Nobody wants to pay more than they need to – but still, everybody knows that when selecting an insurance plan, the price doesn’t tell you how well you are covered until the “unexpected” happens.
What should you expect to find in the fine print of a Security Operations Center (SOC) service description?
In planning cybersecurity, it is critical to base the planning on the actual threats and on the company’s business operations. That way, the investments made in cyber defense can be directed at the areas critical for the business and at the real threats those areas are exposed to.
Traditionally, companies have built their information security mainly on strongly preventive controls – the goal has been to build a large and strong barrier that keeps evil at bay. The thought of the barrier may give one peace of mind – but only temporarily, since in reality it does not work.
When it comes to cybersecurity, it is important to understand that building perfect security is impossible. Merely pursuing it requires the company to impose extreme controls, and such controls cannot be used in normal operational environments. If a company puts all of its energy and resources into preventive controls and these fail, the company will no longer have the capability to detect possible security breaches and react to them as required. This becomes evident in studies revealing that detecting a security breach takes approximately 200 days.
During the past couple of years, more and more companies have acknowledged this fact and started to invest in their monitoring and response capabilities. Since building this capability in-house is highly demanding, most companies decide to purchase it as a service from a service provider. As with any other outsourcing, when it comes to monitoring services it is essential to make sure that the purchased service actually meets the needs of the company and is able to produce the required capability.
No security without monitoring
As a central area of cyber defense, monitoring services should be examined from the perspective of the company’s business operations and risk management. For the monitoring to detect and manage the threats that are critical for the business operations, the company must first be able to define the systems, processes and people critical for its operations, and the threats to them that are realistic. In other words, every company must decide whether, from the perspective of its business operations, it is most important to protect the company from business espionage, to prevent general mass attacks or to keep the logistics chain running.
It is important for the success of cyber defense to ensure that the monitoring service has the required visibility into the systems and the necessary understanding of their criticality. There are several means of producing visibility, such as on the network level or via log data. It is essential to consider visibility in terms of threats, i.e. how each threat could be realized and how that would be discerned.
It is also essential to consider the service level (SLA) of the monitoring service and to proportion it to the criticality of the business operations. When examining the continuity of the critical business functions, we often talk about recovery time objectives (RTO), i.e. how quickly business operations can be returned to normal after a disruption. The service level of monitoring should be proportioned to this recovery time objective. If the recovery time objective of the company is, for example, 24 hours, the monitoring service must, in practice, operate 24/7 and offer, in addition to monitoring, the capability to react to and handle information security incidents. If this is not the case, the recovery time objective cannot be met during weekends, for example.
When the company has taken care of the matters mentioned above, i.e. made sure that the monitoring service covers the areas critical for the business operations and offers a sufficient service level, it is time to test the service in practice. Through testing, the company can verify that the monitoring really detects deviations and that they are responded to appropriately.
In addition to testing, continuous reporting should be required from the service. The minimum level of reporting covers the detected deviations, but we should not settle for this. The monitoring service should also provide the organization with information on the general threat situation, on new attack methods and on changes in the company’s own threat assessment. This information is essential for the company to ensure that its cyber defense and detection capability remain in good condition as cyber threats continuously change.
Originally published on 13.04.2018 on tivi.fi (in Finnish)