How to cure your cyber security pain with a SOC?
Cybersecurity is a notoriously difficult topic, since most companies think about it AFTER the fact. The decision-making circle goes along these lines:
- We had a breach. We need to hire a security expert because our IT people are too few and too busy.
- How much is the salary range of CISO (Chief Information Security Officer)?!? Are you insane?! Let us outsource.
- How much do they (HP, IBM, Accenture etc) charge per hour?!? Are they insane?!
- This is mission impossible. Let us buy a new inexpensive firewall and hope this does not happen again.
- Another breach. We need to hire…
Well, today the world is changing and there is a way to break the cycle and get rid of those security headaches: the new-old magic pill, a Security Operations Center (SOC)!
And it all starts with… WHY?!
Before we get into the nitty-gritty of running your own Security Operations Center (SOC) or sourcing one (SOC as a service, SOCaaS), it is important to understand why organizations may need one and why now. Your CFO, or whoever controls the money, will raise that question before anything else.
1. Implementing a cybersecurity strategy is getting more complex, as are the threats.
Having an antivirus, a firewall and all your data in a cloud is not a cybersecurity strategy (or rather, it is a strategy for disaster). Working out a real strategy and updating it consistently is a titanic job that requires continuously updated knowledge and skills.
2. The consequences of a breach are becoming too severe.
Ransomware demands are higher. Regulation is getting stricter and regulators' fines steeper, be it GDPR, PCI DSS or local laws in any given country. Breaches are also far more visible than they used to be, so damage to reputation and stock price comes quickly and brutally.
3. Demand for security experts, especially C-level, is growing and so are their salaries.
According to Glassdoor, the average CISO salary is a cool 100k USD. That will, of course, vary by country, BUT you should not expect that bringing on one person will be enough to create a cybersecurity operation. A CISO will need a team, so on average we are talking about 3-10 experts in various security fields.
4. Security software vendors are all better than the competition, according to their marketing. Except they are not.
Many companies correctly opt for a multi-vendor approach to infrastructure, to avoid putting all their eggs in one basket and to optimize costs. Unfortunately, there are very few "native" integrations between the various firewalls, endpoint protection products, UTMs, SIEMs etc. The more vendors you use, the more in-house knowledge is needed.
5. In times of crisis, like now, new capital investment (CAPEX) is off the table.
It does not matter whether it is 5, 10 or 100 thousand. By now, your CFO likely has a poster in the bedroom saying: "Save money whenever you can until the crisis blows over". So buying licenses or hardware might be off the table. However, if the costs are operational (OPEX), you stand a chance of convincing the CFO to open the wallet.
And there you have it: urgency combined with higher pressure to keep costs down makes a strong centralized SOC a great option. It is also worth noting that you do not need to put "everything" into your security centre at once. It is reasonably easy to scale the operation in increments, e.g. endpoints first, then perimeter security, then data leakage prevention, then cloud security and so on.
But wait, some may say: this option was always available, and I still need to buy data protection tools and hire people. It is just even more difficult now. What has changed?
The World of managed and rented security services
There are three key components required to successfully establish a SOC: the technology, the people who run it and the processes they follow. Historically, all three were "buy and pay upfront" kind of things. Not any longer.
It does sound obvious, but you do need protection covering all angles and devices of your organization. Historically, security solution vendors relied on "customer lock-in" by gently pushing towards a large upfront investment in a huge stack of licenses or hardware. This ensured that a customer, whose ROI would take 5+ years, would stay longer and keep paying annual maintenance and support fees of around 20% indefinitely.
Today, however, competition across all niches of cybersecurity is intense and customers do not want to be locked in. So the vendors had to adapt by moving more and more of their offering towards a solution-as-a-service model. In the middle, resellers of security products often have better options for selling the "product" as part of a managed service, where the cost of licenses and devices is not even visible to the end customer.
Besides the hiring option discussed above, outsourcing some or all security tasks was available only to large, rich companies. The reason is that IT service companies had to make large upfront investments in training and hardware to get a team strong enough to manage enough customers AND remain profitable. Also, since managing someone's security is much more sensitive than, say, managing their printers, there was a large premium on hourly fees.
What has changed today is the quality of the automation and integration tools available to managed security service providers like Cybers. For example, we have been offering firewall and endpoint security management services for a decade, but only in the last couple of years have we been able to offer a "full-stack SOC as a service" at a comparable price.
A security operations centre, as a concept, is pretty simple: configure a SIEM (security information and event management system), get all logs and alerts into it, find the important ones and fix the problems. Mapping out all the processes, recovery scenarios, playbooks and trainings, however, is hugely complex. As one customer (with 20 years of network security experience) told me recently: "Look, I know we need a SOC but I have no idea which end I should start building it from." Just having all the pieces of the security puzzle in front of you does not mean you have a picture. Every company is unique, and a SOC is not exactly a 32-piece puzzle your five-year-old puts together.
However, the more mature managed security providers have gained enough knowledge and confidence to say:
“We have the process you can copy for 70% of your SOC’s needs (scenarios for malware, ransomware, phishing, unknown IPs etc) and we have a checklist we will use to map out the rest.”
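To make the "configure a SIEM, get the logs in, find the important ones" part concrete, here is a minimal SIEM-style pipeline in Python. It is added here as an illustration and is not Cybers' tooling or any product's code: it normalises log lines from two differently formatted sources (SSH authentication and a firewall) into one schema, then runs two of the scenario types named above, a brute-force login burst followed by a successful login, and an allowed outbound connection to a destination not on the list of known ones. The log lines, the known-destination set, the port list and the thresholds are all constructed assumptions for the example.

```python
"""Minimal SIEM-style pipeline: normalise, then correlate.
Added illustration only; not the code of any SOC provider or product.
Every log line below is constructed for the example, not captured."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs in two formats, as a real SIEM has to cope with.
AUTH_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:06 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09 sshd[101]: Accepted password for admin from 203.0.113.7
2024-03-01T09:30:00 sshd[102]: Failed password for bob from 192.0.2.10
2024-03-01T09:45:00 sshd[103]: Accepted password for bob from 192.0.2.10
"""
FW_LOG = """\
2024-03-01T09:01:00 fw1 action=allow src=10.0.0.5 dst=192.0.2.50 dport=443
2024-03-01T09:01:02 fw1 action=allow src=10.0.0.5 dst=198.51.100.23 dport=4444
2024-03-01T09:01:05 fw1 action=deny src=10.0.0.9 dst=192.0.2.50 dport=22
"""

AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) fw1 action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse(auth_text, fw_text):
    """Normalise both formats into dicts sharing 'ts', 'src' and 'type' keys."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": src, "type": "auth",
                           "outcome": outcome.lower(), "user": user})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": src, "type": "fw",
                           "action": action, "dst": dst, "dport": int(dport)})
    events.sort(key=lambda e: e["ts"])  # correlation needs a single timeline
    return events


def rule_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Fire when at least `threshold` failed logins from one source inside
    `window` are followed by a successful login from that same source.
    A lone failure long before a success (bob below) must NOT fire."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of failures still in window
    for e in events:
        if e["type"] != "auth":
            continue
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        if e["outcome"] == "failed":
            recent.append(e["ts"])
        else:
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_success", "src": e["src"],
                               "user": e["user"], "ts": e["ts"]})
            recent = []  # a success ends the burst either way
        failures[e["src"]] = recent
    return alerts


def rule_unknown_destination(events, known_dsts, suspicious_ports=frozenset({4444, 1337})):
    """Fire on an allowed outbound connection to a destination outside the
    known set ("unknown IP"); raise severity on ports commonly used by
    reverse shells. Denied connections never left the network, so skip them."""
    alerts = []
    for e in events:
        if e["type"] == "fw" and e["action"] == "allow" and e["dst"] not in known_dsts:
            alerts.append({"rule": "unknown_destination", "src": e["src"], "dst": e["dst"],
                           "severity": "high" if e["dport"] in suspicious_ports else "medium"})
    return alerts


def run(auth_text=AUTH_LOG, fw_text=FW_LOG, known_dsts=frozenset({"192.0.2.50"})):
    """Whole pipeline: ingest, normalise, apply every rule, return the alerts."""
    events = parse(auth_text, fw_text)
    return rule_bruteforce(events) + rule_unknown_destination(events, known_dsts)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running it yields two alerts: the brute-force success for admin from 203.0.113.7 and the high-severity unknown destination 198.51.100.23 on port 4444; bob's single old failure and the denied connection correctly produce nothing. In a real SOC each rule is tuned (thresholds, windows, the known-destination list) and attached to a playbook that says who does what when it fires; that mapping, not the matching logic, is the hard part the paragraph above is talking about.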
This radically decreases:
- Roll-out costs (hundreds of "consulting" hours)
- Roll-out time (weeks vs years)
- Pressure on your organization (orderly approach vs utter chaos)
And, somewhat ironically, it makes establishing the SOC itself more secure. Unless, of course, your company likes to roll out critical data security projects "learning as you go" and brushing off a myriad of teething problems.
But which SOC model would work for me?
As mentioned, the flexibility to invest in your security operations centre gradually and to scale it is there today. But for simplicity's sake we normally suggest customers consider the following three options:
1. SOC as a service
Your security partner gradually takes over the majority of security monitoring tasks, provides the technology, advises you on prevention strategy and reacts to a variety of incidents. Your in-house IT team focuses on access rights management and on decisions about large incidents.
2. Your own custom-built SOC
Your partner helps you establish the SOC operation, trains your people and carries out a large knowledge transfer to enable you to run it on your own. This works better in a large organization with a multi-skilled IT/security team that "merely" lacks the knowledge of how to establish a centralized security operation.
3. A hybrid SOC
A mix of the two options above, which occurs when a customer needs help establishing the analytics, SIEM and process side of the SOC while already owning and managing the majority of its security technology. "Tell us when there is a problem and we will fix it on our own."
The choice of model will affect everything from costs to roll-out speed, so some things to consider are:
- Your IT team's available capacity and skills
- The global footprint of your company
- Your security strategy for the next 3-5 years
- The security technology already on hand
- The threat landscape and areas relevant to you
- Some sort of target budget
It is likely that your security partner of choice will be open to switching your cooperation model from one to another. We normally offer customers a two-month pilot project to let them get a feel for the selected option and for how their cybersecurity responsibilities will evolve.
Well, I hope this has convinced you that beefing up your security with a strong operations centre is both a good idea and not impossible. But rather than going head-on, drawing your SOC on paper and then asking for quotes, I suggest you start with a look in the mirror of sorts.
A risk and vulnerability audit, or a penetration test of your critical systems, will tell you where you stand, at least within the scope that was tested. It will also be invaluable for visualizing the impact of security issues materializing out of the blue, a.k.a. the cost of doing nothing.