Demystifying the SOC, Part 2: Prevention isn’t Enough, Assume Compromise

Gorka Sadowski
4 min read · Jan 5, 2021


In our previous post, we discussed why every organization, including yours, needs a Security Operations Center (SOC) to detect and address security breaches and maintain the infrastructure in a known good state. SOCs are part of a longstanding shift in cybersecurity from prevention to a blend of prevention and threat detection, investigation and response (TDIR), the latter of which is the mission of the SOC.

It wasn’t long ago that the industry was focused almost exclusively on prevention via firewalls and network proxies aiming to create the so-called “network perimeter.” Inside the perimeter was the “trusted zone” of the corporate LAN, where everyone went about their work safely and there was little need for airtight security. Outside the perimeter was the Wild West of the “untrusted zone,” full of script kiddies and other villains probing and beating on the walls trying to get in. This was sometimes called M&M security — with a hard shell and soft inside.

Unfortunately, over time that illusion of the protected perimeter was dashed as more and more well-protected organizations suffered massive security breaches that cost them millions of dollars in damages. The most expensive breaches ever cost Epsilon a whopping $4 billion, the Veterans Administration $500 million, Hannaford Brothers $252 million — and the list goes on from there.

The truth is, as we discussed in the previous blog, no organization — big, medium or small — is safe from a breach. That’s why it is assumed today that it is only a matter of time before a breach happens, despite the firewalls, the proxies, the intrusion prevention systems, the anti-malware tools and a program of rigorous security updates to operating systems, security tools and applications. Worse, you may be dealing with a malicious insider who already has valid credentials to log in. When a breach does happen, the SOC must detect, investigate and remediate it as quickly as possible, before it spreads and wreaks havoc on the business.

Why is it that organizations with massive investments in security couldn’t protect themselves?

The Old Perimeter is Gone, a.k.a. Identities Are The New Perimeter

Enter mobile, cloud computing, SaaS applications, bring-your-own-device (BYOD) programs and the Internet of Things, all of which are common today at most organizations — not to mention Covid-19, a human virus that has forced everyone to work from home on who knows what.

All of these trends have burst the perimeter wide open, such that there are no longer trusted and untrusted zones. It’s all the Wild West. Security firms have devised numerous tools and strategies for protecting all these devices and their users, but it’s a much tougher job than it used to be, and it has become a cat-and-mouse game in which the security industry and hackers constantly find ways to thwart each other.

In fact, it is accepted today that “identities are the new perimeter.” Welcome to this new world.

Hackers Are More Sophisticated, and Insider Threat Risks Are on the Rise

The days when teenage script kiddies hacking from their basements were the only threat are long gone. Today, armies of hackers are hired by organized crime and nation-states such as Russia and China to create and harness sophisticated hacking tools designed to break through all but the most advanced defenses. These hackers penetrate organizations with advanced persistent threats (APTs) that hide and spread across the network for weeks or months looking for valuable sensitive information, or with ransomware that locks valuable data and attempts to force the victim to pay large sums of money to get it unlocked. Many of these advanced tools are available on the dark web to anyone who wants to use them, and there are new ones every day.

These attacks can take advantage of small configuration mistakes, overlooked firewall or operating system misconfigurations, or anti-malware software lacking the very latest updates and upgrades. Many use zero-day exploits for which no malware signatures exist yet.

Your employees might inadvertently help these hackers penetrate your network by falling victim to social engineering, such as clicking on a phishing email or visiting a website infected with drive-by malware.

Risks from insider threats have also risen lately, and they are expected to remain a major source of worry for organizations. According to Ponemon’s 2020 Cost of Insider Threats Global Report, insider threats at companies with more than 1,000 employees increased in number by 47% from 2018 to 2020. This includes malicious insiders, compromised insiders and incidental insiders (more on this subject in a subsequent post).

That’s why today, despite the best prevention approaches, organizations must assume that bad actors have already penetrated their infrastructure. According to IBM’s 2020 Cost of a Data Breach Report, the average time to identify and contain a data breach is 280 days. The stakes are high, according to the same report: the average saving from containing a breach in less than 200 days versus more than 200 days is $1.0 million. It is hence critical to have a strong program to catch these hackers, understand what happened and bring the network back to a known good state as soon as possible. That’s why a SOC is indispensable.

But don’t despair, because most likely your organization already has a SOC, even if you’re not aware of it. What is a SOC, what does it do exactly, and who is running your SOC? We’ll cover that information in our next post in this series.


Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.