When it comes to security, one of the most common buzzwords is “24×7 SOC.” It sounds impressive, implying that a team is constantly monitoring for threats and keeping everything secure. However, as Gary Derheim from PTP explains, the idea of a 24×7 SOC might not be the best approach for all organizations, particularly mid-sized companies.
A Changing Perspective
To understand why the 24×7 SOC might not be the ideal solution, Gary uses a sports analogy. When he was a child playing soccer and running track, the norm was static stretching before events—holding stretches for 10 seconds or more. Today, athletes focus on dynamic stretching, doing exercises that warm up muscles and reduce the risk of injury. This shift in thinking reflects an understanding that times change and new information can lead to better decisions.
Similarly, in security management, particularly for mid-sized companies, the traditional focus on a 24×7 SOC may not be the most effective approach. Instead, companies could find more value by investing in other security tools and working with niche vendors.
The Real Threats and How to Address Them
Gary outlines some of the most significant threats that mid-sized companies face and suggests effective ways to address them without relying solely on a 24×7 SOC:
1. Lost or Stolen Passwords: According to various studies, about 80% of breaches are due to lost or stolen passwords. This can be mitigated by implementing multi-factor authentication (MFA), a low-cost solution that significantly enhances security.
2. Phishing Emails: Phishing emails are a common way that breaches occur, even when email filters are in place. Solutions that focus on phishing training and education are proving to be highly effective at preventing breaches.
3. Out-of-Date Software: Basic software hygiene is crucial. Regular vulnerability assessments and timely patching of outdated software on servers and endpoints can prevent many security issues.
Investing in these areas can provide robust security for a fraction of the cost of maintaining a 24×7 SOC.
The Role of Security Monitoring
While security monitoring and management are critical, the focus should be on scalability and the quality of the security monitoring process, rather than on continuous surveillance. The challenge with a 24×7 SOC is the high volume of alerts analysts must handle and the constant need to switch between platforms and tools. A platform that aggregates and correlates events from those tools into a single, manageable view is a more scalable approach for mid-sized companies.
Quality Over Quantity
A key takeaway is that most alerts from security monitoring tools are likely to be false positives or low-level incidents. These often indicate that the security systems are doing their job by blocking unauthorized access attempts or triggering other expected activities. The real threats, such as malware, often require thorough investigation and a deeper understanding of the environment. Gary mentions that studies show that malware can remain undetected for 150 to 200 days, indicating that adversaries are not rushing in but rather moving quietly and cautiously.
Therefore, rather than focusing on the 24×7 aspect of a SOC, organizations should emphasize the quality of the incident response process, including how incidents are prioritized, triaged, and resolved.
What Really Matters
Instead of asking about the number of SOC analysts per shift or the size of the team, companies should focus on questions like:
- What’s the process for incident identification, triage, and resolution?
- What level of engineers will we engage with?
- How will you help us improve our security posture over time?
These questions get to the heart of effective security monitoring—having a defined process, the right tools, and skilled people to investigate, understand, and respond to threats.
Conclusion: A New Approach to Security
At PTP, the focus is on providing the best people with the best tools to work with clients in detecting, responding to, and recovering from security threats. This approach prioritizes quality over quantity, ensuring that organizations are well-protected without the unnecessary expense of a 24×7 SOC.
Ultimately, a robust security posture is about effective processes, tools, and people, rather than constant surveillance. It’s time to rethink the traditional approach to security and focus on what really matters.