Information Security Jobs: Security Operations

By Peter H. Gregory

Security operations, or SecOps, is another category of information security that covers many separate concepts and topics, all concerned with how security supports the day-to-day operation of information systems.

Operations terminology

Several key terms fit best in the security operations category, including the following:

  • Separation of duties: High-value operations are split into tasks performed by different individuals or departments, so that no single person can complete a sensitive action alone. The classic example is privileged access: one person requests it, another approves it, and a third grants it.

  • Least privilege: People should have the lowest level of privilege needed to perform their required tasks. Giving everyone elevated privileges is easier to administer, but it weakens the protection around sensitive systems and hands an intruder who compromises any one account far more than that account ever needed.

  • Need to know: People should have access only to the information they need to do their jobs. The same reasoning applies to privileges: holding administrator rights on one system doesn’t mean a person should hold them on all systems.

  • Job rotation: Organizations periodically move people from role to role for many reasons, including staving off boredom, cross-training, and deterring individuals from abusing their privileges, since a successor in the role is likely to notice any abuse.

  • Special privileges monitoring: Because the administrative privileges held by system, network, and database administrators are so much greater than those of other users, many organizations monitor their activity more closely, even to the point of logging and reviewing every command they issue to systems.

Continuous monitoring

The velocity of harmful events has accelerated to the point where manual, after-the-fact review of logs is no longer an effective means of detecting unwanted behavior. Besides, the volume of available log data is far too great for humans to review.

Organizations must centralize their logging. All devices and systems should send their log data to a purpose-built central repository, a security information and event management (SIEM) system. But more than that, organizations need tooling that not only detects serious security events but also alerts key personnel, and where possible remediates the incident, in seconds or minutes rather than the weeks or months that is so often the case.
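The special-privileges monitoring and continuous-monitoring points above come together in a SIEM correlation rule. The following is an added example, not code from the article or any SIEM product: it parses a constructed syslog-style sample (the hosts, users, and addresses are made up), keeps an audit trail of every sudo command, and raises alerts for two patterns: a burst of failed SSH logins from one source within a sliding window, and privileged commands run by a user who is not on the admin list. The threshold, window, admin set, and list of sensitive commands are assumed values a real deployment would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style sample; not captured from any real host.
SAMPLE_LOG = """\
Mar 10 09:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 09:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar 10 09:14:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 10 09:14:07 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 09:14:09 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar 10 09:20:11 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 09:21:45 web1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -m svc-backup
Mar 10 10:02:30 web1 sshd[2301]: Failed password for root from 198.51.100.9 port 40001 ssh2
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
SSH_FAIL_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(
    TS + r" (?P<host>\S+) sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")

# Tunables: assumed values for this example, not the article's.
FAIL_THRESHOLD = 5          # failures from one source ...
WINDOW_SECONDS = 60         # ... within this sliding window
ADMINS = {"alice"}          # users approved to hold administrative privilege
SENSITIVE_PREFIXES = ("/usr/sbin/useradd", "/usr/sbin/usermod",
                      "/usr/sbin/visudo", "/usr/bin/passwd")


def parse_ts(text):
    # syslog timestamps carry no year; relative ordering is all the window needs.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(log_text):
    """Return (alerts, audit_trail) for the given log text.

    alerts: list of dicts with rule, subject, host, detail.
    audit_trail: every sudo command seen, whoever ran it (the 'log every
    command' practice from the special privileges monitoring bullet).
    """
    alerts, audit_trail = [], []
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()               # IPs already alerted on, to avoid repeats

    for line in log_text.splitlines():
        m = SSH_FAIL_RE.match(line)
        if m:
            ts, ip = parse_ts(m["ts"]), m["ip"]
            window = recent[ip]
            window.append(ts)
            # Drop failures that have aged out of the sliding window.
            while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "ssh_brute_force", "subject": ip, "host": m["host"],
                               "detail": f"{len(window)} failed logins within {WINDOW_SECONDS}s"})
            continue

        m = SUDO_RE.match(line)
        if m:
            user, cmd = m["user"], m["cmd"]
            audit_trail.append((m["ts"], m["host"], user, cmd))
            if user not in ADMINS:
                alerts.append({"rule": "sudo_by_non_admin", "subject": user,
                               "host": m["host"], "detail": cmd})
            elif cmd.startswith(SENSITIVE_PREFIXES):
                # Admins may run these, but the action still deserves a review.
                alerts.append({"rule": "sensitive_admin_command", "subject": user,
                               "host": m["host"], "detail": cmd})
    return alerts, audit_trail


if __name__ == "__main__":
    found, trail = analyze(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['rule']}: {a['subject']} on {a['host']} ({a['detail']})")
    for entry in trail:
        print("AUDIT sudo", *entry)
```

On the sample, the first five lines trip the brute-force rule for 203.0.113.7 while the lone failure from 198.51.100.9 does not, and bob's useradd is flagged because he is not an approved administrator; alice's restart is recorded in the audit trail but raises nothing. The sliding window matters: the same five failures spread over several minutes would not alert, which is the difference between a correlation rule and a simple count.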

Records management

Records management refers to a family of business processes used to manage and protect business records in an organization. Several security-related disciplines within records management are of particular interest to information security professionals:

  • Data classification: Organizations define sensitivity levels for information, with handling procedures for each level.

  • Access management: Organizations establish access management processes to control who has access to what data, functions, and systems.

  • Data retention: Based on business need and regulations, organizations establish minimum and maximum retention times for various types of data. In the absence of specific guidance, the best rule is to keep it long enough but not too long: data is both an asset and a liability.

  • Data loss prevention: Organizations need to ensure that sensitive data is adequately protected. Static tools can find sensitive data stored where it shouldn’t be, and dynamic tools can observe data leaving the environment and stop it when that departure is not part of routine business operations.

  • Backup: Hardware problems, software problems, and disasters of many kinds make organizations wish they had a backup copy of critical information. Most organizations routinely copy important data to backup media or servers in some remote location.

  • Data destruction: After data is no longer needed, it must be destroyed so that unauthorized parties cannot recover it.
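The static side of data loss prevention, together with data classification, is easier to picture with a scanner in hand. The following is an added example, not code from the article or any DLP product: it scans a constructed set of files (the paths and contents are made up) for card numbers and US Social Security numbers, and reports hits that sit outside the locations the classification scheme permits. The approved location prefix is an assumption. Two checks keep the false-positive rate down, which is what separates a usable scanner from one that drowns the reviewer: candidate card numbers must pass the Luhn checksum, and SSN candidates must be structurally valid (no 000, 666 or 9xx area, no 00 group, no 0000 serial).

```python
import re

# Constructed sample files (path -> contents); not taken from any real system.
SAMPLE_DOCS = {
    "/shared/marketing/newsletter.txt":
        "Call 555-0100 for details. Order ref 1234-5678-9012-3456.",
    "/shared/finance/refunds.csv":
        "customer,card\njdoe,4111 1111 1111 1111\n",
    "/secure/hr/payroll.txt":
        "Employee record: SSN 123-45-6789 on file.",
    "/shared/tmp/export.txt":
        "SSN 219-09-9999 copied for testing; placeholder 000-12-3456.",
}

# Where the classification scheme permits this data to live (assumed for the example).
APPROVED_PREFIXES = ("/secure/",)

# Candidate card numbers: 13-19 digits with optional single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape; structural validity is checked separately.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn checksum; rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def valid_ssn(area, group, serial):
    """Reject SSNs that can never be issued (area 000, 666, 900-999; group 00; serial 0000)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan(docs, approved=APPROVED_PREFIXES):
    """Return every validated hit, noting whether its file is in an approved location."""
    hits = []
    for path, text in docs.items():
        location_ok = path.startswith(approved)
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append({"path": path, "kind": "card",
                             "masked": "*" * (len(digits) - 4) + digits[-4:],
                             "location_ok": location_ok})
        for m in SSN_RE.finditer(text):
            if valid_ssn(*m.groups()):
                hits.append({"path": path, "kind": "ssn",
                             "masked": "***-**-" + m.group(3),
                             "location_ok": location_ok})
    return hits


def violations(docs, approved=APPROVED_PREFIXES):
    """Hits that sit where the classification says such data must not be stored."""
    return [h for h in scan(docs, approved) if not h["location_ok"]]


if __name__ == "__main__":
    for v in violations(SAMPLE_DOCS):
        print(f"VIOLATION {v['kind']} {v['masked']} in {v['path']}")
```

On the sample, the order reference in the newsletter has the shape of a card number but fails Luhn and is ignored, the refund export and the test copy of an SSN are reported as violations, and the SSN in the payroll file is seen but accepted because it lives under the approved prefix. Note that the finding carries only a masked value; a DLP report that reproduces the sensitive data it found is itself a leak.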

Antimalware

Organizations often combat malware by having several layers of control in place (known as defense in depth), including the following:

  • Workstation antimalware: The front line of the malware wars: every workstation should run antimalware software.

  • Server antimalware: File servers and other systems used to store programs and files should have antimalware, just in case malware sneaks through a workstation.

  • Email server antimalware: Email is a favored transportation route for malware, so blocking it at email servers is a good way to keep it from reaching workstations.

  • Spam filtering: Because many attacks arrive as phishing, spam filters can block a large share of phishing messages before users ever see them.

  • Website filtering: These appliances block access to websites by category and block sites known to be compromised or to host malware.

Remote access

Remote access is both the business process and the technology that let an employee reach information systems that are not directly accessible from the Internet.

In the business process sense, many organizations permit only a subset of their workers to remotely access the internal environment. In the technical sense, remote access usually includes encryption of all communications and two-factor authentication, to make it harder for an attacker who has stolen a password to reach internal systems.

The fact that many organizations are opting for cloud-based systems instead of internal systems makes some aspects of traditional remote access obsolete.

Incident management

Incident management is an IT operations process used to respond properly to operational and security incidents. Organizations should have written incident response plans along with training and testing. Written playbooks for common incident types should also be developed.

The steps in a mature incident management process are

  • Declaration

  • Triage

  • Investigation

  • Analysis

  • Containment

  • Recovery, mitigation, or both

  • Debriefing

Vulnerability management

Vulnerability management is an IT operations process concerned with the identification and mitigation of vulnerabilities in IT systems. An effective vulnerability management process includes procedures for identifying vulnerabilities, prioritizing them, and making changes to eliminate vulnerabilities that could be used by an intruder to successfully attack the environment.

Change management

Change management is a basic IT operations process concerned with the management and control of changes made to IT systems. A proper change management process has formal steps of request, review, approval, execution, verification, and recordkeeping. The purpose of change control is that proposed changes are discussed before they take place, so that risks and other issues can surface.