
Corporate Cyber Security Part 1: Overview

[Image: NORAD Command Center]

We all hear about big corporations and their security teams, usually under less than ideal circumstances, but what do these teams really look like? What do they actually do?

The answers to these questions can vary greatly, depending on the size of the company and what they are trying to protect, but it generally boils down to a single security team or department. Their mission? Collect relevant cyber security data and analyze it to detect and respond to incidents in a timely fashion.

Starting with larger companies, this mission is generally split between two efforts: the security operations center (SOC) and the security architecture team (sometimes called the tech or tools team). Keep in mind that physical security is generally handled by a separate team altogether.

Cool, two teams. So, what is the SOC?

[Image: Malware alert]

Much like the name “security operations center” implies, this is the team that analyzes security events and resolves incidents on a daily basis. It generally operates under a centralized command structure with analysts that carry out the investigations.

The analyst team lives out of a system called the Security Information and Event Management platform (the SIEM). This (in theory) is the single pane of glass through which all of the SOC analysts can view relevant logs from across the network, correlate them into security events, and support the various types of investigations. This is also the team, under most circumstances, that performs forensic investigation, whether for legal, compliance, or breach-related purposes.

All of this is dependent on the data that feeds the SIEM. That is, data from system security, network security, and everything in between.
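To make the "correlate logs into security events" idea concrete, here is a toy version of what a SIEM correlation rule does. This is an added example, not code from the article or from any SIEM product: it normalizes two constructed log formats (a hypothetical perimeter firewall and a hypothetical endpoint's sshd log) into one timeline and raises an alert when a successful login on an endpoint is preceded, within a window, by a burst of firewall denies from the same source address. The hosts, addresses, users and log formats are all made up for the example.

```python
"""Toy SIEM correlation over constructed firewall and endpoint log lines.

Two log sources are normalized into one event timeline; an alert is raised
when an endpoint login is preceded, within `window`, by at least `threshold`
perimeter DENY entries from the same source address. All hosts, addresses,
users and log formats below are hypothetical, constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical hosts and RFC 5737 test addresses).
FIREWALL_LOG = """\
2019-01-03T10:00:01 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2019-01-03T10:00:03 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2019-01-03T10:00:05 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2019-01-03T10:00:07 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2019-01-03T10:00:09 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2019-01-03T10:00:11 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2019-01-03T10:00:12 fw01 DENY src=198.51.100.9 dst=10.0.0.5 dport=22
2019-01-03T10:00:20 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22
2019-01-03T10:00:30 fw01 ALLOW src=198.51.100.9 dst=10.0.0.5 dport=22
"""

ENDPOINT_LOG = """\
2019-01-03T10:00:21 host05 sshd: Accepted password for svc_backup from 203.0.113.7 port 50122
2019-01-03T10:00:31 host05 sshd: Accepted publickey for alice from 198.51.100.9 port 50210
"""

# One regex per source; a real SIEM has a parser per vendor format.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
EP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_firewall(line):
    """Normalize one firewall line to a common event dict, or None if unparsable."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
            "kind": m["action"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "host": m["host"]}


def parse_endpoint(line):
    """Normalize one sshd 'Accepted' line to the same common event shape."""
    m = EP_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "source": "endpoint",
            "kind": "LOGIN", "src": m["src"], "host": m["host"],
            "user": m["user"], "method": m["method"]}


def load_events(fw_text, ep_text):
    """Parse both sources and merge them into a single time-ordered list."""
    events = [parse_firewall(l) for l in fw_text.splitlines()]
    events += [parse_endpoint(l) for l in ep_text.splitlines()]
    events = [e for e in events if e is not None]
    events.sort(key=lambda e: e["ts"])  # one timeline across sources
    return events


def correlate(events, threshold=5, window=timedelta(seconds=120)):
    """Sliding-window rule: DENY burst from an IP, then a login from that IP.

    Keeps a deque of recent DENY timestamps per source address; when an
    endpoint LOGIN arrives, old denies outside the window are dropped and
    an alert is raised if at least `threshold` remain.
    """
    denies = defaultdict(deque)
    alerts = []
    for ev in events:
        if ev["source"] == "firewall" and ev["kind"] == "DENY":
            denies[ev["src"]].append(ev["ts"])
        elif ev["source"] == "endpoint" and ev["kind"] == "LOGIN":
            recent = denies[ev["src"]]
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append({"src": ev["src"], "host": ev["host"],
                               "user": ev["user"], "login_ts": ev["ts"],
                               "prior_denies": len(recent),
                               "first_deny": recent[0],
                               "reason": "login after perimeter DENY burst"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_events(FIREWALL_LOG, ENDPOINT_LOG)):
        print(alert)
```

Neither source on its own is alarming: the firewall sees a handful of denied SSH attempts, and the endpoint sees one ordinary successful login. Only after both are normalized onto one timeline does the sequence stand out, which is the point of feeding everything into the SIEM rather than reading each console separately. The threshold and window are the knobs a SOC tunes to trade false positives against missed events.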

What is this “data” and where does it come from?

[Image: Basic network map]

That brings us to the architecture team. None of what the SOC does can happen without the most important aspect of cyber security as a whole: data. Analysts need data. It is the architecture team's responsibility to get that data to centralized locations for easier analysis, and also to deploy the security tooling at strategic locations within the network in order to best protect the firm.

What does this consist of? Quite a bit. Keeping this at a high level, below is a list of the major categories. Note that a single category can span several products: Data Loss Prevention, for example, can consist of an agent installed on every system in the company AND network appliances designed to intercept and analyze traffic in flight. Simply put, this is by no means a comprehensive list.

  • Antivirus (Standard, signature-based protection against known threats)
  • Advanced Malware Agents (Exploit detection and prevention capabilities assisting in the fight against unknown threats)
  • Endpoint Interrogation (Hey computer, give me certain files or attributes so I can better figure out what's going on)
  • Data Loss Prevention (Prevents sensitive data from leaving the network; sometimes managed by the privacy team)
  • Intrusion Detection and/or Prevention (Detects, or in prevention mode blocks, attacks at the perimeter of the network based on various characteristics of the traffic)
  • Vulnerability Scanning (Detects what is currently vulnerable, and to what, so the company can prioritize fixes)
  • Packet Capture (Think of this like a DVR for the network. Analysts get to turn back time to see exactly what traversed the network. This can also get super expensive.)

What else?

This is just the beginning. Standards, processes and procedures, and bureaucracy all play their important parts in this realm. I do want to give an honorable mention to the client relations teams, however. These are the associates that respond to requests such as “what are you doing to protect against this threat that I saw on CNN 20 minutes ago?” or “this vulnerability was released to the public an hour ago and has no fix, have you fixed it yet?”

While the answers to these questions are usually something more politically correct than "yes, we're doing what every other company on the planet is doing and minimizing our attack surface," it is important that answering them does not take time away from the analysts trying to keep the company and its data safe.

Images courtesy of Wikimedia and Pixabay

Mason (Member)

Great article Alex. For us, not so seamless or single pane of glass. Cost always trumps functionality, whether it be bodies to man the stations and do the investigations, or cost of the platforms themselves to plug all the holes. Someday though, we will get there, I just keep chipping away at it. We are not that bad off, but still have a ways to go. IDS/IPS, endpoint advanced Malware, and AV are in effect for us. Throw in URL filtering, with OpenDNS and we are somewhat proactive vs. reactive.

homanj1 (Member)

Alex - Nice job with this article. Where I work it takes me at minimum 15 minutes and four separate passwords to be logged in. Many parts of the internet are blocked. If I tried to log in to theFreq at work I would be blocked. Security actually sends out fake phishing emails and they expect us to report it with a button on the system that automatically forwards it to them. Information security training is mandatory twice per year as well. If I leave a secure document on a copier or go to the bathroom without locking my computer, I could…

Mason (Member)

First, LP good to see you man! Hope Christmas was good, and have a great New Year. I am the firewall and Internet rules guy and guess what (@Alex)??? The Freq is blocked by our firewall also. I haven't taken the time to review the logs and see which rule it is hitting. Not a common one like a porn category or something, because I would get a warning. So it must be triggering some type of malware/phishing or other boogeyman. Will let you know when I get off my lazy butt and track it.

homanj1 (Member)

Hey Mason. Nice to be here and Happy New Year to you and other readers as well. If I get on a blocked site, I can call my buddies in IT and they remotely take over my station and open up the site temporarily because they trust me. But alas, the next time I go to the site it’s blocked again. The simple fix is to carry my personal iPad. The other stuff is too frustrating. I once went to go to our corporate website and it got blocked as being “potentially dangerous”. The IT guys loved that one.

Mason (Member)

If they trust you, they should just whitelist it by your user ID, since your IP probably changes. You tell them I said to do that. If they can only do it by IP, I just furrowed my brow in disapproval. lol.

georgehand (Member)

When I was contracted to the DOE I worked in a program called Counter Terrorism Operations Support (CTOS). We researched terrorism and taught related subjects. Imagine how hard it was to try and research for course development when every page you try to get to trips a rule at the firewall. It's those rat bastards like Mason who were to blame!! (ha ha ha)

Thanks for posting, Alex.
geo sends

Mason (Member)

Just for you Geo, I would whitelist all the stuff you wanted to get to, but it would cost something. Beer, more than likely.

Mic-Mac (Member)

Alex, I really do like reading the cyber security articles. I have always taken as much caution as I can when it comes to my home computer. I even disconnect from the internet at night. My work, on the other hand, has a lot at risk. They only load our computers with the free version of AGV Antivirus, nothing else. Nothing to check malware or anything else. A few days ago, someone did get some type of threat so they had to shut everyone down (Massachusetts and Florida locations) and disconnect all from the network. Then one by one set up…

Mason (Member)

Gaaack! that is turrible! So many better ways to do that, but this is Alex’s show, he can detail.

homanj1 (Member)

McMac-I got a death threat email the other night from a hit man. Supposedly I needed to pay him more than the person that hired him. And he would rat on the person that wanted me dead. I thought it was kind of funny. It scared my wife to death. A simple search on the web found the exact email was going around all over.

Mic-Mac (Member)

LPD, I got that Hitman one also mid December. It did shock me for a few minutes. Then I googled it and found that it was circulating for a few weeks. I have since received another in Chinese. I didn't tell my daughters because they would be needlessly concerned, or my husband as I didn't want to give him ideas (haha) just kidding. I made the mistake of telling another relative and they asked me to never send them another email or text! They think I'm contagious now.

homanj1 (Member)

Mic-I’m in trouble with the IRS and Social Security. They both leave me messages. My warranty has expired on several cars I no longer own. I have car dealers calling to buy back those cars at a premium. Charities with very low ratings, mostly veterans and Police groups call. My Nigerian Uncle that has willed me millions hasn’t emailed me lately. I’m concerned for his health. Sadly, all the BS phone calls and emails we get make it harder for legitimate charities.

Recon 6 (Guest)

LOL… seems those are circulating all around… though I did get a c.c. hacked a couple of years ago by Russians… everything was in the Russian language lol….
