SOCs: Marrying the business and security
Over the past two years, businesses have had to deal with unprecedented changes. Over and above the technological and cultural adjustments that had to be made to enable remote working, companies of all sizes and from all sectors have had to defend against an ever-increasing volume of cyber attacks.
Forty-five percent of all organisations have seen a sharp increase in cyber threats and security incidents since the onset of the COVID-19 pandemic, according to the latest State of Security Operations report.[i] In fact, more than 40% of respondents reported increased risks from unmanaged devices belonging to remote users, 38% said incident investigation and remediation became harder, and 36% reported insufficient access to onsite security systems.[ii]
What is more concerning is that the Cyber Threats Report found that nearly 90% of businesses knowingly sacrificed security to quickly enable remote work. Unsurprisingly, 25% reported a ransomware or other malware attack in the first three months of the pandemic.
The growing volume of threats has resulted in an equally mounting volume of threat alerts. This is overwhelming the ability of security operations teams in large organisations, the State of SecOps and Automation report found. Nearly all organisations (99%) reported that alert volume is creating problems for the IT security team, and 93% said they are unable to address all alerts the same day.
SOCs being set up to fail
In light of the current challenges facing organisations, many are starting to expand their vulnerability detection capabilities by investing in a security operations centre (SOC). Unfortunately, all SOCs are not created equal, and many companies have ended up with an SOC that does little more than monitor alerts.
In fact, a recent Ponemon Institute study found that many SOCs are set up to fail. According to the survey, many SOCs are ineffective and the security analysts that work in them are being pushed to breaking point. Of the more than 500 organisations surveyed, only about 40% rated their SOC as highly effective. Less than half (47%) have confidence in the ability of their SOC to gather evidence and investigate to find the source of emerging threats.
Despite the fact that many of the survey respondents cited technology challenges such as lack of visibility into network traffic and lack of visibility into the IT security infrastructure as reasons for SOC failure, technology is hardly ever the reason for an SOC to fail. SOCs fail for one primary reason: They are not relevant to the business.
Too many organisations rely on SOCs that use internal technology metrics as opposed to business risk drivers. Any business investing in an SOC needs to ensure that not only is it relevant to the business, it is relevant to what the business wants to do in its market. Does the organisation need to protect its supply chain? Does it need to digitise a platform to customers ? The goals of the organisation must be tied into the SOC in order to effectively identify and defend against business risks.
The SOC should do far more than just monitor alerts. It should monitor proactively as well as reactively, taking a threat-centric approach. A business risk review will provide the context within which the SOC should operate, creating a foundation for effective threat mitigation.
Building a business case
In today’s ever-increasing threat landscape, organisations need to be able to rely on their SOC to mitigate all of the risks they face. This is why they must begin by evaluating what they are trying to achieve through their monitoring efforts and establish what those results look like in a business case.
Every company will be in a slightly different place in their journey, so an SOC maturity assessment will help establish where there are gaps that need to be filled for those organisations that have already started investing in an SOC. For those looking to get started, a security assessment would provide the insight needed to allow the business to pinpoint what investments it needs to be making. In both cases, the assessment results must be linked to a business case to help identify what is needed in order to mitigate specific business risks.
Wherever they are in their journey, companies need to ask how their SOC should be delivering results, what kind of value they are getting, and how to ensure it is effective and efficient. Organisations should be able to have these discussions at board and exco level, and the SOC should be able to provide executives with effective visualisations and convenient dashboards.
Achieving world-class SOC capabilities doesn’t have to be overly expensive, nor is it overly challenging with a partner like Nexio. Instead of having to invest in their own SOC, companies can gain the benefits of a service that has been designed and built to deliver effective threat mitigation and response directly tied into business needs. With monitoring done by highly skilled and certified experts, a managed SOC offers the most effective solution for organisations looking for world-class capabilities.
Based on a threat-centric approach, our 24 x 7 SOC solution goes much further than merely ingesting incident data, using security orchestration and automation through machine learning to ensure repeatable, automated integrated technologies and processes with advanced investigation analytics. A shared services team works across customers on a multi-tenancy basis, providing the highest level of skills and certifications.
As a result, we have the resources to continuously improve, tune and optimise each customer’s SOC to guarantee the highest levels of protection. From the initial technology briefing on what the company’s posture looks like, to identifying how the SOC can be linked to the company’s primary business drivers, to executive stakeholder management, we ensure that the SOC service delivers constant value to the business.