Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Remote SOC Workers Concerns - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Remote SOC Workers Concerns

As a SOC manager, you may need to start thinking about remote works for several reasons: Office move, larger talent pool, disaster recovery plan. Some scenarios may be short term to midterm solutions, here are some initial concerns I came up with when thinking about the problem.

 

Concern 1: Speed of responding

You IR team has to be able to complete its mission of detection and responding so will you be able to be at least able to this task.  A lot of this depends on the toolset you have deployed. If you are using a tool like GRR or others that have a web interface, it makes a response on a more limited system easier. If your typical analysis starts with physically going to someone’s desktop without having an agent pre-deployed, then you will need to have someone be your “Hands” and get the data to a place where it can be analyzed.

 

Concern 2:Physical security at home office

A responders house typically doesn’t meet all the needs of many compliance/corporate policies.  You could require anyone that works remotely have to meet these requirements, or you will have to provide an option to remote into hardware that will not allow data to be copied out.  Virtual desktops or hardware desktops that are setting in the data center might make more since.  Having a server VM with the SANS SIFT might be a viable options to perform most of the analysis.

 

Concern 3: Secure access

SOCs typically have a very stringent access, so you need to make that you have appropriate controls. You may need to require individuals get a static IP from their ISP.  Obviously, multi-factor into the environment is a must.  

 

Concern 4: Collaboration and Mentoring

If your team will be remote for a short time, them building a strong comradery remotely is not a big deal, but if it permanent this can be a challenge.  Having a short dedicated meeting in the morning to discuss topics will help.  Training up IR staff is a little harder, have dedicated time where you have the analysist share their desktop and walk through the current incident they are working.

 

What concerns do you have and how have you addressed them?


 

 

 

--

Tom Webb

Tom

43 Posts
ISC Handler
Solved: Raytheon Cyber

Great Site BTW :)

http://www.raytheoncyber.com/managed-services/vsoc/index.html
KhottonEye

1 Posts Posts
For Level 1 analysts who are mostly tasked with "eyes on glass", monitoring from home brings the challenges of keeping them on the console. It's easy for them to get distracted, maybe they have a TV in their home office and they missed the Game of Thrones finale last night; maybe their kid(s) are home from school that day; maybe they figure this is the time to try getting their Raspberry Pi to work again. Depending on the type of SOC, not all L1's will have a lot of experience in the work force. Some may be fresh out of school, working their first job, and/or may not realize the level of responsibility that comes with the autonomy of working from home.

Another consideration is connectivity. If you're working from home because of a weather related emergency, who knows if you'll have your power for long? What if your internet access goes down? What if the cell towers are jammed because everyone in the are is tethering because *their* internet access is down also?

Are they working from their own computers? What if those machines are inadequate to run the CPU-hungry monitoring software? Do you have enough laptops/desktops to ship off to analysts' homes? Do you rotate a laptop or set of laptops that the analysts keep on their person when they're not at work but on-call? Do those machines get tested out frequently to make sure they're ready to go, i.e. patched, AV updated, etc? (Anecdote: my son managed to not boot up his personal laptop the month leading up to school, then spent an hour waiting for it to patch the first night he had homework. In a DR situation, would you be able to wait while your analysts boot and patch their machines because no one's turned them on in 30-60 days?)

Do they have access from home to all of their intranet tools?

Working from VDIs might also require a policy exception so the users can copy/paste data from one machine to another when doing their investigative work.

Key to all of this of course, a good DR plan will require true testing to make sure the analysts can not only connect, can not only monitor, but can stay connected, and can perform a full shift's worth of work from home/remotely.

The personnel issue, that's a whole other story, and requires having the resources to hire the right L1's in the first place, the right L2/L3's to watch over the L1's, and a good metrics structure to know when someone isn't pulling their own weight.
Servin

1 Posts Posts
As someone who worked in (and assessed) operations center (OC) environments in the military, I can add another consideration to this discussion.
Here are two scenarios that I was involved with that can help highlight another risk involved with remote OC team members.

1) During an incident response event, we had a team member who happened to be a critical subject matter expert (SME) for the event at hand. While the team was working to resolve the incident, communications with the SME were lost due to situations local to the SME (power outage with no power backup or alternate communications). This was an "oh crap" moment for the team.
The team did eventually remediate the incident, but the delivery time and results were not at the quality level expected by the team or service customers.
This event forced the team to review communications and contingency plans as well as highlighted the need for knowledge depth across the team.

2) Similar to the previous story, but more local in nature: During an incident response event, a team member involved with logistics planning and execution for the remediation effort suffered a mild heart attack. Another team member who was working in the OC and had the training and knowledge to continue operations picked up the slack while medical services were provided to the suffering team member.
If the team member who suffered the illness had been working remotely, there is no doubt there would have been direct impact on the incident remediation efforts at the time. It is also very likely that the team member would have perished since there would have not been anyone around to call in medical services. The after-action briefing identified the benefit of having bench depth in talent within the team.

Both of the above scenarios highlight the necessity for a measure of situational awareness within an OC team that is involved with incident response and remediation. An incident response team must have awareness of the operational state of its fellow members to be effective. The classic analogy of "one hand knowning what the other hand is doing at all times" is even more relevant in an OC team that is operating under tight time and measurable quality expectations. Where a team is responsible for remediating life and limb scenarios, this team cohesiveness and awareness factor is even more relevant.

If it is necessary to have an OC team member working remotely, then there should be an effort to establish communications protocols and contingency plans to ensure the OC team has a situational awareness of all team members that is acceptable and reasonable.

For most OC teams I have encountered, the loss of one team member can have a dramatic impact on service delivery. Plan for the worst even within a team.
AlSitte

26 Posts Posts
I think hardware is an issue, but its solvable. Connectivity is a bigger challenge for sure. In rural areas where you may only have 1Mbit or less its pretty brutal. Not much most organizations can do about that for individuals homes. If its a longer term situation, then a possible remote office with better connectivity may be a possible solution, but thats costly in most cases.
Tom

43 Posts Posts
ISC Handler
Good post. As a long time analyst one of the biggest problems I have is trying to find remote SOC work.

While I admit there can be issues with remote SOC work, I think they are highly dependent. And honestly most of the concerns from this post just aren't serious enough to stop people from working from home.

On the concern about power outages in emergencies, these are rare enough in most areas not to be an issue. And indeed, i've seen the opposite, where the business is the one at risk from the emergency and employees are either not advised to get to the building or are unable to due to safety issues. Having good DR is important, in these cases my organizations have had methods to insure operations continued. But having remote workers can sometimes be that DR method.

Speed: people have phones and other collaboration software. Physical security is not really that big of a deal in this case. They face the same concerns as other remote employees, except they will not be traveling which is the biggest way devices are stolen, in transit. Usually from a car. Secure access again, most companies have a contingent of remote workers, so that is already established. Have a policy where they only login from home, using a wired connection, except in emergencies.
SasK

11 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!