To do this, let’s just step back briefly and look at what it takes to run an IT security operations team.
The first thing you need is a security infrastructure: a set of tools and integrated solutions that allow you to monitor for bad things and, hopefully, detect and block them automatically. You need to buy the hardware, install it, and maintain it, which requires engineering resources to look after it continually. These engineers are usually specialists who understand IT security, your security tools, and how to integrate them into the existing IT infrastructure. (Don’t get me going on how security teams fail because they are isolated from the rest of the organization.) This is costly in terms of both capital expense and operational expenditure.
The second thing you need is a group of people who monitor, 24 x 7, the alerts generated by your security infrastructure, and sometimes by other IT infrastructure components as well, such as logs from Active Directory. These people are different from the normal IT operations staff. IT operations teams are focused on maintaining service levels, removing things that cause glitches in service delivery, and minimizing the effect of performance issues. The problem is that IT security people are focused on the glitches. Anomalies in behavior, such as a server rebooting on its own or a user trying to log in across multiple servers, are things an IT operations team will ignore, but for an IT security person our heart rates are already racing and our suspicions are raised. This is one of the reasons it is difficult to leverage a typical IT operations team for security monitoring: the two require different mindsets and different goals for success. You can try combining IT operations and security into a single group, which has some great benefits, but realize that they operate so differently that you can’t expect a single person, in a single shift, to analyze from both an IT operations perspective and a security perspective.
So, typically, you need between eight and fifteen people to run a 24 x 7, 365-day security monitoring capability. That is a lot of money.
The third thing you need is a group of people who can correctly determine whether a threat is real and take action to guide the rest of the organization in responding to it as an incident. These incident responders should be mature, experienced individuals who understand security, IT, project management, and your business. They need to be able to respond at any time. You need to be able to trust them, because they need access to all your inner secrets about your business operations and strategies.
The last type of resource you need is back-office support. I hate to use the term “back-office personnel”; it seems to diminish the value of the team that provides the security and foundation for day-to-day operations. They handle the reporting, the finances, the resource management, and the requests for support coming in from other parts of the organization.
I’ve probably glossed over some area or function that you feel I should have mentioned. I can just see you now going “Oh, Paul missed that, or that.” But the aim of this blog is not to cover every aspect of what IT security operations needs to look like, or could look like; the idea of this article is to get you thinking. Just take the four areas I’ve mentioned above. Which ones could you give to an external organization to look after? By my calculations, there are only two.