By Information Assurance Specialist at Data#3 Limited
Investing in high-quality socks can give you generous support and comfort. Investing in a managed SOC can have a similar effect.
Most of us know what needs to be done regarding our information assurance, but not all of us know how to go about it. This may be due to resource limitations and being run off our feet just trying to ‘keep the lights on’, or a result of complex systems that very few understand. Increasing regulations and control of information (think GDPR and the Notifiable Data Breach amendment to the Privacy Act here in Australia) plus the ever-evolving (perhaps mutating) threat landscape, mean we’re under the pump trying to stay on top of things, let alone keeping them adequately secured.
A Managed Security Operations Centre, or Managed SOC / MSOC (commonly called Managed Security Services) can take considerable pressure off your already-strained IT department, especially when it comes to tough day-to-day security operations. We never seem to find time for complex tasks until things come unstuck.
From essential services such as firewall management to more complex data analytics and forensics, getting the right people involved is a good idea.
At one time, having a managed security services provider meant you had someone physically in your office for this very reason. It was just like having another full-time employee on board, but it cost more. It cost a lot more. Often, they were ‘the person’ for several sites, so they may not have been yours exclusively and maybe had a tendency to disappear at crunch time when you needed them most. You probably thought about hiring a dedicated security expert. Still, if you did, you often found they got pulled into everything non-security, or you couldn’t justify the expenditure to management, who saw them as just another IT person.
Presently, with X-as-a-Service (XaaS) offerings ranging from a tenancy in a data centre to full-blown cloud services, the ability to consume security services, including Managed SOC, makes it more affordable and readily available than before. If you’re not thinking about a Managed SOC, you should be. That is, of course, unless you have your own Security Operations Centre (SOC) and dedicated security team to operate it. Having your very own SOC is only a reality for precious few, but a pipe dream for everyone else.
The very mention of Managed SOC can have a variety of effects on people. Some IT staff feel relieved because it takes the pressure off them. Others feel apprehensive because they worry they are relinquishing control over their information assurance.
Some in the business may object because they think a Managed SOC is an unnecessary expense, and they already have a ‘security person’ working for them. The truth is, this ‘security person’ often ends up being another overworked staffer who scrambles to keep up and cannot merely dedicate themselves to cybersecurity as you intended.
The first question is whether you have dedicated security resources. If the answer is yes, then you need to ask what they’re doing well, and what can improve. If the question around improvement gives you pause for thought, ask them what support they need, and pay attention.
Those of us who make our living in information assurance want to do our best, and often go above and beyond the call of duty, but sometimes come up short. If you can definitively answer that you have dedicated people who are doing well, and your environment is adequately protected, then we say, “well done”. Either you are big enough, well-resourced enough, and structured enough to manage the situation (and I commend that), or it could be that you cannot gain sufficient insight into your present security posture to give an informed answer.
I apologise if that hits a nerve; I speak from experience. It’s not a criticism, just an observation. We need to look out for each other. How do you know what you don’t know? Hint, get the right people involved. Starting with an assessment can help you to get better clarity.
If you have an information assurance gap or, at the very least, perceive you might, then it’s worth your while to get key stakeholders together to decide if it’s finally time to raise your hand and ask for help. I certainly hope you do. There are quite a few excellent managed services providers and Managed SOCs out there, some local, and many more with global 24/7/365 follow-the-sun offerings. Most will tailor their offerings to suit your specific needs, so engage them to figure out what those are. You will truly get out what you put in. Everything should be on the table and prioritised, unless you already know exactly what you need help managing.
Will you require 24/7 help or just 8/5 business hours? What about after-hours? What about support on demand when there is an incident? Reporting? Alerts, and event notifications? Moves, adds, and changes? Upgrades and updates? The combinations are endless, and you can quickly get a Managed SOC offering to suit your specific needs.
You can choose to have resources dedicated to you on a full-time or part-time basis. More commonly, you can select an extensive service offering with global SOCs that receive all your logs and alerts, monitor your systems, and take action based on their wealth of security intelligence. This way, instead of jumping at shadows when the phone rings, you know it is the real thing. Based on the security intel the Managed SOC possesses, you can be very proactive in knowing what to look for before you must deal with it.
Just like leasing a car or equipment, a Managed SOC becomes more affordable, and you only pay for the portion you use. In other aspects, SOCs are like ride-sharing, where you benefit from sharing the cost with others who have similar needs. Take time to figure it out, ask the right questions, and get the right people involved.
Now that I have given you a lot of considerations to work through, how about an example to help add context?
Let’s say you have a medium-sized enterprise environment consisting of a couple of data centres, a few offices, with headquarters in a major Australian city and several branch offices around the country including a few remote locations. Your production networks work well, but your team is run ragged trying to keep on top of everything. After a recent cybersecurity assessment, you fared better than expected but had a lot of room for improvement.
Some of the key findings from the report were too many layers of technology, a lack of integration between those layers, leading to a lack of visibility and inevitable human error. You have a small, but highly-skilled IT team but no dedicated cybersecurity people. Some of the team have basic security skills, but you simply cannot justify hiring an expensive cybersecurity resource. The reasons the board gives for knocking back the resource request include the big salary, and the fact that you don’t have enough work to keep them busy all the time. The board points out the last time they hired someone with cyber skills, they ended up doing everything except cyber, and resigned after a few months.
Recent data breaches in the media have caught the attention of the board and they want to know how the business is positioned. Your IT Manager doesn’t pull any punches and tells the board where your gaps and overlaps are, and how simply improving visibility and operations will go a long way to boosting your defences. The IT team can look after the maintenance, but they don’t know what to look for and don’t have the time to do it.
The board mentions a Security Information and Events Manager (SIEM) as it was mentioned by a vendor some weeks ago. The IT Manager tells them “yes, but” and outlines how operating a SIEM would increase workload and the volume of alerts, and only offers the team minimal advice for how to address the risks it uncovers. Another member of the board suggests building a Security Operations Centre because a competitor recently did, but the IT Manager highlights how they had to increase their headcount, blow out the budget with the capital expenditure, and still don’t have it working well.
It seems like a problem with no solution, until someone from the business reads an article about managed security services and Managed SOCs. They mention it to the IT Manager, who brings it to the board for consideration. The board agrees to look into it.
A systems integrator long seen as a trusted advisor in Australia, especially on matters of cybersecurity, meets with the business to discuss their needs. Instead of a death-by-PowerPoint meeting, the security sales specialist and the enterprise security architect ask the business why they want a Managed SOC and listen intently to the litany of challenges and solutions considered. The integrator’s team wants first to understand the “why”, and just as importantly, the desired outcomes and objectives.
Based on this, the integrator recommends a Managed SOC solution with a trusted partner that can offer 24/7/365 managed security services including intelligence review, action, reports, alerts, regular catch-ups via video conference, and a local presence via the integrator’s managed services team. A demonstration is arranged based on the business’s real-world needs, using a typical scenario the business faces daily to show how the Managed SOC works.
The Managed SOC demonstrates how events can occur, and what information triggers alerts, as well as offering forensic analysis of alerts to provide proactive maintenance advice. When specific criteria are met, an automated process underpinned by a manual review occurs to verify the event, declare it an incident, and escalate the matter to a dedicated security engineer who contacts the customer and works with them through to resolution.
For example, in the middle of the night, a cybercriminal discovers an exploit for a popular firewall and scans for businesses that use this technology. Accessing this intel on the dark web, they identify a victim and target them with a uniquely crafted attack that breaches the defences of the network. The security appliances send out some logs, as they normally do, but the source, destination, and packet size of the traffic are anomalous.
Local log collectors send the information to the Managed SOC and it triggers a rule for anomalous traffic. A security engineer is alerted, investigates, and determines the incident is legitimate. The matter is escalated, and the customer contacted to take action based on the Managed SOC’s advice. The malicious session is blocked, and all forensic data is captured. Necessary changes are implemented, patched, and tested while the rest of the network is monitored for irregular, related activity. Threat hunting is performed and eventually the network is given a clean bill of health, and the matter closed out jointly between the integrator, customer, and Managed SOC provider.
While this barely scratches the surface of the reality of breaches, incidents, and other accidental or deliberate events, it demonstrates the power and capability of a Managed SOC standing guard 24/7/365.
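The anomalous-traffic rule in the scenario above can be sketched as follows. This is an added example, not code from Data#3 or any Managed SOC provider; the `key=value` log format, the function names, the sample records and the threshold are all assumptions made for illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample logs in a hypothetical key=value format, not real traffic.
BASELINE = [
    "src=10.1.1.20 dst=10.2.0.5 bytes=500", "src=10.1.1.20 dst=10.2.0.5 bytes=520",
    "src=10.1.1.20 dst=10.2.0.5 bytes=480", "src=10.1.1.20 dst=10.2.0.5 bytes=510",
    "src=10.1.1.21 dst=10.2.0.5 bytes=490", "src=10.1.1.21 dst=10.2.0.5 bytes=505",
]
NIGHT = [
    "src=10.1.1.20 dst=10.2.0.5 bytes=515",      # normal
    "src=203.0.113.7 dst=10.2.0.5 bytes=64000",  # new source and abnormal size
    "truncated record with no fields",           # malformed, skipped
    "src=10.1.1.21 dst=10.2.0.5 bytes=900",      # known source, abnormal size
]
FIELDS = re.compile(r"src=(\S+) dst=(\S+) bytes=(\d+)")

def parse(lines):
    """Yield (src, dst, size) tuples, skipping lines that do not parse."""
    for line in lines:
        m = FIELDS.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def build_baseline(lines):
    """Learn which sources normally reach each destination, and the usual sizes."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for src, dst, size in parse(lines):
        peers[dst].add(src)
        sizes[dst].append(size)
    return peers, sizes

def reasons_for(src, dst, size, peers, sizes, z_limit=3.0):
    """Return the reasons a record deviates from the baseline (empty = normal)."""
    if dst not in peers:
        return ["destination never seen in baseline"]
    reasons = []
    if src not in peers[dst]:
        reasons.append("source never seen talking to this destination")
    mean = statistics.mean(sizes[dst])
    spread = max(statistics.pstdev(sizes[dst]), 1.0)  # floor avoids divide-by-zero
    if abs(size - mean) / spread > z_limit:
        reasons.append("size far outside baseline for this destination")
    return reasons

def detect(lines, peers, sizes):
    """Build alerts; two or more indicators mark the alert for analyst escalation."""
    alerts = []
    for src, dst, size in parse(lines):
        reasons = reasons_for(src, dst, size, peers, sizes)
        if reasons:
            alerts.append({"src": src, "dst": dst, "bytes": size,
                           "reasons": reasons, "escalate": len(reasons) >= 2})
    return alerts
```

Calling `detect(NIGHT, *build_baseline(BASELINE))` returns two alerts: the record from the unfamiliar source is marked for escalation, while the size-only deviation is left as a lower-priority item for review.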
Once you have a handle on where you need help with information assurance, have asked the questions and have the right people involved, including a reliable SOC partner, it’s time to let it go (and no, I’m not about to start singing some number from Frozen!) By this, I mean deploy the SOC, let the system start machine learning your traffic and consumption patterns, and leave your partner to do the heavy lifting for a change. You might be surprised at the improvement of your sleeping patterns!
Of course, I’ve simplified the SOC implementation quite a lot. After initial consultation with a partner, you can expect to go through an on-boarding process, establish secure links to the SOC, set up accounts and permissions, configure the access and feeds, and finalise the reporting, alerting, and management details. You will also need to assign a primary point of contact and internal escalation team, and alternate contacts when those people are unavailable.
Unavailable, you laugh? You know, when we take leave, get sick, get busy, all that stuff management never wants us to do? Ideally, you’ll already have (or will create) a hierarchy to handle notifications when they come to you from the Managed SOC.
I’ve had the good fortune to tour many SOCs from several Managed Security Services providers. I must say, they’re impressive, and the process they use to recruit their world-class security professionals is rigorous. An option for many businesses that pairs well with a Managed SOC is taking on a consultant that resides in-house, and dedicates their time to information assurance as part of the service. If you use this option, be sure you have a clearly-defined SLA to ensure they stay on task and don’t get pulled in a million directions. Managed SOC providers should offer this service as an optional extra, and Data#3 offers it with or without a Managed SOC agreement. We have an IT Recruitment and Workforce Services agency embedded within Data#3 that can help you source top-notch tech talent in all shapes and sizes, even CISOs as a Service.
With everything in place and correctly set up, you should relax and focus on other pressing tasks. Consider Managed Services for more than just security. You could benefit from having the experts look after the technology, so you can do what you want to — run the business.
Surprises can occur as a result of poorly-defined expectations for Managed SOC. Don’t just blindly assume your Managed SOC provider will look after everything security-related; be explicit in determining what is in scope and what is out of scope. Assign responsibilities. We can’t fault a SOC provider for an issue that isn’t in their SLA (but we both know we can get thrown under the bus just the same). Take the time to sort it all out first before signing on the dotted line.
Equally important is a clearly defined set of procedures to follow. Security playbooks that document best practice response and remediation are gold. Use your change management process and incident response plans wisely too. A highly skilled and experienced Managed SOC provider is an excellent investment, especially if they pull you up before making a change that may introduce risk; they shouldn’t just blindly follow your requests. They’re the experts, after all!
With more eyes (virtual or physical) on your systems, you may find yourself dealing with more security matters than before, now you have the visibility to identify them. I’d rather know than not know because I can’t fix a problem I didn’t know existed.
Also, be prepared for some people to get their noses a little out of joint. Some of the office inhabitants may feel uncomfortable with unfamiliar scrutiny. Ensure you communicate with everyone that the Managed SOC provider’s role is to help with the security of the business, not to be the fun police or act like a cyber-nanny.
A Managed SOC is like an insurance policy. It is an expense, but man, are you glad to have it when you need it! Full respect and appreciation for Managed SOC providers and what they must handle; goodness knows it is stressful at the best of times!
When your Managed SOC brings something to your attention, be sure to act on it. By the time it gets to that point, they’ve already vetted it and escalated it for action. If they recommend a patch, set the wheels in motion to apply it.
If you need help with a Managed SOC, please feel free to contact the Data#3 security team anytime.
Data#3’s Managed Services offering has evolved over 30 years to become what it is today. Our Managed Security Services are designed to rapidly identify and limit the impact of security incidents, through the provision of 24/7/365 threat monitoring, detection and targeted response. To do this we combine the experience of our dedicated Security Practice with cybersecurity consultants, as well as our security operations partner, SecurityHQ – a global team of over 250 analysts who offer the highest degree of visibility and protection against cybersecurity threats. This is enterprise-grade advanced threat protection with the agility for any size business.
Stay safe out there!