Cyber Security Breakdown 101 Series. Part 2 - Why is a “SOC” not the solution to all your problems?

Well, firstly, a SOC, or Security Operations Centre, is a widely misunderstood label for a bundle of cyber security services, and people haven’t really caught on to that yet, so let’s break it down.

To create a “service” out of something technical you need PPT… not PowerPoint… It’s People, Processes and Technology, but let’s take them in the order IT usually thinks about them.

So within the technology there might be some active, mitigating, high-tech stuff, like an EDR (Endpoint Detection and Response) and maybe a SIEM (Security Information and Event Management) solution. There can be a lot more techie products, but these two seem to be the most common ones, and they can be a hit or a miss, but I’ll get into that further down.

Now we have the cool mitigating and monitoring tech in two products. To be able to manage these we need a set of rules on, for instance, how to act when they do stuff, like send an alarm or a notification that something probably isn’t right. Enter the processes that stipulate: If This, Then do That – so that we have control over a Critical alarm being acted on according to the process for a Critical alarm, whilst an Informational alert is acted upon as the process for an Informational alert stipulates. Even more importantly, the processes also stipulate how they interact, for example which type of alarm or notification trumps the others in different scenarios. Of course there are more processes than that, but let’s keep it simple.

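To make the “If This, Then do That” idea concrete, here is an added example (not code from the original post, and not any real SOC’s playbook) that encodes a severity-to-action table and then orders a queue of alerts the way such a process stipulates: the highest severity trumps, older alerts go first within a severity, and anything past its response deadline is flagged. The playbook actions, the time allowed per severity, and the sample alerts are all assumed values constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum


class Severity(IntEnum):
    INFORMATIONAL = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    CRITICAL = 5


# Hypothetical playbook table (assumed values, not from any real SOC):
# severity -> (what the process says to do, time allowed before someone has acted).
PLAYBOOK = {
    Severity.CRITICAL:      ("page on-call analyst; contain via EDR", timedelta(minutes=15)),
    Severity.HIGH:          ("analyst investigates this shift",      timedelta(hours=1)),
    Severity.MEDIUM:        ("ticket; review same business day",     timedelta(hours=8)),
    Severity.LOW:           ("batch review in weekly sweep",         timedelta(days=7)),
    Severity.INFORMATIONAL: ("log only, no ticket",                  None),
}


@dataclass
class Alert:
    severity: Severity
    source: str        # which product raised it, e.g. "edr" or "siem"
    received: datetime
    summary: str


def route(alert):
    """If This (severity), Then That (action plus deadline)."""
    action, sla = PLAYBOOK[alert.severity]
    deadline = alert.received + sla if sla is not None else None
    return action, deadline


def triage(alerts, now):
    """Order the queue the way the process stipulates (highest severity trumps,
    then oldest first) and flag anything already past its deadline."""
    ordered = sorted(alerts, key=lambda a: (-int(a.severity), a.received))
    worklist = []
    for a in ordered:
        action, deadline = route(a)
        worklist.append({
            "severity": a.severity.name,
            "source": a.source,
            "summary": a.summary,
            "action": action,
            "deadline": deadline,
            "sla_breached": deadline is not None and now > deadline,
        })
    return worklist


def sample_alerts():
    """Constructed alerts for a demonstration run (not real events)."""
    base = datetime(2024, 1, 1, 9, 0)
    return [
        Alert(Severity.INFORMATIONAL, "siem", base, "login from a known device"),
        Alert(Severity.HIGH, "siem", base + timedelta(minutes=1), "10 failed admin logins in 2 minutes"),
        Alert(Severity.CRITICAL, "edr", base + timedelta(minutes=5), "mass file encryption on a laptop"),
        Alert(Severity.CRITICAL, "edr", base + timedelta(minutes=20), "credential theft tooling detected"),
    ]


if __name__ == "__main__":
    # Pretend the analyst looks at the queue at 09:25: the 09:05 Critical alert
    # has blown its 15-minute window, the 09:20 one has not.
    for item in triage(sample_alerts(), now=datetime(2024, 1, 1, 9, 25)):
        flag = "SLA BREACHED" if item["sla_breached"] else "within SLA"
        print(f'{item["severity"]:<13} {item["source"]:<5} {item["action"]:<40} {flag}')
```

The point of the table is that the decision is written down once and applied the same way every time; the tender question to ask a SOC provider is what their equivalent of this table looks like and how the deadlines are measured.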
We now have the cool mitigating and monitoring tech, and we have the processes to manage the tech… Now we need warm bodies to handle all this new stuff in a controlled manner.
Human beings are thrown into the mix to do everything from on-boarding an environment, to managing its security during its lifecycle, to off-boarding it when the lifecycle is over, i.e. the contract period isn’t extended or the service is moved elsewhere.

Given these variables, and taking organisational differences into account, do you think that ordering “a SOC” will give you what you actually need? - It might, but it’s fairly unlikely that it will deliver the best bang for your buck.

And if you, as a customer, go out in a tender process to shop for complete outsourcing of your IT infrastructure and services, and within the scope of the tender write that you need cyber security, with a checkbox: Yes/No, we can deliver a SOC solution for the price per month €_________

Do you think that you will get the best solution for your environment? - or do you think you get the best solution for the prospective partner that wants to win this tender?
I can almost guarantee you that it will be the latter of the two.

But if you look at the same tender, I can also almost guarantee you that the section for “End user support / Support of user environment” will contain a whole lot more information.
It’s almost always stipulated that the support shall meet a set of SLAs (Service Level Agreements), and there are pricing options for extended support outside office hours, what capabilities the ticketing system has, what the RMM (Remote Monitoring and Management) tooling needs to be able to handle, and the list goes on and on and on, with pricing for every aspect of the support of the user environment.

A SOC in itself is a set of people and hopefully base processes, just as a servicedesk is a set of people and hopefully processes – it’s warm bodies supporting other warm bodies on the other side of the table in a controlled manner. But a SOC cannot mitigate threats unless you add the technology, just as a servicedesk cannot remote control a user’s laptop unless you add the technology.

So, for you to be able to go into a tender process and get the right security solution for your organization, or build it on your own, you have to be able to define what assets you want to protect, to what extent you want to protect them, what KPIs (Key Performance Indicators) you need delivered, and what you are willing to spend on protecting your valuable assets. Only once you have this information can you define the service your organization needs.

You must be able to understand what is important at different scales, as most organizations do not have the monetary means to protect everything to the teeth.

Back to the first section, and whether the most purchased technology in a SOC is the right one.
SIEM plus EDR – it’s a hit and a half miss.

So just filling in that you need a SOC in a tender will probably give you the people, the processes and the technology in the form of an EDR plus SIEM, or even just the EDR.

So, let’s imagine you’re a municipality that handles 160 000 inhabitants’ personal information: where they live, how much tax they pay, what their children’s names are, which school they go to, etc. etc.

- Will a SIEM be a hit or miss? – It’s a hit!

For example, you want to extract the logs from the systems you use to handle the data of your 160 000 inhabitants, to have traceability into those systems and who did what; ideally you also get to know who is doing what in “almost” real time, and in the event of a breach, be able to trace back what leaked and hopefully how and where.

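What that traceability looks like once the logs are in a SIEM, as an added example that is not part of the original post: the block below parses a constructed JSON-lines audit log from a hypothetical citizen-registry application (the field names, user names, record ids and IP addresses are all made up) and answers the three questions the paragraph raises. “Who did what” is a per-user trail, “how and where did it leak” starts from “who touched this record”, and the “almost real time” part is a simple detection that fires when one user reads an unusual number of distinct records within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data) in the JSON-lines form a
# hypothetical citizen-registry application might ship to a SIEM.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:01:10", "user": "anna.k", "action": "read",   "record": "citizen:10234", "src_ip": "10.20.1.15"}
{"ts": "2024-03-04T08:01:45", "user": "anna.k", "action": "update", "record": "citizen:10234", "src_ip": "10.20.1.15"}
{"ts": "2024-03-04T08:02:00", "user": "bob.l",  "action": "read",   "record": "citizen:55120", "src_ip": "10.20.1.77"}
{"ts": "2024-03-04T08:02:01", "user": "bob.l",  "action": "read",   "record": "citizen:55121", "src_ip": "10.20.1.77"}
{"ts": "2024-03-04T08:02:02", "user": "bob.l",  "action": "read",   "record": "citizen:55122", "src_ip": "10.20.1.77"}
{"ts": "2024-03-04T08:02:03", "user": "bob.l",  "action": "read",   "record": "citizen:55123", "src_ip": "10.20.1.77"}
{"ts": "2024-03-04T08:02:04", "user": "bob.l",  "action": "read",   "record": "citizen:55124", "src_ip": "10.20.1.77"}
{"ts": "2024-03-04T08:02:05", "user": "bob.l",  "action": "export", "record": "citizen:55125", "src_ip": "10.20.1.77"}
{"ts": "2024-03-04T09:15:30", "user": "carl.m", "action": "read",   "record": "citizen:10234", "src_ip": "10.20.2.9"}
"""


def parse_events(text):
    """Parse a JSON-lines audit log into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def trail_for_user(events, user):
    """Traceability question 1: what did this user do, in order?"""
    return [(e["ts"].isoformat(), e["action"], e["record"])
            for e in events if e["user"] == user]


def who_touched(events, record):
    """Traceability question 2: which users accessed this record at all?
    This is where a breach investigation of one leaked record starts."""
    return sorted({e["user"] for e in events if e["record"] == record})


def detect_bulk_access(events, threshold=5, window=timedelta(minutes=1)):
    """Near-real-time detection: one user touching at least `threshold`
    distinct records within `window`. Returns one finding per user, for the
    first window that trips, and notes whether an export happened in it."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():          # evs are already time-ordered
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            distinct = {e["record"] for e in win}
            if len(distinct) >= threshold:
                findings.append({
                    "user": user,
                    "src_ip": start["src_ip"],
                    "window_start": start["ts"].isoformat(),
                    "distinct_records": len(distinct),
                    "exported": any(e["action"] == "export" for e in win),
                })
                break
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("trail for anna.k:", trail_for_user(evs, "anna.k"))
    print("who touched citizen:10234:", who_touched(evs, "citizen:10234"))
    print("bulk-access findings:", detect_bulk_access(evs))
```

The threshold and window are deliberately tiny so the constructed sample trips the rule; in a real deployment they would be tuned against the normal working pattern of case handlers, and the finding would become a Critical or High alert handled by the SOC process rather than a print statement.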
But if you are a web shop company that makes 100% of its revenue online, then?

- Will a SIEM be a hit or miss? – It’s a miss.

If you have a limited budget and need to protect the most valuable part of your business, a SIEM won’t do that, but it will cost… a lot… as it is one of the more complex systems to implement and manage throughout its lifecycle.

A web shop company would be far better off spending its money on a WAF (Web Application Firewall) and penetration testing than on a SIEM; it would protect the business to a far greater extent than a SIEM ever would, no matter whether you have a classic SIEM or a “NG” (NextGen) SIEM with UEBA (User and Entity Behavior Analytics) and SOAR (Security Orchestration and Automated Response), it just does not matter.

The EDR… An EDR is suitable for all organizations, always – if you do not have one… call your cyber security partner and get it, now… And it needs to be managed, either by your own organization or by a 3rd party, as a service within a SOC for instance.

The “antivirus” products of old were semi-flawed in their day; today they offer zero protection against advanced threats. So if a threat actor gets to cherry-pick whom to breach between two equal organizations, where one has an antivirus whilst the other has a managed EDR service… tough luck for the antivirus one…

So, let’s roll back to the tender and the web shop business for a second.
If they were to go out in a tender process and, instead of writing “SOC – Yes/No, at what cost”, do an internal audit to specify what is important, they would most likely find out that the web shop is their primary, or only, source of income, so it needs to be up 24/7, i.e. the whole environment is mission critical. They would need their order admin staff to be able to handle the purchases, so they too are mission critical, and they work from home on their laptops, so the laptops are also mission critical, and so on and so forth.

Knowing this, why would this company spend a third or maybe half of its cyber security technology budget on a SIEM solution when it can get a state-of-the-art WAF and repeated penetration testing for roughly the same amount of money but many times the mitigation capability? – Well, it shouldn’t.

Implementing a WAF will protect against everything from DDoS attacks to deceptive use of the web shop. And how do you know whether the web shop can be misused? You let a “white hat” (a hacker who works on the right side of the law) hack it and tell you. You protect your infrastructure and users with the EDR, all managed by a SOC that has the people and processes to deal with the technology in a controlled and repeatable manner.

We know how to set demands on a support function from vendors, we know how to set demands on a NOC (Network Operations Centre) function from vendors… But we still think a SOC is a magic box that will enable us to relax and sleep well at night…
It’s not, but it can be once you understand what it actually is.

Security is never a checkbox, it’s a bunch of them…