Today’s security operations center should have everything it needs to mount a competent defense of the ever-changing information technology (IT) enterprise. But it doesn't. How can a vast array of sophisticated detection and prevention technologies, a virtual sea of cyber intelligence reporting, and access to a rapidly expanding workforce of talented IT professionals fail over and over again to stop attacks?
Three decades ago, a radical political group responsible for a string of bombings boasted that the authorities had to be right every single time to thwart the attacks, but the bombers? Well, they only had to be right once.
Hackers are in the same position. It's an asymmetrical contest that pits an army of them against you, the solitary fort on the lonely hill.
If you think most SOCs can change this, you're wrong. Here's why. The deck is clearly stacked against the defenders. While the adversary must discover only one way in, the defenders must defend all ways in, limit and assess damage, and find and remove adversary points of presence in enterprise systems. And cybersecurity experts increasingly recognize that sophisticated adversaries can and will establish lasting footholds in enterprise systems. As if this situation were not bad enough, more often than not we are our own worst enemy. Many SOCs expend more energy battling politics and personnel issues than they do identifying and responding to cyber attacks. All too often, SOCs are set up and operated with a focus on technology, without adequately addressing people and process issues.
The reality is that unless you're a service provider such as a major MSSP, your core business is not security and security operations. Many organizations try to extend themselves by investing millions in building and operating a SOC, but these efforts generally end in failure and nothing more than a waste of company resources. Building and operating a SOC is difficult, expensive, and requires expertise that is hard to come by.
It is surprising how many organizations point to their SIEM and call it their SOC. Tenders are regularly released all over the world requiring a SOC, but look inside and they are simply asking for a SIEM. A SIEM is not a SOC. It is just a tool you need once your network gets big enough to warrant purchasing one. Implementing a SIEM does not equal a mature security monitoring capability. In fact, without a well-designed SOC, the full benefits of a SIEM implementation will never be realized.