This is for all those who say “I’m way too small to be building a Security Operations Center (SOC) – all I need right now is a <insert any piece of cybersecurity technology here>” … because whether you know it or not, you are embarking on the lengthy, complex, and expensive path of building a SOC, from the moment you buy even one piece of technology beyond anti-virus and firewall.
In this post, we will explain (1) what we mean by a Security Operations Center; (2) why buying security technology means you are on that path, and (3) what the consequences are for the security of your business. Once you are convinced that you are going down this path of building a SOC, the business case for MDR as an alternative makes a lot more sense.
Full disclosure – we’re biased. We position our MDR service against the cost of a SOC to help our clients build the business case for it. While this is ‘fair’ – you’re getting the functionality of a SOC without the cost of equipping, maintaining, and staffing it – it isn’t always seen as ‘applicable’ to small to medium-sized enterprises. SMEs may not understand that a SOC doesn’t have to mean an NSA-grade, military-looking undertaking; it always starts with a piece of technology that requires qualified personnel to operate it.
With our cards on the table, let’s explore why you may already be on this lengthy, complex and expensive path, and not even realize it.
What is a SOC?
At its core, a SOC is the combination of cybersecurity people, processes, and technology, in a centralized location, working towards securing the organization. The concept evolved from the Network Operations Center (NOC) which was tasked with ensuring availability and performance of the technology in your infrastructure.
There is also a functional milestone that indicates you are running a SOC: when you begin collecting and storing information so that you can respond to threats. A representative example of technology that enables such functionality is a SIEM. Earlier in the evolution of your SOC, when you lack such technology, your response capabilities are mostly limited to disaster recovery – wiping and re-imaging.
So, while technologies like anti-virus and firewall do serve the purpose of securing your organization, they don’t constitute a SOC on their own, because their preventative nature doesn’t equip you to respond to threats – what is your response when something gets past these measures? They also don’t require dedicated, qualified cybersecurity personnel to operate and maintain them. AV updates are easily accomplished by members of your IT team, or even end-users, without much disruption (as long as you test first). Even a firewall can require some advanced knowledge during setup and when updating rules, but is fine for everyday operation by a generalist. But as soon as you move to technology that requires specialists to manage it, you have added people and process to the mix: you are on your way to building a SOC.
Whatever that ‘next piece’ of technology is, you will come to see that you are ultimately buying a point-product – which starts to require management. This is part of what makes the SIEM seem attractive; the ability to manage each different product in your SOC. But this assumes that an ecosystem of security technology is necessary for security.
Why does buying one piece of technology mean we’re committed to building a SOC?
You need to understand a little bit about the development of the cybersecurity technology industry for this to make sense. Basically, security started with a single-minded purpose: to secure particular pieces of IT in your environment, in reaction to threats targeting them (e.g., anti-virus for endpoints, Firewall at the entrance to your network). As you add more technology to your environment, to enable business processes (like email, and other applications), you need to secure it as well. “How will you be securing that?” became the obligatory question from resellers about nearly any technology. So, as information technology advanced, each category spawned a corresponding cybersecurity technology category – leading to the complexity in the industry we see today.
For this reason, as your datacenter expands, so does your need for cybersecurity technology to protect the components of it… and, people to operate these specialized cybersecurity technologies… and processes implemented to maintain that stuff… what does that remind you of? (Think back to our description of a SOC 😊).
Implications for your business
Having an ‘incomplete SOC’ that doesn’t have people, processes, and technology to protect each category of technology (e.g. just a SIEM, or just an IPS) means your business remains vulnerable to the attacks that exploit technologies outside the particular category you have defended. This is why a tenet of the industry has long been ‘defense in depth.’
Have a look at these examples to better understand the gaps:
- You bought an email gateway. What happens when your employees download malware from the web?
- You bought a web firewall. What happens when your employees get phished?
- You bought a vulnerability scanner and hired an employee to patch your systems. What happens when you get hit with a zero-day exploit?
- You bought all of the above. What happens if you get hit with ransomware? (It’s not a virus, it’s just encryption, so prevention technologies can’t detect it.)
While this is far from an exhaustive list of technologies beyond anti-virus and firewall, you can see how security point products are designed to protect a given type of technology (or against a particular category of attack). This renders them insufficient on their own, unless you invest in many different technologies and the people to manage them. There is no such thing as 100% secure – how many categories must you protect before you decide it’s “good enough?” The question is rhetorical – hackers are not limited to a single exploit, and how you are being targeted is not random. If you are vulnerable to a particular type of attack, then the risk exists. Period.
So, if you want to secure your organization, and if any one piece of prevention technology is insufficient to do so without risk, then you are committing to close the gaps that remain with other solutions… and to hiring people to manage those solutions… in other words: you are committing to the lengthy, complex, and expensive path of building a SOC.
ActZero offers a Managed Detection and Response service, equipping your business with our own cybersecurity technology, people, and processes to detect and respond to threats (including ransomware). By looking at the effects on your operating systems rather than for a specific signature, our threat hunters can detect and respond to known and unknown threats.
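The ransomware example above (prevention that relies on recognizing a known bad file misses it) and the closing point about looking at outcomes rather than signatures both come down to one contrast, which the following added Python illustrates. This is example code written for this page, not ActZero’s detection logic and not part of the original post; the event format, process names, hashes, window and threshold are all constructed assumptions. It runs a signature check and an outcome-based check over the same constructed endpoint file events: the signature check only flags image hashes already on a blocklist, while the outcome-based check flags any process that rewrites many distinct files to a new extension within a short window, regardless of what the process is.

```python
"""Signature check versus outcome-based check over constructed endpoint file events.

Added example for illustration; not ActZero's code. All names, hashes and
thresholds below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FileEvent:
    """One file-system event as an endpoint sensor might record it (constructed schema)."""
    ts: float                      # seconds since epoch
    process: str                   # image name of the acting process
    sha256: str                    # hash of the process image (placeholder values)
    action: str                    # "write" | "rename" | "delete"
    path: str                      # path written/deleted, or new path for a rename
    old_path: Optional[str] = None  # original path, only set for "rename"


def _make_sample_events() -> List[FileEvent]:
    """Constructed sample log: a benign editor plus an unknown process that rewrites files."""
    events: List[FileEvent] = []
    # Benign: a word processor saving a few documents over ten minutes.
    for i in range(5):
        events.append(FileEvent(ts=1000.0 + i * 120, process="winword.exe",
                                sha256="sha256:WORD-CONSTRUCTED", action="write",
                                path=f"/home/alice/docs/report{i}.docx"))
    # Suspicious outcome: an unknown binary rewrites 40 files to a new extension
    # in about 30 seconds. Its hash is not on any blocklist.
    for i in range(40):
        src = f"/home/alice/docs/file{i}.xlsx"
        t = 2000.0 + i * 0.75
        events.append(FileEvent(ts=t, process="updater.exe",
                                sha256="sha256:UNKNOWN-CONSTRUCTED", action="write", path=src))
        events.append(FileEvent(ts=t + 0.1, process="updater.exe",
                                sha256="sha256:UNKNOWN-CONSTRUCTED", action="rename",
                                path=src + ".locked", old_path=src))
    return sorted(events, key=lambda e: e.ts)


SAMPLE_EVENTS: List[FileEvent] = _make_sample_events()
# Constructed blocklist: contains a hash that does not appear in the sample events.
KNOWN_BAD_HASHES: Set[str] = {"sha256:KNOWN-BAD-CONSTRUCTED"}


def signature_detect(events: Iterable[FileEvent], blocklist: Set[str]) -> Set[str]:
    """Signature-style check: flags only processes whose image hash is already known bad."""
    return {e.process for e in events if e.sha256 in blocklist}


def extension_changed(old_path: str, new_path: str) -> bool:
    """True when a rename gave the file a different final extension."""
    return PurePosixPath(old_path).suffix != PurePosixPath(new_path).suffix


def behaviour_detect(events: Iterable[FileEvent], window: float = 60.0,
                     threshold: int = 20) -> Dict[str, int]:
    """Outcome-based check: flags a process that renames at least `threshold`
    distinct files to a new extension within any `window` seconds.

    Returns {process: peak number of distinct files rewritten in one window}.
    The process hash is never consulted, so an unknown binary is still caught.
    """
    per_proc: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for e in events:
        if e.action == "rename" and e.old_path and extension_changed(e.old_path, e.path):
            per_proc[e.process].append((e.ts, e.old_path))

    flagged: Dict[str, int] = {}
    for proc, hits in per_proc.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):          # sliding window over sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({p for _, p in hits[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[proc] = peak
    return flagged


if __name__ == "__main__":
    print("signature check flags:", signature_detect(SAMPLE_EVENTS, KNOWN_BAD_HASHES))
    print("outcome-based check flags:", behaviour_detect(SAMPLE_EVENTS))
```

On the constructed events the signature check flags nothing, because the rewriting process has never been seen before, while the outcome-based check flags `updater.exe` after observing 40 distinct files renamed to a new extension inside one window. In practice the threshold and window would be tuned against the organisation’s own baseline (backup agents and archivers also rename files in bulk), which is exactly the kind of ongoing tuning work the post attributes to a staffed SOC.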