What Makes an Effective SOC?
Security Operations Centres (SOCs) is not a term heard often outside of large Enterprise organisations. We believe that this doesn’t adequately reflect their function, and their purpose to an organisation of any size. By definition, SOCs are centralised units that deals with any security issues on an organizational and technical level. The important functions of a SOC are real-time monitoring of all infrastructure (physical, logical, logistical, etc), Access Management, and Incident Response and remediation. There are few organisations mature enough to have this specialisation in-house, and, in our experience, much less of those implement and practice it effectively.
When it comes to the Security management of organisations, the first thing we recommend is a specialised and independent approach. This applies to all types of organisations, even those with an internal security function. There are several reasons for this. Firstly, internal functions usually have their resources split between explicit Security concerns, and business objectives with the applicable stakeholders. A lot of time is spent talking about Security internally, and what would be “best practice”, but frustration arises as the internal professionals lack the time/budget/latitude to perform this function optimally. Secondly, the depth that an external SOC has the capacity for can rarely be replicated in-house. Specialised functions (when externalised) allow for optimal management and information transfer to the organisation, and this aids in the decision-making process. Thirdly, the value of an independent perspective cannot be overstated. This is why decisions are not unilaterally made, and even with pieces of work to be published for example, it literally pays to have someone else check it for you. There are several biases that we are all under the influence of, and the net effect of those biases create certain blind spots. These should be appropriately classified as risks, and they can be effectively managed by partnering with us @Fortsafe. We make it our mission to understand your objectives, and assets your company utilise to execute those objectives. This list can go on ad-finitum, but the point is, this is a situation where a second (or first-external) opinion definitely pays dividends, and saves in potential impact to your brand in the marketplace.
Why You Definitely Need A SOC Function
Imagine going into a brawl without backup of any sort. What chance of a successful outcome would you give yourself in that instance? That is the equivalent of operating a business utilising the Internet, without Security Operations as an active function in your organisation. The number of threats “in the wild” is astronomical and growing by the second. To add to that, the implementation of new technologies increases risk. The newer the tech, the less that is known about it. Zero Day vulnerabilities are a very real factor in adopting new technology and should be carefully calculated for. With the advent of point-and-click security ‘tools’, script kiddies are now a little more dangerous. Attacks do not have to be sophisticated to give you and your company more than just a headache.
Efficiencies are also an important factor in this equation. Economies of scale are realised when you calculate the cost of having a fully effective SOC function internally, versus a partnership contract with a specialist organisation externally. We recommend you also factor in the cost of remediation in the case of a breach; damage to brand and reputation, operational downtime for any asset of the business, including people in the event that the computer network is rendered inaccessible or unusable in the normal business context, etc. That number gets quite high, quite quickly. It makes sense to choose the option where you pay the least overall, and worry the least because you have the appropriate backup so to speak. The value of assurance in the business world cannot be overstated, and in the world of cyber security, trust and assurance are worth their weight in gold.
SOC Best Practice
Whether you are planning to implement a SOC function, or use one currently, we believe a list of the best industry practices is a worthwhile discussion.
Effective Monitoring and Reporting
A well-designed SOC not only has a clear understanding of all available infrastructure, it keeps that kit under effective management utilising a variety of tools for monitoring purposes. Logs are king in this part of the world, and adept operators tune software to alert them of the most sensitive and critical system events. Within this, they have a real-world understanding of which system events to pay attention to, and what effect those events have on the core business unit’s function. This understanding breaks down the communication barrier between the Technology and Commerce verticals in the business, and make the road to efficient real-time decision making much smoother for all involved. In a crisis situation, ineffective communication has a very high cost to the business. The time and money lost trying to get the decision-making authorities to understand the implications of a critical incident and therefore follow (hopefully) pre-set remediation strategies, could cause irreparable damage to the brand and the bottom line.
Real Time Threat Intelligence
Vision of the threat matrix your organisation faces is invaluable in a fast-paced digital world. The best decision makers in business tend to be the most successful. Factors for success might be – the right amount of correct information, fused from data, factored by impact and importance, producing a favourable outcome. An SOC function is keeping an active eye on current and future threats, while having a solid understanding of the assets you are trying to protect. Vision is as critical in business as it is in Security, and with the stakes being so high, you want the best vision watching out for your interests.
Defence in Depth Approach
SOCs follow best protocol when it comes to infrastructure and network design. Defence in Depth as a philosophy basically advocates for a tiered, hierarchical design structure, with rigid trust boundaries, and elements of authentication/authorisation between zones. The easiest way to understand this is “not putting all of your eggs in one basket”. If compromise of one element of your network grants an attack access to all of your network assets, all of the investment into Security goes down the drain, and you suffer the full consequences of inadequate protection. Security organisations start from the ground-up, looking at the elements that need to talk to each other internally, how they can do so safely, and which of those elements need to talk “outside” ie. the Internet. Once those assets are identified, and the levels of risk are accurately categorised based on software, hardware, code structure, known vulnerability history, patch cycles, and remediation strategies, they can be adequately monitored and protected. To put it more bluntly, more eyes and more time is spent on these assets because they present the greatest risk to you and your interests. The risk is offset by the potential reward gained by whatever purpose the asset is fulfilling, but it is a delicate balance, and a good SOC will help you tip it into your favour.
Benefits of Outsourced Capability
Security can be perceived as a major cost centre in organisations that don’t understand it’s value. Good security can appear very expensive when looking at a $ amount on a balance sheet, for example, but one must also understand the $ amount involved in not attending to risk factors present to the organisation properly. The overall impact of a Security incident hurts more than the bottom line of an organisation. Outsourcing this function removes the internal barriers to effective Security practices. Employing an industry expert ensures all major and decision-making stakeholders enjoy peace of mind as they know they are getting the best advice. A SOC, with all of the infrastructure, personnel, tools, and training is a very expensive undertaking, one that most businesses are not equipped for. Partnering with one gives you all of the benefits of active Security Management, and other fringe benefits such as the depth of knowledge and understanding utilised in daily operations, the breadth of looking after multiple infrastructures or company units means that they are well versed across a wide variety of technologies, and are monitoring them all in some capacity. If this were insurance, you would be covered for most items at a minimum-viable price-point for the service received. It is an approach we highly recommend, and hope your Security posture improves with this advice.
To understand how the rest of the pieces of the puzzle can be lifted to improve your security posture, you can reach out to Fort Safe and we’ll help you put it all together.