Infrastructure Environment

Continuing with "6 elements to consider when implementing a SOC", this week we are going to introduce element #4: "Infrastructure Environment".

When we are in the process of implementing a SOC, it is important to know the environment of the infrastructure we are going to monitor and protect. For this we need the following:

A consolidated asset inventory

This inventory can exist in both physical and electronic form: stored in databases, in files, or in systems dedicated to asset inventory management such as a CMDB. To begin with, we must also know what is considered an "information asset" in the field of cybersecurity. An information asset is any information, or any element that processes that information, that has value for the enterprise. An asset inventory contains all relevant information about the hardware and software components used for the organization's information technology services, and the relationships between those components.

Having an accurate and up-to-date asset inventory lets you track the hardware and software in use and gives an overview, with some detail, of the entire technology infrastructure. That means better control and documentation when investigating behaviors observed on those assets: simply knowing which asset generated an event (its role, owner, network segment and expected services) allows us to analyze and correlate events far better than an IP address alone.

An asset inventory is a critical element because it ultimately improves your security posture: you cannot monitor, patch or defend what you do not know you have. It helps you mitigate risk and ensures operations run smoothly.

Creating one can be as simple as filling in an Excel spreadsheet. Another way is to scan all network segments with a discovery tool so that user PCs, servers, and management and security tools are all covered. Keep in mind that a scan only sees hosts that are powered on and reachable from where the scanner sits, so the results should be reconciled with other sources (DHCP leases, DNS, directory services, the CMDB) to catch both unknown devices and entries that no longer exist.
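As an added example (not the author's tooling), the script below builds an inventory from an Nmap XML scan and reconciles it against a CMDB export, reporting hosts the CMDB does not know about and CMDB entries the scan did not see. The Nmap XML is a constructed, trimmed sample in the real `nmap -oX` layout; the CMDB dictionary and all addresses are invented.

```python
"""Consolidated asset inventory from an Nmap XML scan, reconciled against a CMDB.
Added example; the XML sample and the CMDB dict are constructed placeholders."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output, trimmed to the elements read below.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames><hostname name="web01.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <hostnames/>
    <ports><port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port></ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed CMDB export keyed by IP: what the organisation believes it owns.
CMDB = {
    "10.0.0.5": {"owner": "web-team", "criticality": "high"},
    "10.0.0.9": {"owner": "finance", "criticality": "medium"},
}


def parse_nmap(xml_text):
    """One record per live host: ip, mac, hostname and its open services."""
    root = ET.fromstring(xml_text)
    assets = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no service data worth recording
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        name = host.find("hostnames/hostname")
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            label = f"{port.get('portid')}/{port.get('protocol')}"
            svc = port.find("service")
            if svc is not None:
                if svc.get("name"):
                    label += " " + svc.get("name")
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
                if product:
                    label += f" ({product})"
            services.append(label)
        assets.append({"ip": ip, "mac": mac or "",
                       "hostname": name.get("name") if name is not None else "",
                       "services": services})
    return assets


def reconcile(assets, cmdb):
    """Split the scan against the CMDB: known assets enriched with CMDB fields,
    hosts the CMDB has never heard of (new system or shadow IT), and CMDB entries
    the scan did not see (decommissioned, powered off, or on an unscanned segment)."""
    seen = {a["ip"] for a in assets}
    known, unknown = [], []
    for a in assets:
        if a["ip"] in cmdb:
            known.append({**a, **cmdb[a["ip"]]})
        else:
            unknown.append(a["ip"])
    stale = sorted(ip for ip in cmdb if ip not in seen)
    return known, sorted(unknown), stale


def to_csv(assets):
    """Flatten the records into the spreadsheet form mentioned in the post."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["ip", "mac", "hostname", "services"])
    for a in assets:
        writer.writerow([a["ip"], a["mac"], a["hostname"], "; ".join(a["services"])])
    return buf.getvalue()


if __name__ == "__main__":
    found = parse_nmap(NMAP_XML)
    known, unknown, stale = reconcile(found, CMDB)
    print(to_csv(found))
    print("seen but not in CMDB:", unknown)   # ['10.0.0.7']
    print("in CMDB but not seen:", stale)     # ['10.0.0.9']
```

The two lists returned by `reconcile` are the ones worth turning into tickets: an unknown host with RDP exposed (10.0.0.7 in the sample) is exactly the kind of asset that never makes it into monitoring, and a stale CMDB entry is a sign the inventory process, not just the scan, needs attention.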

Data sources

For the collection of event logs from the different security, network and application control mechanisms, data sources must be considered. Examples of physical and virtual devices that could provide valuable event logs include:

- Security elements such as firewalls, intrusion detection and prevention systems, antivirus solutions, web proxies, and antimalware tools.

- Network elements such as routers, switches and access points and wireless controllers.

- Operating systems such as Microsoft Windows, UNIX, Linux and Apple macOS.

- Applications such as web servers, Domain Name System (DNS) servers and mail gateways.

Other forms of data can be collected, stored and analyzed in addition to event logs. For example, full packet capture and flow records (NetFlow, IPFIX, sFlow) can both benefit SOC efforts: flow records are cheap to store and show who talked to whom and how much, while packet capture is far more expensive but preserves the actual content of a session for investigation.

Each of these data sources provides unique value; however, each has its own associated costs to consider before investing in any method of collecting and analyzing data.

Data Collection 

As soon as you have an idea of what data you want to collect, you need to figure out how to collect it, and there are different protocols and mechanisms you can use to collect data from various sources.

Depending on what the data source supports, data can be pulled from the origin by a collector (for example by polling an API or reading a file) or pushed by the origin directly to the collector or the SIEM.

It is necessary to emphasize the need for time synchronization mechanisms when collecting data. Capturing events without proper, consistent timestamps causes confusion when evaluating the events: a sequence of events across two devices whose clocks disagree cannot be reconstructed reliably, which brings unfavorable results, for example, at the time of an audit or when building an incident timeline.

A SOC applies time synchronization throughout the network, leveraging a central synchronization server and the protocol designed to carry network time information, NTP, as this is the most common way to apply such synchronization. Logging in UTC on every source avoids time zone and daylight-saving ambiguity when events from different sites are correlated.

Similarly, one common way to collect data is the syslog protocol. Traditional syslog implementations use the User Datagram Protocol (UDP) with the default port number 514. UDP is simple but offers no delivery guarantee and no confidentiality, so messages can be silently lost under load and read or forged in transit; where the implementation supports it, syslog over TCP (RFC 6587) or over TLS (RFC 5425, default port 6514) is preferable. Two settings are needed on each originator:

Logging destinations

These are either the IP addresses or the host names of the collector or SIEM. Depending on the implementation, the originator may forward syslog messages to one or more destinations.

Protocols and ports

Normally, these default to UDP and port 514; whether they can be changed to TCP or TLS, and to a different port, depends on the implementation.
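The collector side of what the three paragraphs above describe, as an added example that is not the author's code: parse both syslog formats a device may send (BSD-style RFC 3164 and RFC 5424), decode the facility and severity from the `<PRI>` field, and compare each event's timestamp with the collector's own NTP-synchronized clock so that events from a source with a wrong or missing clock are flagged instead of silently corrupting the timeline. The log lines are constructed, and the assumption for RFC 3164 lines, which carry neither year nor time zone, is that the collector's year and UTC apply; that assumption is precisely why both ends need to be synchronized.

```python
"""Collector-side syslog parsing with a clock-skew check.
Added example; the sample lines and the received_at clock are constructed."""
import re
from datetime import datetime, timezone

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG  (BSD syslog, still the default on many devices)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line, received_at):
    """Return a normalised record, or None if the line is in neither format.
    received_at is a timezone-aware datetime taken from the collector's clock."""
    m, fmt = RFC5424.match(line), "rfc5424"
    if m is None:
        m, fmt = RFC3164.match(line), "rfc3164"
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None  # PRI = facility*8 + severity, facility 0-23, severity 0-7
    if fmt == "rfc5424":
        raw = m.group("ts")
        ts = None if raw == "-" else datetime.fromisoformat(raw.replace("Z", "+00:00"))
        app, msg = m.group("app"), m.group("msg") or ""
    else:
        # Assumption: RFC 3164 omits year and zone, so take both from the collector.
        ts = datetime.strptime(f"{received_at.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        app, msg = "", m.group("msg")
    return {
        "format": fmt,
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "host": m.group("host"),
        "app": app,
        "timestamp": ts,
        "skew_s": None if ts is None else (received_at - ts).total_seconds(),
        "msg": msg,
    }


def clock_problem(record, max_skew_s=300):
    """True when the event should be set aside for review: it has no timestamp,
    or the originator's clock disagrees with the collector's by more than
    max_skew_s (network latency and queueing account for seconds, not minutes)."""
    return record["skew_s"] is None or abs(record["skew_s"]) > max_skew_s


def format_rfc5424(facility, severity, host, app, msg, now=None):
    """Originator side: emit an RFC 5424 line with an explicit UTC timestamp so
    the collector never has to guess the year or the zone."""
    now = now or datetime.now(timezone.utc)
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}>1 {now.strftime('%Y-%m-%dT%H:%M:%SZ')} {host} {app} - - - {msg}"


# Constructed sample lines as a collector would receive them on UDP/514.
RECEIVED_AT = datetime(2024, 10, 11, 22, 14, 20, tzinfo=timezone.utc)
SAMPLE = [
    "<34>Oct 11 22:14:15 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=22",
    "<165>1 2024-10-11T22:14:15.003Z web01 nginx 1234 ID47 - GET /admin 403",
    "<13>1 2019-01-01T00:00:00Z app03 backup - - - nightly job finished",  # clock never set
    "<13>1 - app04 agent - - - boot message",  # NILVALUE timestamp
    "garbage that is not syslog",
]

if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_syslog(line, RECEIVED_AT)
        if rec is None:
            print("unparsed:", line)
            continue
        flag = "CLOCK?" if clock_problem(rec) else "ok"
        print(f"{flag:6} {rec['facility']}.{rec['severity']} {rec['host']} skew={rec['skew_s']} {rec['msg']}")
```

The third and fourth sample lines are the cases that hurt during an investigation: a device whose clock was never set reports events from 2019, and a message with a nil timestamp has no time at all. Flagging them on arrival, rather than discovering them while building a timeline, is the practical payoff of the time synchronization requirement; the transport (UDP 514, TCP, or TLS on 6514) is what the destination and port settings above select, and does not change the parsing.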

It is important to note that the fundamental idea is not to monitor everything just for the sake of it, but rather to design your data collection capability around your objectives: start from the detection use cases and compliance requirements you need to satisfy, and collect the sources that serve them.

Vulnerability Management

For organizations to prioritize potential threats and minimize their attack surface within the infrastructure environment, it is important to know what vulnerabilities they are exposed to.

It is necessary to have a process that is carried out continuously, so that it keeps up with new systems being added to the networks, changes being made to existing systems, and the discovery of new vulnerabilities over time. Scan results should be read together with the asset inventory: the same vulnerability on an internet-facing server and on an isolated lab machine does not carry the same risk.
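As an added example of that continuous process (not the author's process or any particular scanner's output), the snippet below ranks scanner findings by combining the CVSS score with the asset context from the inventory, flags findings on hosts the inventory does not know, and diffs the current scan against the previous one to surface what is new and what was fixed. The inventory, the findings and the `vuln-N` identifiers are constructed placeholders, not real CVEs, and the weights are an assumption to be tuned per organisation.

```python
"""Risk-based vulnerability prioritisation plus scan-to-scan diff.
Added example; inventory, findings, identifiers and weights are constructed."""

# Asset context from the inventory: without it every CVSS 9.8 looks the same.
INVENTORY = {
    "web01": {"criticality": "high", "internet_facing": True},
    "db01": {"criticality": "high", "internet_facing": False},
    "wks17": {"criticality": "low", "internet_facing": False},
}

# Previous scan kept as (host, finding) pairs so the diff is a plain set operation.
PREVIOUS_SCAN = {("web01", "vuln-1"), ("db01", "vuln-2"), ("db01", "vuln-5")}

# Current scanner export, constructed; "lab-unknown" is absent from the inventory.
CURRENT_SCAN = [
    {"host": "web01", "id": "vuln-1", "cvss": 9.8, "title": "RCE in web framework"},
    {"host": "db01", "id": "vuln-2", "cvss": 7.5, "title": "auth bypass in DB listener"},
    {"host": "wks17", "id": "vuln-3", "cvss": 9.0, "title": "browser sandbox escape"},
    {"host": "lab-unknown", "id": "vuln-4", "cvss": 8.1, "title": "outdated SSH server"},
]

CRIT_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}  # assumed weights
EXPOSURE_MULTIPLIER = 1.5                              # assumed: reachable from the internet


def prioritise(findings, inventory):
    """score = CVSS x criticality weight x exposure multiplier.
    A host missing from the inventory gets the medium weight plus an explicit
    flag: a finding on an unknown asset is an inventory failure as much as a
    vulnerability finding."""
    scored = []
    for f in findings:
        asset = inventory.get(f["host"])
        weight = CRIT_WEIGHT[asset["criticality"]] if asset else CRIT_WEIGHT["medium"]
        mult = EXPOSURE_MULTIPLIER if asset and asset["internet_facing"] else 1.0
        scored.append({**f, "score": round(f["cvss"] * weight * mult, 1),
                       "unknown_asset": asset is None})
    return sorted(scored, key=lambda f: f["score"], reverse=True)


def diff_scans(current, previous):
    """The continuous part: what appeared since the last scan, and what went away."""
    now = {(f["host"], f["id"]) for f in current}
    return sorted(now - previous), sorted(previous - now)


if __name__ == "__main__":
    for f in prioritise(CURRENT_SCAN, INVENTORY):
        tag = " (asset not in inventory!)" if f["unknown_asset"] else ""
        print(f"{f['score']:5}  {f['host']:12} {f['id']:7} {f['title']}{tag}")
    new, fixed = diff_scans(CURRENT_SCAN, PREVIOUS_SCAN)
    print("new since last scan:", new)
    print("no longer reported:", fixed)
```

In the sample the CVSS 9.0 finding on a low-criticality workstation ends up below the CVSS 8.1 finding on the unknown host, which is the point: the ranking a SOC acts on comes from the inventory as much as from the scanner, and a host that is missing from the inventory cannot be ranked correctly at all.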

Ensuring that all of this is handled from the start translates into time saved when investigating and searching for events, which is why the infrastructure environment is one of the key elements of this weekly publication series.

Hi! I am Kendra Mazara

Senior Information Security Specialist | MBA | Cofounder MujeresTICs RD | Speaker | LinkedIn Learning Instructor
