
Eyes on Glass Monitoring: Why Every Organisation Needs 24/7 Monitoring

Threat Intelligence • Feb 17, 2023

Feel like booking your next vacation at 2am on a Sunday? 
Perhaps you want to purchase a new TV at 11pm on a Friday? 


It’s a hallmark of our modern digital economy that we have the flexibility to purchase goods or conduct business at any time of the day or night. And should we experience any difficulties, we also expect customer service reps to be on-call 24/7 to answer all our questions. In exactly the same way, cyber-crime is also part of this new digital economy that never sleeps.


The hacking business operates around the clock. In many cases cyber-criminals deliberately launch attacks outside business hours when most organisations cease monitoring their networks closely, ensuring their attacks are more likely to succeed. Just because your business shuts the doors at 5pm on a Friday, it doesn’t mean the cyber-criminals are taking the weekend off too. A Friday evening breach can give the attackers over 48 hours to laterally move across your network, exfiltrate data, install backdoors, execute malware, and much more.


By the time business resumes on Monday morning, the damage can be immense. That’s why you need 24/7 eyes on glass monitoring your network for any signs of malicious activity. Monitoring your environment around the clock ensures immediate action can be initiated as soon as an attack is detected. The goal is to limit the extent of any damage the cyber-criminals can inflict on your organisation, irrespective of when they choose to launch their attack.
In this blog we will explore why 24/7 eyes on glass monitoring is critical, and why every organisation should consider partnering with a trusted Managed Security Services provider to facilitate expert protection at all times of the day and night.

The Challenge of Establishing and Running a SOC 

Having the ability to rapidly respond as soon as a breach is identified is critical for containing and limiting the potential damage. The longer a hacker exists in your network without being identified, the more widespread the damage is likely to be. That’s why many organisations now recognise the importance of establishing and running a dedicated Security Operations Centre, or SOC.


A SOC comprises a team of cyber security specialists who are responsible for monitoring your digital environment on a continual basis. Their objective is to detect any potential breaches by analysing a wide range of datapoints from your organisation’s networks, servers, endpoints, databases, applications, websites, and other systems. With the right processes and tools, SOCs can be extremely effective at identifying any anomalies that may hint at untoward activity taking place.


Critically, the SOC team can act swiftly to notify incident response experts as soon as a potential breach is detected. 

For a SOC to be effective, it requires a range of security professionals, starting with the Tier 1 responders. These are the individuals who monitor, classify and prioritise all the data that’s collected from across the environment. Any anomalies are then passed on to Tier 2 security investigators for deeper analysis. A Tier 3 advanced analyst may also be required to uncover sophisticated hidden threats. Of course, managers are also required to run the SOC, whilst security engineers are needed to ensure the SOC architecture and set-up is correct.
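The off-hours point from the introduction and the tiered hand-off described above can be shown as a small triage routine. This is an added example written for this post, not code from Threat Intelligence or its Evolve platform; the alert line format, the 1..5 severity scale, the business-hours window and the tier thresholds are all assumptions, and the alert lines are constructed, not real telemetry.

```python
"""Tiered triage of SIEM-style alerts with an off-hours weighting.

Added example for this post, not code from Threat Intelligence or its
Evolve platform. The alert line format, the 1..5 severity scale, the
business-hours window and the tier thresholds are all assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple

# Assumed business-hours window: Monday to Friday, 08:00 to 18:00 local time.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

# Constructed alert lines in an assumed "timestamp key=value ..." format (not real telemetry).
# 2023-02-17 is a Friday, so three of these land in the weekend window the post describes.
SAMPLE_ALERTS = """\
2023-02-17T14:05:00 host=ws-042 rule=failed_logon_burst sev=2
2023-02-17T22:40:00 host=fin-db01 rule=new_local_admin sev=4
2023-02-18T03:12:00 host=fs-01 rule=mass_file_rename sev=4
2023-02-17T10:30:00 host=ws-117 rule=usb_device_inserted sev=1
2023-02-19T01:55:00 host=dc-01 rule=ntds_dit_read sev=5
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    rule: str
    severity: int  # assumed scale: 1 (informational) .. 5 (critical)


def parse_alert(line: str) -> Alert:
    """Parse one 'timestamp host=... rule=... sev=N' line into an Alert."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Alert(datetime.fromisoformat(ts_text), kv["host"], kv["rule"], int(kv["sev"]))


def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business-hours window."""
    weekend = ts.weekday() >= 5
    outside = not (BUSINESS_START <= ts.time() < BUSINESS_END)
    return weekend or outside


def priority(alert: Alert) -> int:
    """Severity plus one notch when nobody is likely to be watching, capped at 5."""
    p = alert.severity + (1 if is_off_hours(alert.ts) else 0)
    return min(p, 5)


def tier_for(p: int) -> str:
    """Map a priority to the analyst tier that should pick it up (assumed thresholds)."""
    if p >= 5:
        return "Tier 3"
    if p >= 3:
        return "Tier 2"
    return "Tier 1"


def triage(text: str) -> List[Tuple[str, int, Alert]]:
    """Return (tier, priority, alert) for every line, highest priority first."""
    alerts = [parse_alert(line) for line in text.splitlines() if line.strip()]
    queue = [(tier_for(priority(a)), priority(a), a) for a in alerts]
    # Highest priority first; equal priorities keep chronological order.
    queue.sort(key=lambda item: (-item[1], item[2].ts))
    return queue


if __name__ == "__main__":
    for tier, p, a in triage(SAMPLE_ALERTS):
        flag = "off-hours" if is_off_hours(a.ts) else "business hours"
        print(f"{tier}  p={p}  {a.ts:%a %H:%M}  {a.host:<9} {a.rule}  ({flag})")
```

The weighting is deliberately simple: a Friday-night account creation on a finance database moves from a Tier 2 queue to a Tier 3 one purely because of when it happened, which is the point the post makes about weekend attacks. In a real deployment the window would come from the site's roster rather than a constant, and the priority would also consider asset criticality.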


The 2022 Managed Security Report by Cybersecurity Insiders found that a majority (56%) of organizations have their SOCs in-house. Establishing and running a Security Operations Center (SOC) is a significant undertaking and can be a daunting task for organizations, especially those that lack the necessary expertise and resources. Below are some of the challenges that may be encountered:


  • Skilled Personnel: The people who are required to operate a SOC are the 'eyes on glass' monitoring your network continuously. These people include analysts, administrators, incident responders, and SOC managers. Even though automation and machine learning can take up a significant part of the workload, human intelligence and intervention is critical for addressing anomalies, analyzing trends, and responding to incidents. Therefore, hiring qualified cybersecurity professionals with specialized skills such as threat hunting, incident response, and forensic analysis is essential in building and maintaining an effective SOC. However, there remains an acute shortage of skilled cybersecurity professionals in the industry. In fact, 57% of companies currently face a cybersecurity skills shortage. The cybersecurity skills gap is expected to continue into 2023. These professionals are in high demand, and the competition for them can be fierce, making it difficult for organizations to attract and retain them.


  • Coverage and Operational Model: Lack of 24/7 coverage is the second most persistent challenge that SOCs face, following the cybersecurity skills shortage. If your organization does not have a SOC that is functional 24/7, you might not be able to address incidents that occur after working hours. Moreover, not all SOCs cover the entire IT ecosystem. In fact, a recent report highlights that most enterprises only monitor 5% of their entire ecosystem of networks and devices.


  • Costs: Establishing and running a SOC can be expensive, requiring significant investment in personnel, technology, and infrastructure. A survey by the Ponemon Institute shows that an average SOC costs around 2.86 million annually. When you consider the costs of hiring and training SOC analysts, and the cost of maintaining SOC infrastructure, the costs can quickly reach exorbitant levels. Smaller organizations may struggle to justify the cost, while larger organizations may face budget constraints.


  • Technology: A SOC requires advanced technology to monitor networks, detect and respond to threats in real-time, and analyze security data. The tools that are required to run a SOC make up the technology behind it. These include SIEM, monitoring tools, a threat intelligence platform, intrusion detection and prevention systems, etc. This can be expensive, and finding the right technology that is compatible with existing systems can be challenging. Moreover, onboarding these tools and ensuring that they work together can also be a challenge. 


  • Processes: The processes that are involved in establishing and running a SOC are the procedures and policies, operational guidelines, and knowledge base that are required to run a SOC. Developing and implementing processes for incident response, threat intelligence, and vulnerability management is essential for a SOC because they enable it to respond to and manage incidents quickly. For instance, an incident response playbook is an essential component of such processes because it helps to expedite the incident response process. Some other examples of such processes and procedures include a cyber recovery process, and reporting and escalation procedures. A SOC would be ineffective if these processes and procedures are not implemented, tested, and updated regularly.


Some other difficulties of establishing and running a SOC include the following: 


  • Customizing the SOC to meet business requirements: Simply implementing a general-purpose SOC is not enough to satisfy the unique requirements of a business. SOCs need to be tailored to each company in order to provide effective services and support strategic requirements. However, only very few customize their SOCs. 


  • Time-consuming: Building and running a SOC is a time-consuming process when you have to do it in-house. The entire process could take years considering its costs and complexity, and the results might not even pay off. 


  • Data Overload: A SOC generates a vast amount of security data, and processing and analyzing this data can be overwhelming. False positives also make up a large part of the data generated. About 40% of the alerts generated by a SOC are false alarms. Without the proper tools, processes, and expertise, it is easy to miss critical security events.


  • Compliance: Compliance requirements such as GDPR, HIPAA, and PCI-DSS, can be difficult to meet, and failure to do so can result in significant fines and reputational damage. A SOC is often utilized to meet compliance requirements and help mitigate this risk. However, without a governance board that oversees and supports the SOC, the SOC may not be able to help meet these requirements. The governance board must identify the critical systems that need to be monitored continuously to stay compliant. 


Source: Challenges towards Building an effective Cyber Security Operations Centre, Intl. Journal on Cyber Situational Awareness, Vol. 4, No. 1.


In conclusion, establishing and running a SOC requires significant expertise, resources, and investment. While the challenges are significant, the benefits of having a SOC in place to protect an organization's critical assets can be immeasurable. That’s why many are turning to external Managed Security Services providers. They have the expertise and the resources readily available to quickly implement and operate a SOC 24/7. Check out the benefits of outsourcing your SOC in the next section:

5 Benefits of Having 24/7 External Eyes on Glass

Partnering with a trusted Managed Security Services provider is proving to be the ideal solution for many organisations. It’s an arrangement that offers numerous benefits, including:

1. Addresses Staffing Constraints

No SOC can function without highly-trained cyber security specialists. The challenge is that there is currently a significant shortage of individuals with the required skills in Australia. Without the staff to analyse all the incoming data, classify and prioritise it accordingly, and then initiate an appropriate response to potential incidents, a SOC is useless.


Whilst tools exist that can help automate some SOC functions, they cannot replace the expertise of experienced personnel. Skilled experts are essential for interpreting events within the appropriate context. An external SOC relieves your organisation of the challenge of finding and retaining the right mix of specialist staff that are required to make the SOC function.

2. Delivers Cost Effective Outcomes

Despite the exponential rise in cyber threats, and the importance of maintaining continuous eyes on glass monitoring to prevent attacks, some organisations struggle to justify the high costs of maintaining a SOC. At a time of budget constraints, a SOC can come under pressure to cut costs by finance departments that fail to realise the extent of the threats in the wild and the potential costs of a successful attack against the organisation. 
Ironically, a highly-successful SOC that manages to prevent attacks against the organisation can face increased pressure to cut costs, as others in the organisation may assume no attempted attacks are being launched.


Outsourcing the SOC function to outside experts can be a cost effective way to ensure 24/7 monitoring is maintained, whilst at the same time consuming less of the organisation’s limited financial resources.

3. Provides Clearly Documented SOC Processes

Managing a SOC can be a challenge for any organisation. Without the right documented processes in place, a SOC can end up becoming dependent on the expertise of one or two individual staff members. This can leave the organisation exposed if the most experienced staff depart.
The idea behind a properly functioning SOC is that all its members perform distinct roles that collectively protect the organisation. This requires extensive planning and management, including fully integrated processes and procedures that are continuously refined and updated. Without these, no SOC will perform optimally.


By utilising the services of an external Managed Security Services provider, the organisation does not need to worry that its processes may be lacking. The external experts will have comprehensive documented processes in place that ensure the SOC functions according to industry best practices.

4. Establishes Clear SOC Goals

All too often, an organisation will go about establishing a SOC without a clear strategic objective in mind. A generic goal of keeping the organisation secure is great, but it doesn’t provide the sort of guidance SOC staff need to ensure they are focusing on the specific types of threats that are most likely to emerge against the specific organisation.


Every organisation is unique and faces unique threats. Attack surfaces vary as every organisation has established different networks, has different applications in its environment and different data that it needs to protect. All these factors shape the types of threats the organisation is most likely going to face, and the vectors attackers are most likely to use in launching a breach. 


All this information needs to be brought together in the creation of a comprehensive SOC strategy. Yet, all too often such strategic thinking is neglected. By utilising the services of an external SOC, your Managed Security Services partners can help you develop an appropriate strategy for your organisation, so you can ensure the SOC team is focused on the highest priority threats.

5. Aligns Technical Capabilities with Manual Expertise

Whilst SOCs are increasingly using a range of tools to monitor their organisation’s environment, there’s a risk of missing important contextual information if the team is overly reliant on technology. Manual expertise that comes from years of experience, as well as exposure to the latest threat intelligence that is impacting other organisations, is absolutely vital too. That’s not to suggest that tools aren’t important. Security Information and Event Management (SIEM), User and Entity Behavioural Analytics (UEBA) as well as Security Orchestration, Automation and Response (SOAR) are all critical in providing the SOC team real-time visibility over the environment.
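The contextual point above, that a tool firing on its own is not the same as an analyst knowing what is normal for this organisation, is what UEBA tries to encode: a per-user baseline rather than one fixed rule. The script below, an added example written for this post and not code from Threat Intelligence, Evolve, or any UEBA product, scores constructed logon events two ways, against a fixed 08:00 to 18:00 "off hours" rule and against each user's own hour-of-day history. The event format, the one-hour tolerance, the minimum baseline size and the business-hours window are assumptions.

```python
"""Per-user hour-of-day baseline, UEBA-style, beside a fixed off-hours rule.

Added example for this post, not code from Threat Intelligence or its
Evolve platform. The event format, the +-1 hour tolerance, the minimum
baseline size and the business-hours window are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, time
from typing import Dict, List, Tuple

# Assumed fixed rule: any logon outside 08:00-18:00 is "off hours".
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
MIN_BASELINE_EVENTS = 5   # assumed: fewer events than this means no usable baseline
HOUR_TOLERANCE = 1        # assumed: logons within +-1 hour of a seen hour count as normal

# Constructed "timestamp user" logon events (not real logs): a day worker,
# a night-shift operator, and a user with almost no history.
BASELINE_EVENTS = """\
2023-01-09T08:55:00 alice
2023-01-10T09:02:00 alice
2023-01-11T08:47:00 alice
2023-01-12T09:10:00 alice
2023-01-13T08:59:00 alice
2023-01-09T22:05:00 nightops
2023-01-10T22:10:00 nightops
2023-01-11T23:01:00 nightops
2023-01-12T22:58:00 nightops
2023-01-13T22:30:00 nightops
2023-01-12T11:00:00 bob
"""

# Constructed events to score against that baseline.
NEW_EVENTS = """\
2023-02-17T09:05:00 alice
2023-02-18T02:14:00 alice
2023-02-17T22:15:00 nightops
2023-02-17T11:00:00 bob
"""


def parse_events(text: str) -> List[Tuple[datetime, str]]:
    """Parse 'timestamp user' lines into (datetime, user) pairs."""
    return [(datetime.fromisoformat(ts), user)
            for ts, user in (line.split() for line in text.splitlines() if line.strip())]


def build_baseline(events: List[Tuple[datetime, str]]) -> Dict[str, Counter]:
    """Count how often each user has been seen in each hour of the day."""
    hist: Dict[str, Counter] = defaultdict(Counter)
    for ts, user in events:
        hist[user][ts.hour] += 1
    return hist


def static_off_hours(ts: datetime) -> bool:
    """The fixed rule: fires for everyone outside the business-hours window."""
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def baseline_verdict(baseline: Dict[str, Counter], ts: datetime, user: str) -> Tuple[bool, str]:
    """Flag a logon if this user has never been seen near this hour, or has no baseline."""
    seen = baseline.get(user)
    if seen is None or sum(seen.values()) < MIN_BASELINE_EVENTS:
        return True, "no baseline"
    window = {(ts.hour + d) % 24 for d in range(-HOUR_TOLERANCE, HOUR_TOLERANCE + 1)}
    if sum(seen[h] for h in window) == 0:
        return True, f"hour {ts.hour:02d} never seen for {user}"
    return False, "within baseline"


def score_events(baseline_text: str, new_text: str) -> List[Tuple[str, str, bool, bool, str]]:
    """Return (user, timestamp, static_rule_fires, baseline_fires, reason) per new event."""
    baseline = build_baseline(parse_events(baseline_text))
    rows = []
    for ts, user in parse_events(new_text):
        anomalous, reason = baseline_verdict(baseline, ts, user)
        rows.append((user, ts.isoformat(), static_off_hours(ts), anomalous, reason))
    return rows


if __name__ == "__main__":
    for user, when, static_hit, base_hit, reason in score_events(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{when}  {user:<9} static={static_hit!s:<5} baseline={base_hit!s:<5} {reason}")
```

The night-shift operator logging on at 22:15 trips the fixed rule every single night, which is exactly the kind of noise that buries a real event; the per-user baseline stays quiet for them and fires instead for the day worker at 02:14. The user with almost no history is escalated rather than silently accepted, since a baseline built from one logon is not a baseline. Either output still needs an analyst to decide what it means in context, which is the paragraph's point.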


However, the SOC’s effectiveness will be significantly enhanced if these tools are used by team members who have a deeper awareness of the broader threat landscape. This not only comes from years of experience. It also comes from seeing what threats in the wild are currently impacting other organisations.


By partnering with an external Managed Security Services provider, the SOC specialists will be actively monitoring a range of organisations’ environments. This broad visibility means that your organisation can be protected from potential future threats before the attackers actively target your systems.

How Can Threat Intelligence Help?

At Threat Intelligence, our EvolveMDR (Managed Detection & Response) services combine highly skilled security specialists, with unparalleled domain expertise, together with Evolve – our security automation platform. Evolve delivers unparalleled visibility across your organisation from a single Security Orchestration and Automation Platform.


This combination of skilled specialists and technology enables your organisation to significantly extend your existing monitoring and incident response capabilities to achieve the most effective results. Best of all, it is available 24/7/365, so you can rest assured that you’re continuously protected.
All Threat Intelligence service offerings are fully flexible, and customised to meet your specific requirements.
Contact Threat Intelligence today for a comprehensive demonstration of how we can provide your organisation with the eternal vigilance needed to confront the current threat landscape.
