Cyber Rangers

SOC is about people. And it's not for everyone.

SOC everywhere you look and for everyone the consolation of cybersecurity assurance. But that is not the case today. SOC is all about people and not technology. And not every organization can effectively adapt SOC from day to day.

The market is oversaturated with SOC (Security Operations Center), that's obvious. At the same time, it is becoming more and more apparent that it doesn't really matter what weapon you put in people's hands as long as it has the same cadence, rate of fire and quality (meaning SOC analytics tools). The trend shows that sooner or later most organizations will have Microsoft Sentinel or a similar cloud-based SIEM and then they will be firing the same guns.

But what does it mean? That SOC provision will be even more than today not about tools, but about people and how experienced and good they are. And most importantly, whether they can detect or stop an attack. So it will also be the speed of response and SLA of the service that will be important, not the tools. This is also one of the reasons why we test SOCs for customers (they need to know if what they have purchased actually works) and why we train SOC analysts on the vendor side to be able to detect a threat before it actually occurs (by simulating real attacks and explaining the context).

The ideal situation is when you arrive at the fire at the moment when someone throws a match into the barn, but it can also happen (not by accident, but relatively surely) that you arrive only when the barn is on fire and then it is necessary to have somewhere to call to investigate and fix the problem quickly enough to stop the fire (incident response and forensic team). You could then breathe in peace, even though your cheeks and hands would be red and you would probably have a few bucks in your wallet.

SOC cannot be connected to an environment that is decaying and that you yourself do not know properly. If you don't know it, then your supplier probably won't know it either. If the wall at your front door is falling down and it opens with a mere knock, then no SOC in the world can save you, even if it has top-notch analytics. Because first you have to get it right internally, get to know yourself and understand if you are mature enough to adapt a SOC, even if it has to be external.

Don't believe a supplier who will claim they will connect anything, anytime. If you don't trust the environment, then a simple SOC won't help you. Map, monitor, audit, get advice and plan and only then can you do it.

Will it be expensive? Yes, it will. Will it be a big investment? Yes, it will. You don't believe that a group of SOC analysts will use their technology to monitor your entire 24x7x365 environment for a few thousand Czech crowns?

Will it take a long time to adapt the SOC? Maybe, and it depends on where you are. If you don’t do it, what happens? Maybe nothing, and maybe someone will wipe you out of cyberspace. At best, it'll only cost a few Bitcoins and the subsequent nerves when your data shows up on the internet, but maybe you'll also shut down and move on to another business a block away or, with the care of a good housekeeper, go take a break for a while.

The decision is always up to you, owners and directors of small or large organisations. We won't let you down, but we have had to say "Sorry, but we can't help you here" too many times, so please keep that in mind when you are planning activities and budgets for the next fiscal year and preparing KPIs for people.