Ransomware, phishing, and IoT attacks disturb and change the rules of the business game. Protecting a company's sensitive data is a critical mission for every business. That is why the Security Operations Center (SOC) is now one of the hottest topics in IT, particularly in the context of the forthcoming GDPR regulation. Maciej Rosolek, IT Risk & Security Department Manager, discusses the latest Security Operations trends, including SOC technologies and the differences between in-house and outsourced SOCs, and shares his thoughts on the future of the SOC.
Malgorzata Zabieglinska – Lupa: At the core of a Security Operations Center we usually find a SIEM. We see SIEM systems as one of the main trends in the security market. But as technology matures, more and more things must be integrated into them, and SIEMs themselves are in transition. Is SIEM really so important for the current SOC? What other trends are you seeing?
Maciej Rosolek: Firstly, let's explain what a SOC is. A SOC, or Security Operations Center, is a team of security engineers who, using very sophisticated hardware and software products, detect and analyze security events in their own or a customer's infrastructure, depending on the business model. Basically, a team of geeks for whom security is a never-ending adventure and who, with the help of dedicated toys, detect attempted attacks and theft, thus ensuring the security of sensitive data.
I remember the beginnings of SOC formation, when a SOC was created by a group of enthusiastic engineers analyzing the log of a security event. Such an event may have happened once a week; now that nearly everyone has a computer with enormous computing power, and the number of attacks and attackers has grown exponentially, even a team of a hundred or more engineers would not be able to analyze the avalanche of logs, correlate them, analyze the results and then detect every incident.
SIEM (Security Information and Event Management) systems, which began to be created together with SOCs to support the work of engineers, are unfortunately no longer sufficient these days. Artificial intelligence comes to help. I will immediately point out that this is not a universal method, because an experienced security engineer cannot be replaced by any machine. However, a machine whose software is powered by the intelligence of SOC engineers can bring many benefits, mainly the initial elimination of 99.5% of false alarms, leaving only 0.5% to the engineers for analysis. Human-machine cooperation with software capable of learning, correlation and event analysis, and additionally able to react to changes and fluctuations in the behavior of users and terminals (workstations, servers), will be the main trend in the development of SIEM solutions.
Malgorzata Zabieglinska – Lupa: What has changed in the past 5 years regarding SOC technologies? What skills are in demand at the moment?
Maciej Rosolek: As I mentioned before, due to the exponentially increasing number of events for correlation and analysis, systems supporting the work of SOC engineers had to be equipped with an artificial intelligence module, machine learning, whose main goal is self-improvement on the basis of accumulated experience (the learning process).
The answer to the second part of the question is a kind of challenge, because the concept of IT security includes more specializations than doctors have to choose from. We start looking for the right competences with an analysis of the business model. We must ask ourselves what kind of services we want or should provide to ensure our clients' compliance with the requirements of the contract, while maintaining the security of the data entrusted to us. Having the result of the analysis in front of us, we already know what competences we will need, and we start looking for tools that will be able to support the activities of security engineers while generating synergy effects.
Malgorzata Zabieglinska – Lupa: Let's take another angle on the SOC and talk about what kinds of challenges designers are now facing while creating a large SOC?
Maciej Rosolek: Building a large SOC supervising the security of customer data in diverse environments is quite a challenge. Imagine that we have only ten clients; each of them has its own infrastructure built on the basis of different manufacturers' products, and each has different security procedures, e.g. regarding incident management in the organization. Each infrastructure element requires a different type of management, both in terms of the interface and in the approach to security.
Each client requires different response times and prioritizes security events differently. In addition to competencies in many areas of security, there are also tools that collect and analyze data from all types of infrastructure equipment and present the results in a comprehensible way, allowing additional action to be taken immediately. A SOC is capable engineers and modern systems; it is the ability to cooperate, analyze and correlate; it is the intelligence of an engineer and the speed of the machine; it is the ability to constantly learn, deepen and expand knowledge to protect the most valuable thing: our privacy.
Malgorzata Zabieglinska – Lupa: A SOC helps companies to efficiently manage mission-critical areas of their daily operations. You have already said that a SOC is not only people but also advanced technologies and systems, appropriate infrastructure and implemented processes. Let's stop here for a moment and talk about what solutions are available to overcome these challenges.
Maciej Rosolek: Indicating a specific solution would break confidentiality rules, so I cannot do it. I will only say that every several years we analyze solutions available on the market that support the work of SOC engineers. Such products consist mainly of modules: SIEM + UBA/UEBA + Incident Management + Vulnerability Management + Risk Management + Change Management + CMDB + others. At this point, we are at the stage of testing four solutions/products highly rated by international experts. We verify their capabilities, not only functional but also their ability to cooperate with a wide range of security systems/products available on the market; we check effectiveness, the ability to correlate events and to learn while supporting the processes mentioned above. Who knows, maybe after the tests it will turn out that there is a product on the market that will be able to surpass the currently used solution, improving the work of the SOC team and increasing productivity and work comfort by optimizing processes and tasks.
Malgorzata Zabieglinska – Lupa: This leads us to another area that makes the SOC market more complex, namely outsourcing. Why do enterprises need a SOC? How do you see the phenomenon of outsourcing SOC functions in the current market? Or maybe in-house SOCs?
Maciej Rosolek: I think that after getting to this point, the reader is able to answer the question "why do I need a SOC?". This need is conditioned by the current threats, threats that can be just as harmful to small businesses as to corporations. Therefore, the size of the company will not be a key factor here, but the type of stored or processed data will. A SOC, whether your own or outsourced, will be able to identify the potential threat and take actions that will prevent the attack in time and in the right way, thus saving us the loss of valuable or sensitive data, loss of reputation and possible horrendous penalties that may be imposed based on the new GDPR Regulation as of May 25th 2018.
In-house or outsourcing? The answer is not easy at all. Although business sense tells me to answer this question with "outsourcing, of course, and preferably at Comarch", the correct answer is: it depends…
If we manage our infrastructure ourselves and have excellent engineers from all areas who, in addition, are familiar with security and are willing to work in 24/7 mode, then building an in-house SOC is possible and justified. There are also institutions which, for example due to legal reasons, cannot entrust the care of their infrastructure to external entities, and then the only option is to build your own SOC.
We know clients who care only about the continuity of their business operations and who, as part of the payment, assign responsibility for the application and infrastructure layers to external companies. In this case, it is important that the choice of the outsourcing company is as well thought through as possible and preceded by a thorough analysis. Check the competencies of the providers, the processes running inside the company, and the certificates held. Conduct an audit of a potential supplier: do it yourself, or use well-known and reliable auditing institutions. Choosing an outsourcing company is a very important element in ensuring business continuity. You must be fully aware of who you entrust your valuable data to.
Companies that lack security competences and do not want to invest a lot of money in building their own SOC (hiring experienced engineers, purchasing the necessary tools and security systems/solutions) also decide to outsource the SOC.
Finally, a few advantages and disadvantages of each solution:
In-house SOC:
- Only specific employees of a given company have access to corporate data
- Necessity to acquire competences (experienced security specialists)
- Purchase of expensive tools
- Much more expensive than an outsourced SOC
Outsourced SOC:
- All necessary competences and tools are provided by the outsourcer
- The ability to audit SOC processes and operations
- Responsibility for the operation of business processes and data security is ceded to the outsourcer
- Continuous development of competencies, expansion and modernization of security systems/tools is on the outsourcer's side
- Cheaper than building your own SOC
- Third-party employees have access to company data
Malgorzata Zabieglinska – Lupa: This leads us to the final question: why Comarch?
Maciej Rosolek: Comarch has been involved in security in many different areas for years. It is worth mentioning here: personal safety, infrastructure security, physical security, logical security and process safety. But besides that, we develop our competences in the areas of SSDLC (Secure Software Development Lifecycle), IoT, and healthcare. Each of these areas has specific requirements and regulations.
Dedicated teams of engineers and security specialists work continuously, constantly analyzing events and anomalies inside the infrastructure, in order to capture the potential source of attack in time, thus preventing security incidents.
We work with the world's best suppliers of equipment, systems and security solutions, with whom we exchange knowledge and experience. Direct support from the management board and key directors gives us a wide range of opportunities to develop security-related competences and to expand and modernize our systems.