Actual solution or absolute shame: the real cost of a cheap Security Operations Center
In a market where SOC-as-a-Service can be purchased at “significant cost savings,” and where a la carte SOC services allow customers to order their security solutions piecemeal, one must wonder what is most important: the effectiveness of a SOC in protecting a company’s data and assets, or whatever cost savings and convenience it might offer? SOC services that cater to providing the latter do so at their clients’ peril, pretending that a two thousand-dollar SOC can somehow provide relevant detection and response capabilities to protect millions of dollars in data assets.
Unfortunately, the real cost of inadequate cyber security is not often realized until disaster strikes.
Truth or consequences
Learning the truth before a breach occurs will prevent the unpleasant consequences that will surely follow. Although a very low price is the first indication that a SOC doesn’t take security seriously, it is not the only one, finding a SOC that can deliver on its promises requires some insight into their operation.
A fair list of questions one should ask about their current, or prospective, SOC includes the following: Does my SOC provider have experienced analysts, who understand the data they’re looking at and turn it into actionable tasks? Are they tiered to escalate threats as needed (tier 1 - 4), or does one group do it all? Does anyone in the SOC have offensive experience?
Does my SOC provider optimize my monitoring or just does what I tell him? Is my SOC provider bringing in value or just an outsourced staff augmentation?
How many alerts did I receive from my SOC vendor in the past month? How many real cyber incidents has my SOC vendor taken part in for other clients? What were the outcomes? Does my SOC have true incident response capabilities (real experienced IR personnel with actual hacking background) or do they wait till damage is done before acting?
The biggest question – is my SOC provider giving me a fancy Help desk or a professional Security operations center??
These questions represent the bare minimum a SOC must do, if they are going to safeguard their clients’ data, networks, and reputation. You’re guaranteed that any service provider who balks at any of these questions will be paralyzed in the face of even a minor incident, not to mention a serious attack.
Inadequate protection worse than none at all
Every SOC claims they can protect their clients from cyber threats. Some can, but most can’t, and the cost of those broken promises can be truly devastating. The damage of having a false sense of security should not be underestimated, nothing is more devastating and frustrating to a company than learning that the measures they took for security have turned out to be empty of content and redundant when push came to shove.
It’s a frustrating challenge, understanding who’s selling you buzz words and who actually has capabilities, but it is a challenge companies and management must take upon themselves as those responsible at the end of the day.
The regulators and legislators are 40 thousand feet up high, talking about general problems and generic solutions that in most cases don’t really guide companies as much as they force them to take misguided actions in IT and Cyber security.
It is up to organizations, large and small, to ask their vendors the hard questions, demand experienced services and field proven solutions, to no longer except buzz words and fancy terms for a commodity price and paint over the Cyber risks.
If someone were to offer you full health insurance for the entire family for 5$ a month, you wouldn’t consider it, knowing that there has to be a catch, understanding that there is no possible way you’re getting any value for that 5$. You would ask to see what is covered? who is liable? who is behind the company and so on….
So why is it when someone offers you an expert team of cyber analysts to work 24/7/365 including Incident response teams and various expert services, all for a few hundred dollars a month – that makes sense? Ask the same questions you would any other vendor who is offering an unrealistic proposition, see how the answers blow you away.
The best security advice? You don’t have to decide to have visibility and response capabilities, but if you do, make sure you buy capabilities and not buzz words.
At some point in time, you’re going to need that service you’ve been paying for, don’t wait for that day to find out what it really is you’ve bought.
Real defense requires an understanding of offense
With cyber criminals gaining access to over 200,000 confidential records per hour, only SOCs that are geared up for real life incidents can overcome the cyber challenges of today. Defending clients’ valuable resources against the technologically advanced hackers of today, demands that a SOC maintains an offensive posture on all fronts, strategically seeking out both vulnerabilities and exploits.
But at the very least it requires that those designing, operating and responding in the SOC, either have offensive experience or are being guided by those who do.
Tools of the trade
The majority of SOC providers offer little more than a patchwork of security products, accompanied by consumer-grade customer support (a low-level Help desk). Moreover, most have never met a seen a real hack, let alone participated in a real one (defensive or offensive). By contrast, a world-class SOC combines the following tools into a comprehensive security solution that becomes a core component in the client’s organization.
Multi-layer Monitoring: Monitoring means more than relaying alerts to the client. It involves a comprehensive, multi-layered monitoring center, with Tier 1 - Tier 4 alerts prioritization. It’s about knowing what to monitor (where to look) and what not to! Understanding how to separate the relevant from the noise is a challenge that requires experience and it is key to having an efficient monitoring center.
Proactive Services: From basic hunting actions in the network to simply being updated on IOCs and taking day to day actions as required in a live and active SOC. Constantly questioning and investigating the traffic is the only possible way to stay in the game
Expert Response Team: A diverse team of highly-trained cyber-security professionals tap decades of combined experience to keep clients protected, around the clock, from threats internal and external to the organization.
Advanced Forensics: The SOC team brings cutting-edge forensics capabilities and technologies to bear against every threat, to include high-level digital forensics, server and network forensics, and the latest investigative tools.
Cyber Intelligence: To beat a hacker, you have to think like one. Effective protection of high-value client assets requires monitoring of Dark Web platforms to identify emerging threats that may involve the client - right down to cyber threats that may target a high-profile official.
Secure Remote Connection: Secure remote interfacing with the client’s existing system reduces impact on their operations, and ensures that all gateways, networks, servers, and data stores are constantly monitored by trained security experts.
The price of protection
In today’s ever-evolving world of cybercrime, threats come in a variety of guises. From threats as subtle as phishing emails and Trojan viruses, to full-frontal infiltration and service denial attacks, many companies are just one click away from disaster. Whether the motive for an attack is ideological, for personal profit, or for revenge, the outcome is the same - loss of data, loss of capital, and possibly loss of the company’s position in the market.
Companies hiding behind the “we are not a real target – who would want to attack us” simply do not understand the way the attackers work. Over 90% of attacks are absolutely random, the attackers attack vulnerabilities, weaknesses in technology or processes, not caring at all who or what the organization behind it really is or does
More often than not, they have no idea who it is they are attacking. They don’t see the company behind the platform until they have already engaged in the attack. You may think you are not a target but unfortunately – attackers do not share your opinion.
The question isn’t whether or not a company will become the target of an attack – because sooner or later, they will. No, the question that should be on every CIO and CEO’s mind is whether they want to pay the price for a setting up a professional SOC that can secure their digital assets, or do they want to pay the absolutely ludicrous price that comes with a data breach.