Demystifying the SOC, Part 1: Whether You Know It or Not, You Need a SOC

This is the first in a series of a dozen or so blog posts entitled “Demystifying the SOC” covering several topics on security operations centers (SOCs). My goal is to help dispel many of the myths and answer many of the questions that I heard over thousands of conversations with clients while I was a technology analyst at Gartner covering SOCs.

When I was at Gartner covering Security Operations Centers (SOCs), I had hundreds of discussions with organizations looking reluctantly to build a SOC after a breach was declared, or to buy a security information and event management (SIEM) solution after failing an audit. “Isn’t it a waste?” they would often ask. “I’m a mid-market company selling widgets. Why would hackers be interested in me?”

As you’ll see, it’s very dangerous to assume you’re not a target. The good news is that you don’t need a Pentagon-style war room filled with scores of full-time, screen-monitoring security experts to have a SOC.

In fact, as I’ll discuss in Part 3, you likely already have a SOC. Here, I’ll break down the reasons you need a SOC.

You’re a Target

Why does every organization, including yours, need a SOC? First, there’s no such thing as an organization too small to be a target. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 28% of security breaches in 2019 targeted organizations with fewer than 1,000 employees. Further, according to IBM’s 2020 Cost of a Data Breach Report, the average total cost of a data breach was $2.64 million for organizations with under 500 employees.

Perhaps you think that your organization or market category is not one with the type of sensitive data prized by a nation state or criminal hacker. However, this doesn’t mean that you are safe.

You’re not Safe

Your company may even suffer a cyberattack simply as collateral damage from an attack on a bigger target. The notorious NotPetya attack of 2017 targeted financial institutions in Ukraine but also inflicted collateral damage on numerous other organizations worldwide that used the same infected software update site. The losses were steep even though those companies were not the intended targets, ranging as high as $870 million for pharmaceutical giant Merck, with many smaller companies damaged in its wake.

The more recent SolarWinds attack is another example of organizations being collateral damage in a wide campaign.

Perhaps you think that you have all the required prevention tools, and that such a scenario cannot happen to you? In the next post, we’ll discuss why prevention is not enough. You need threat detection, investigation and response, and you will need to bring your organization back to a known, good state. In short, you truly need a SOC.

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.