The purpose of a security operation center (SOC) is to protect an organization from cyber attacks by setting up defenses, monitoring to detect cyber incidents, enforcing security policies, and responding when an incident inevitably occurs. Think of the security team of the organization: they make up the SOC.
One of the biggest challenges we face at Block Harbor is communicating the value of a “Managed Security Operation Center”. It’s expensive, and the only tangible deliverable that comes out of it is frequent status reports highlighting key risks and trends that we detect in data.
This is a huge problem for us: we were built on the premise that companies do not need more tools, they need people that can perform the tasks in security that can’t be automated.
While we’re adamant that this is true, how do you convince a company that previously had a 1-person security team that’s also the IT team that it’s worth investing in a group of experts that can become your security team, your SOC?
Why a Security Operations Center is Important.
1. IDENTIFY assets so you know what you have to protect. Typically done with a risk assessment.
2. PROTECT those assets you’ve identified. Stand up defenses, make sure they’re secure. Then, validate your work with a penetration test.
3. DETECT when an attack is happening. You’ll never be able to protect a system from a constantly changing landscape. Set up the ability to know when an attack is happening as rapidly as possible, so you can do something about it.
4. RESPOND to an attack that was detected. You can minimize damages significantly by having rapid response processes and technologies in places. Stop the attack in minutes or hours instead of weeks or months.
5. RECOVER operations. Once the attack is isolated and minimized, get systems back up and running as soon as possible to minimize business impacts.
Statistics around average time to detection vary wildly, but they’re always in 3 digits.
However, these statistics rely on detecting breaches in the first place! Who knows how many companies have suffered breaches but have not discovered it? It’s really hard to quantify… and, disclosing breaches tend to be very expensive from regulatory fines.
I don’t even want to know how many companies found something, recovered, and swept it under the rug.
You’re seeing the repercussions of this everyday. Breaches are making headlines constantly.
Identify and protect all you want, but all of your defenses could be compromised by a simple misconfiguration or a phishing campaign that exploits the human element. Why would an attacker struggle through all of your defenses when they could send an email to George in HR and trick them into handing the keys to the kingdom over? Sounds much easier.
A SOC achieves the last 3 principles: DETECT, RESPOND, and RECOVER.
A SOC achieves the last 3 principles: DETECT, RESPOND, and RECOVER. How?
Technology is stood up to collect data from all sorts of different entry points into your organization. Then, we perform deep analysis to understand what the data is saying and to correlate data to detect complicated attacks and indicators of exposure that might facilitate an attack. Finally, response procedures and technologies are stood up so that we can adequately handle an incident and keep your organization safe.
A SOC reduces “time-to-detection” from 197 days to minutes. More than likely, an attacker will not even make it to the sensitive data because the SOC stopped the attack before it could be successful.
There are no guarantees in cybersecurity, but a well-engineered SOC gives you unparalleled visibility into your system paired with technology and personnel that can do something to stop the attack.
Let me add one more item to explain SOC.
Regulatory penalties for breaches are extreme (CCPA sets a floor at $100 USD per record. 1 million records, a trivial amount for modern databases on the internet, is a $100M USD fine).
This is because all guidelines, regulations, and frameworks in cybersecurity follow the principles I outlined above: they’re stating that you need a SOC, even if it’s worded sometimes as “you need to do security due diligence”.
The financial risk of a breach extends far beyond the business impact.
So, that’s a SOC and what it’s achieving. But why would you ever outsource this? Sounds like something you could build in-house. Let me highlight a few advantages of looking to a team like ours to build that SOC for you.
It’s much more expensive to do in-house. You’ll need a staff, and you’ll need to train them.
Cybersecurity personnel are hard to find with a 0% unemployment rate, so you’ll have to pay them well. It’ll take a long time to build this out. It’s cheaper to let our staff that’s already trained become experts on your system, set up a SOC, and achieve that 24/7/365 monitoring that you were looking for without having to lift a finger. You can focus on your organization’s mission.
A company like ours brings deep experience from working with all of our clients, many of which are Fortune 500 customers. In our case in particular, many of the systems we stand SOCs up for are cyber-physical, where a breach could jeopardize safety. If we can handle the cybersecurity to keep people safe, we can certainly handle information security.
We bring a diversity of experience. This is incredibly important — we help to think of attacks and ways into a system that might be missed by in-house security teams.
I’m sure Target wasn’t focused on securing the HVAC systems that led to their massive data breach (https://krebsonsecurity.com/2014/02/target- hackers-broke-in-via-hvac-company/).
We have a deep insight into the latest trends, attacks, and more. Cybersecurity is all we think about, and we can actively see what’s going on inside many other companies. Your in-house SOC won’t have that.
Software costs are insane. The technologies you need to power a SOC are ridiculously expensive. We can share our tools and reduce our cost for all of our customers.
We can meet that regulatory need. We’re constantly dealing with different regulations, from PCI-DSS to HIPAA to the latest drafts in automotive cyber regulations. We can help you meet it, and then our partners can audit to make sure you’re in alignment (we’re not going to audit the systems we set up, after all. We’ll let some other smart people grade our work).
Curious what a report for one of our clients looks like? Here’s an SOC Report: https://blockharbor.io/soc-report/