Security Operations Center Guidebook
A Practical Guide for a Successful SOC
Gregory Jarpey
R. Scott McCoy
Copyright
Butterworth-Heinemann is an imprint of Elsevier
The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States
Copyright 2017 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.
Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
Library of Congress Cataloging-in-Publication Data
A catalog record for this book is available from the Library of Congress
ISBN: 978-0-12-803657-0
For Information on all Butterworth-Heinemann publications visit our website at https://www.elsevier.com/books-and-journals
Publisher: Candice Janco
Acquisition Editor: Candice Janco
Editorial Project Manager: Hilary Carr
Senior Project Manager: Priya Kumaraguruparan
Cover Designer: Mark Rogers
Typeset by MPS Limited, Chennai, India
Dedication
For those who supported me through the SOC years: Al Hancock, Linda Merchant, Eric Jones, Larry Doucette, Anna Spychalla, Aaron Burns, Archie Price, Nate Marks, Mike Tillman, Nancy Sorensen, Dale Woolheater and of course my good friend Scott McCoy. Thank you!
For those who inspire me always: my dearest wife Monica, and my precious jewels Jonathan, Aaron & Maija. I love you!
This book is dedicated to my son;
Nicholas Gregory Jarpey
December 19, 1995 - January 28, 2014
A son, a brother and friend to all, with a bright smile and quick joke to light up someone's day.
I love you and miss you with all my heart. Rest in peace buddy.
Introduction
This book is intended for anyone who is considering building a security operations center (SOC), who already has a SOC and wants to improve its operations or increase its scope, or who simply wants to learn more about what a SOC does and why it is critical not just to the security posture of the organization it supports but, when done properly, becomes the hub through which all nonoperational information moves.
Before we dive in, we want to emphasize a point we just made. A SOC is not intended to directly support the day-to-day operations of whatever organization you have. We started this journey at Northern States Power, based in Minneapolis, Minnesota. A few years after we were hired, it became Xcel Energy. As an electric utility, they have an operations center that monitors and controls the flow of electricity across the portion of the grid they support. The SOC has nothing to do with their daily operations, nor should it. For a utility, generating, transmitting, and delivering electricity to customers is their core mission and they do an outstanding job.
The SOC only exists because it supports that core mission. They do this primarily through the monitoring of burglar (burg) or intrusion alarms, fire alarms, panic alarms, camera activity, environmental alarms, card access activity, and anything else that is determined to be important to the operations of the organization. This is accomplished by hiring and training security console operators (SCOs) and giving them clear instructions and solid training and feedback.
Building a world-class SOC is a process. The most important thing to realize going in is that mistakes will be made and things will happen that were never planned for. What is critical to continuous improvement is to focus on fixing the problems rather than dwelling on the failures.
A Rocky Start
We are both proud of the SOCs we have built and improved, but neither of us started out as an expert, and the SOC at Xcel Energy had a rough beginning. Initially, we weren't even focused on the SOC. We had a problematic card access system that was costing a lot of money to maintain and had inconsistent performance issues that were hard to troubleshoot. In 1998, it was a SOC in name only. There was a very nice dedicated room with huge custom consoles and monitors lining the walls. The room was built with leftovers from the control center update, and it did look impressive at first glance.
It was a one-security-officer post, but it was staffed 24/7/365. The primary duties were to monitor intrusion alarms that came through the card access system and to remotely open gates at a few key facilities when needed. No distinction was made between this and any other post, and the officers on the evening and night shifts were underutilized and often bored. Because the system was faulty and generated unreliable alarms, they had been trained to acknowledge alarms and take no further action. Essentially, guards were posted there to click a mouse.
We're not going to go through every detail of the transformation, but we will say that once we had replaced the card access system with a properly functioning one, it became clear that the security officers assigned to the SOC were undertrained and, in many cases, in over their heads. The next step, attaining Underwriters Laboratories (UL) certification to monitor fire alarms, required that we always have two SCOs on duty, and it also made us reevaluate what kind of person we needed to hire.
This book is broken down into chapters in an order we hope makes sense. We start with a needs assessment, move through the business case and construction, continue on to hiring, training, and development, and end with chapters on how to take your SOC to the next level.