In almost every instance of a reported cybersecurity breach the organization had a security system that detected and reported the breach. It was lost in the noise of thousands of other notifications that were false positives so it is easy to see why it might get missed. In many instances, the hackers could have been detected early if somebody was looking at the data to identify anomalous behavior and doing it every day for every alert. This may sound simple, but in reality, the work required is comparable to looking for a needle in a haystack every day—without knowing whether there is actually a needle there.
Why do companies fail to look at their log data consistently? Cybersecurity is a human problem as much it is a technology problem. Like many things, when the outcome of a process requires human involvement, the result is not always rational. Dieting, eating healthy, and exercise are great examples where we know the right thing to do but are unable to do it. Hackers have changed their methods to take advantage of this. In the past, cyberattacks were similar to bank robberies. The bad guys broke in, stole what was valuable and left as soon as they could. Today, hackers gain an entry through any weakness in the security chain. They then start exploring and looking for a valuable asset to steal. While they do this, they are doing their best to hide from standard security detection methods and even covering their tracks. Once they find something, they slowly steal it over time, especially large information databases.
To combat the new cyber attack methods, companies need to invest in a security operations center (SOC). A SOC is a team of people whose sole mission is to review alerts and analyze logs and is critical to ensuring that a company has a comprehensive view of cybersecurity. A proper SOC can answer the question, “Am I safe?” It ensures that all your security systems are operating at peak performance. When a company does get breached, which his inevitable, the SOC can identify the breach, help remediate, and ensure that the breach is confirmed as fixed. No organization that cares about it’s IT infrastructure should be without a SOC.
The SOC should be staffed with security experts who are using products and tools with SIEM capabilities whose job is to stick to the ‘cybersecurity diet’ every day. But for smaller companies, setting up an enterprise class SOC is cost prohibitive. The initial set up cost for a basic SOC is estimated to be in the hundreds of thousands of dollars. Professional services for SIEM expertise alone will cost thousands per day, with typical engagement lasting four to 12 weeks.
There are alternatives to the do it yourself approach. You can hire a managed security service provider (MSSP) to manage a SIEM for you, but all you have done is moved the work and effort of DIY to a third party who does not know your business. All the same challenges remain. Most MSSPs require a significant up-front free or a long-term commitment because the start-up costs are the same as DIY.
SOC-as-a-service is a better option than an MSSP. A SOC, staffed with security experts, includes automation technologies, forensic tools and robust processes to detect, identify and respond to cyber threats. With the many options out in the market today, the following service features are what differentiates a best in class service.
Dedicated security engineer
Cybersecurity is a serious function, and most MSSPs offer services with alerts that are basic, requiring the customer to perform their own triage, analysis and incident response. A SOC service should provide actionable security intelligence with clear incident remediation support, and this can only be achieved with a dedicated security engineer who gets to know a company’s security and operational requirements.
Fast deployments without significant resource requirements
The whole point of using a SOC-as-a-service is to get up and running quickly. Typical MSSPs require companies to purchase a set of software and hardware products and deploy them as part of the service. In many cases, this can take up to three months. Leading SOC service companies provide simplified set up with set up times that are measured in minutes and not months.
Vigilant cybersecurity is more important than ever. The mistake most companies make is to think that cybersecurity can be improved by purchasing more products. The reality is that cybersecurity is a people problem, and the most effective way to improve it is with a SOC. SOC services can vary in service levels and internal resource requirements. What is important to keep in mind is that the purpose of a SOC service is to simplify the security operations in a company while improving cybersecurity. Keeping this overall objective in the forefront will help ensure a company’s cybersecurity projects are effective and achieve the desired results.