SOC - security concentrate
Evolution of threats
Malware threats have changed radically over the last several years. Viruses, which at the end of the 20th century took the form of pranks displaying funny messages and sound or visual effects, have become a tool in the hands of organized crime groups. Behind today's malware is a thriving black market, where you can choose from offers to buy 0-days, exploits, exploit packs, backdoors and even ready-made botnets consisting of thousands of hijacked computers. All of this makes it easier for organized crime groups to run large-scale phishing campaigns or infections with ransomware such as TeslaCrypt, CryptoLocker or CryptoWall.
Approach to protection
Unfortunately, the evolution that has taken place in the field of threats has not yet been accompanied by a change in mentality in our approach to protection. If you asked the average administrator how his approach to securing IT infrastructure has changed in recent years, he would most likely reply that he replaced the floppy-disk MKS antivirus with a network-based, centrally managed antivirus, and a simple firewall with a "next generation" device. More aware administrators would boast about taking local administrator rights away from their users and using GPO policies to enforce a secure password policy.
Effectiveness
In a typical IT environment today it is difficult to find a computer without an antivirus or a network without a firewall. Despite this, we constantly hear about new cases of data theft, unauthorized transfers or files encrypted for ransom. It turns out that a computer with antivirus and a host firewall enabled, protected by a "next generation" firewall, can still be an easy target for intruders. This is because attack vectors are deliberately chosen to bypass the most popular security measures. That is why the effectiveness of antiviruses is so low, and why backdoors use encrypted traffic initiated by infected stations from inside the network. Which administrator will waste time blocking ports for outbound connections?
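The outbound-traffic blind spot described above is exactly what log analysis in a SOC is meant to close. The following added example (not part of the original article) runs over constructed firewall accept records and flags workstations that open direct external connections instead of going through the web proxy, then checks whether such a connection recurs at a near-constant interval, the regular "check-in" pattern a backdoor typically shows. The proxy address, address range and log format are assumptions made for the example.

```python
"""Flag direct outbound connections that bypass the proxy and detect
regular beaconing among them. Log format and addresses are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

PROXY = "10.0.0.5"      # assumed corporate web proxy (constructed)
INTERNAL = "10.0."      # assumed workstation address prefix (constructed)

# Constructed firewall accept records: timestamp src dst dport
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.1.20 10.0.0.5 3128
2024-03-01T10:00:03 10.0.1.21 203.0.113.9 443
2024-03-01T10:01:03 10.0.1.21 203.0.113.9 443
2024-03-01T10:02:03 10.0.1.21 203.0.113.9 443
2024-03-01T10:03:03 10.0.1.21 203.0.113.9 443
2024-03-01T10:05:00 10.0.1.22 198.51.100.7 443
2024-03-01T10:06:00 10.0.1.20 10.0.0.5 3128
"""


def parse(log):
    """Yield (timestamp, src, dst, dport) tuples from the log text."""
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def direct_outbound(log):
    """Group timestamps per (src, dst, dport) for internal hosts that
    reach external addresses directly rather than via the proxy."""
    flows = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        if src.startswith(INTERNAL) and dst != PROXY and not dst.startswith(INTERNAL):
            flows[(src, dst, dport)].append(ts)
    return flows


def beacons(flows, min_hits=3, max_jitter=5.0):
    """Return {flow: mean interval in seconds} for flows whose gaps between
    connections vary by at most max_jitter seconds (regular check-ins)."""
    found = {}
    for key, times in flows.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # len() check first: pstdev() raises on an empty list
        if len(gaps) + 1 >= min_hits and pstdev(gaps) <= max_jitter:
            found[key] = sum(gaps) / len(gaps)
    return found
```

In the sample data the host 10.0.1.21 checks in with 203.0.113.9 every 60 seconds and is reported, while the single direct connection from 10.0.1.22 is listed as a policy bypass but not as a beacon.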
Comprehensive protection
In the security industry there is no such thing as 100% security. All activities of security specialists are aimed at minimizing the risk associated with specific threats. We must therefore take sufficient measures to minimize risk in every area where gaps may appear. The basic responsibilities of the person in charge of security therefore include:
- protection of end devices
- protection of mobile devices
- monitoring and protection of network traffic
- monitoring and protection of wireless networks
- web and e-mail traffic filtering
- collecting, archiving and analyzing logs from both servers and network devices
- data protection, including compliance with the law (e.g. the Personal Data Protection Act, the National Interoperability Framework, the Act on the Protection of Classified Information)
- development and implementation of security policies
- risk assessment
- training to make employees aware of threats
- scanning systems for vulnerabilities
- conducting penetration tests
- management of updates
What do we need?
To carry out such a large number of tasks, we need a whole range of tools such as:
- mail filtering gateways
- proxy servers filtering web traffic
- centrally managed antiviruses
- log servers
- IDS / IPS devices
- SIEM type systems
- network monitoring systems
To use these tools, however, we must hire specialists who will be available across several shifts. We must remember that the number of security positions should guarantee availability also during holidays or sick leave.
In order to ensure the appropriate quality of service and response times, and to guarantee the continuity of business processes, it is also necessary to implement procedures, instructions and policies in accordance with the law, industry standards and levels of availability required by the business.
What do we have?
Unfortunately, technical solutions and licenses related to the protection of IT infrastructure are not cheap. The same is true of the salaries of security professionals (auditors, testers, administrators). As a result, very few companies can afford to allocate sufficient funds from the budget to create a separate organizational unit dealing with security. Consequently, some tasks are not carried out at all, and some land on whichever IT specialist happens to be available. On the other hand, people dealing with security issues ad hoc do not have the appropriate competences. This is not because of ill will or negligence, but simply for lack of time. Among a multitude of other duties, the average administrator is not able to develop his knowledge, follow trends, and test and implement the solutions that abound on the market but do not always work in a specific environment. Here you need people who are well-trained, experienced and see the issues from a broader perspective.
SOC - the way out of the situation?
So what should we do when our security needs are large and the human, technical and financial resources at our disposal are small? The answer may be a SOC (Security Operations Center) provided as a service by an external provider. This approach has become quite popular recently, not only among small organizations but also among large institutions, due to its efficiency and relatively low maintenance costs. A SOC maintained by an external MSSP (Managed Security Service Provider) guarantees access to specialized knowledge and tools to a degree tailored to the client's needs. It is difficult to imagine a small company employing a person as a security officer on, say, a quarter-time basis, or buying a SIEM solution for several hundred thousand zlotys. In the service model, however, this is quite a realistic scenario. We agree with the supplier on the scope of the tools available and the time needed to carry out specific tasks with them, and we settle accounts according to the agreed monthly rates. If at some point it is necessary to disable or enable additional services, we do so overnight without incurring additional costs. Flexibility, availability and a high level of expert knowledge are the basic advantages of such a solution.
Security UpGreat
If the idea of maintaining a SOC in the form of outsourcing seems interesting to you, we are pleased to inform you that UpGreat has a full range of security services in its catalog. For a detailed offer, please contact us at soc @ upgreat.pl, tel. +48 66 77 68 452, or via the contact form.