WEBVTT

00:00:00.540 --> 00:00:01.140
Finally,

00:00:01.140 --> 00:00:05.910
let's take a few moments to look at the management of security operations.

00:00:06.340 --> 00:00:10.080
It should be no shock that there are already standards out there from

00:00:10.080 --> 00:00:15.430
the ISO world that we will pursue to define what security operations

00:00:15.430 --> 00:00:18.550
should look like and how to measure success.

00:00:18.940 --> 00:00:19.470
Then,

00:00:19.480 --> 00:00:25.140
we will take a moment to log into the AWS Management Console to check out

00:00:25.150 --> 00:00:28.730
what monitoring looks like from a cloud perspective.

00:00:28.740 --> 00:00:29.410
And finally,

00:00:29.410 --> 00:00:32.299
we'll close out the discussion with establishing a

00:00:32.299 --> 00:00:34.330
plan for our digital forensics.

00:00:34.330 --> 00:00:42.430
The security operations center standard, as specified in ISO/IEC 18788,

00:00:42.430 --> 00:00:48.470
noted as the Management System for Private Security Operations,

00:00:48.470 --> 00:00:52.740
defines a number of elements for successful operations.

00:00:52.800 --> 00:00:57.670
The first is to make sure that you have developed requirements for the

00:00:57.670 --> 00:01:02.080
guidance on what your security operations center should be designed for

00:01:02.090 --> 00:01:06.750
based upon your organization's risk management process.

00:01:06.760 --> 00:01:10.800
What is it that is part of the risk appetite to participate in

00:01:10.810 --> 00:01:14.880
and what are things that you're absolutely avoiding that do not

00:01:14.890 --> 00:01:17.560
meet up to a risk tolerance level?

00:01:18.040 --> 00:01:21.880
You should also be thinking about what the design should be for

00:01:21.880 --> 00:01:26.850
facilities that are in spaces that may have additional concerns

00:01:26.860 --> 00:01:30.460
beyond your monitoring of security operations.

00:01:30.820 --> 00:01:34.730
You need to be able to assess and manage the impact of

00:01:34.730 --> 00:01:38.410
problems brought onto the facility and the impact of issues

00:01:38.410 --> 00:01:40.060
that it is that you are monitoring.

00:01:40.440 --> 00:01:44.240
There needs to be tight integration of what the local law

00:01:44.250 --> 00:01:49.420
says as far as your spectrum of responsibility for the area

00:01:49.420 --> 00:01:50.800
that you're operating in,

00:01:50.800 --> 00:01:54.740
and we need to make sure that there is some alignment between what's being

00:01:54.740 --> 00:01:57.550
monitored and what matches the organizational mission.

00:01:57.550 --> 00:02:01.180
A way to make sure that you are growing in your

00:02:01.180 --> 00:02:04.220
capability would be to use the PDCA model.

00:02:04.220 --> 00:02:06.950
In the four‑step process, it begins with planning,

00:02:06.950 --> 00:02:10.759
and it's a cycle also known as the Deming Cycle.

00:02:11.140 --> 00:02:14.970
Once you have a plan of what the operation center should

00:02:14.980 --> 00:02:17.730
be and the behavior associated with it,

00:02:17.740 --> 00:02:22.560
you should carry out a plan in the form of some kind of action.

00:02:23.540 --> 00:02:26.500
So there should have been something that predicted the outcome,

00:02:26.500 --> 00:02:30.040
but you also are now verifying what the outcome is.

00:02:30.090 --> 00:02:30.510
Finally,

00:02:30.510 --> 00:02:36.490
you go into an act that is the reconciliation of what you planned and

00:02:36.490 --> 00:02:40.470
what you did and whatever discrepancies are addressed so that you can

00:02:40.470 --> 00:02:43.650
continually iterate in modifying the plan,

00:02:43.660 --> 00:02:44.580
updating the plan,

00:02:44.580 --> 00:02:48.340
improving the plan so that your actions in that center are

00:02:48.340 --> 00:02:50.270
conforming to your business requirements.

00:02:51.440 --> 00:02:55.680
When looking at the security operations management system,

00:02:55.680 --> 00:03:00.140
management commitment is always going to be an extremely important part of

00:03:00.190 --> 00:03:03.530
any capability that you have within your organization.

00:03:03.540 --> 00:03:06.970
Understanding human rights, not only for your employees,

00:03:06.980 --> 00:03:10.150
but for those who are near that facility,

00:03:10.210 --> 00:03:14.520
understanding that you should have continuous improvement as a way of going

00:03:14.520 --> 00:03:18.180
about implementing your security operations management system,

00:03:18.180 --> 00:03:21.910
and that management should also have defined what the

00:03:21.910 --> 00:03:24.920
available resources are to maintain it.

00:03:24.920 --> 00:03:26.640
When it comes to the planning portion,

00:03:26.640 --> 00:03:30.020
this means that you would engage in a risk assessment,

00:03:30.030 --> 00:03:31.430
both qualitative,

00:03:31.430 --> 00:03:33.500
thinking about what the impact would be for lost

00:03:33.500 --> 00:03:36.510
services and quantitative as well,

00:03:36.510 --> 00:03:41.650
thinking of what the financial loss could be for things that are destroyed,

00:03:41.660 --> 00:03:44.360
altered, or otherwise disclosed.

00:03:44.360 --> 00:03:49.590
What legal requirements you have to meet based upon the area that you're in.

00:03:49.730 --> 00:03:53.670
It is good to remember that you need to follow the laws that you are closest to.

00:03:53.670 --> 00:03:56.560
What may serve as policy in one area of the world

00:03:56.560 --> 00:03:59.370
may actually be illegal in another space.

00:03:59.760 --> 00:04:03.690
Make sure that you have set up objectives that you want to achieve

00:04:03.690 --> 00:04:07.050
within a particular timeframe and that you have measurable ways of

00:04:07.050 --> 00:04:09.820
seeing if you are off on meeting those.

00:04:09.820 --> 00:04:14.440
Strategic programs that are external to your security operations

00:04:14.440 --> 00:04:17.760
management system could be your deployment capabilities,

00:04:17.769 --> 00:04:21.050
your release capabilities, your continuous integration,

00:04:21.050 --> 00:04:23.710
and continuous delivery capabilities.

00:04:23.740 --> 00:04:28.400
Risk management strategies also mean taking a step back from the

00:04:28.410 --> 00:04:31.850
assessment and seeing what the purpose is of the assessment.

00:04:31.860 --> 00:04:35.160
What objective does it meet from a business perspective?

00:04:35.160 --> 00:04:40.390
The implementation and the operation of it includes the operational

00:04:40.390 --> 00:04:43.310
controls that will be inside of that facility,

00:04:43.320 --> 00:04:47.770
resources and roles, and a delineation between responsibilities

00:04:47.770 --> 00:04:49.580
and the authorities in the organization,

00:04:49.590 --> 00:04:54.650
making certain that people have good training and awareness and communication.

00:04:54.660 --> 00:04:59.470
Documentation tends to be something that is underutilized,

00:04:59.480 --> 00:05:01.410
underrepresented in an organization,

00:05:01.420 --> 00:05:05.450
verifying that you have proper documentation and runbooks on when

00:05:05.450 --> 00:05:07.870
there are failures inside of these systems.

00:05:07.870 --> 00:05:12.120
And then also making sure that prevention is an equal

00:05:12.120 --> 00:05:14.750
part of your risk assessment process.

00:05:14.940 --> 00:05:18.920
Understanding how well you're doing means that you have to have

00:05:18.920 --> 00:05:22.370
continuous monitoring and measuring of your objectives.

00:05:22.380 --> 00:05:26.540
So key performance indicators are typically rearview mirror:

00:05:26.640 --> 00:05:28.650
something has to have taken place.

00:05:28.740 --> 00:05:33.320
But key risk indicators can be predictive of the future as you see

00:05:33.320 --> 00:05:38.380
how far off you might be on average based upon a goal that you have

00:05:38.390 --> 00:05:40.410
that has yet to be met in the future.

00:05:40.420 --> 00:05:44.330
Compliance evaluation is also part of the performance

00:05:44.330 --> 00:05:47.280
monitoring to make sure that you are complying with laws and

00:05:47.280 --> 00:05:49.750
regulations. That also should be measured,

00:05:49.760 --> 00:05:54.450
along with testing to see that the controls are actually effective and

00:05:54.450 --> 00:05:59.740
something that takes place if those controls are shown to be ineffective to

00:05:59.750 --> 00:06:02.970
correct it and create additional preventive measures.

00:06:03.010 --> 00:06:07.890
The nonconformities for corrective measures that come out of testing

00:06:07.900 --> 00:06:11.190
would also be exposed by means of internal audits.

00:06:11.340 --> 00:06:16.120
The management of the security operations management system would include

00:06:16.130 --> 00:06:20.160
effectiveness of the adequate controls that are there,

00:06:20.160 --> 00:06:23.850
need for changes for controls that do not work well,

00:06:23.850 --> 00:06:30.040
and having this idea of never being satisfied with where you are is essential.

00:06:30.050 --> 00:06:34.350
Next, let's take a look at monitoring of the security controls.
