Security Operations Centers add Detection To Enhance Protection
To understand a Security Operations Center (SOC), you must understand the current state of cybersecurity in organizations. Have you ever wondered how many of the Fortune 500 have experienced a breach? The answer is easy: all of them. Former Director of the FBI, Robert S. Mueller III, said “I am convinced that there are only two types of companies: those that have been hacked and those that will be.”
The reason these large firms with big budgets get breached is because at some point, all security tools will fail. Risk can never be eliminated, only reduced to an acceptable level. This is even more true when all security efforts are based on Protection tools. The cybersecurity gurus at the National Institute for Standards and Technology recognized this and made sure Detection was a key part of their cybersecurity framework.
As an example of how MDR fits in, think of your house: it has doors, windows and a fence to keep people out. But people with important things to protect might add motion-sensitive lights, alarms or even monitoring systems. These tools are there because door locks can be picked, windows can be broken and fences can be climbed. Remember, the attackers only need to get through once. All security tools can be bypassed.
Can you claim you are successfully protecting your data and systems 100% of the time, 24 x 7, including holidays? No one can, but SOCs help.
Managed Security Service Providers (MSSPs) – Step up your Security
We are a Managed Service Provider (outsourced IT featuring our STAR power) and a Managed Security Service Provider. The Fulcrum Group can enhance your security with a broad variety of Protection tools. Our SPOT Managed Service plans include basic security. Our MSSP services and enhanced tools turn it up a notch and are typically delivered through easier to purchase subscription models.
This provides you with access to a variety of complementary security services. Enhanced tools range from security awareness training and simulated phishing campaigns to whole disk encryption, multi-factor authentication (MFA) and others. We even offer different types of risk assessments and other Identification-oriented security services to complement managed detection and response efforts.
But again, what might be right for a 20-person services organization may not be right for a larger firm, or one bound by special compliance requirements such as HIPAA/HITECH, CJIS, PCI, FINRA, GLBA, CCPA, GDPR or others. The National Cyber Security Alliance states that 60 percent of small and mid-sized businesses that are hacked go out of business within six months.
Recent research from Verizon’s 2019 Data Breach Investigations Report suggests that it may take only minutes for corporate data to be compromised, but that discovering the breach can take six months or more. The five key needs for Detection are:
- Configuration of logs to be able to detect breaches,
- Technology to centrally aggregate all your logs,
- Technology to correlate information,
- People watching the information in real time, and
- With the security expertise to understand an actual attack.
Understanding Security Information and Event Management (SIEM)
Most technology on a business network has the ability to generate logs and events. This capability is important for trending, troubleshooting and discovering issues. It is also the reason most IT departments and MSPs implement “managed” devices on the network. While logs can be generated, they must be configured or tuned by an expert.
Logs can be a great thing but they also generate a LOT of noise and require a lot of effort to manage. This is why SIEMs were created. These are network devices or software that act as a collection point and correlate different logs, from different systems, at the same time. The correlation can help identify Indicators of Compromise, or threats on the network that might lead to something worse. If your blood pressure is elevated, you’d rather know sooner so you can treat the issue.
SIEMs can help with this but have their own challenges. Properly deploying this technology requires someone who understands the various systems and can configure them properly, as well as customize rule sets to alert you to potential issues in your environment. Tuning rules against your baseline can take months before you see the benefits, and SIEM deployments typically carry high upfront costs and complexity.
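To show what the correlation described above actually does, here is an added example (written for this page, not code from the article or from any SIEM product): it normalizes two constructed log formats, a VPN appliance and a Windows domain controller, into common fields and then applies one correlation rule, a burst of failed logons for the same user and source IP followed by a success. Neither source alone crosses the threshold; only the combined view produces the Indicator of Compromise. Log formats, hostnames and addresses are all constructed.

```python
"""Toy SIEM correlation: normalize logs from two systems, then flag a
failed-logon burst followed by a success from the same user/IP pair."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines: a VPN appliance (key=value syslog style).
VPN_LOG = """\
2024-03-01T09:00:01 vpn1 auth-fail user=alice src=203.0.113.9
2024-03-01T09:00:05 vpn1 auth-fail user=alice src=203.0.113.9
2024-03-01T09:00:14 vpn1 auth-ok   user=alice src=203.0.113.9
2024-03-01T09:30:00 vpn1 auth-fail user=bob   src=198.51.100.7
"""
# Constructed sample lines: a Windows DC export (date,time,host,event_id,user,ip).
WIN_LOG = """\
2024-03-01,09:00:03,DC01,4625,alice,203.0.113.9
2024-03-01,09:00:11,DC01,4625,alice,203.0.113.9
2024-03-01,09:05:00,DC01,4624,carol,10.0.0.5
"""

def parse_vpn(text):
    pat = re.compile(r"(\S+) (\S+) auth-(\w+)\s+user=(\S+)\s+src=(\S+)")
    for m in pat.finditer(text):
        ts, host, result, user, ip = m.groups()
        yield {"ts": datetime.fromisoformat(ts), "src": host, "user": user,
               "ip": ip, "ok": result == "ok"}

def parse_windows(text):
    for line in text.splitlines():
        date, time, host, event_id, user, ip = line.split(",")
        yield {"ts": datetime.fromisoformat(f"{date}T{time}"), "src": host,
               "user": user, "ip": ip, "ok": event_id == "4624"}  # 4624 = logon success

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failures for (user, ip), from any source,
    land inside `window` and are then followed by a success for that pair."""
    alerts, failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        # Drop failures that have aged out of the sliding window.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if not ev["ok"]:
            failures[key].append(ev["ts"])
        elif len(failures[key]) >= threshold:
            alerts.append({"user": ev["user"], "ip": ev["ip"],
                           "failures": len(failures[key]), "at": ev["ts"].isoformat()})
            failures[key].clear()
    return alerts

if __name__ == "__main__":
    for alert in correlate([*parse_vpn(VPN_LOG), *parse_windows(WIN_LOG)]):
        print(alert)
```

Run on either log alone the rule stays silent; run on both, it reports the successful logon for alice from 203.0.113.9 after four failures, which is the kind of cross-system finding a SIEM is deployed to surface.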
Your Cyber Security Operation Center (Cyber SOC)
The third component of a successful Managed Detection and Response effort is people. The Fulcrum Group has partnered with Arctic Wolf Networks to help provide our 24 x 7, 365 days a year Managed Detection and Response services.
Our partnership targets offering MDR services to small and midsize businesses that have limited security personnel, security tools and/or security budget. Included within our program is a SIEM device for every location with an Internet connection and the ability to monitor some cloud services, such as Office 365, Salesforce and Box.
Around the clock, your dedicated security Concierge Team can work through us or through your internal IT contact. Included with your service are activities such as:
- Human-augmented machine learning AI for 10 times better threat detection with 5 times fewer false positives
- Continuous network security monitoring (different than just network monitoring)
- Threat detection and investigation (remote investigation with recommendations)
- Triage incidents (including some forensic analysis)
- External vulnerability scans (keeping external eye on your network)
- Weekly incident reports (emailed to you to clarify what things were looked at)
- Scheduled reporting (get an overview of activities and opportunities to improve your security)
- An assigned security advisor (a higher-level expert who can provide higher-level advice)
- The ability to retain logs for an extended period of time
- Predictable pricing based on number of employees, servers and deployed sensors
Stop guessing that “everything’s fine”.
Malware like crypto-mining and Advanced Persistent Threats (APTs) are different from ransomware, because they don’t want to be detected. Ask your IT team or service provider whether a trained security professional is reviewing your important logs throughout the entire day and whether they escalate potential issues to a higher-level resource to help you figure out if there are Indicators of Compromise (IoCs). You may just save your company from going out of business.