Security Operations Work to Achieve a Security-First Mindset

Security operations, also known as SecOps, refers to an organization combining internal information security and IT operations practices to respond to threats and manage cybersecurity incidents. SecOps is a set of security operations processes to improve the security posture of an organization. Historically, most organizations have treated security and IT operations as discrete functions handled by independent units using distinct approaches and methodologies. As a result, SecOps is frequently formed from a combination of security and IT operations staff, and is a highly skilled team focused on monitoring and assessing risk and protecting organizational assets, in some cases operating from a security operations center, or SOC.

The NIST Cybersecurity Framework describes the SecOps functions of Detect, Respond, and Recover well.

• Detect - SecOps must detect the presence of adversaries in the system, who are incentivized to stay hidden in most cases, allowing them to achieve their objectives unimpeded. This can take the form of reacting to an alert of suspicious activity or proactively hunting for anomalous events in the enterprise activity logs.
• Respond - Upon detection of potential adversary action or campaign, SecOps must rapidly investigate to identify whether it's an actual attack (true positive) or a false alarm (false positive) and then enumerate the scope and goal of the adversary operation.
• Recover - The ultimate goal of SecOps is to preserve or restore the security assurances (confidentiality, integrity, availability) of business services during and after an attack.

This presentation will provide an overview on how a medium and large university and BCNET design and deliver their security operations and work to achieve a security-first mindset and fusing security into IT operations processes.