Digital Creed went into the heart of a Security Operations Centre (SOC) in Mumbai to find out what goes on behind the scenes. Pankit Desai, Co-CEO & Founding Director, Sequretek gave us a guided tour of his SOC. We also spoke to some of the security experts who work in this 24X7 SOC. They keep a watchful eye on the infrastructure of one of the largest banks in India (among other clients). We have now understood what impact a security breach can have on business, and why timely action is crucial. Here are 10 reasons why it makes perfect sense to let the experts manage your security.
1> Security management is no longer a manual task
The scale and frequency of attacks on applications and organizations have increased to such an extent that it is no longer possible for humans to keep tabs on everything. The infrastructure of a large institution, such as a bank, faces hundreds of thousands of malware and hacking attempts every day. Its various security systems (firewalls, domain controllers, IDS, IPS etc.) throw up hundreds of thousands of alerts. Each security system records these events in a log file. The events in the various log files must be correlated before an analysis can be done, to identify the nature of the attack — and then contain it. This analysis is called SIEM or Security Information and Event Management. And it needs to be done in real-time.
It is not possible for even an army of security specialists to do SIEM manually. That calls for algorithms, automation and specialized tools. You also need experienced and certified security specialists to do this analysis.
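The correlation step described above, as an added example that is not code from the article or from Sequretek: a small Python rule that reads constructed firewall, domain controller and IDS log lines, groups them by source IP and raises a single alert when a burst of failed logons is followed by a successful one and an IDS hit. The log format, event names and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not from the article), in an assumed format:
# "<ISO timestamp> <source> <event> key=value ..."
SAMPLE_LOGS = """\
2024-03-01T10:00:01 firewall ALLOW src=203.0.113.7 dst=10.0.0.5 port=445
2024-03-01T10:00:02 dc LOGON_FAILED src=203.0.113.7 user=alice
2024-03-01T10:00:03 dc LOGON_FAILED src=203.0.113.7 user=alice
2024-03-01T10:00:04 dc LOGON_FAILED src=203.0.113.7 user=alice
2024-03-01T10:00:09 dc LOGON_SUCCESS src=203.0.113.7 user=alice
2024-03-01T10:00:15 ids ALERT src=203.0.113.7 sig=smb_lateral_movement
2024-03-01T10:05:00 dc LOGON_FAILED src=198.51.100.2 user=bob
2024-03-01T10:30:00 dc LOGON_SUCCESS src=198.51.100.2 user=bob
"""
FAIL_THRESHOLD = 3             # failed logons from one source before we care
WINDOW = timedelta(minutes=2)  # correlation window across the different logs

def parse_line(line):
    """One log line -> dict with ts, source, event and the key=value fields."""
    ts, source, event, *rest = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "source": source, "event": event}
    rec.update(kv.split("=", 1) for kv in rest if "=" in kv)
    return rec

def correlate(lines, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Rule: >= fail_threshold LOGON_FAILED from one src, then LOGON_SUCCESS from
    that src inside the window -> alert; an IDS ALERT from the same src within
    the following window raises severity from medium to high."""
    by_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if "src" in rec:
            by_src[rec["src"]].append(rec)
    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["event"] != "LOGON_SUCCESS":
                continue
            fails = [r for r in recs[:i] if r["event"] == "LOGON_FAILED" and r["ts"] >= rec["ts"] - window]
            if len(fails) < fail_threshold:
                continue
            ids_hits = [r for r in recs[i + 1:] if r["source"] == "ids" and r["ts"] <= rec["ts"] + window]
            alerts.append({"src": src, "user": rec.get("user"), "failures": len(fails),
                           "severity": "high" if ids_hits else "medium"})
    return alerts
```

Run `correlate(SAMPLE_LOGS.splitlines())`: the alice burst from 203.0.113.7 produces one high-severity alert, while bob's single failure half an hour before a success produces none.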
Pankit Desai, Co-CEO & Founding Director, Sequretek says organizations have spent millions of dollars on various security solutions. Yet they cannot be sure that these solutions work for them, or how helpful they are.
“There is nothing that gives a full picture of what is happening in your organization. There is no way to get a security posture,” he says. “Based on your industry and risk posture, we will identify the gaps. To do this, we create an enterprise risk scorecard for our customers. The scorecard has three elements: a governance element, security management, and security operations (the SOC). We measure the effectiveness of governance across each of these parameters, monthly. As they (customers) complete tasks we get a better score. The scorecard shows the ROI on the investment. SOC is the only vehicle that shows you the effectiveness of your security investment.”
Desai’s point is that a SOC provides an integrated approach to security. It offers a top-level view of an organization’s security and ensures that its security is always up to date, using a combination of automation, tools and highly skilled personnel. A SOC can correlate threats as they manifest in an organization’s environment.
2> SOC is always updated
There is so much (security) information available globally, and if you are focusing only on your organization, you will not get that information. On the other hand, a SOC gets its information from multiple sources and is always updated. It can quickly share this information with its customers, through technical advisories, and prompt them to take timely action to avert attacks.
“We have our own centralized threat feeds and we aggregate data from 84 global sources. We have also set up our own honeypots or networks that solicit attacks. This is for getting samples for analysis. And we work closely with government to get that information,” says Desai. “All this information gets pumped into the SOC. This along with the customer data is the only way I can help customers understand that there is something happening in their environment. The landscape is continuously changing, and it is important to understand how today’s threat versus today’s data is relevant.”
3> Nip it in the bud
When a new virus or malware surfaces, it exploits an unknown vulnerability in an application to breach systems. To counter this, the application developer must patch its software and release an update. The anti-virus and anti-malware companies must also release updates with the latest signatures and push those updates to users’ computers. However, users do not update their applications regularly, putting themselves at immense risk. Software developers may also not release their updates on time.
Experts working at a SOC can proactively create these patches and send them to their customers, even before the software companies do. The SOC can also handle patch management for its customers (as an optional service). This timely and proactive action minimizes the risk for customers.
4> SOCs do a complete vulnerability assessment
Organizations must periodically take an inventory of all their information assets and scan them for malware and vulnerabilities; this is known as vulnerability testing. Malware found in one system is removed. But it may also have spread through the internal network and breached other systems. The malware must be completely eradicated, from wherever it occurs. Specialists at a SOC can do this. They use special tools to scan your IT infrastructure for all traces of the malware.
5> Technical skills and experience
A SOC recruits highly qualified personnel with academic degrees and security certifications. These people also have years of experience and extensive knowledge.
Sequretek, for instance, hires people at three levels. The fresh talent comprises those with academic degrees such as M. Tech and MS Cybersecurity. “Of the 200 people that we have, around 60 would be in this category,” says Desai. “When we hire freshers, they undergo training with us to convert the theoretical knowledge to practical knowledge.”
The second type is lateral hires: the CISSPs, CISAs and others with security certifications. And the third type is people who have done hard-core product development.
Considering that security talent of this kind is in short supply, and that there is always a temptation for people to pursue greener pastures elsewhere, it would be a challenge for an organization to sustain a team of highly qualified professionals. And that’s why it makes sense to outsource security.
6> Research and development par excellence
We met experts at Sequretek who showed us how they go about checking files or systems for infections. They showed us patterns that indicate suspicious or abnormal activity. In effect, a SOC is also a research centre, as it devises its techniques for detection, analysis and remedial action.
There are various activities undertaken to make a SOC more proactive. Some of these activities are malware risk analysis, actionable threat intelligence and active threat hunting.
7> Technical advisories
When a new malware infects enterprises, information about its behavior must be shared and communicated. This happens through periodic technical bulletins called Technical Advisories.
Desai and his team at Sequretek showed us the technical advisories they issued to their customers during the recent ransomware attacks. These documents provide details of how the malware attacks and spreads (its behavior). There are detailed instructions on how to patch systems and how to find and remove the ransomware. Organizations that follow these instructions and take timely action will not be impacted.
8> Remote monitoring and remediation
Security experts at a SOC monitor their customers’ infrastructure 24X7. They have systems and tools that look out for anomalies and suspicious behavior. They can do deep root-cause analysis and confirm whether a threat is malicious. Accordingly, remedial action is taken to avert an attack and its consequences. The SOC also researches new threats and advises its customers through technical advisories.
“A SOC can tell you if a breach is likely to happen, if you already have been breached or if there is a breach in progress,” says Desai.
He also talked about incident response, which comes after a threat is detected.
“There are alerts that need to be acted upon. Cyber Security Incident Response (CSIR) becomes a bridge between the offsite capability and the onsite customer environment. It ensures that whatever is identified, is also remediated. It also ensures that the problem is permanently fixed for the long-term as you do not want the same issue occurring again in some other system. This goes beyond patching,” he says.
9> What kind of organizations opt for SOC?
Contrary to popular belief, SOC is not only for large organizations. Desai says it is a matter of finding out what is important enough to protect. For some companies, that could mean intellectual property (IP). For others, it is customer information and transactional data.
Financial services companies, retail organizations, FMCG, IT/ITES, Telecom and e-commerce organizations have a lot to lose if their data is stolen or their systems are compromised. It makes sense for these organizations to outsource their security management.
“SOC will make sure you have a view to your security posture,” says Desai. “Smaller manufacturing companies have less to lose, so they may not prioritize it as an investment. SOC may not make sense for them. Manufacturing companies that have some IP may want to consider a SOC for protection,” he says.
Of course, companies in a regulated industry do not have a choice.
10> Does it make sense to build your own in-house SOC?
It is an expensive proposition for an organization to build and manage its own security operations in-house. Desai estimates that a team of five people, working in shifts, is needed to manage each resource 24X7. He says at least 15 – 20 people are needed to manage a SOC. Apart from that, there’s the capability investment.
Desai also says an outsourced provider has the advantage of working with multiple clients. When it observes a threat at one client, it has a good chance of finding a similar pattern in your organization.
However, some organizations, such as the large banks, also build their own SOCs. Given the RBI cybersecurity guidelines, there seems to be a tacit understanding that at least the large banks should make this investment themselves. Large banks also have the appetite to spend and can create a class-A infrastructure and capability.