “Managed SOC.” EY, 2015. Web. 14 Nov. 2016.

Fishbach, Nicholas. “How to Build and Run a Security Operations Center.” Securite.org, n.d. Web. 20 Nov. 2016.

“Framework for improving critical infrastructure cybersecurity.” National Institute of Standards and Technology, 12 Feb. 2014. Web.

Friedman, John, and Mark Bouchard. “Definitive Guide to Cyber Threat Intelligence.” iSIGHT, 2015. Web. 1 June 2015.

Goldfarb, Joshua. “The Security Operations Hierarchy of Needs.” Securityweek.com, 10 Sept. 2015. Web. 14 Dec. 2016.

“How Collaboration Can Optimize Security Operations.” Intel, n.d. Web. 2 Nov. 2016.

Hslatman. “Awesome threat intelligence.” GitHub, 16 Aug. 2016. Web. 03 Oct. 2016.

“Implementation Framework – Collection Management.” Carnegie Mellon University, 2015. Web.

“Implementation Framework – Cyber Threat Prioritization.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.

“Intelligent Security Operations Center.” IBM, 25 Feb. 2015. Web. 15 Nov. 2016.

Joshi Follow , Abhishek. “Best Practices for Security Operations Center.” LinkedIn, 01 Nov. 2015. Web. 14 Nov. 2016.

Joshi. “Best Practices for a Security Operations Center.” Cybrary, 18 Sept. 2015. Web. 14 Dec. 2016.

Kelley, Diana and Ron Moritz. “Best Practices for Building a Security Operations Center.” Information Security Today, 2006. Web. 10 Nov. 2016.

Killcrece, Georgia, Klaus-Peter Kossakowski, Robin Ruefle, and Mark Zajicek. ”Organizational Models for Computer Security Incident Response Teams (CSIRTs).” Carnegie Mellon Software Engineering Institute, Dec. 2003. Carnegie Mellon. Web. 10 Nov. 2016.

Kindervag , John. “SOC 2.0: Three Key Steps toward the Next-generation Security Operations Center.” SearchSecurity. TechTarget, Dec. 2010. Web. 14 Dec. 2016.

Kvochko, Elena. “Designing the Next Generation Cyber Security Operations Center.” Forbes Magazine, 14 Mar. 2016. Web. 14 Dec. 2016.

Lambert, P. “ Security Operations Center: Not Just for Huge Enterprises.” TechRepublic, 31 Jan. 2013. Web. 10 Nov. 2016.

Lecky, M. and D. Millier. “Re-Thinking Security Operations.” SecTor Security Education Conference. Toronto, 2014.

Lee, Michael. “Three Elements That Every Advanced Security Operations Center Needs.” CSO | The Resource for Data Security Executives, n.d. Web. 16 Nov. 2016.

Linch, David and Jason Bergstrom. “Building a Culture of Continuous Improvement in an Age of Disruption.” Deloitte LLP, 2014.

Lynch, Steve. “Security Operations Center.” InfoSec Institute, 14 May 2015. Web. 14 Dec. 2016.

Macgregor, Rob. “Diamonds or chains – cyber security updates.” PwC, n.d. Web. 03 Oct. 2016.

“Make Your Security Operations Center (SOC) More Efficient.” Making Your Data Center Energy Efficient (2011): 213-48. Intel Security. Web. 20 Nov. 2016.

Makryllos, Gordon. “The Six Pillars of Security Operations.” CSO | The Resource for Data Security Executives, n.d. Web. 14 Nov. 2016.

Marchany, R. “ Building a Security Operations Center.” Virginia Tech, 2015. Web. 8 Nov. 2016.

Marty, Raffael. “Dashboards in the Security Operations Center (SOC).” Security Bloggers Network, 15 Jan. 2016. Web. 14 Nov. 2016.

Minu, Adolphus. “Discovering the Value of Knowledge Portal.” IBM, n.d. Web. 1 Nov. 2016.

Muniz, J., G. McIntyre, and N. AlFardan. “Introduction to Security Operations and the SOC.” Security Operations Center: Building, Operating, and Maintaining your SOC. Cisco Press, 29 Oct. 2015. Web. 14 Nov. 2016.

Muniz, Joseph and Gary McIntyre. “ Security Operations Center.” Cisco, Nov. 2015. Web. 14 Nov. 2016.

Muniz, Joseph. “5 Steps to Building and Operating an Effective Security Operations Center (SOC).” Cisco, 15 Dec. 2015. Web. 14 Dec. 2016.

Nathans, David. Designing and Building a Security Operations Center. Syngress, 2015. Print.

National Institute of Standards and Technology. “SP 800-61 Revision 2: Computer Security Incident Handling Guide.” 2012. Web.

National Institute of Standards and Technology. “SP 800-83 Revision 1.” 2013. Web.

National Institute of Standards and Technology. “SP 800-86: Guide to Integrating Forensic Techniques into Incident Response.” 2006. Web.

F5 Networks. “F5 Security Operations Center.” F5 Networks, 2014. Web. 10 Nov. 2016.

“Next Generation Security Operations Center.” DTS Solution, n.d. Web. 20 Nov. 2016.

“Optimizing Security Operations.” Intel, 2015. Web. 4 Nov. 2016.

Paganini, Pierluigi. “What Is a SOC ( Security Operations Center)?” Security Affairs, 24 May 2016. Web. 14 Dec. 2016.

Ponemon Institute LLC. “Cyber Security Incident Response: Are we as prepared as we think?” Ponemon, 2014. Web.

Ponemon Institute LLC. “The Importance of Cyber Threat Intelligence to a Strong Security Posture.” Ponemon, Mar. 2015. Web. 17 Aug. 2016.

Poputa-Clean, Paul. “Automated defense – using threat intelligence to augment.” SANS Institute InfoSec Reading Room, 15 Jan. 2015. Web.

Quintagroup. “Knowledge Management Portal Solution.” Quintagroup, n.d. Web.

Rasche, G. “Guidelines for Planning an Integrated Security Operations Center.” EPRI, Dec. 2013. Web. 25 Nov. 2016.

Rehman, R. “What It Really Takes to Stand up a SOC.” Rafeeq Rehman – Personal Blog, 27 Aug. 2015. Web. 14 Dec. 2016.

Rothke, Ben. “Designing and Building Security Operations Center.” RSA Conference, 2015. Web. 14 Nov. 2016.

Ruks, Martyn and David Chismon. “Threat Intelligence: Collecting, Analysing, Evaluating.” MWR Infosecurity, 2015. Web. 24 Aug. 2016.

Sadamatsu, Takayoshi. “Practice within Fujitsu of Security Operations Center.” Fujitsu, July 2016. Web. 15 Nov. 2016.

Sanders, Chris. “Three Useful SOC Dashboards.” Chris Sanders, 24 Oct. 2016. Web. 14 Nov. 2016.

SANS Institute. “Incident Handler's Handbook.” 2011. Web.

Schilling, Jeff. “5 Pitfalls to Avoid When Running Your SOC.” Dark Reading, 18 Dec. 2014. Web. 14 Nov. 2016.

Schinagl, Stef, Keith Schoon, and Ronald Paans. “A Framework for Designing a Security Operations Centre (SOC).” 2015 48th Hawaii International Conference on System Sciences. Computer.org, 2015. Web. 20 Nov. 2016.

“Security – Next Gen SOC or SOF.” InfoSecAlways.com, 31 Dec. 2013. Web. 14 Nov. 2016.

“Security Operations Center Dashboard.” Enterprise Dashboard Digest, n.d. Web. 14 Dec. 2016.

“Security Operations Center Optimization Services.” AT&T, 2015. Web. 5 Nov. 2016.

“Security Operations Centers — Helping You Get Ahead of Cybercrime Contents.” EY, 2014. Web. 6 Nov. 2016.

Sheikh, Shah. “DTS Solution - Building a SOC (Security Operations Center).” LinkedIn, 4 May 2013. Web. 20 Nov. 2016.

Soto, Carlos. “ Security Operations Center (SOC) 101.” Tom's IT Pro, 28 Oct. 2015. Web. 14 Dec. 2016.

“Standardizing and Automating Security Operations.” National Institute of Standards and Technology, 3 Sept. 2006. Web.

“Strategy Considerations for Building a Security Operations Center.” IBM, Dec. 2013. Web. 5 Nov. 2016.

“Summary of Key Findings.” Carnegie Mellon University, 03 Oct. 2016. Web. 03 Oct. 2016.

“Sustainable Security Operations.” Intel, 2016. Web. 20 Nov. 2016.

“The Cost of Malware Containment.” Ponemon Institute, Jan. 2015. Web.

“The Game Plan for Closing the SecOps Gap.” BMC. Forbes Magazine, Jan. 2016. Web. 10 Jan. 2017.

Veerappa Srinivas, Babu. “Security Operations Centre (SOC) in a Utility Organization.” GIAC, 17 Sept. 2014. Web. 5 Nov. 2016.

Wang, John. “Anatomy of a Security Operations Center.” NASA, 2015. Web. 2 Nov. 2016.

Weiss, Errol. “Statement for the Record.” House Financial Services Committee, 1 June 2012. Web. 12 Nov. 2016.

Wilson, Tim. “SOC 2.0: A Crystal-Ball Glimpse of the Next-Generation Security Operations Center.” Dark Reading, 22 Nov. 2010. Web. 10 Nov. 2016.

Zimmerman, Carson. “Ten Strategies of a World-Class Cybersecurity Operations Center.” Mitre, 2014. Web. 24 Aug. 2016.