Whether you are trying to improve your security posture or need to meet compliance requirements, monitoring your environment through SOC services is key to building a mature overall Security Program. If you are part of the growing trend, you are also moving away from building and managing your own internal SOC and looking at Managed SIEM (Security Information and Event Management) or MDR (Managed Detection and Response) instead. So whether you are starting from scratch, looking to augment what is already in place, or comparing the available options with what you have today, you may be asking yourself: How do I determine organizational readiness? What is the right balance of automation versus human input? What makes one solution better suited to my organization than another? Through their close involvement with countless customer implementations, our experts have learned a thing or two about SOC services. Their collective experience points to one conclusion: get the most accurate picture possible of your current risks, your existing internal assets, and your clearly defined goals, so that you can align your needs, budget, and timing with the right services. To that end, we will walk you through a few steps to evaluate a) your company's Risk Threshold and b) the staffing required to sustain it, to help you find what makes the most sense in the context of your own Security Ecosystem.
Meet our Expert
Scott Williamson, CCDP, CCNP, VCP, runs a tight ship at the TRUE Labs SOC. If you have had the pleasure of talking with him before, you already know that. If you are one of our SOC customers, you may even have been on the phone with Scott and his team as part of their white-glove support, or during a response to something happening in your environment. If it was a high-priority incident on a weekend or in the middle of the night (not an uncommon attack window for threat actors), you may not have wanted your phone to ring at 2am. We are betting that by 6am the next day you were glad it did, and that the people you spoke with knew what they were doing. As our Director of SOC Services, Scott steers the ship, working closely with his hand-picked team of trained analysts to watch our customers' environments 24/7/365 and to understand and respond to correlated events. He has a strong interest in seeing our customers implement SOC services effectively in the context of their overall security programs, with their teams and ours working hand in hand to achieve effective outcomes.
Scott has learned a thing or two that can help guide you through the sometimes confusing alphabet soup of SOC Services, so you can evaluate and find the right solution type for your environment. Here we tackle the first two key facets of a solid SOC services selection process: Measuring Your Risk, and realistically aligning your existing team with the Resources Required to meet at least your minimum Risk Threshold. (For a more detailed breakdown, see his recent webinar, Top Critical Mistakes in SIEM Deployment.)
Measuring Your Risk Threshold: 3 Key Inputs
- What Needs Protecting?
First, look at the specific contextual risks in your own environment: IT infrastructure, critical and non-critical assets, vendors, technologies, human components, and so on, and understand how (and how well) each piece of the puzzle works with the rest. This is most informative when evaluated against a trusted standard such as the NIST Cybersecurity Framework. Yes, we mean a Risk Assessment. Whether you have been through this process before or are just getting started, a Risk Assessment gives you a benchmark for where you are and where you need to be: the hard data that successful planning and deployment depend on. Ask anyone frustrated with their current solution and you will quickly see that this step saves time and money, because it tells you what needs to be addressed before rollout and lets you select the right solution from the start.
- What Are the Real Costs Associated With a Breach?
Second, decide how much financial risk is acceptable to your organization. This approach accepts that you will always face threats, but helps you and your leadership team decide where to draw the line on how long you are willing to wait before detecting and remediating incidents, based on the cost of that delay. According to industry analysts at Gartner, many of the companies they talk with are either still deploying SOC services or are unhappy with what they currently have, meaning most organizations are struggling with sub-par monitoring. Given that struggle and its effect on how long it takes to identify and remove bad actors from their systems, it is easy to see how breaches have become so costly. The 2018 Ponemon Cost of a Data Breach Report places the average cost per record exposed for US companies over the past year at $233 (compared with $148 globally); apparently, it is expensive to be compromised in America. Multiply that number by the volume of individual customer, financial, and human resources (or other sensitive) records you currently hold, counting every place those records are used or stored for access, business processes, or analytics. Then add considerations specific to your industry, such as compliance requirements, notification and remediation costs, or breach penalties. For example, if you are a healthcare organization, the average cost jumps to a staggering $408 per patient record exposed. Now align this with your sensitive assets and every place they live in your environment. If we are only talking about a stolen laptop holding 100 patient records, that is a "mere" $40,800; for larger systems the numbers add up in a hurry. One caveat: treat the per-record average as a planning figure rather than a prediction. It is an average across many breaches of varying size and industry, and the Ponemon report itself analyzes very large breaches separately rather than extrapolating the per-record figure to them. In the end, an accurate Risk Assessment combined with industry figures like these will help you determine how much financial risk you are willing to take.
- What is the Real Cost of “Dwell Time”?
Third, determine how much risk you can afford to take with what industry experts have termed dwell time. Dwell time is the number of days a threat actor sits inside your environment before being detected, and there is (predictably) a direct correlation between the length of that period and the cost of a breach. The Ponemon Cost of a Data Breach Report correlates these two measures across hundreds of breaches over the past year. Companies that detected intruders within 100 days reported an average breach cost of $3.11M (yes, million, and that figure varies with data sets, industry, and other unique aspects of your environment). Where intruders went undetected for longer than 100 days, the average jumped 35% to $4.21M. Whatever the size of your incident, the point is that on average a breach costs about 35% more when threat actors are left in your environment undetected beyond 100 days. Looking back at your Risk Tolerance, if your threshold as an organization is high, that may be acceptable relative to your own figures and the results of your Risk Assessment. Setting this data against the key assets that need protecting will then help you decide how long you are willing to wait before an analyst looks at your logs. Does it need to be real time, 24/7/365, handled as soon as possible? Or are you okay with not knowing about activity outside the normal work week, such as on a Friday at 6pm after your team has gone home for the weekend? Scott Williamson tells stories of truly urgent incidents for which he has had to wake customers in the middle of the night. Those are not fun phone calls to make, but when it really matters, our customers value them, knowing they have someone who can walk them through a response right away.
What Resources Will Be Required to Sustain Your Threshold?
After determining your company's Risk Tolerance, inventory your current information security staff and measure them against what will be needed to manage the solution that best meets your goals and expectations. Unfortunately, this is easy to underestimate, and it leads many organizations to failed or lackluster implementations over time. The internal lift to effectively monitor, tune, and manage the solution day to day is simply more than they anticipated, and it becomes a drain on internal teams. It is no secret that talent is key to the success of your program, so list your current full-time employees and how much time each of them can dedicate to it.
Once you know how much time your team has available, the next consideration is how they will be trained. By way of comparison, TRUE Labs partners with our SOC analysts' professors and programs throughout their four-year educational tracks, preparing them to work with our tools. Effectively, this means that before they ever set foot in the lab, their curriculum is crafted to prepare them for exactly what they will be doing, and that by the time analysts are ready for full-time monitoring and response, they have hands-on experience and training on every tool we use in the SOC, both provisioned and proprietary, and they understand the correlated data they are reading. So make sure your own team is already familiar with processes, protocols, correlations, and what a "response" should look like. (As TRUE CEO Rory Sanchez often points out, "Is that RESPONSE with a big R or response with a little r?")
If you are considering outsourcing some or all of your monitoring, you will also want to look into the training of every analyst who will work with your data and what happens as part of their response. How will they communicate with you so that you are informed by their reporting without drowning in alert fatigue? What happens during an event or incident? Who will you talk to if you call them with a need, or if you receive a call as part of a response? For example, when our customers have an incident that needs escalation, or a problem on site, they can pick up the phone and know they are talking to an analyst who knows their environment, not an unfamiliar person in a call center somewhere. You will personally talk to Scott, or Jessica, or one of our other specialists. That is something our TRUE Labs team considers invaluable, and customer feedback tells us they are always relieved to know they can reach someone right away who not only understands their situation but could even come on site in an emergency. When time is of the essence and you have been compromised, that is peace of mind.
Taking this one step further, we dig into the cost of staffing this internally, helping customers make predictions based on realistic figures. To calculate it yourself, map the extent of monitoring you expect (hours of coverage required per week) to the number of full-time employees (FTEs) needed to fill those hours. If monitoring only 8am to 5pm, Monday through Friday, is acceptable for your organization, that calls for 2 to 3 FTEs, conservatively, once you allow for sick days, holidays, leave, and so on. Multiply that headcount by what starting analysts make at your organization. If you require 24/7/365 monitoring and response, the number of FTEs is more like 7 to 10, again on the conservative side; some industry estimates put it closer to 12. The arithmetic behind the jump is simple: one seat staffed around the clock is 8,760 hours a year, and an analyst who is actually at the console for roughly 1,900 hours after leave, training, and holidays covers only a fifth of that, so single coverage alone needs about five people before you add a second analyst per shift for redundancy and escalation. That will help you decide whether to manage all, some, or none of your SOC services in house, which in turn informs the choice between SIEM, Managed SIEM, co-managed SIEM, MDR, and so on. The way to evaluate and compare them is by the level of service you get on the management and response side of each. Since providers delineate their services differently, dig into exactly what you are getting and work with an expert at each provider who can help you compare apples to apples.
Money Lost Between Multiple Providers
Something else we hear often from our customers is that they appreciate being able to go to the same provider for their assessments, support for their GRC program, IT needs, and SOC services, because it saves them time and money. One team of experts can collaborate with the other, together building a clear picture and a road map for executing the projects at hand. If IT engineering issues surface during remediation, or controls need to be aligned with a governance or compliance program, we have experts ready to help with that too. What we hear is that when customers used multiple providers for assessments, SOC services, GRC, IT engineering, and so on in the past, they lost money, time, and efficiency in the hand-offs. Their projects took longer and were harder to streamline or consolidate. With ad hoc strategies, one project is not necessarily informed by another. We find that a unified approach gives clearer insight into which tools are addressing which problems, how they are configured, who is managing them, and how those efforts help you meet your overall governance goals.
A Holistic Approach to Your Security Ecosystem
When you hire TRUE, you are not just purchasing a tool; you are buying security expertise. We evaluate the tools you want to use and make recommendations based on your environment, your unique risks as a business, and your budget. That means helping you compare your options among SIEM, Managed SIEM, and MDR in an informed way that saves the most time and money, because our success depends on ensuring yours. If you would like to hear more about how your team can partner with TRUE for a holistic approach to IT Security, working together as an extension of the same team, contact us today.
Click here to watch our Top Critical Mistakes in SIEM Deployment webinar on-demand.