Security Operations Center (SOC) and Security Information and Event Managment (SIEM) – Be careful of the buzzwords
SOC and SIEM… the Latest Buzzwords
About 8 years ago when Managed I.T. Services was starting to gain a foothold in the small and medium sized business space, the term “Proactive” was coined as the hot buzzword. Outsourced I.T. services were transitioning from a fully reactionary model in which businesses paid based upon block hours or a “time and materials” based approach over to a flat fee approach in which service providers were trying to figure out how much time to include and what services all at a predictable costs each month. Fast forward to 2019, and the term “proactive” has lost all meaning and quite frankly – it makes me cringe every time I hear how some organizations are using it, claiming that their version of “proactive” is still an automatic alarm that their monitoring software alerts them to AFTER an issue has already occurred. There’s nothing proactive at all about most service provider’s approaches like this, it’s simply an automated reactive support model.
As we wind down 2019, there are some new buzzwords that are starting to take the place of “proactive”, which is a welcome relief but is still wrought with similar misconceptions, flawed approach, and quite simply – huge potential for businesses to be led further down a rabbit hole of thinking they are better protected than they really are. Enter the buzzwords – Security Operations Center or “SOC” as it is commonly referred to and Security Information and Event Management or SIEM. Both buzzwords are starting to be leveraged in the sales conversation and used in marketing initiatives where wildly colored dress “socks” are being given away as a quirky way to do something different than talk about “Proactive”.
What Does SOC and SIEM Even Mean?
Before we get too deep into the dangers of blindly accepting these buzzwords, let’s first take a step back and define what they even mean. A Security Operations Center or SOC, is simply a practice of having dedicated security engineers actively watching over clients’ networks on a consistent basis. Normally this is provided on a 24/7/365 basis since the bad guys who are trying to do bad things are not considerate enough to at least launch their attacks during normal business hours. So in essence the big differentiator in terms of what a SOC provides is dedicated security engineers watching over your stuff on a dedicated consistent basis.
Now let’s add in a Security Information and Event Management(SIEM) component. All this really means is that while you have people watching over your stuff on an ongoing consistent basis, you add in the benefit of having a security event log repository that these security engineers can analyze in real-time or from a historical perspective if an issue does arise that requires more advanced diagnostics and detective work.
So What Do We Need To Be Cautious Of?
Neither of these two services are a bad thing! In fact, these are a HUGE step forward in getting business owners and managers aware of the significance and reality of the threats that are hitting their operations on a daily basis. Because security engineers are not cheap, nor are they available in any sense of abundance in any market, many service providers are outsourcing these two services to larger security vendors that can provide a framework for scale that allows for highly specialized engineers to be leveraged for multiple clients and networks. Again there is nothing at all wrong with outsourcing the SOC and SIEM operations to a larger security focused partner since it allows for better skillsets, better tools, and better infrastructure than most small Managed Services Providers or Managed Security Services Providers to provide in-house. In fact DaZZee leverages this model as well and utilizes one of the top security partners and services in the industry to provide our 24/7/365 SOC and SIEM.
So if these services by themselves are not bad, and the idea of outsourcing to a specialized partner is not bad, where is the danger that most businesses need to be worried about with the advent of these new buzzwords? Simply put – these buzzwords cannot be the sole focus of the security discussion and framework. If they are, businesses and organizations are making huge false assumptions about their level of protection and security for their operations. SOCs and SIEMS are nothing more than tools in a tool bag. Organizations must recognize that a hammer can’t build a house on it’s own, it takes an architect, a skilled contractor, and detailed plan to make it happen. Thats where the flaw and mistakes are being made especially in the sales discussion with service providers today just like they were several years ago when the discussion was about being “proactive”.
To help further outline the danger of blindly buying into these buzzwords, think of it this way;
You have an alarm system on your business. Thats a great step – getting something that can generate an alarm if something bad or unexpected happens. So the next step is that you want to hire a monitoring company that can respond to the alarms if something bad happens in the middle of the night and if necessary call the fire or police department on your behalf. That again is great – you need someone looking at those items 24/7.
But… you don’t start there or only implement these(or at least hopefully you don’t). You also make sure you build your office in a great location that has a lower crime rate. You install multiple locks and security points inside the building so that it is much more difficult for someone to get to your valuable items, money or intellectual property. You make sure any cash is stored in a locked safe, and that any cash on premises is kept to a minimal for operations. You do background checks on your employees to make sure you are hiring credible, honest and trustworthy staff. You establish policies for access and who can get to what data or physical items. You install security cameras to deter theft and to provide security footage in the event something happens. You may have a security service on premises after-hours. Simply put, you don’t start with an alarm system and a monitoring company… you start with all the tools and measures needed to physically secure your operation and the alarm system and monitoring company are normally the last steps.
So the real danger when it comes to SOCs and SIEMs in the discussions for cybersecurity and how it can help or impact your operations is, just like the buzzword “Proactive” was thrown out ambivalently without any context, the same thing is happening with SOC and SIEM as industry buzzwords. We are seeing an influx of people trying to get into the managed services and managed security services market due to the perceived simplicity of some of the technology today as well as the lucrative potential for reoccurring revenue. People and organizations that have had really no background or at best limited background in their core business model around network infrastructure and security are now representing themselves as “Security Experts” and Managed Security Services Providers(MSSP)(another buzzword being overused). They are leveraging the buzzwords, outsourcing the monitoring and management services because it is becoming cheaper and easier, but at the core of their operations, they have limited in-house experience to design, operate, and maintain a secure network environment.
What Do We Need To Do To Make Sure We Are Using The Proper Criteria When Choosing an MSSP?
So the questions you need to be asking if you are being presented with a Managed Security Service offering are;
- How many years has your organization been in the network security and network design field as a core competency of your business?
- What security specific certifications do you in-house techs and engineers hold?
- What is your in-house level of experience as it relates to cybersecurity and the mechanism needed to design and secure the infrastructure and processes of our organization
- Who would be onsite with us from your team in the event of a cybersecurity incident and what does that response plan look like?
The good news is that businesses are now starting to have the security conversation about their business and operations. Just make sure that you are not putting all of your eggs in a buzzword of the month basket.