
SECURITY OPERATIONS CENTER (SOC)

Implementing Security Monitoring in Small and Mid-Sized Organizations

A White Paper

Presented by:

MindPoint Group, LLC


8078 Edinburgh Drive
Springfield, VA 22153
(o) 703.636.2033 (f) 866.761.7457
www.mindpointgroup.com blog.mindpointgroup.com

SBA 8(a) Certified Small Disadvantage Business Woman-Owned Small Business (WOSB)
Economically Disadvantaged Woman-Owned Small Business (EDWOSB) Minority-Owned Small Business
SOC Implementation for Small-Mid Size Organizations

BACKGROUND
The primary goal of a Security Operations Center (SOC), or of a security-monitoring infrastructure
more generally, is to provide the capability to detect and analyze potential information security and
privacy-related incidents. Security and privacy incidents can greatly impact any organization's
operational effectiveness and can hinder the organization's ability to complete its mission. The
SOC also provides several other capabilities that are important to a security program.

For example, a properly designed and implemented SOC makes it easy to produce and interpret
security metrics. Security metrics support the organization in assessing security initiatives and
investments, which aids decision-making, planning, resource allocation, and product and service
selection. Security metrics also provide tactical oversight: the ability to monitor and report on the
security posture of systems in real time, gauge the effectiveness of controls, and provide reporting
and trending data. (Jansen, 2009)

This is true regardless of an organization's size; the SOC is no less important to smaller
organizations than to larger ones. For instance, small or mid-sized organizations may still be part of
a formally regulated industry, or may simply wish to implement security best practices in order
to protect customer data or proprietary company data. Additionally, a data breach in a small or
mid-sized agency can have just as much impact as a breach within a larger organization. In fact,
smaller organizations may not have the same level of resources available to them as large
organizations when responding to a data breach. Legal costs, damage to the company brand, and
investigation and clean-up costs after an incident can quickly add up for a small operation.
Effectively, an identical breach can affect a smaller organization more in terms of its ability to
absorb the associated costs and consequences.

The primary issue affecting smaller organizations is the perception that SOCs are for large
enterprises and cost tens of millions of dollars to implement, or that small organizations cannot
realize the benefits of a SOC because of environmental constraints even though they need one. In
response, smaller organizations tend to take one of the following approaches:

- Decide that it is out of reach for their organization, and go no further;
- Decide that the only cost-effective option for a small to mid-sized organization is to
  contract the work to a Managed Security Service Provider (MSSP);
- Decide to implement security monitoring in-house.

In spite of the perceived restrictions to implementing a SOC, MindPoint Group has helped
implement cost-effective monitoring solutions, and as a result many small organizations have
been able to implement and run comprehensive security monitoring successfully. Certain choices
have to be made to keep the solution within the budget limitations of the organization, but those
limitations do not make a SOC impossible; in fact, extremely effective capabilities can be
implemented even with a limited budget. With a clear picture of your environment, the threats
your organization faces, your available budget, the recurring costs of the final solution, the human
resources available to support it, careful planning, and the support of management, you have a
strong chance of implementing a successful SOC solution.

2013 MindPoint Group, LLC. All Rights Reserved.

COMPARISON OF THE OPTIONS


When an organization decides to tackle the challenge of implementing a SOC they are going to
essentially take one of two main approaches: implement an MSSP solution; or implement an in-
house SOC.

The MSSP solution is an attempt to generalize security monitoring so that it can be resold to
many different clients in order to achieve economies of scale. An MSSP will often provide a
good basic level of protection, but due to the generalized nature of its solution it rarely provides
much beyond that basic level. These services rarely include tuning of equipment and software for
an organization's specific needs, or a staff solely focused on researching and developing protection
against the organization's specific threats. Additionally, the organization may lose the long-term
value gained from implementing and customizing equipment and software for its own environment,
as well as the knowledge and experience developed by a dedicated staff. All the equipment,
software, and staff, and all the data and knowledge stored in those resources, are solely the
property of the MSSP and are lost when switching providers or moving to an in-house solution.

The in-house SOC solution is primarily designed, implemented, managed, and operated by
internal resources. In most cases, support from consultants who are experts in security monitoring
and analysis is used to assist with the initial planning, design, and implementation, and there is
some outside help from the vendors of specific equipment used in the solution. The benefit of an
in-house SOC is that the solution is tailored to the environment: devices are tuned specifically to
the threats facing the environment, and in-house staff usually have the skills and knowledge
necessary to ensure that the solution comprehensively addresses the security needs of the
organization. An in-house SOC routinely works for most organizations, but proper staffing can
sometimes be difficult for smaller organizations.

OUR EXPERIENCE
MindPoint Group's team has extensive experience in implementing the various stages of the
SOC and security-monitoring program life-cycle. We are equipped to help clients design,
implement, manage, and operate a SOC. Additionally, our experience in a variety of SOC
environments means that we are well equipped to assist with staffing, training, and process
development, as well as with researching threats and developing customized protection mechanisms.

We were recently contracted to design and build a security-monitoring infrastructure for a small
government agency. This type of solution would be categorized as an in-house solution: it
started with a reliance on our expertise during the design and build-out, but ultimately transitions
to internal agency employees for management and operation of the SOC. Despite the size of the
agency, highly sensitive data is processed at the core of its business processes, and its operations
are spread across seven main sites with more than two dozen satellite offices.

When we first began work at the agency there was little to no security monitoring program
established. Significant, recent turnover in the Chief Information Officer (CIO) office had included
the security staff. The program that did exist was focused on compliance, policies, and
vulnerability management and system patching. While those are important aspects of a security
program, they do not address actively monitoring traffic on the network. The security and
network teams had little insight into what was actually occurring on the network. Although there
were some incidents they could respond to, they did not have the tools, personnel, or processes in
place to identify incidents in the first place. Even with this nearly blank slate, a few technologies
were already in place that could be used in the design and implementation of the SOC:

- Anti-Virus: The organization had a centrally managed host-based anti-virus solution in
  place.
- Firewalls: The organization had proper firewall technologies in place at their
  ingress/egress points.
- Security Information and Event Management (SIEM): The organization had purchased a
  product for log collection and correlation which was actually a full-featured SIEM priced
  for small and mid-sized environments. However, the product had not been put into
  production at the time we started.

Because these products were already purchased, we were able to focus more effort on selecting
technologies to provide intrusion detection and data loss prevention capabilities. We were also
able to put significant effort into the technical design of the components and how they would
interact, as well as effective configuration and tuning. These projects often get bogged down in
vendor and product selection, and the more important tasks of proper design, implementation, and
customization/tuning suffer. Our design phase consisted of the following steps:

- Client consultation to get a better understanding of the client's business and the threats they
  faced on a regular basis.
- Working alongside the client on daily activities to see whether there were any differences
  between perceived threats and actual threats.
- Identifying the data sources the client considered most sensitive, as well as the high-value
  targets present in their network.
- Consulting with the various teams within the organization (network infrastructure, server,
  desktop) to get a better understanding of their needs and a clear picture of how a
  monitoring solution could be integrated into the environment most efficiently.

From these data points we crafted a comprehensive Concept of Operations (CONOPS) for the
SOC. The CONOPS described the current state of the security monitoring program: its issues,
its strong points, and the impact of the program's problems. The document then laid out our
recommendations for implementing the SOC program, including changes to current technologies;
procurement of new technologies; staffing needs; standard operating procedure and policy
development; incident/case management processes; and knowledge sharing/training initiatives.

Some of the challenges in developing this kind of to-be state involve dealing effectively with
unknowns: budgetary or staffing constraints are not always clear. However, we are always
focused on creating the right solution for the given environment, and on understanding the
client as well as we understand the technology. We knew the organization needed IDS and
DLP capabilities, and we set out to propose the most effective solution that would meet the needs
of the organization, be manageable by a limited staff, and provide the greatest value.

Our design strategically combined commercial tools with free and open source software
(FOSS) tools, and used existing hardware and resources where available. We knew that Data
Loss Prevention (DLP) was the one area where the organization needed the most advanced and
effective solution, and that funds would need to be directed there first in order to build a program
that secured the client's data assets. Because of this, we planned for and proposed an intrusion
detection system (IDS) solution that used leading-edge FOSS IDS technology alongside
commercial tools.

The proposed FOSS IDS solution gave the organization an IDS infrastructure that matched or
exceeded the commercial alternatives in detection capability, at the cost of more administration
effort and resource utilization. Working closely with the client, the design ultimately allowed for
the procurement of an industry-leading commercial DLP solution, funded by the cost savings
from hardware repurposing and the use of FOSS tools.
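As an added illustration (example code written for this page, not MindPoint Group's tooling or the commercial DLP product procured for the client), the following Python shows the core of what a network DLP sensor does with the kind of sensitive data discussed above: it inspects outbound message bodies for U.S. Social Security numbers and payment card numbers, validates card candidates with the Luhn checksum so that order numbers and timestamps do not trigger alerts, redacts matches before they are written to a SIEM, and applies a per-channel threshold that can be tuned to the environment. The sample messages are constructed.

```python
"""Added example: content inspection as a network DLP sensor performs it.
Not the paper's or any vendor's code; sample messages are constructed."""

from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample traffic: three outbound message bodies as a DLP sensor
# might see them. Names, numbers and wording are invented for this example.
SAMPLE_MESSAGES = [
    "Attached is the claim for John Doe, SSN 123-45-6789, card 4111 1111 1111 1111.",
    "Order 1234567890123456 shipped; tracking 20130405123000.",
    "Budget: 8,078 units at site 7; call 703-636-2033.",
]

# Area 000/666/9xx, group 00 and serial 0000 are never issued, so exclude them.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits with optional single space or dash separators;
# the Luhn check below rejects digit runs that are not card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "card"
    sample: str  # redacted value, safe to write to the SIEM
    count: int


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four digits so a finding can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_body(body: str) -> list[Finding]:
    """Return one Finding per distinct identifier, with occurrence counts."""
    tally: dict[tuple[str, str], int] = {}
    for m in SSN_RE.finditer(body):
        key = ("ssn", redact(m.group()))
        tally[key] = tally.get(key, 0) + 1
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # drops order numbers, timestamps, etc.
            key = ("card", redact(digits))
            tally[key] = tally.get(key, 0) + 1
    return [Finding(k, s, n) for (k, s), n in sorted(tally.items())]


def decide(body: str, allowed_identifiers: int = 0) -> str:
    """Policy hook. allowed_identifiers is a tuning knob: a channel that
    legitimately carries a few identifiers (hypothetical HR mail, say) gets a
    non-zero allowance instead of being blocked on every hit."""
    hits = sum(f.count for f in inspect_body(body))
    return "block" if hits > allowed_identifiers else "allow"


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(decide(msg), inspect_body(msg))
```

The Luhn check and the allowed_identifiers threshold are where tuning to the environment happens: without them, order numbers and legitimate internal mail produce the false positives that make an untuned sensor unusable, which is the customization an organization gives up with a generic ruleset.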

Once the solution was designed and approved, a project plan was built and the solution was
implemented. The implementation experienced several issues that threatened successful
completion within the defined timeframes:

- Procurement: The organization experienced many issues in procuring the technology in a
  timely fashion. Because of how the project plan was laid out, this began to delay certain
  aspects of the project. We were able to quickly reorganize the plan to work around these
  issues.
- Staffing: The organization had multiple staffing and resource availability issues during
  the project that caused delays. We were able to work around these issues in most
  instances, but they are unfortunately the biggest threat to completing projects on time
  within a small organization.
- Other projects: The organization had multiple other large-scale infrastructure projects
  taking place during the implementation. Shifting already thin personnel resources to
  those projects delayed certain pieces of the implementation.

The above issues did cause minor delays, but in most cases we were able to quickly pivot the
project onto another task to minimize the impact. We accomplished this by minimizing task
dependencies, keeping the project team small to maximize agility when switching tasks, and by
being flexible and client-focused. By focusing on the client's needs we were able to deliver tasks
at the appropriate times, provide guidance on the impact of other projects, and provide support on
tertiary tasks in order to free up organizational resources and move our tasks forward. The final
implementation consisted of the following capabilities:

- Network IDS
- Network Data Loss Prevention
- SIEM
- Host-based AV and Host-based IDS
- Centralized Log Collection

In addition to the functions above, we developed Standard Operating Procedures (SOPs) and
helped institute processes. Throughout the project we provided knowledge transfer and staff
training. We were also able to use existing products to fill gaps in the security infrastructure.
For instance, full packet capture is an invaluable resource to a security program, but it is often
expensive in terms of the hardware and software required. We considered using OpenFPC to
perform packet capture, which would have eliminated software costs but would still have
required an expensive capital expenditure on hardware. Instead we filled this need with a feature
built into the SIEM that allowed us to capture and store internal and external traffic.
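The capabilities listed above only become a SOC when the SIEM can tie them together. The following is an added example, not code from the paper, the agency, or any SIEM product, showing that correlation in Python: alerts from a network IDS (in Snort fast.log format), sshd messages from the centralized syslog collector, and a rule that flags a successful login preceded by a burst of failures from the same source, raising severity when the IDS also saw that source scanning. It also produces the simplest operational metric the SOC would report, event volume by type. All log lines are constructed; the hosts, addresses and timestamps are invented.

```python
"""Added example: SIEM-style normalization and correlation across the
network IDS, the central syslog collector and the rule engine. Not the
paper's or any product's code; every log line below is constructed."""

from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Constructed sample input. Formats follow Snort fast.log and OpenSSH syslog
# output; hosts, addresses and timestamps are invented. Syslog carries no
# year, so the collector supplies one (the paper's year is used here).
YEAR = 2013
IDS_LOG = [
    "04/05-14:02:11.238410  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51234 -> 10.0.1.5:22",
]
SYSLOG = [
    "Apr  5 14:03:02 fileserver sshd[2143]: Failed password for root from 198.51.100.7 port 51240 ssh2",
    "Apr  5 14:03:05 fileserver sshd[2144]: Failed password for invalid user admin from 198.51.100.7 port 51244 ssh2",
    "Apr  5 14:03:09 fileserver sshd[2145]: Failed password for jdoe from 198.51.100.7 port 51250 ssh2",
    "Apr  5 14:04:10 fileserver sshd[2150]: Accepted password for jdoe from 198.51.100.7 port 51301 ssh2",
    "Apr  5 14:04:33 fileserver sshd[2151]: Failed password for jdoe from 10.0.2.31 port 40122 ssh2",
    "Apr  5 14:04:41 fileserver sshd[2152]: Accepted password for jdoe from 10.0.2.31 port 40123 ssh2",
    "Apr  5 14:05:00 fileserver CRON[2160]: (root) CMD (run-parts /etc/cron.hourly)",
]

SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # ids_scan, ids_alert, auth_fail, auth_ok
    src: str     # source address the analyst pivots on
    host: str    # reporting sensor or server
    detail: str  # signature name or user name


@dataclass(frozen=True)
class Incident:
    src: str
    host: str
    user: str
    severity: str
    failures: int
    ids_alerts: int


def parse_ids(line: str, year: int = YEAR) -> Event | None:
    m = SNORT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    kind = "ids_scan" if "SCAN" in m["msg"].upper() else "ids_alert"
    return Event(ts, kind, m["src"], "nids", m["msg"])


def parse_sshd(line: str, year: int = YEAR) -> Event | None:
    m = SSHD_RE.match(line)
    if not m:
        return None          # other daemons' lines are simply not this event type
    stamp = " ".join(m["ts"].split())    # collapse the day-of-month padding
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    kind = "auth_fail" if m["result"] == "Failed" else "auth_ok"
    return Event(ts, kind, m["src"], m["host"], m["user"])


def normalize(ids_lines: Iterable[str], syslog_lines: Iterable[str]) -> list[Event]:
    """Bring every source into the shared Event schema, ordered by time."""
    events = [e for e in map(parse_ids, ids_lines) if e]
    events += [e for e in map(parse_sshd, syslog_lines) if e]
    return sorted(events, key=lambda e: e.ts)


def count_by_kind(events: Iterable[Event]) -> dict[str, int]:
    """Operational metric: event volume per type, for reporting and trending."""
    counts: dict[str, int] = defaultdict(int)
    for e in events:
        counts[e.kind] += 1
    return dict(counts)


def correlate(events: Iterable[Event], window: timedelta = timedelta(minutes=10),
              fail_threshold: int = 3) -> list[Incident]:
    """Rule: a successful login preceded within `window` by at least
    `fail_threshold` failures from the same source is suspicious; an IDS scan
    alert from that source inside the window raises the severity to high."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    incidents = []
    for src, evs in by_src.items():
        for ok in (e for e in evs if e.kind == "auth_ok"):
            recent = [e for e in evs if ok.ts - window <= e.ts <= ok.ts]
            fails = sum(e.kind == "auth_fail" for e in recent)
            scans = sum(e.kind == "ids_scan" for e in recent)
            if fails >= fail_threshold:
                severity = "high" if scans else "medium"
                incidents.append(Incident(src, ok.host, ok.detail, severity, fails, scans))
    return incidents


if __name__ == "__main__":
    evs = normalize(IDS_LOG, SYSLOG)
    print(count_by_kind(evs))
    for inc in correlate(evs):
        print(inc)
```

The window and the failure threshold are the tuning parameters; the second source in the sample (one mistyped password followed by success) is exactly the benign pattern an untuned threshold of one would page an analyst for.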

TAKEAWAYS
Security monitoring and analysis is a key capability needed to support ongoing security
operations. An organization's incident handling capability relies on strong security monitoring
in order to identify all potential incidents and to capture as much information as possible about
them. Some things to keep in mind when entering into a SOC or security-monitoring project:

- Each organization has its own requirements, priorities, and operating environment that
  need to be identified and addressed in any solution design.
- Sometimes the key players at the organization are too close to the problem to identify some
  or all of the above items. This makes outside input all the more important to designing a
  solution successfully.
- In-house and MSSP solutions can in most cases meet all of an organization's needs and be
  successful, but the right decisions need to be made up front during the design phase.
- Commercial solutions are not always necessary, and many FOSS products can lower costs
  while providing great functionality.
- Don't forget to factor in the increase in resource usage (administration, maintenance,
  and setup) that is often hidden.
- When deciding whether to use an MSSP, remember that their business model is to use the
  same cookie-cutter solution for all customers. If you don't need customization, then this
  is truly a viable option.
- Consider having a third party evaluate the organization's needs and then act as an
  advocate for the organization during the selection and implementation phases of an
  MSSP solution.


At MindPoint Group we take an approach focused on logical design, identifying customer needs,
efficient implementation, extensive tuning, and effective staffing. We understand the challenges
associated with keeping an organization secure and have experience staffing, designing, and
building SOCs at small and large organizations. You can leverage our expertise to help
implement this type of capability in your organization and to determine whether an in-house or
MSSP solution is the right fit for you.

ABOUT MINDPOINT GROUP


MindPoint Group, LLC (MPG) is a Small Business Administration (SBA) certified 8(a),
Woman-Owned (WOSB), Economically Disadvantaged Woman-Owned (EDWOSB), and
Minority-Owned Small Disadvantaged Business (SDB) with its headquarters in Springfield, VA.
MPG's Information Security and Privacy (ISP) services provide program management support,
security assessment & authorization (S&A, formerly C&A), independent verification and
validation (IV&V), continuous monitoring, cyber security, security controls and vulnerability
assessments, penetration testing, and security operations center support. MPG understands that
information security has a broad scope, and an effective information security program must
integrate with a number of other organizational processes in order to function effectively. MPG
has experience developing and implementing a wide range of security policies, procedures, and
technologies in a variety of environments with the goal of ensuring the confidentiality, integrity,
and availability (CIA) of our clients' sensitive assets and information systems.

MPG specializes in implementing IT Security Program Management through our IS&P
methodology of establishing a collaborative working environment across all disciplines through
innovation, technical excellence, and a dedication to repeatable processes. MPG goes beyond
FISMA compliance by helping our clients align Federal regulations with their operational
mission. Through this methodology, MPG has successfully supported various clients in integrating
security across a wide range of security domains and environments.

For more information on our solutions, please visit our web site at www.mindpointgroup.com, or
check out our blog at blog.mindpointgroup.com.

