Matching Your SOCs: A Discussion of Joint IT/OT Operating Models for Monitoring and Response

Trevor Houck at BSides Delaware 2019

Traditional security monitoring and response operations are not sufficient to combat the evolving cybersecurity threat landscape for Operational Technology (OT). Advances in tools and technology help, but tools alone will not enable effective monitoring and response.

There are key elements common across many SOC programs: tools and technology, threat intelligence sources, and talented staff. For many organizations, however, the ultimate success factor is a well-structured joint SOC operating model. This model pairs the IT and OT SOCs and gives them a holistic view of both environments from a single dashboard. Those environments are then monitored and managed by teams trained to recognize anomalies and identify exposure, with the appropriate context of each operating environment, across all systems and devices. Aggregating OT and IT data sources helps streamline security incident resolution, reduces duplicated effort, and lays the groundwork for future collaboration. Centralizing the security monitoring program lets seemingly disparate security events be correlated and sharpens the focus on monitoring and response capabilities across the enterprise.
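As an added illustration of the cross-domain correlation described above (example code written for this page, not code from the talk or from any product), the script below normalizes constructed IT authentication events and OT passive-sensor events into one schema, looks back a few minutes from each controller write for IT activity on the same host, and applies OT operating context (an approved maintenance window) before assigning a severity. The host names, user names, PLC identifiers, timestamps and maintenance schedule are all invented.

```python
"""Added example: correlating IT access events with OT controller writes.

Both feeds are constructed for this page (not real telemetry); the host, user
and PLC names are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: datetime
    domain: str   # "IT" or "OT"
    source: str   # originating log source
    host: str     # shared key used to join the two domains
    user: str     # empty when the OT sensor cannot attribute the session
    action: str
    detail: str   # space-separated key=value pairs


def kv(detail: str) -> Dict[str, str]:
    """Parse 'target=PLC-07 func=WriteMultipleRegisters' into a dict."""
    return dict(pair.split("=", 1) for pair in detail.split() if "=" in pair)


# Constructed IT feed: VPN concentrator and Active Directory logons.
IT_EVENTS = [
    Event(datetime(2019, 11, 8, 2, 3), "IT", "vpn", "ENG-WS-01", "jsmith",
          "vpn_login", "src=203.0.113.44"),
    Event(datetime(2019, 11, 8, 2, 5), "IT", "ad", "ENG-WS-01", "jsmith",
          "logon", "type=RemoteInteractive"),
    Event(datetime(2019, 11, 8, 9, 0), "IT", "ad", "HMI-02", "ops_day",
          "logon", "type=Interactive"),
]

# Constructed OT feed: a passive network sensor reporting controller writes.
OT_EVENTS = [
    Event(datetime(2019, 11, 8, 2, 9), "OT", "passive_sensor", "ENG-WS-01", "",
          "plc_write", "target=PLC-07 func=WriteMultipleRegisters"),
    Event(datetime(2019, 11, 8, 9, 12), "OT", "passive_sensor", "HMI-02", "",
          "plc_write", "target=PLC-03 func=WriteSingleRegister"),
]

# Constructed OT operating context: approved maintenance windows per asset.
MAINTENANCE: Dict[str, Tuple[datetime, datetime]] = {
    "PLC-03": (datetime(2019, 11, 8, 8, 0), datetime(2019, 11, 8, 12, 0)),
}


def in_maintenance(asset: str, ts: datetime) -> bool:
    window = MAINTENANCE.get(asset)
    return window is not None and window[0] <= ts <= window[1]


def severity(it_context: List[Event], maintenance: bool) -> str:
    """Rank a controller write using both domains' context."""
    if maintenance:
        return "info"      # expected change inside an approved window
    if any(e.action == "vpn_login" for e in it_context):
        return "high"      # remote session preceded a write to a controller
    if it_context:
        return "low"       # attributable to a local interactive logon
    return "medium"        # no IT attribution: unknown actor on the OT network


def correlate(it_events: List[Event], ot_events: List[Event],
              lookback: timedelta = timedelta(minutes=15)) -> List[dict]:
    """For each OT controller write, attach IT activity on the same host
    within the lookback window and assign a context-aware severity."""
    alerts = []
    for ot in sorted(ot_events, key=lambda e: e.ts):
        if ot.action != "plc_write":
            continue
        target = kv(ot.detail).get("target", "unknown")
        it_context = [e for e in it_events
                      if e.host == ot.host
                      and timedelta(0) <= ot.ts - e.ts <= lookback]
        users = sorted({e.user for e in it_context if e.user})
        maint = in_maintenance(target, ot.ts)
        alerts.append({
            "ts": ot.ts.isoformat(),
            "host": ot.host,
            "target": target,
            "users": users,
            "it_context": [f"{e.ts:%H:%M} {e.source}:{e.action} {e.detail}"
                           for e in it_context],
            "maintenance_window": maint,
            "severity": severity(it_context, maint),
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(IT_EVENTS, OT_EVENTS):
        print(a["severity"].upper(), a["ts"], a["host"], "->", a["target"],
              a["users"], a["it_context"])
```

Neither feed is alarming on its own: a VPN login is routine for the IT SOC, and a register write from an engineering workstation is routine for the OT team. Joining them on the shared host key within a short window is what surfaces the remote-session-to-controller-write chain, while the maintenance schedule supplies the operating-environment context that keeps the planned change on PLC-03 from generating noise.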

This session will explore the benefits of joint operations for cybersecurity monitoring across both IT and OT networks and includes real-world case studies of integration efforts. We will also discuss joint operations playbooks and handoff procedures, lessons learned, and procedural requirements for joint SOC operating models. We will cover the benefits and drawbacks of each approach, common misconceptions about IT/OT convergence, the need for strong relationships, and how the rewards of holistic cybersecurity monitoring can outweigh the risks.