
Why a Security Operations Center should be the first and the last thing you have in place

It would be a bit mean to compare a SOC to a band-aid, but the reality is that even the best and most modern SOC never fixes the root cause of why an attack is happening.

Harri Kallioniemi / January 23, 2023

If anything, the first part of the 2020s will be remembered as the time when our resiliency was really tested. First, we were hit by a pandemic, then, in parallel, by an increasing number of geopolitical issues, inflation and cyber-attacks.

Geopolitical relief is outside the scope of the services we provide, but we certainly advise and support our customers in improving their resilience against different kinds of business continuity risks, including cyber-attacks.
 
And this is indeed a business matter. A recent study on ransomware concluded that on average the systems are down for 25 days. That is 25 days of an organization not doing what it is supposed to do. I know a lot of industries where that leads to almost certain bankruptcy. Another study by Deloitte concluded that less than 10 % of the cost of an attack was incurred during the attack period; most of the cost came in the immediate aftermath and then through the long-term loss of revenue.

So how should companies improve their resiliency?

An easy answer is to have a Security Operations Center (SOC) in place. That helps companies detect and respond to a cyber-attack. But not just any type of SOC. Traditional SOCs are based on a perimeter protection approach, which is good for keeping the bulk of the attack volume in check. But what if a burglar tailgates past the front desk (the equivalent of a phishing attack) and then has unlimited access to your building?
 
You need a SOC that has sensors everywhere and continuously looks for events that are out of place, and especially for combinations of events. But detecting those in a massive flood of events is an impossible task for a human, so we need help from machine learning algorithms that continuously look for new events that are associated with an attack, or events that are out of place. As an example: you, as a user, logging in to a system at 4 am on a Sunday. The whole idea of a modern SOC is not just to detect these, but also to stop them in their tracks. In the case of your unusual login, the system forces automatic two-factor authentication, ensuring that it really is you.
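As an added illustration (not code from this post or from Tietoevry), the following Python sketches the detect-and-respond logic described above: a per-user baseline of normal login hours and source countries is built from constructed sample events, one out-of-place signal triggers step-up authentication (the Sunday 4 am case), and a combination of signals triggers a block and an alert. The user names, country codes and the two-signal threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (ISO timestamp, user, source country); stand-ins for
# the sensor feed the post describes, not real log data. Alice's history is
# Mon 2 Jan .. Fri 6 Jan 2023, 08:00-17:59, always from Finland.
HISTORY = [(f"2023-01-0{2 + d}T{h:02d}:15:00", "alice", "FI")
           for d in range(5) for h in range(8, 18)]

def build_baseline(events):
    """Per-user baseline: the (weekday, hour) slots and source countries seen so far."""
    base = defaultdict(lambda: {"slots": set(), "countries": set()})
    for ts, user, country in events:
        t = datetime.fromisoformat(ts)
        base[user]["slots"].add((t.weekday(), t.hour))
        base[user]["countries"].add(country)
    return base

def assess(baseline, event):
    """Score one new login; returns (decision, reasons).

    One out-of-place signal -> step-up authentication (the post's Sunday 4 am case).
    Two signals at once (the 'event combination' case) -> block and raise an alert.
    """
    ts, user, country = event
    if user not in baseline:
        return "require_mfa", ["no baseline for user"]
    t = datetime.fromisoformat(ts)
    reasons = []
    if (t.weekday(), t.hour) not in baseline[user]["slots"]:
        reasons.append(f"unusual time {t:%a %H}:00")
    if country not in baseline[user]["countries"]:
        reasons.append(f"unseen source country {country}")
    if len(reasons) >= 2:
        return "block_and_alert", reasons
    return ("require_mfa" if reasons else "allow"), reasons

BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for ev in [("2023-01-10T10:00:00", "alice", "FI"),     # Tue 10:00, in baseline
               ("2023-01-08T04:00:00", "alice", "FI"),     # Sun 04:00, off-hours
               ("2023-01-08T04:00:00", "alice", "ZZ"),     # Sun 04:00 from a new country
               ("2023-01-10T10:00:00", "mallory", "FI")]:  # user never seen before
        print(ev, "->", assess(BASELINE, ev))
```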
 
But there is a problem with relying on a SOC alone as the solution. It would be a bit mean to compare a SOC to a band-aid, but the reality is that even the best and most modern SOC never fixes the root cause of why an attack is happening.
 
That is why a SOC should be the last line of defense, there for when everything else has failed. Those other things are mostly the more boring side of traditional IT operations: configuring and updating the systems, managing your user access, designing your architecture to be more resilient. This is work that happens every day, and it is the source of 99 % of your issues.
 
Most cyber-attacks are caused by automated bots looking for known vulnerabilities, or by mass phishing campaigns, not by a targeted effort where a super hacker finds a way through all your firewalls. You get hacked because somebody somewhere forgot to patch a known vulnerability in a system, forgot to delete a user from a system that is not part of your single sign-on, or left the default password in a system. These are tedious tasks that your IT people perform every day. But there are so many of these things to do, they are so often complex to execute, and there are so few resources, that you can take it for granted that you have a lot of such vulnerabilities in place. Now it is just a matter of time before somebody finds one and exploits it.
 
This issue is not going to be improved by just doing more of the same. Fortunately, there is a solution, and it is called cloud transformation. I am not talking about a place called the cloud, but about a way of working. What you need to do is describe everything as code: how your systems are deployed, how they are configured, how they are maintained.
 
This has a massive improvement effect on many fronts. First, it dramatically reduces the human mistakes that are bound to happen in your IT operations. Things are always done correctly, and you even have an audit log to prove it. Secondly, when the worst happens, you are able to reduce the recovery time from those 16 days to 16 minutes, because you can do a clean installation in minutes instead of trying to fix a leaking boat with duct tape and chewing gum.
 
And there is one more "and" here. When you do that, you also advance your digitalization, as now the developers can use your platforms through APIs and their productivity goes up massively. So you are quite literally killing two birds with one stone.
 
One more thing: protect your data. If you lose it, your right to exist stops. Deploy encryption for all your sensitive data, protect that data with ransomware-resistant backups, and keep a copy of your data in a different country. That is a rounding-error cost that will save you one day.
 
So, evaluate your current SOC and update it with a modern approach if needed. Ensure your most sensitive and business-critical data is protected against the top risks of the 2020s. And continue your cloud transformation, as that is the only thing that helps you in the long run.

 

Harri Kallioniemi
Head of Growth Enablement, Tietoevry Connect

Harri has a passion for driving change and transformation. With a very broad industry background, Harri is seasoned in developing business from an early stage concept into ongoing business – and he believes we have only seen the first glimpse of the Public Cloud’s possibilities.

 
