Avoid These 3 Mistakes When Deploying Security Operations Centers

Welcome to the latest installment in our blog series on Security Operations Centers (SOCs). Last week, we focused on the issues accelerating the need for SOCs. This week, we’ll examine the misconceptions and false starts that have given SOCs a bad name in recent years.

No matter how sophisticated a company’s cyberdefenses are, hackers have proven they can find a way into its systems, due largely to the people aspect of cybersecurity: as long as networks are built and maintained by people, mistakes will be made that create opportunities for hackers to exploit.

Let’s be clear: most companies’ network environments aren’t pristine. Devices access the network without IT knowing it. Data resides on their networks for which IT didn’t account. There are a number of exceptions and workarounds employees have created – usually not maliciously, but for the simple fact that they want to get their jobs done as quickly and easily as possible.

Chief Information Security Officers (CISOs) have known this for quite some time, but in order to make the right investments to secure data, they need buy-in from senior leaders such as the Chief Financial Officer (CFO). We’ve said this time and time again, but it bears repeating: Cybersecurity is a business issue, not just an IT problem. When you run the risk of losing millions of dollars in fines, lawsuits, and brand reputation after a data breach, you quickly understand that it’s not just about firewalls and virus scanners. This is a prime opportunity for security professionals to partner with their colleagues in the business.

While many CISOs still report to Chief Information Officers, recent surveys find that 10 percent of CISOs now report to CFOs – a number which will only continue to grow. Why? CFOs focus on how cyber investments affect the bottom line, either by preventing losses due to risks or by increasing revenue by giving customers greater confidence in doing business with the company. CFOs often look at a measure referred to as Value at Risk (VaR), which assigns financial values to the loss of an organization’s most valuable data and applications. CFOs track VaR over time to see how, for example, implementing security measures reduces the organization’s exposure to attacks. Ultimately, this provides a standardized means of measuring risk exposure that helps companies prioritize their next steps.

The most common next step has been to create a Security Operations Center (SOC). SOCs are essentially facilities from which enterprise information systems – such as websites, applications, databases, data centers, servers, networks, desktops, and other endpoints – are monitored and assessed, and from which cyberattacks against them are identified and defended against.

SOCs generally use a security information and event management (SIEM) system that aggregates and analyzes logs and monitors security events. The SOC’s primary job is to create the analysis and monitoring rules and act on their output, running the processes and procedures needed to resolve suspicious events and incidents.

However, SOCs have fallen short in recent years due to a lack of understanding and coordination among senior leaders. Most organizations are not prepared for the significant time it can take to realize value from their SOC investments: on average, it takes three years to realize ROI on a SOC. Although SOC deployments are often driven by an audit finding or a compliance requirement, the ultimate business goal is to reduce risk and provide real-time alerting on cyberattacks. This ultimately enhances business resilience.

Here are three reasons why SOCs have failed due to a lack of coordination between IT and the business:

  1. The SOC provider monitoring IT environments is managed by another service provider. This creates a problem with privileges, permissions, and who’s accountable when things go wrong.
  2. Where the SOC has permission to make changes, that permission doesn’t extend beyond perimeter devices such as firewalls and web gateways. Internal systems and applications are often out of the SOC’s reach.
  3. Where incidents occur as a result of a business process, it is often difficult for the SOC to make a change. This is because the SIEM and SOC are usually run as IT security solutions and don’t integrate well with business processes.

While the challenge can seem enormous, the good news is that there is a blueprint for building an effective SOC that brings IT and the business together and has the power necessary to not just identify cyberattacks but stop them before they do any sustained damage to your business.

Come back next week as we share the first step in our four-point plan to build a world-class SOC: defining roadmap and requirements. Can’t wait until then? Visit our website to learn how US Cyber Vault’s managed security services deliver security operations center, analyst, threat intelligence and incident response capabilities rapidly, enabling companies to save up to 90 percent on traditional cybersecurity costs.