Remember this clause while any enterprise application is being finalised for purchase

How to ensure that, as a CISO, all the tools are properly integrated with your SOC?

Ideally, all security-related logs from your IT tools should reach your SOC.
This matters because it is how the SOC team gets alerted when an anomaly occurs.

Helpdesk/ticketing systems and business-critical applications (core banking systems, CRM, enterprise content management systems, version control systems, etc.) are some examples of such tools.

There is a catch, however.

Someone needs to understand those security logs (their structure, the most important security events from each tool, and the log entries that indicate those events) and prepare use-cases and alerts for them. Otherwise your SOC will be a toothless tiger.

Your SOC team knows how the SOC and its associated tools work: how to collect logs and how to create use-cases and alerts. They also know the logging capabilities of most IT tools, e.g. firewalls, IDS/IPS, etc.

However, they won't always know which security events are logged by third-party applications. For that they need support from your SI (System Integrator) or OEM (Original Equipment Manufacturer).

Your SI, while implementing the application for you, must help your SOC team prepare the appropriate use-cases. They can do so by making your SOC team aware of which security events the application logs, the structure of those logs, and so on.
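To make concrete what "log structure, important security events, and use-cases" means in practice, here is an added example (not code from the article or from any vendor) of the hand-over an SI would give a SOC team, written as runnable detection logic. The application, its log line format, the field names and the thresholds are all assumptions constructed for the example: a hypothetical helpdesk application that writes one event per line, and three use-cases built on top of it (repeated failed logins, granting of a privileged role, and a bulk data export outside business hours).

```python
"""Added example, not from the original article: a minimal SOC use-case set
over constructed application logs. It models the two things an SI must hand
over -- the log 'construct' (field layout) and which events matter -- and
turns them into alerts. Every log line, field name and threshold here is a
constructed assumption for a hypothetical helpdesk application."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs. Assumed construct (hypothetical application):
#   "<ISO timestamp> <EVENT> user=<u> src=<ip> [key=value ...]"
SAMPLE_LOGS = """\
2024-03-01T09:00:01 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:07 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:12 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:20 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:00:25 LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T09:01:00 LOGIN_OK user=bob src=10.0.0.9
2024-03-01T09:02:30 ROLE_CHANGE user=bob src=10.0.0.9 target=carol new_role=admin
2024-03-01T09:03:00 TICKET_VIEW user=bob src=10.0.0.9 ticket=42
2024-03-01T21:15:00 LOGIN_OK user=dave src=203.0.113.7
2024-03-01T21:16:00 EXPORT user=dave src=203.0.113.7 rows=12000
"""


def parse_line(line):
    """Parse one line of the assumed construct into a dict of fields."""
    ts, event, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for pair in kv:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


# Use-case 1: password guessing -- `threshold` LOGIN_FAIL events for the same
# user and source address within `window`.
def uc_failed_logins(records, threshold=5, window=timedelta(minutes=1)):
    alerts = []
    buckets = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            buckets[(r["user"], r["src"])].append(r["ts"])
    for (user, src), times in buckets.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures over the timeline.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"use_case": "brute_force", "user": user,
                               "src": src, "first_seen": times[i].isoformat()})
                break  # one alert per user/src pair is enough
    return alerts


# Use-case 2: privilege escalation -- any grant of a privileged role.
def uc_role_change(records, privileged=frozenset({"admin"})):
    return [{"use_case": "privilege_grant", "actor": r["user"],
             "target": r["target"], "role": r["new_role"],
             "ts": r["ts"].isoformat()}
            for r in records
            if r["event"] == "ROLE_CHANGE" and r["new_role"] in privileged]


# Use-case 3: bulk export outside assumed business hours (08:00-18:00).
def uc_offhours_export(records, min_rows=10000, start_hour=8, end_hour=18):
    return [{"use_case": "offhours_bulk_export", "user": r["user"],
             "rows": int(r["rows"]), "ts": r["ts"].isoformat()}
            for r in records
            if r["event"] == "EXPORT" and int(r["rows"]) >= min_rows
            and not (start_hour <= r["ts"].hour < end_hour)]


def run_use_cases(text):
    """Parse the logs and run every use-case; returns the list of alerts."""
    records = parse_logs(text)
    return (uc_failed_logins(records) + uc_role_change(records)
            + uc_offhours_export(records))


if __name__ == "__main__":
    for alert in run_use_cases(SAMPLE_LOGS):
        print(alert)
```

The point of the example is the division of labour: `parse_line` encodes the log construct and the event names (`LOGIN_FAIL`, `ROLE_CHANGE`, `EXPORT`) that only the SI or OEM can confirm, while the `uc_*` functions are the SOC team's use-cases and alert thresholds. Without the first half being written down in the SoW, the second half cannot be built.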

However, your SI/OEM won't help you unless you make this activity a part of their SoW/SLA.

Make sure that you:

  1. put this activity in your SoW (while selecting the SI to implement your enterprise application), stating that you need them to help your SOC team create the relevant use-cases and alerts, and
  2. add the corresponding clauses to your system integrator's contract.

Otherwise you won't get proper logs, nor will you be able to prepare appropriate use-cases or configure alerts.

You will be sitting ducks when an attack happens.

You also need to ensure that your SOC analysts can fight alert fatigue.