
Building a SOC effectively

Cybersecurity is one of the biggest economic challenges countries face in the twenty-first century. The Middle
East is one of the most advanced regions when it comes to the speed of technology adoption and population
growth. Organizations in the Middle East are more prone to cyber threats compared to the rest of the world.
“If you can’t measure it, you can’t manage it!” (Peter Drucker)
Today’s Discussion

SAMA CSF v1.0


ISO 27001 standard & SAMA Cyber Security Framework Objectives
• Review and maintain the organization’s ability to protect its information assets and its preparedness against cyber threats
• Create a common approach for addressing cyber security
• Identify and address risks related to cyber security
• Achieve an appropriate maturity level of cyber security controls
• Ensure cyber security risks are properly managed

*SAMA, ISO 27001


Focus
• The ISO 27001 standard & SAMA CSF maturity model focuses on People, Process and Technology

People: Require HR for SOC
People and processes are more important than the tool!
• Focus should not be solely on SIEM care and feeding
• Detection techniques are required and must scale
• Automation is a must!
SANS.org
Process: Required List of Processes
• SOC Job Description
• Training Plans
• Security Incident Management Process
• Threat Intelligence Management Process
• Vulnerability Management Process
• Forensic Investigation Process and Toolkit
• Log Management Process
• Overall Process Effectiveness Measurement Process (KPIs)

SAMA CSF References
• 3.3.14 (1) Security Event Management Process
• 3.3.14 (2) Security Event Management Process Measurement
• 3.3.15 (1) Cyber Security Incident Management Process
• 3.3.15 (2) Cyber Security Incident Management Process Measurement
• 3.3.16 (1) Threat Intelligence Management Process
• 3.3.16 (2) Threat Intelligence Management Process Measurement
• 3.3.17 (1) Vulnerability Management (VM) Process
Technologies (feeding the SOC)
• Vulnerability Management
• Threat Intelligence
• Security Incident & Event Monitoring System
EDR vs SIEM

EDR: Endpoint Detection and Response
• Focus is on ENDPOINTS!!! <--- Yay!
• Capable of real-time detection
• Capable of real-time prevention
• Tend to be a one-stop shop solution
• Likely to require an agent (agentless in the works)

SIEM: Security Information and Event Management
• Heavy emphasis on detection
• Near real-time
• Capable of full network and endpoint visibility
• Requires multiple moving parts
• May or may not require an agent
EDR Solutions

Commercial
• Carbon Black
• CounterTack
• CrowdStrike
• Cybereason
• FireEye
• Tanium
• RSA
• And more…

Open Source – Detection focused
• Google Rapid Response
• Mozilla InvestiGator
• El Jefe
• Lima Charlie
• OSQuery
• Kind of: Sysmon
• Commercial solutions are stronger


SIEM Solutions

Commercial
• Splunk
• Elastic Stack
• LogRhythm
• HP ArcSight Enterprise Security Manager (ESM)
• IBM QRadar
• RSA Security Analytics
• And more…

Open Source
• Elastic Stack
• Graylog
• OSSIM
• Prelude
• Syslog-NG
• Windows Event Collector
7 steps: SOC Development
1: SOC Strategy Development
First, develop your strategy to understand the current state of your organization.
• Identify and define business objectives
• Assess your existing capabilities
• At first, limit your scope to core functions:
  • Monitoring
  • Detection
  • Response
  • Recovery
• Delay non-core functions until your core functions are sufficiently mature

Objectives
Implement & enhance an effective cybersecurity management system, so that:
1. Cybersecurity violations may not go undetected.
2. Cybersecurity incidents may not cause interruption to the business network resulting in loss of productivity and resources.

Maturity level: Current State 1.0, Desired State 4.0
2: Design the Business Critical Use cases
Good places to start:
• Choose a few business-critical use cases (e.g., a phishing attack)
• Define your initial solution based on these use cases
• Consider that your solution must be able to meet future needs
A narrow scope reduces the time to initial implementation, which helps you achieve results faster.
2: Three required actions
1. Define your functional requirements. (Be sure these are tied to
business objectives.)
2. Choose a SOC model based on your functional requirements.
3. Design your technical architecture.
a) Choose your Threat Lifecycle Management platform
b) Identify business and information systems to be integrated
c) Define your workflows
d) Pinpoint areas for automation
e) Test the architecture

*LogRhythm Threat Lifecycle Management Framework


3: Create processes, procedures and training
In Step 3, it’s important to make sure that all six phases of the Threat
Lifecycle Management Framework are covered.

*LogRhythm Threat Lifecycle Management Framework


4: Prepare your environment
• Before deployment, make sure crucial security elements are in place:
a) Ensure SOC staff desktops, laptops and mobile devices are secure
b) Put secure remote access mechanisms in place for SOC staff (and
outsourcers if applicable)
c) Require Multi-Factor authentication
5: Implement your solution
Take full advantage of your technology to minimize the workload on
your staff:
1. Bring up your log management infrastructure.
2. Onboard your minimum collection of critical data sources.
3. Bring up your security analytics capabilities.
4. Onboard your security automation and orchestration capabilities.
5. Begin deploying use cases to focus on end-to-end threat detection and
response realization.

Realize seamless interoperability: system interoperability is critical for your team to collect data from sources.
6: Deploy end-to-end use cases
Your tech is in place and your capabilities are deployed. The next steps are:
1. Implement your use cases across your analytics and security automation and orchestration tiers.
2. Test your use cases rigorously over a variety of shifts and during shift changes.
3. Prove the reliability and security of your solution.
KPIs
• Percentage of incidents reported that were genuine
• Percentage of reported genuine incidents resolved/closed
7: Maintain and evolve your solution
A SOC isn’t something to turn on and stop thinking about. It requires
ongoing maintenance, such as:
• Tuning to improve detection accuracy
• Adding other systems as inputs or outputs
• Reviewing the SOC model, SOC roles, staff counts
SAMA CYBER SECURITY MATURITY ASSESSMENT DASHBOARD

SAMA CS MATURITY LEVEL
• Current State: 1
• Target State: 3
• Desired State: 4

MATURITY LEVEL PER DOMAIN
• D 3.1: 1
• D 3.2: 1
• D 3.3: 1
• D 3.4: 1

SAMA CSF NON-COMPLIANCE PER CONTROLS
Domains   Applicable Controls   Non Compliance
D3.1      33                    15
D3.2      34                    8
D3.3      61                    24
D3.4      9                     6
Total     137                   53
0.61 % Compliance (Round as 1)

SOC KEY INITIATIVES REQUIRED
1. Establishment of Cyber Security function and its structure within the organization.
2. Establishment of CSIRT.
3. Reporting line of SOC to CISO.
4. Training plan development.
5. Establishment of SOC requirements to be integrated in the IT strategy.
6. Budget and resources allocation by the Board.
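The following is an added worked example, not part of the original deck: it recomputes the dashboard's compliance figure from the per-domain control counts above (the 0.61 is the share of the 137 applicable controls that are compliant) and computes the two SOC KPIs from the earlier KPI slide over a constructed set of incident tickets. The `Incident` record shape and the sample tickets are assumptions.

```python
# Added example (not from the original deck): SAMA CSF compliance figures
# from the dashboard counts, plus the two SOC KPIs over incident tickets.
from dataclasses import dataclass

# Dashboard figures from the deck: domain -> (applicable controls, non-compliant)
SAMA_DOMAINS = {
    "D3.1": (33, 15),
    "D3.2": (34, 8),
    "D3.3": (61, 24),
    "D3.4": (9, 6),
}

def compliance_ratio(applicable: int, non_compliant: int) -> float:
    """Share of applicable controls that are compliant (0.0 to 1.0)."""
    if applicable <= 0:
        return 0.0  # a domain with no applicable controls scores nothing
    return (applicable - non_compliant) / applicable

def domain_compliance(domains: dict) -> dict:
    """Per-domain ratio plus an overall ratio weighted by control count."""
    result = {d: round(compliance_ratio(a, n), 2) for d, (a, n) in domains.items()}
    total_app = sum(a for a, _ in domains.values())
    total_non = sum(n for _, n in domains.values())
    result["Total"] = round(compliance_ratio(total_app, total_non), 2)
    return result

@dataclass
class Incident:  # hypothetical ticket record, not a real SIEM schema
    ticket: str
    genuine: bool  # analyst verdict after triage: true positive or not
    status: str    # "open", "resolved" or "closed"

def soc_kpis(incidents: list) -> dict:
    """KPI 1: % of reported incidents that were genuine.
    KPI 2: % of genuine incidents resolved or closed."""
    genuine = [i for i in incidents if i.genuine]
    done = [i for i in genuine if i.status in ("resolved", "closed")]
    def pct(part, whole):  # guard against an empty reporting period
        return round(100.0 * part / whole, 1) if whole else 0.0
    return {"genuine_pct": pct(len(genuine), len(incidents)),
            "resolved_pct": pct(len(done), len(genuine))}

# Constructed sample tickets for one reporting period (hypothetical data)
SAMPLE_INCIDENTS = [
    Incident("INC-001", True, "closed"),
    Incident("INC-002", False, "closed"),  # false positive, closed at triage
    Incident("INC-003", True, "resolved"),
    Incident("INC-004", True, "open"),
    Incident("INC-005", False, "closed"),
]
```

Running `domain_compliance(SAMA_DOMAINS)` gives 0.61 for the total, matching the dashboard, and `soc_kpis(SAMPLE_INCIDENTS)` reports 60.0 % genuine and 66.7 % of genuine incidents resolved.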


Outcomes
1. Effective governance of Cyber Security
2. Reduction in operational cost
3. Optimized security practices
4. Enhanced goodwill and reputation
5. Compliance with legal and regulatory requirements
6. Improved return on technological investments

References:
• SANS
• LogRhythm
• Gartner
• SAMA
• ISO27001
• Lots of Research
