Do You Really Need a SOC?
By: Tzah Malka, Cynet Cyber SWAT Team Manager
These days cyber criminals are more advanced than ever. Often, what stands behind an attack – whether it is randomly spread or targeted – are huge companies that make it their business to steal information and finance their activities through large scale attacks. These organizations have vast resources at their disposal. In fact, they play an integral role in today’s cyber security industry, as their increasingly sophisticated attacks and state-of-the-art evasion techniques lead to the development of better technologies. But to combat these elite, malicious forces, you must have the greatest super computer ever built on your side: the human brain.
Today’s security systems usually detect and respond to malware using automatic processes, some of these involving a type of AI, and others, using sophisticated heuristic engines. Yet these are only good as long as their behavior and characteristics fit a certain profile or behavioral set of actions. Therefore, it is just a matter of time before attackers find a way to overcome these mechanisms and make their way into your organization.
What Does the SOC Do?
A Security Operations Center – or SOC – uses qualified SOC analysts to monitor the organizational networks and detect behaviors which can lead to the discovery of new attacks that are not always detected by automated systems. The analysts can gather indicators which, when put together, can paint a picture to eventually reveal the true intentions of a certain behavior.
Making the SOC Work for You
One of the most important issues when dealing with security threats is: How do I optimize my resources and time? Security systems will produce many alerts. Some are real time threats; some are false positives; some would be considered a false positive for one organization, while for another, they would be considered a ‘High Risk Alert.’ A Security Operations Center should be able to utilize its SOC Analysts in order to separate the important alerts from the less important ones, and, of course, to recognize the false positives.
It is important not to underestimate this ability. It is well known that organizations which neglect using SOC Analysts to prioritize their alerts and filter out false positives waste most of their costly man-hours on chasing dead-ends, effectively putting their systems at risk. The long queue of alerts to handle stretches the time it takes to get to new alerts, and with the sophistication of today’s cyber criminals, even a delay of minutes can cause heavy damage and, in worst case scenarios, result in infiltration.
SOC Analysts Know What Trends to Watch
One of the most important tasks of the SOC analyst is the identification of trends, malware and APT attacks. Analysts like to keep in-the-know of successful malicious trends. And while these trends are usually publicized through digital media and other sources of mass information delivery, by the time the wider public becomes aware of them, it can be too late. It can take days, weeks, and in some cases, even months after the new attacking trend is identified, for people to become educated to the threat. By then, whomever was not paying attention is probably already paying with their hard earned cash.
The human brain is a powerful security device. Regardless of how much money you spend on security, your organizational defense strategy will remain vulnerable if you neglect to include the SOC in your security plan.