Security Operations Center Strategy – Introducing a Network Detection and Response System
A hospital wants to enhance its cyber security posture and start building a security operations center. The thesis presents research and suggests paths forward, both technical and administrative. It also evaluates and introduces a Network Detection and Response system.
Stöckli Dario, 2020
Bachelor Thesis, Kantonsspital Baden AG
Supervising lecturer: Gabriel Felley
Keywords: cyber security, ndr, soc, strategy, network, cyber defence, incident response, automation
The hospital needs to work out a proper security operations center strategy for the years to come. By doing so, it wants to improve its cyber security maturity and visibility across the infrastructure in order to react better to threats in the environment.
The hospital is looking into purchasing and operating a Network Detection and Response system (NDR). No solution has been evaluated, installed or configured yet, which is all part of this thesis.
Research on various topics surrounding security operations centers and general cyber security measures was conducted, filtered and put into context for the hospital. Recommendations were issued on the steps forward in order to improve the cyber security posture, ranging from framework and risk methodology suggestions to the prioritization and focus points of specific initiatives in the various NIST CSF functions.
Additionally, an evaluation of a Network Detection and Response system was conducted, including a proof of value and subsequent rollout.
The hospital received recommendations on how it could go forward with building and enhancing its cyber security posture in the form of a security operations center. Important aspects were emphasized, and the thesis serves as a strategic decision paper including a prioritization of administrative and technical tasks. A recurring conclusion throughout the work was that IT security comes with a considerable amount of administrative overhead before it becomes effective and efficient.
The evaluation contains detailed documentation of the proof of value between two vendors, including a professional attack simulation. The solution of choice was deployed across the hospital's infrastructure, yielding unprecedented visibility within the network. By feeding its metadata into the centralized log management solution, threat hunting became possible and various dashboards were made available. The solution almost immediately disclosed latent problems such as misconfigurations, unencrypted communications, unsanctioned remote support software and private cloud data exchanges, which can now be addressed.
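To illustrate the kind of threat hunting the abstract refers to, the following is an added example written for this page; it is not code from the thesis or from either NDR vendor. It assumes the NDR exports one JSON record per flow with the field names used below (src_ip, dst_ip, dst_port, tls, server_name, bytes_out); those field names, the policy lists, the placeholder domains and the sample flows are all constructed. The four rules map to the four finding classes the abstract names: cleartext protocols, a DNS misconfiguration (clients bypassing the sanctioned resolvers), remote support software outside the sanctioned list, and bulk uploads to consumer cloud storage.

```python
"""Threat-hunting rules over NDR-style flow metadata (constructed example)."""
import json
from collections import Counter

# Constructed policy describing what the hospital sanctions.
# All domains and addresses below are placeholders, not real findings.
POLICY = {
    "sanctioned_resolvers": {"10.0.0.53"},                  # internal DNS servers
    "sanctioned_remote_support": {"helpdesk.example"},
    "remote_support_domains": {"quicksupport.example", "remote-assist.example"},
    "cloud_storage_domains": {"cloud-drive.example", "share-box.example"},
    "upload_threshold_bytes": 50 * 1024 * 1024,            # flag uploads >= 50 MiB
}

# Ports whose default protocol carries credentials or data in the clear.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 389: "ldap"}


def is_internal(ip):
    """Constructed assumption: the hospital's clients live in 10.0.0.0/8."""
    return ip.startswith("10.")


def hunt(flows, policy=POLICY):
    """Return (category, source host, detail) tuples for every rule hit."""
    findings = []
    for f in flows:
        src, dst, port = f["src_ip"], f["dst_ip"], f["dst_port"]
        host = f.get("server_name", "")          # TLS SNI / HTTP host as exported by the NDR
        # 1. Unencrypted communication: cleartext protocol port and no TLS observed.
        if port in CLEARTEXT_PORTS and not f.get("tls", False):
            findings.append(("unencrypted", src,
                             f"{CLEARTEXT_PORTS[port]} to {dst}:{port}"))
        # 2. Misconfiguration: client resolves DNS outside the sanctioned resolvers.
        if port == 53 and dst not in policy["sanctioned_resolvers"]:
            findings.append(("misconfiguration", src,
                             f"DNS to unsanctioned resolver {dst}"))
        # 3. Remote support software that is known but not sanctioned.
        if (host in policy["remote_support_domains"]
                and host not in policy["sanctioned_remote_support"]):
            findings.append(("remote_support", src,
                             f"unsanctioned remote support via {host}"))
        # 4. Private cloud data exchange: bulk upload from an internal host.
        if (host in policy["cloud_storage_domains"] and is_internal(src)
                and f.get("bytes_out", 0) >= policy["upload_threshold_bytes"]):
            findings.append(("cloud_exchange", src,
                             f"{f['bytes_out']} bytes to {host}"))
    return findings


def summarize(findings):
    """Counts per category, the shape a dashboard panel would consume."""
    return dict(Counter(category for category, _, _ in findings))


# Constructed sample metadata (documentation IP ranges, placeholder domains).
SAMPLE_FLOWS = [json.loads(line) for line in """
{"src_ip":"10.1.20.15","dst_ip":"10.0.0.53","dst_port":53,"tls":false,"bytes_out":120}
{"src_ip":"10.1.20.15","dst_ip":"192.0.2.53","dst_port":53,"tls":false,"bytes_out":120}
{"src_ip":"10.1.30.7","dst_ip":"10.2.0.9","dst_port":23,"tls":false,"bytes_out":4096}
{"src_ip":"10.1.30.7","dst_ip":"10.2.0.10","dst_port":389,"tls":true,"bytes_out":900}
{"src_ip":"10.1.40.2","dst_ip":"203.0.113.5","dst_port":443,"tls":true,"server_name":"quicksupport.example","bytes_out":20000}
{"src_ip":"10.1.40.3","dst_ip":"203.0.113.6","dst_port":443,"tls":true,"server_name":"helpdesk.example","bytes_out":20000}
{"src_ip":"10.1.50.9","dst_ip":"198.51.100.7","dst_port":443,"tls":true,"server_name":"cloud-drive.example","bytes_out":734003200}
""".strip().splitlines()]


if __name__ == "__main__":
    results = hunt(SAMPLE_FLOWS)
    for category, src, detail in results:
        print(f"{category:16} {src:12} {detail}")
    print(summarize(results))
```

Only the second, third, fifth and seventh sample flows trigger a rule: the LDAP flow is left alone because TLS was observed, and helpdesk.example is a remote support domain on the sanctioned list. In practice the policy sets would come from the hospital's asset and software inventory rather than being hard-coded, and the findings would be written back to the log management solution so the dashboards show them alongside the raw metadata.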
Degree programme: Business Information Technology (Bachelor)
Subject area of the thesis: Business Informatics & IT Management