Top Responsibilities of a Cyber Security Team

Introduction

An enterprise security operations center (SOC) responsibilities are both wide and varied. This is a list based on my personal experience and observations working in operation center. If you have limited time or resources, you should consider focusing on the Review Log Events section.

Monitor Security Systems

Security systems should be continuously monitored to look for compromised devices, prevent unauthorized access, or verify hardware configurations and patches been installed. Continuously ask yourself, how can I layer my defenses, am I collecting logs, and am I protecting systems and resources.

Consider the below security systems as a minimum for monitoring.

• Antivirus software agent on endpoints.
• Vulnerability scanning to look for missing software patches.
• Intrusion Detection / Prevention System to detect malicious traffic inside the network,
• Network devices, like routers, firewalls, VPN, Citrix should be configured for least privilege.
• On switches, segregate network using VLANS for logical access controls.
• Use a SIEM for log review and alerting.
• Employ FIM to detect critical file changes.
• Physical access controls. (cameras, key cards, other.)
• Servers to collect logs for meet compliance requirements and for forensic investigations.
• Authentication servers. Active Directory. Employ Logical access controls.
• Internal Firewalls to protect servers that store and process PII data, (i.e. credit cards).
• Web proxy to blacklist suspicious sites.
• Perimeter firewall to block connections, IDS, prevent DDOS attacks, and scan attachments.
• Network Access Controls to prevent rogue wireless devices. Also, Implement 802.1x.

Review Log Events Using a SIEM

Not all events are created equal. But, some top events to look out for in a SIEM are shown here. This list was developed from hands on experience and researching various blogs. They are not listed in any specific order and should all be treated equally.

1. Monitor for policy changes.
2. User rights assignments.
3. Local Account authentication policy changes.
4. Local user account changes.
5. Sensitive Group Changes. (PIM activations. Domain Admins, SQL admins, etc.)
6. Local group membership changes.
7. New software downloads or installs.
8. Failed login attempts or lockouts.
9. Any attempt to logon as an administrator. (domain admins, afterhours, etc)
10. Firewall policy changes. (config changes)
11. New devices attached.
12. Monitor for exfiltration of data. (use SIEM, Netflow, or NIDS systems)
13. User to User network traffic. – Should be near zero. Traffic is typically client to server.

Reference: by https://windowsultimatesecurity.com

Perform Threat Hunting

Operations centers spend the bulk of their time looking for potential threats that may affect systems or people. Threats are wide and varied, from an un-known person walking the hallways to an employee walking out of door with a USB drive. A variety of different tools will be used to hunt for all the different kinds of threats.

• Run daily File Integrity Management (FIM) scan. (Changes to registry or system files)
• Run daily malware/virus/rootkit scans on all hosts.
• Monitor wireless networks for un-authorized connections.
• Conduct daily external port scans to verify only authorized ports in the firewall are open.
• Run weekly MITRE Attack/Defense testing. (Do your defenses actually work).
• Review Conditional Access policy changes in Azure, Intune, or Purview.
• Investigate SIEM alerts. Endpoint (HIDS) events and Internal Network (NIDS) events.
• Review DNS logs for allowed/blocked access to suspicious sites.
• Review DNS logs to verify un-authorized sites was actually blocked.
• Process phish tank emails. (Block users from receiving malicious emails from senders or domains).
• Verify the endpoint AV agent is running & communicating.
• Review physical cameras for un-authorized access.
• Review external Firewall logs.

Conduct Risk Assessments

Risk assessments attempt to categorize all risks and help develop a priority improvement list. Risk can come from fines by government agencies, external attackers, internal employee threats, and other sources. Typical questions that are asked are, what is likely to occur? What actions can be taken to prevent it? and how easily can fixes be implemented? Risk assessments are often required by insurance brokers, prior to issuing a policy.

• Run weekly vulnerability scans. (patching, obsolete software, or expired SSL certs).
• Verify the scanner has recently updated rule set.
• Ensure logs are collected and stored. (90 days hot + 12 months cold)
• Backup all logs nightly and run file hash to prevent unauthorized modifications.
• Dispose of logs older then the data loss prevention or retention policy.
• Conduct clean desk inspections.
• Annually conduct a Pen test against all external facing websites.
• Sending out simulated phishing emails to all employees.

Conduct Compliance Audits

Look for weaknesses in the polices or procedures that you IT staff use. How can you make security better.

• Conduct SOC2 internal audits.
• Prepare due diligence reports for outside auditors.
• Monitor Third Party venders for data breach disclosures.
• Run hardening scans. (Do the assets meet company policy; MS or CIS benchmarks).
• Maintain an inventory of all assets.
• Develop company internet filtering standards for users.
• Review network device config files for changes w/o authorization.
• Verify encryption is used for all hard drives.
• Implement DLP Policies. (unauthorized printing of data, SSN, CC numbers, etc.).
• Review your Microsoft Azure secure score.
• Run PCI compliance scans against external websites.
• Conduct tests against the firewall to verify it is blocking traffic from external countries or emails are blocking files with specific extensions.
• Carefully review Group Policy Objects, such as what computers can join the network, password enforcement, folder redirection (so files are not saved locally), etc.

Verify System’s Meet Hardening Standards

All servers and workstation need to meet minimum configuration hardening (aka. compliance) standards. The CIS Benchmarks are prescriptive configuration recommendations for more than 25+ vendor product families. They represent the consensus-based effort of cybersecurity experts globally to help you protect your systems against threats more confidently.

Reference: https://www.cisecurity.org/cis-benchmarks

Collect Logs From Critical Sources

Log collection is required by government regulations and industry standards. You will need to collect logs from a variety of critical systems. Logs typically need to be kept for 12 months. Be sure to back them up offsite for disaster recovery reasons.

The types of logs a SOC operations center should collect are:

• Application Logging
  • User account management
  • Access control events
  • Configuration changes
• Servers & Workstation Logging
  • Operating system logs.
    • System event logs. (shut down or restart service, etc.)
    • Audit logs. (Privileged account activity, files accessed, authentication attempts, etc.)
• Other Potentially Logging systems
  • Network Segmentation controls (switches)
  • Remote access software (VPN) or Citrix Gateway (NetScaler)
  • Virtual Hosts Servers like VMWare (ESX)
  • SQL data base access – Who access the databases.
  • DNS Proxy Servers.
  • FTP Servers – who logged in and what files were downloaded.
  • Linux servers, auth (login attempts) & sudo elevation.