You walk through a door secured with a badge reader, and at the front of the room is a bank of screens: a news channel, the Weather Channel, a world map with lines bouncing back and forth across it, a few dashboards, and maybe a CCTV feed. In front of them sit row upon row of analysts at terminals, working intently. It sounds like a NASA control center, but this scene is becoming normal at companies around the world. Companies are beginning to see the need for a Security Operations Center, and how critical it is to protecting their organization, its data, and its customers from the ever growing threat of cyber-attack.
What is a Security Operations Center (SOC)? How Critical Is It? How Much Is It Going to Cost?
In short, a SOC is a location, or ideally more than one location to allow for backup and failover, where all of the security information for your company is collected, sorted, saved, analyzed, and, if need be, acted upon. We have all heard in recent years about major retail breaches that exposed millions of customers' payment card details and personal information. We have heard about financial institutions that have been breached, where we still don't know the full impact. The SOC is the group, team, or organization that is in place to keep you safe. That being said, we want to staff the SOC with highly trained personnel who know the technologies they support and use every day. They need to understand Security Information and Event Management (SIEM) systems, log collectors, physical security infrastructure, protocol analyzers, intrusion detection systems, vulnerability scanners, and much more. There are many sources and ways to collect this information: directly from your computers, servers, routers, firewalls, and the software that runs on any of these devices, just to name a few. The personnel in your SOC need to know these sources, how to collect information from them, what to do with that information, and how to fix any problems or threats they find.
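To make the collect, sort, and analyze steps concrete, here is an added illustration (not code from the original article) of a toy SIEM-style pipeline: it ingests constructed auth-log and firewall lines from two sources, normalizes them into one event schema, sorts them by time, and runs a single correlation rule that flags a burst of failed logins followed by a success from the same source address, attaching any firewall denies from that address as supporting context. The log formats, hostnames, addresses, threshold and time window are all assumptions chosen for the example; a real SOC runs many such rules in a SIEM against live feeds.

```python
"""Toy SIEM pipeline: collect -> normalize/sort -> correlate -> alert.

Added illustration. The log lines below are constructed for the example and
only approximate real sshd and netfilter output; the rule, threshold and
window are assumptions, not a recommended production detection.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample source 1: a Linux auth log (sshd).
AUTH_LOG = """\
Jan 10 03:14:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 10 03:14:03 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 10 03:14:05 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 10 03:14:07 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 10 03:14:09 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 10 03:14:12 web01 sshd[2105]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jan 10 03:20:00 web01 sshd[2110]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jan 10 03:21:00 web01 sshd[2111]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# Constructed sample source 2: a firewall deny log.
FW_LOG = """\
Jan 10 03:13:50 fw01 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 10 03:13:55 fw01 kernel: DENY IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
"""

SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>[\d.]+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>DENY|ALLOW) .*SRC=(?P<src>[\d.]+)"
)


def parse_ts(text):
    """Syslog timestamps carry no year; strptime defaults it, which is fine here."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def collect(auth_text, fw_text):
    """Collect raw lines from both sources and normalize them into one schema,
    then sort by time so later rules can reason about ordering."""
    events = []
    for line in auth_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "source": "auth", "host": m["host"],
                           "src": m["src"], "user": m["user"],
                           "outcome": "success" if m["result"] == "Accepted" else "failure"})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "source": "firewall", "host": m["host"],
                           "src": m["src"], "user": None, "outcome": m["action"].lower()})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bruteforce_success(events, threshold=5, window_s=120):
    """Correlation rule: at least `threshold` auth failures from one source IP
    within `window_s` seconds, followed by a success from the same IP.
    Firewall denies from that IP are counted as supporting context."""
    alerts = []
    failures = defaultdict(list)  # src ip -> timestamps of recent failures
    for e in events:
        if e["source"] != "auth":
            continue
        if e["outcome"] == "failure":
            failures[e["src"]].append(e["ts"])
        elif e["outcome"] == "success":
            recent = [t for t in failures[e["src"]]
                      if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                fw_hits = [x for x in events
                           if x["source"] == "firewall" and x["src"] == e["src"]]
                alerts.append({"ts": e["ts"], "src": e["src"], "user": e["user"],
                               "host": e["host"], "failures": len(recent),
                               "firewall_denies": len(fw_hits)})
            failures[e["src"]].clear()  # a success closes the failure window
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(collect(AUTH_LOG, FW_LOG)):
        print("ALERT brute-force then success:", alert)
```

Run as-is, the rule fires once, for 203.0.113.7 logging in as root after five failures, with two prior firewall denies from the same address; alice's single failure followed by a key-based login stays below the threshold. The point is the shape of the work rather than this particular rule: every source needs its own parser, everything is normalized before it is compared, and the analyst's decision depends on correlating more than one feed.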
As you can see, a great deal of information and experience is needed in a SOC. Why not just leave it all to that poor security engineer sitting in a corner somewhere mumbling to themselves? Yes, that person may say some strange things, like: breach, botnets, ransomware, data loss prevention, clickjacking, and compliance. While it may sound like that person is going a little loopy, these are all things companies need to be aware of and know how to implement or protect against. There is so much information, and so many changing ways to expose, access, and use it, that it becomes highly improbable for one person alone to interpret and protect it all. Enter the SOC: a team of highly trained, and trainable, people who help that security engineer watch the network, keep the perimeter safe, and get the bad guys out when they do get in, and they will get in. Do a Google search for "Information security not if but when" and you get article upon article telling you that many companies now operate under the assumption that they have already been breached. Even the NSA operates under the assumption that it has been compromised and builds its systems on the assumption that adversaries will get in. This is why the SOC is critical: more eyes on critical points of information and technology, the knowledge and background to deal with breaches, and of course keeping that poor security engineer from going mad doing it all alone.
Now the important part: how much is this going to cost? There are a couple of ways to look at it. First, there is the direct cost of bringing in all of the technologies you need, the people to run them, and the facilities to house the people and the information. Against that, weigh how much it would cost if your company failed to comply with HIPAA, PCI DSS, or any other regulatory requirement covering your data. Worse still, what would the cost be of a breach like Target's, JP Morgan's, or any of the dozens of other big corporate breaches we have heard about in the last couple of years? The problem with information security is that the cost of implementing, maintaining, and improving your security is easy to calculate, but the end result is nebulous. If your SOC is doing its job well, you should never have a significant breach or loss of data, and how do you put a dollar amount on that? There are multiple ways to implement a SOC. Fully internal: the company owns the technology, hires the people, and maintains the facilities. Managed Security Service Provider (MSSP): you ship all or part of your security data to a third party, who interprets it and sends you reports on where possible threats lie that your team will need to fix. Co-managed: your internal SOC team and technologies are supplemented by a third party that acts as an extension of your team, all of your data remains in house, and the aim is to increase awareness, expand the knowledge base, and reduce incident detection and response time.
So what does this all mean? The simple fact is that eventually every organization is going to need a SOC: a team of intelligent professionals who can help secure your company and its data from an ever growing and changing threat. The axiom says "it's not if, but when." Don't you want the best team available to help make the impact of that "when" as small as possible?