These four words embody a modern SOC and security service. Security is a game of trust and reputation.
All SIEM and SOCs must demonstrate customer security value to instill confidence. Your service and tools must offer a monthly heartbeat and flexibility to deliver what customers want from security in a format they can consume.
Your security program should have instant security monitoring, priority alerts, patch management and solid firewall rules. It should get to a stage where a lot doesn’t happen. But that doesn’t instill confidence. It’s not enough to simply say “we watched but nothing happened,” you want to say “not only were we watching, but we went on a threat hunting expedition, put together some reports, reviewed them dynamically and are certain you are secure. Your environment is safe and healthy.”
If you don’t constantly do that, it’s hard to maintain a relationship and trust. We think of it as three outcomes: gold, silver and bronze.
- Detecting a breach is a gold outcome, but you don’t want this every day for obvious reasons. In one example, we detected a ransomware attack in 20 minutes and escalated the activity. That was the only breach we detected for that customer in a year. If we only spoke to that customer when there was a critical issue or when it was time to pay their bill, we wouldn’t have a healthy relationship as we wouldn’t consistently highlight the value of our offering.
- Silver outcomes are where we identify attacks or specific vulnerabilities where we can give meaningful, actionable reports. For example, with customers in the financial services industry, we can inform them when there are groups targeting the industry, supply examples of phishing emails, offer advice on how to protect themselves from these threats and how to run drills internally. These things demonstrate value.
- In bronze, we work with the SIEM. It isn’t enough to just install it. SIEM is part of your team. You need to maintain it, keep it trained, and filter out the noise. Over the course of a bronze relationship, we keep customers informed on the extra work we are doing and if we add support for new detection technology such as LogPoint’s UEBA. If we identify any particular risks in the environment outside of security, i.e. compliance issues, we can proactively add more detection.
It’s critical within a modern SOC to demonstrate and maintain this level of communication and trust.