Why You Need Security Operations
A fully grown security operations center (SOC) was, until recently, a luxury, affordable for the largest organizations only, but even in global players, budget constraints are real. Unfortunately, the willingness to raise money for security seems to require an incident first.
However, we often forget there’s no need for a dedicated war room, and it doesn’t always require a full team. Centralized security can be outsourced. There are many specialized suppliers who have been successful on the market for several years and offer services under the umbrella of MSSP (Managed Security Service Provider). Quite new are providers of artificial intelligence-based systems who promise faster response time and lower running costs.
No matter how big the investment, you buy one thing above all: peace of mind. Especially important in the jungle of various laws and regulations.
Start Small. Plan Big.
It’s debatable whether there must always be a “center” to carry out “security operations.”
However, undoubtedly in large IT environments, separate, dedicated, and responsible personnel are required for security. In small businesses, you can juggle different tasks and wear multiple hats, but the likelihood of becoming the target of an attack increases with the value of the company on the stock market. Success attracts more than just investors.
Staff should have sufficient time to stay up-to-date outside of their day-to-day tasks. This should be a key factor in staffing plans, and to learn and grow is ideally part of the career path, too.
Acquiring proper tools and correctly using them is crucial. Even the best high-end solutions available on the market won’t help if they’ve only been purchased to mark a checkbox. Unfortunately, comprehensive solutions come with a high degree of complexity, so it takes time until the system is ready for use. Since the demands of large companies are both immense and variable simultaneously, there are no turnkey packages.
One Size Doesn’t Fit All
It should be decided very early in the planning phase whether a comprehensive system will fit the needs, or if a modular approach with a SIEM on top is better at preparing data for the security analysts.
A modular system comes with the advantage that individual elements can be purchased to meet priorities best. Securing an IoT machine park requires different tools and methods than an office full of employees. In fact, machines of any kind and their communication protocols can be monitored relatively well, since any deviation from a baseline represents an anomaly in itself, indicating either a problem or a risk. Simple but reliable methods such as measuring traffic using deep packet inspection can detect deviations in real time.
The situation is different for employees. We humans tend to work outside of baselines, making anomalies more difficult to define.
For global players, there are additional challenges: you cannot simply monitor the users, in this case the employees, without coming into conflict with numerous laws. Even if the data collected only serves to protect company values, it will be difficult to get the workers’ council on board.
Important: Preventive Approach
Of course, while it’s impossible to prepare for all contingencies, reducing risk can be realized, for example, by applying a proper concept of authorization. Simply speaking, if an employee cannot access a resource, the information contained cannot be published or altered accidentally. Using the proper tools to automate user account management can help avoid accidents, such as extending permissions via drag-and-drop and making comments and notes a requirement when applying changes, helping enforce a change protocol.
A permanent audit of the change protocol is also crucial part of a prevention strategy. A traditional SIEM won’t always be able to detect changes to any application; but a specialized tool can do this with ease, and even allows you to roll back changes if necessary. This occurs when the change has been authorized incorrectly, or not at all, or if there’s an unexpected impact.
Just a Technical Problem, or Already a Threat?
Companies with an increased focus on security already use an IT monitoring system to narrow down and eliminate technical problems. Such tools also help with routine tasks to increase security, such as patching operating systems, applications, or network devices, and allow simulating changes.
Nevertheless, it’s a challenge to distinguish a problem with technology from an imminent threat as early as possible. A suddenly slow network connection or a sluggish database, which has always been performing fine, can be a side effect of both. It’s advantageous if the entire IT team works together and involves other teams or departments in case of problems whose nature is still undefined.
Experienced IT pros usually have a good sense of what direction a problem comes from, but they need the data from monitoring systems to prove it. But what if there’s too much data?
Consolidation of Tools
It’s a fine art to be able to combine different data sources in a meaningful way. Different ways allow supporting analysts, for example, forwarding data from one tool to another via an API, so it can be processed elsewhere.
In most environments, a SIEM does the job and uses rules or machine learning to collect and merge variables and ideally visualizes them.
As explained above, the process of adapting a solution to the company’s needs can be very complex, and consulting specialists is recommended, as the message formats and events from different solutions are rarely compatible. If possible, it would be an advantage to obtain various IT security solutions from a single source-vendor to increase interoperability.
Even in large companies, the mindset of “the more the better” isn’t really helping and the advantages of proper planning right from the start are significant. Ultimately, the transformation of an SOC from a pure cost center to an integral part of the company becomes obvious after the first successfully prevented attack.