Top 20 Capability Areas for Cyber Security Operations
This is a familiar topic area with Cyber Security practitioners of all experience levels – What are the core capabilities we need to start investing in as we mature and evolve Cyber Security Operations for our organization? Of course, the answer is always – It depends.
Cyber Security is a very broad set of challenges, and the term “Cyber Security Operations” can mean different things to different people. You first need to create some clarity regarding the overall vision your organization has for Cyber Security Operations; including what specific Services and SLAs are expected. From these Services, you can derive the set of core capabilities you’ll need and when, including some prioritization for which should be acquired first.
Other critical business areas such as MRP, SCM, ERP, CRM, etc. have matured over decades to converge on “taxonomies” or “reference models” that capture the superset of capabilities required to perform their specific disciplines. Convergence on such a capability reference model for Cyber Security Operations has yet to materialize. So herein we have compiled a summary of the top 20 capabilities often found in more mature Cyber Security Operations Centers or (C)SOCs, and grouped them by the 7 challenges every cyber security operations effort ultimately needs to address:
- Knowledge of one’s own cyber infrastructure
- Knowledge of the threats emerging in cyberspace
- Management of Access Controls
- Monitoring and Detection
- Informed Incident Response
- Investigation
- and Visibility through advanced reporting
The outline below provides the next level of detail to the taxonomy.
The list of capability areas is a broad superset, and is intended to be descriptive rather than prescriptive. It’s offered strictly as a reference model to inform Security Operations roadmaps, or simply to help teams manage expectations with their stakeholder and leadership communities. The following is an outline of the taxonomy:
Knowledge of one’s own cyber infrastructure
- Capability Area 1) Asset & Configuration Management
- Capability Area 2) Asset Discovery
- Capability Area 3) Business Dependency Mapping (e.g., "Business Impact Analysis", or "Mission Mapping")
Knowledge of the Threats emerging in cyberspace
- Capability Area 4) Cyber Threat Intelligence (e.g., "CTI" and Threat Intel Platforms or "TIPs")
Management of Access Controls
- Capability Area 5) Identity Management
- Capability Area 6) Authentication Management
- Capability Area 7) Authorization Management
- Capability Area 8) Privacy/Confidentiality Management
Monitoring and Detection
- Capability Area 9) Instrumentation (Sensors & Tuning)
- Capability Area 10) Monitoring (Collection, Aggregation)
- Capability Area 11) Detection Analytics (e.g., "Big Data" security analytics)
- Capability Area 12) Visualization (e.g., Analyst's dashboards, operational pictures)
Informed Incident Response
- Capability Area 13) Consequence Analysis (e.g., answering the "So What?" imperative)
- Capability Area 14) Incident Response (IR) Workflow
- Capability Area 15) Countermeasure Management (e.g., "Playbooks")
- Capability Area 16) Security Orchestration & Automation (e.g., "Response Management")
Forensic Investigation
- Capability Area 17) Digital Forensics (DF) Analysis
- Capability Area 18) Case Management
- Capability Area 19) Digital Evidence Management
Visibility through advanced reporting
- Capability Area 20) Enterprise Reporting (e.g., KPIs, GRC, and beyond)
Any one of these topic areas on its own, is broad enough to require a more detailed inventory of specific capabilities and requirements. Which may explain why so many mature SOCs employ an average of more than 50 individual tools and technologies.