ROADMAP TO
SECURITY OPERATIONS EXCELLENCE
ERIK TAAVILA
APRIL 2015
Erik Taavila
• IT Security & Compliance manager
• CISSP, CCFP, CISA, CEH
• "IT is about the People!"
• Twitter: @ErikTaavila
• LinkedIn: https://fi.linkedin.com/in/eriktaavila
EXECUTIVE SUMMARY
IDENTIFY RISKS
• Plan a solid information security management roadmap
• Set up initial capabilities
MANAGE INFORMATION SECURITY
• Operate security tools
• Protect from known threats and handle basic incidents
OPTIMIZE INFORMATION SECURITY
• Build advanced skills and capabilities
• Identify, contain and remediate complex incidents
WHAT IS A SOC?
• SOC (Security Operations Center) is a popular term at the moment, but it is not defined very precisely
• Models vary from the simple: a team managing the organization's security tools
• To the advanced promise: a skilled team of security professionals proactively managing the organization's security posture, with advanced capabilities to detect and react to incidents
SHOULD YOU BUY ONE?
• Any organization seeking a better security posture should set up a formal Information Security Management System (ISMS)
• The next step is to define the risk appetite and develop an information security roadmap for reaching the defined level
• The SOC is the team defined to operate the tools and processes of the implemented roadmap
• So YES, you should buy one, but it is not necessarily available as an out-of-the-box service
LEVEL 1:
INITIAL SECURITY OPERATIONS
Plan
Understand
Operate
• Plan a roadmap for People, Processes, Architecture and Technology
• Collect and maintain asset information, the service catalog, owners and contact information
• Operate security tools and provide platform-level security for the organization
• Collect infrastructure logs
Tools: Firewall, anti-malware, remote access solution, user authentication, log management, identity management, IT service management and CMDB
LEVEL 2:
FORMING SECURITY OPERATIONS
Monitor
Protect
React
• Monitor environment events
• Protect the environment from widely known threats
• React to identified incidents
• Collect application events
Tools: Previous level + Security Information and Event Management (SIEM), advanced firewall, federation/SSO, Enterprise Architecture repository, device management, content-level encryption, patch and vulnerability management
LEVEL 3:
OPTIMIZING SECURITY OPERATIONS
Analyze
Prevent
Improve
• Analyze logs and identify context-related bad behavior
• Remediate the situation
• Identify the damage
• Prevent further damage
• Harden the environment against new threats
Tools: Previous level + malware sandboxing, forensics tools and response
START BUILDING SECURITY MANAGEMENT TODAY
• Identifying risks and threats
• Mitigating them
• Monitoring and reacting
• Preventing further damage
• Protecting from future incidents
• Getting it right takes time and organizational growth - start today
