Security operations is the function of combining cybersecurity processes with ongoing traditional IT capabilities to reduce your organization’s exposure to cybersecurity risks.

A security operations capability requires someone to follow regular procedures to validate that security controls are functioning. Specifically, you want to review the overall system to make sure any deviations are identified in a timely manner and promptly addressed. Deviations could be regularly occurring controls not being performed or detective controls identifying an anomaly.

Security operations brings a structured process to identifying these deviations. In large organizations, it’s not uncommon to have a team dedicated to security operations. In smaller organizations, it may not be feasible to have a dedicated security operations team, but you can structure the activities and establish a security operations mindset.

While this isn’t an all-inclusive list of security operations, here’s a primer of some of the blocking and tackling to get your own security operations function working.

Next steps

  • Define your key systems that need to be monitored: A first step in any security operations function is understanding what infrastructure you have and its importance in supporting your business objectives. You need to identify your most important assets and prioritize your efforts on monitoring those.
  • Review privileged accounts: Privileged and administrative accounts are among the most sensitive components of your IT system. These allow the highest levels of permissions and let whoever is logged in to that account modify your applications and data. A security operations function should be looking at those accounts to identify any unauthorized use. This could include logins or password changes when you’re not expecting those types of actions.
  • Ensure you apply patches: Vulnerabilities in operating systems and applications are constantly being identified, and patches are being pushed out as quickly as possible to address those vulnerabilities. A key security function is to regularly review your systems to make sure those patches have been applied.
  • Verify backup completion: Isolated backups are critical to ensuring an organization’s ability to recover from devastating attacks like ransomware. Too often, organizations have failing backups that they don’t know about. It’s a critical function to review your backup status on a daily basis to make sure you have something from which you can attempt a recovery.
  • Identify and respond to suspicious activity: Hackers and cybercriminals are constantly attacking systems and looking for their next victim. Defensive security solutions such as firewalls, EDR and other infrastructure like Active Directory and event logs on servers capture huge volumes of security event data. This data can help identify instances of unauthorized access attempts and whether they succeed. The challenge is to review this volume of data in a timely manner. If you have a limited attack surface and a clear understanding of what an unauthorized access attempt would like, you might get away with reviewing it manually. Otherwise, you’ll need automation to do the heavy lifting and alert you to anomalies. If you do have this automation in place, a daily check to make sure it’s configured properly and running is a great idea.