SIEM & SOC: What Are They? Why Do I Need Them For My Business? - Webinar
Mike Bazar: Good morning or afternoon, or whatever it might be, wherever you
are. I'm traveling. I'm in Denver right now, and normally I'm in Central Time;
I'm in Mountain Time, and people on the East Coast are getting real close to
that lunchtime. Anyway, glad to have you guys on this webinar. What we want to
go over today is really to talk about SIEM and SOC: what are they, why do you
need them in your business? And I'll say that SIEM and SOC can seem really
technical, and the truth is on the back end they're incredibly technical and
they can be very difficult to wrap your head around.
Mike Bazar: So we're going to try to bring this down as much as we can to talk
about it and get it as digestible and understandable as possible in terms of
what the real impact is for your business and what that really looks and feels
like for you. The other thing I would say is, if you guys have questions,
please, we've got a Q and A, so put them in there and we'll make sure to catch
those at the end. We might not catch them all as we go along, but we'll
certainly try to catch them at the end. So if you guys have questions, please
click those in. So kind of hitting on a couple of things. First things first,
who am I? Why do you want to listen to me?
Mike Bazar: I'm the CTO here at Vector Choice and partner with Will in it. So I
started an MSP, I don't know, a decade ago in round numbers. Will and I have
known each other for a while, and we decided to merge this year and create the
kind of new Vector Choice. So we've done that. But I've got a mechanical
engineering degree. Went to school at the Colorado School of Mines, where I was
a super nerd by training, and ended up in the IT industry shortly after that,
worked in mining with a bunch of Fortune 500 companies doing these big networks
and getting exposed to all of this kind of Fortune 500 stuff. And so how do I
bring this back to small business and how do I help them with it?
Mike Bazar: And so that's kind of when I started my company, like I say, a
decade ago, was trying to solve that problem and bringing these security and
technology solutions back to it. So a lot of experience, spent a lot of time in
the industry and doing that. And then Jon DePerro, who's done a lot of things
he can't talk about.
Jon DePerro: That's not true. I talk about all of them. Nothing's as cool as a
recruiting poster makes it sound.
Mike Bazar: Well, that's it, right? So he was U.S. Army counterintelligence. He
was a special agent. He's a member of the American Bar Association. He's got
two decades in security and risk management. A lot of that was with Army
counterintelligence. And so he's our chief compliance officer. So really, Jon,
we always kind of kid and say he loves and geeks out reading through all these
contracts and other things. But at the end of the day, I think he says it well
in his one line. What he's trying to help everybody do is make informed risk
decisions and really talk about, hey, there's things you have to comply with.
You agreed to this in a contract or whatever that is, looking through those and
identifying that and helping them figure that out, and then bringing that back
and saying, here's the stuff you agreed to.
Mike Bazar: Here's the agreements that you have, here's the compliance and the
regulation you've got to deal with, and then you can decide what parts to
tackle. And that's where, as a team, we kind of come in and help wrap all that
together. So I don't know if you've got anything to add to that, Jon, but.
Jon DePerro: No, it's hard following that. My degree is in anthropology,
cultural anthropology. No, Mike's got this great technical engineer
background. I'm like, oh, I was in the Army. But yeah, I try to take Mike's
technical and Bo and our team of technical engineers, and I just try and walk
that to what is the human business function that it either enables or
prohibits.
Mike Bazar: Yeah, so kind of who we are as a company, too. Just, again, kind of
hit on this so you guys know where we're coming from and you don't think we're
just a bunch of yahoos running a business out of a closet and don't know what
we're talking about. This is our executive team, you know. So Will and I are
partners in this. Sarah is our COO. Jon, as I mentioned, is our compliance
officer, and then Bo Dickey is our chief security officer. He had a thing come
up today, so he was going to be on as well, but wasn't able to get on. But
point being, we've got a good solid executive team and we continue to build a
team out. I think I counted the other day, I think it's 45 people just on the
technical side. That doesn't include our SOC.
Mike Bazar: We've got several people in the SOC, and then accounting,
management, sales, all the other stuff. So I think we're up to 75 people or
something. So the company continues to grow, and that is evidenced in some of
the awards and things that we've done. Again, not to bore people with it, but
we've got the MSP 501, which is the list of kind of the top 500 MSPs in the
world. We've been on that list for several years. The Inc. 5000, we've been on
the last few years, several kind of regional awards around the Southeast in
terms of best businesses to work for and those sorts of things. And then as you
can see here, we continue to grow. And so the blue is where we currently have
offices, but the yellow is where we've also served clients.
Mike Bazar: We may not have an actual office there, but we serve clients. And
then internationally as well, we've worked with companies that are in the UK,
Costa Rica, the Netherlands, and kind of around the world. And so we've got a
big reach, a big understanding. That's really what we're trying to kind of push
through some of that. We offer a wide range of services, from cybersecurity to
managed IT to different consulting, cloud support, a lot of kind of
as-a-service where we can help even in co-managed situations. I know a lot of
the time when people think of IT providers, MSPs, MSSPs, especially if you're
in-house IT and you're on this call, our job isn't to come steal your job.
Mike Bazar: It's to augment, it's to help take the things off of your plate
that either you don't have the expertise for or don't have the time for, allow
you to focus on things that are more transformational for the business. So
there's a lot of these pieces where we come together in a co-managed kind of
environment and help work through those things. And so we do that a lot. But
then there's also times where, say, maybe you're a smaller firm, 20, 30, 50
users, you don't have or don't need an in-house IT guy, and we can do soup to
nuts, all of the IT, cybersecurity, all those kinds of services.
Jon DePerro: Yeah, another thing I'll just piggyback on that, Mike, is what we
help to do is build the business case around IT. When you're an IT guy looking
for IT tools to solve IT problems, you're always getting to IT budget, right?
And people say, well, I've been in business 20 years without a SOC or a SIEM,
why do I need one today? Right? So it's helping to align the business needs to
where you've got allies within your staff, the sales department, the CFO, other
people saying, oh hey, I don't care what it costs, we really need the SOC and
SIEM. How do we elevate the discussion from IT tools to solve IT problems to
enabling business risk management or business?
Mike Bazar: Exactly. As a bonus, if you guys want in on this, you scan that QR
code, it'll take you over. So Will, that's our CEO, he wrote this new book, The
Compliance Formula. I think probably Jon wrote most of it and then Will just
for it. I'm just kidding. But anyway, so that book is out; the QR code will
take you to Amazon. So if you're looking for CMMC-compliant strategies, that
book's out there. But also keep in mind, a lot of the time the strategies to
be compliant with, say, you don't need CMMC, the strategies across a lot of
compliance are the same in terms of how you build those processes. So getting
into the meat and potatoes of this thing: what is a SIEM and what is a SOC?
Mike Bazar: And so SIEM stands for Security Information and Event Management,
which is just a big word for saying it's software that aggregates data. And
then SOC stands for Security Operations Center. And so in the next couple of
slides here, we'll kind of go through that. So SIEM really is a software
solution that's collecting, aggregating data. And so what it is, if you think
about it right now, before SIEMs were readily available, you had a firewall and
you had a bunch of logs there. And you have desktops, and you have a bunch of
logs there. You have servers, you have logs there; you have applications, you
have logs there. And if I really wanted to see what's going on, I had to go
look through all of those different things to try to pull data together. And
so SIEM is an application that does that for you. Right.
Mike Bazar: It integrates into all of these different solutions. It pulls all
of this data and aggregates it into one spot, which gives you significantly
better visibility into a lot of things. Some of it's performance related,
right? If we're pulling logs and data, I can see across a server farm or a set
of virtual servers what the usage and the loads are. And then that can even
lead into the security piece of: we can look through all these logs for
security, but we could also look for sudden, weird changes in the way a server
is running and functioning and the amount of RAM it's using, its CPU. Those
spikes and things could indicate changes. Disk I/O jumps up, a bunch of reads
and writes, that could be somebody encrypting a bunch of files if that's not
normal, and that could be ransomware.
Mike Bazar: So there's a lot of these different pieces that get pulled together
that individually, it'd be really hard. Like if I asked Jon to go collect all
of that data individually, by the time he collects the data, the security
damage is done, the other things are done. It's hard to correlate what that
moment in time was around a performance issue. And so while we're focusing on
security as we talk through this, also keep in mind that a lot of the time, a
SIEM can also just be used for performance monitoring, seeing what else is
going on, and just the way you're collecting a lot of those logs and other
stuff. There's other applications that are built for some of the performance
monitoring specifically, but you can pull all these different pieces together
to help figure out what that is.
Jon DePerro: Yeah. Another way I would say that, for anyone who may not be as
technical on the call, is when I was an Army counterintelligence agent, bad
things would happen and we'd investigate and we'd figure it out. And then part
of that was always looking backwards. What would have indicated, you know, if
Mike's a big spy and he goes to China and gives up all our secrets, what about
Mike the year two, three, four prior? Should we have noticed, right, his
overspending on hair products? Maybe. It's a lot of looking backwards to say,
what should we have been looking at to catch this before it happened? Well,
that's what we talk about analyzing in the SIEM. The industry is always looking
at attacks, what we call attack vectors, and they're always looking at attacks
after the fact, saying, well, what would have been an indicator?
Jon DePerro: So the SIEM takes all
that information from literally around the globe as we learn about attacks and
what that signature looks like, and it starts saying, am I seeing any of that
in these logs?
Mike Bazar: Right?
Jon DePerro: The other thing that a SIEM helps us do is, when Mike talks about
network operations, we establish a baseline of what is normal, right? What's
normal? Is it normal for your computers to spike usage every day at three?
Maybe that's when you upload your sales. Like, we don't know, but we figure out
what normal is for you, and then we just sit there looking for abnormal. And
it's really that simple, right? If normal is this much usage of your server
and it spikes to this, that's abnormal. Right? So two things: analyze based on
old attacks that have happened in the past, and then look for abnormal, and
then...
Mike Bazar: That leads into SOC. So the SIEM is a tool and a SOC is a group of
people, is usually what it is. Right. And a SOC will use a bunch of different
tools, and a big one is the SIEM. And the SOC is the actual security
professionals who are behind that. They're monitoring, responding to the
security incidents, and they're typically going to use the SIEM to detect and
respond to those threats. Exactly what Jon was just talking about. They're
looking for the abnormal. They're pulling all of those pieces in. And we'll hit
on that a little bit more kind of as we go. But that's the primary difference,
right. You can't have, like, a SIEM by itself is worthless, because I can
collect a whole lot of data and stack it in the corner and do nothing with it.
Mike Bazar: But if I have a whole SOC and I don't have a way for them to get
the data, well, then that SOC is really inefficient and I have to have a lot
more people. And labor is a very high cost in that. Right. And so if you start
looking at those things, you really need those things to work together to
really run an appropriate SOC and really do the data collection and really do
what you want in terms of how to respond and talk through that. Like I said,
we've got some slides that kind of get into how they're used here in a minute.
Looking at this, right. So why do you need a SIEM?
Mike Bazar: And that's kind of what we're talking to. That's why I say you'll
see a lot of crisscrossing that happens in here, but in today's threat
landscape, it's more important than ever to get more and more visibility.
That's the thing that we're constantly trying to push into. How do we get more
and better visibility across the industry, across the network? You have people
working from home. You have all these other things that are going on. And so it
becomes really important to try to figure out what's going on. And so you need
something that can help aggregate that data, give you better visibility into
this kind of changing landscape of bring your own device and working from home
and all these disparate people and more cloud applications.
Mike Bazar: And as we have destroyed the walled garden, right: you came into
the office, I could build a perimeter, I could protect the stuff that was in
there. You weren't supposed to take the data out. That walled garden got kicked
down very quickly in COVID and continues to get kicked down and rebuilt and
redefined and everything else. So you need something in this changing landscape
to help pull all those pieces together so that you can, number two there,
detect, right? You really want to figure out and analyze and look at what's
going on and detect what's going on. And then how do you identify those
threats? How do you identify what's going on to continue to help you, from not
only just protecting your data, but from a compliance perspective?
Mike Bazar: I truly believe the more we get into this, the more your
cybersecurity becomes a selling point. It'll become a market differentiator.
It's going to be something that you can talk to people about because you secure
your data, because you treat it in a different way, because you can prove that
you're compliant. That gets more and more important as time goes on, because
every state now has data privacy laws. For the federal government, it's only a
little bit of time before they catch up to Canada and GDPR and the EU and all
these other things.
Mike Bazar: And so, as you have all these compliance regulations come down,
it's going to be a bigger and bigger deal, because a lot of it's going to get
forced through, say, the Department of Defense, and maybe you're not directly
working with them, but you're going to work with a vendor that works with them,
and they're going to start having to enforce these things to be able to do
business with the government. All of these things that will happen. So you're
going to start seeing more and more of this get pushed down out to industry,
and it's going to start from certain points. I mean, it's already happening.
It's not that it's going to; it's just you might not have noticed it yet, but
it's changing, and it's changing very quickly. So that gets into some of this.
Why do you need a SIEM?
Mike Bazar: Is because you have to be
able to start dealing with these things. And it gets really hard to do
that without the right tools.
Jon DePerro: And even at a simpler level, I mean, forget the DoD and forget
all that. If data is critical to your business, you should know what's
happening with it. If you can't do your business without data, then you've got
to have a plan for how to protect your data, how to recover your data. And
we're not going to talk about recovering and those other things today. But a
SOC and a SIEM is the very front of understanding what's happening with your
data, right? It's looking for changes, looking for people who may be trying to
steal, ransomware, lock down your data. So I ask business owners all the time,
what information, if it just went away, right? Like Mike's a business owner,
right? What information, if I just deleted it, would affect your business?
Jon DePerro: If you don't have a SOC and SIEM looking at the places that
store, process, and transmit that data, you can't answer the question: where
is your data and who's using it and how?
Mike Bazar: Right?
Jon DePerro: So forget government regulation. And I know this sounds weird
coming from the compliance guy, okay? Who cares? The very first step is, if
data is critical to your business, you have to understand where it is, how it's
being used, and how to get it back. And SOC and SIEM are critical to that
answer. Second is you're going to get sued by lawyers way before the government
gets to you if I give you my data and you don't protect it. The class action
suits are pre-COVID. It was Sony and Target and big companies getting hacked
and dealing with lawsuits. And they got better at cybersecurity, and the
ransomware-as-a-service, the hackers, the bad guys have learned small, medium
business are wide open. They have just as much data and they're more likely to
just throw 50 or 100 grand at getting it back.
Jon DePerro: In the news today, for those of you watching this live, a Las
Vegas casino shut down. A bazillion dollars lost a minute. Like, these numbers
are so big we can't fathom. Yeah, but when you actually look at the total
aggregate for the year, the Las Vegas losses right now pale in comparison to
what's happening to small and medium businesses around the country.
Mike Bazar: Yeah, no, they just get hit a lot more often. So the benefits of a
SIEM and SOC, and this gets pretty straightforward here, right? It's improved
visibility into your security posture. If you don't know what's going on, you
don't know what you don't know. So if you know more information, you get better
visibility. That leads to the second point there, which is you reduce your risk
of data breaches because you get faster detection of threats and other things.
And back to what Jon said earlier, you can start looking for anomalies ahead of
time. So you can start looking for, hey, this last security event, and maybe it
wasn't a full-on breach, but the last security event, here are the preceding
indicators.
Mike Bazar: Let's start looking for those first so that we can try to go back
and look and stay ahead of that. And those are the things that you really start
looking at, which leads to, I can't talk, increased compliance and overall
efficiency in your security operations, because again, this comes down to a
dollar figure a lot, right? Like, that's what it is: what's the budget? And if
you have a good tool and you can be efficient, you can do this for less money.
But it's a bear, and we'll keep talking through that, but it's a bear to go
through, set it all up, and deal with all of it. So the real benefit of the
SIEM and SOC is to start pulling all this together. And I think, too, it's
important to say, and Jon kind of hit it.
Mike Bazar: A lot of people aren't worried about, say, a HIPAA law, right, in
terms of, and I'm not saying that flippantly or whatever, but you go and look
and it's what, 30 or 50 people got dinged for HIPAA last year. There's not a
lot of them that got dinged for it. But as the lawyers see dollars, they're
going to come out and start suing everybody they possibly can if they think
they're out of compliance with the law, because there's dollars in that. And
that's what's going to drive a lot of this, too, is these lawyers and these
lawsuits are going to come out and start chasing people down because there's
money, right? They chase doctors right now for ambulance chasing and all the
other stuff. And it's not long, and it's already starting to happen. How do we
start chasing cybersecurity breaches?
Mike Bazar: How do we start chasing these things and saying, you didn't
comply, you didn't do this, you didn't do that. And that's what's going to
force it, not the government regulator. It's going to be the lawsuits that come
out because you had the data breach, and then they're going to trace that back
to regulation that you're supposed to meet for the basis of the lawsuits.
Jon DePerro: Yeah, I talk to lawyers literally every week of my life. I serve
on a committee for the American Bar Association on privacy and cybercrime. And
there are some lawyers that are chomping at the bit, drooling over the fact
that the world is learning what negligence is, right. If you simply don't
protect your environment and it's lost, the victims can get lost. And a lot of
people are not thinking about the true source of these lawsuits. They say,
well, I don't have credit cards and I don't have people's Social Security
numbers. We're good. Don't you? What does an employer actually have on their
own employees? You know everything about your employees. You have everything
you need to set up a whole new fake identity in your employee's name, right,
and you have their medical information, you have benefits information. You
know everything about your employees, data-wise.
Jon DePerro: And that's what's being
compromised. That's the new big hot thing is go after people's employee
data, right? And then resell that on the market.
Mike Bazar: And I'm saying, to tie it to the SIEM and SOC discussion, right?
That's where, if you have the SIEM and the SOC, you can analyze that data. You
can look at that and you start looking and saying, hey, Susie accesses this
data. Bob never does. Why did Bob just access that data? He's not supposed to,
right? And with SIEM and SOC, you can start pulling that together and looking
at it. Because the truth is, and this is why you need a SIEM, is you can't have
somebody look at those 24 hours a day, but you can have software. You can have
AI. You can have them look at it, and they can feed it to a SOC that can make
sense out of those alerts as they come back up.
Mike Bazar: And so this is why you need to have the SIEM and SOC in your
business, right? Cyberattacks are more sophisticated, more frequent, to what
Jon was just saying. They're coming after your employee data. They're coming
after what can I use for a fake identity. Sometimes, I'm still trying to figure
this one out. We got a request the other day for a school. They wanted to
basically buy $200,000 worth of laptops, and this just happened last week. So
an email comes in, says, hey, we want to get this. Somebody's emailing back and
forth, good English, whatever. Turns out it was a hacked account. So they had a
legitimate email account they hacked from this school and they were sending in
a request. It's the right time of year, they're buying equipment, all of the
things line up. And then they started asking for terms.
Mike Bazar: And that's what threw the
immediate red flag up, right? And they started saying, hey, we need it
delivered in two weeks. We won't pay you for 30 days. We're like,
no. Those conversations instantly start throwing the red flag, but everything
else felt better than it was. Skeptical, but going back and forth in
it. So we end up calling the school, and this is the part I can't figure
out, because the first couple of times we called, we got voicemail. Then
when we called about a week later, we actually got their phone attendant, and
it was the same phone number. So we're trying to unravel some of those
pieces.
Mike Bazar: But at any rate, turns out they did have somebody that did get
their email hacked, and the bad guys were sending out emails, and as they dug
through it, somebody else had shipped them $130,000 worth of laptops. They
haven't gotten it yet, but somebody shipped it out. So that's the part I can't
figure out. Usually they're trying to get you to ship it to a bogus location,
and they're going to go sell those on eBay or overseas or whatever. They're
going to flip the laptops and make the money and screw you by not paying you.
But this one, it looks like the laptops are shipping directly to the school.
That's the part I can't figure out, because I get the stealing the laptops. I
can't figure out why they would let the laptops ship to the school.
Mike Bazar: But anyway, that cyberattack is more sophisticated, better.
Better English, didn't have the normal indicators. They're getting better and
better at doing these things and hacking accounts and everything else. And so
you need to be able to stay ahead of and identify those things. Because we
didn't lose any money, we didn't have anything, we had stuff in place to make
sure of that. But what's the reputation damage potentially for that school, if
all these vendors are sending them equipment or jerking them around or
whatever? Now that's going to be harder to build trust with those vendors. And
if they were local vendors, do I know you're hacked? There's a lot of
potential issue that comes out of that.
Jon DePerro: Second, the insurance company for the vendor that sent them could
be filing a lawsuit saying, your email. So, not again, a whole thing about
agency, applications functioning on behalf of users, that's a whole deeper dive
into security and compliance. But what is an email? It's a message, it's a
communication from my organization to yours. And it's coming from the
organization it's coming from, @compromiseschool.com, or I should say, right.
So I'm not saying that you'll win. I'm not saying you'll lose. I am saying
you'll be in a lawsuit. That's how lawsuits work. They name everybody, then
they peel back the layers of liability like an onion to figure out who's going
to pay.
Mike Bazar: And so if nothing else,
it's a distraction, right? Like even if you win the lawsuit, an expensive
distraction.
Jon DePerro: That's it, an expensive distraction.
Mike Bazar: So those are the kinds of things, if you have the SIEM and SOC in
place and you're looking at that, you can say, hey, this lady logged in from
this area and then instantly, or a minute later, she logged in from 100 miles,
500 miles, 1000 miles away. That's not right. Let's correlate that, look into
that. Let's go figure that out. So if they had SIEM and SOC, they would have
picked that up and it would have been no harm, no foul. Somebody stole their
password, they logged in, and then they got found out and kicked out. Right?
Like, that's no harm, no foul. That's what it's going to be. And so that's that
other stat: in 2022, 623,000,000,000 cyberattacks worldwide. There's some crazy
statistic I heard the other day, and I think it's like Microsoft.
Mike Bazar: I think there's like 100 million, or maybe it's 300 million. It's
a huge number of fraudulent login attempts every day against Office 365. And
the number is the same for Google, and the number's the same for... there's
tons of these attempts where people are trying to break into mailboxes and
other things and do what I just talked about. So the SIEM and SOC together can
help you respond to and detect those events. Pull that down. And then why you
want it is because of the attacks in the bottom, right? You want to reduce
your risk, you want to reduce the distractions, you want to reduce your
liability, you want to reduce all those other things. That's why you're doing
it. You don't want to do SIEM and SOC because you just feel like it.
Mike Bazar: You want to do it because there's a legitimate business impact on
the other side, and that's what you're trying to do. And then the other piece
of that as well that fits in there is compliance with standards and other
things. If you have SIEM and SOC, it's a whole lot easier to say we did these
things and we can prove it, if you're monitoring those, if you're looking for
that, those kinds of things that can happen around it. So how to choose a SIEM
and SOC, right? This gets into the next steps of, like, okay, well, now what?
Right? If I know I need it, what do I need to do?
Mike Bazar: So the first one, and I think there's a lot that feeds into this,
and so even though it's only a couple of lines of the consider, right: what's
your organization size, your budget, your security needs. Really, that needs
to be driven by your size, your growth and your security needs; that'll
determine the budget. And the reason why I say that is, as you start evaluating
and being scalable and looking for easy, those things are going to impact the
budget, and those become the needs.
Mike Bazar: If you have a one-man shop and you want to put in SIEM and you
don't want to hire somebody like us to help you do that, then you need a more
expensive, more complicated, more difficult to set up... unless you're paying a
lot more money, then it might be an easy-to-set-up system with better AI and
tools and everything. Because one guy can't do it by himself. He just can't.
That's the goal. That's what you're trying to do. You're going to need way more
budget for that tool, right? And so you really start looking at what are the
securities, what do we have available to us? And then that's determined by your
organization size and what your budget is. You can go out and look at different
solutions for SIEM and SOC.
Mike Bazar: Again, there's a whole lot of different tools that are out there.
And if you just Google SIEM and SOC, you're going to see all of the different
options out there, from little niche players up to big guys like Splunk that do
these huge things and integrate into everything. And Splunk's been around for a
long time but is also really expensive. And then the scalable piece of that,
too, is what do you want to monitor, what does it look like? Because when you
start going to guys, especially big guys like Splunk and everything else, your
ingress and egress data becomes a real cost. How much data do you collect? How
often do you collect it? Where are you sending it? All of those requirements,
to go back to the security needs, start impacting the cost.
Mike Bazar: And then the easy is, how easy is it going to be to deploy, manage
and use? And I will just tell you it's never easy. Like, you can find easier.
But there is no easy button in doing SIEM and SOC. It is generally difficult
and hard to do because you're doing a lot, right? You're pulling data from
multiple different sources, pulling it in, trying to analyze it, again to what
Jon said earlier: what happened in this hack? What happened in this breach?
How do I fine-tune this, how do I detect earlier? All of those things become a
full-time job to really deal with this. And then the reputation, who's got a
good reputation or track record, that really becomes important in the SOC as
well. Because now you're talking about who's going to use that data and
respond, what's their reputation, what's their size.
Mike Bazar: And this isn't something where I want to go knock it, because I
started out as a small shop. I started out as a one-man band. I started out as
that. But if you want to entrust true high-level security, SIEM and SOC, this
kind of stuff we're talking about, a one-man shop has a harder time doing that,
right? You need to get some scalability in that, or they can outsource it. And
that happens, right? And that's not necessarily a bad thing, but you want to
make sure you look at that. What's the reputation? How are they dealing with
it? If it's a smaller company that is your current IT provider and they say
they can do this, well, who are they using and how are they outsourcing it?
Mike Bazar: That becomes a real
legitimate question because if they say we're doing it internally and there's
two guys, they can't do that well. Now, they can use a third-party service, and
that's okay. And there's a lot of these guys that do it because once you
build the tool, it's a lot more scalable and easy to aggregate the
data. And bringing on an extra 100 endpoints or 200 or 500 endpoints when
you're managing 50,000 is easy, comparatively. But if you're the guy
trying to set up the first 500, it's super difficult.
Mike Bazar: And so when you really
start looking at this, you need to ask a lot of those questions and start
looking at who's doing it, who are they running, who are they using, what's it
look like in the back end, asking some of those different questions and those sorts
of things so that you know what's going on with them. So as we keep moving
through here, we want to talk about running a SIEM and SOC. And I kind of
mentioned that before, right? The first thing you're going to do is you
want to collect all the data. So how do we dump all this data in, collect
it, and then normalize it? Because it's coming from different systems, and
I need to correlate it so that we can analyze it, which is step three, and then
use it to generate alerts.
Mike Bazar: All of these things come
together, and at some level that sounds easy, but at another level, I can tell
you it's incredibly difficult because you're having to try to figure out what are you
going to collect it from, how are you going to use it, how are you going to
normalize it? So the way you need to do it is you set up all this data
collection, then you figure out how to make it pull together and interpret
data. If you've ever done that, trying to run financial reports against
operations, KPIs, that can be a big bear to try to struggle to get all that
together. And again, back to the previous slide.
Mike Bazar: The SIEM that you use will
help with some of these, but you're probably going to pay a trade-off cost
to find things that will help you collect, normalize, analyze, and then generate
the alerts. If you have the alerts, that now goes over to the SOC, and the SOC
now will use those alerts and they'll investigate it; they're going to be
looking at what those alerts are. They're going to determine: is it a real
incident, is it something that's not? Maybe somebody's traveling and they hopped
on an airplane. And so that login that happened was because of a VPN or
because of the airplane, they connected to the airplane's WiFi 20 minutes after
they were in the airport.
Mike Bazar: And that created a weird
alert, but they can dig in and look at that and put intelligence behind it
instead of just some of the alerts, they can respond to it. So in the case
of that school that we were talking about earlier, they could go to that user and
say, we need to reset your password. We need to make sure your two-factor is
turned on. We need to do these other things. Maybe it's deploying
extra security measures or changing policies or whatever it is, but you can go
out and respond to that. Then you want to document that as
well. Because again, going back to the compliance side of it, what if a
lawsuit happens? What if something else happens? You need to make
sure you have documentation around all of that so you continue to learn.
Mike Bazar: You can defend yourself if
you have to, against lawsuits down the road showing that you were responding to
these events, those sorts of things. And that last dot there is it's
complex, right? Doing this internally, doing this with a small shop, it's
hard and it's complex. And you want to get the right people doing it to
have the right set of expertise across multiple platforms to be able to pull
all this together. And so that's why, shameless plug in all this, we
have that team. We have those things and those pieces. I'm not saying
you can't go do it on your own, but we have those things. And so if you're
looking at how do we roll it out, how do we deploy it, how do we use
it, one, we can help you, right?
Mike Bazar: If you're a larger
company, again, those co-managed deals, we can come in and help you do that,
help you manage it. Or we can be a layer that you add on that can kind of
abstract this off of you so you can focus on the other things, and we can help
just bring the alerts and the responses and what's going on so that you know
what's going on, and do all the documentation on the hard parts. So
additional things, or additional tips, for running a SIEM and SOC,
right? You've got to update it. You're constantly going to have to
update it with security signatures, the latest threat intelligence, updating
it, training it, doing what John was talking about earlier. How do we
identify those hacks and those things earlier? What are we going to look
at?
Mike Bazar: We're going to have plans
for responses in terms of how do we respond to a security incident, how do we
continue to monitor and how do we be proactive? Right? So it's this
constant, ongoing cycle that you're going to be running through of we need to
update it, then we need to train more, then we need to train people, then we
need to update the structure, then we need to change monitoring. Now, how
do we be proactive? And it just becomes this constant, ongoing
cycle. And when you're deploying and putting these pieces in place, you
need to think about that and how you're going to use those kind of going
forward and wrapping it around. The other big factor we see a lot of it
when you're looking at it, is who are you going to hire to run it?
Mike Bazar: And so you need to be
looking at their experience. Do they have an understanding of security
concepts and procedures and the compliance pieces? Because I may be really
great at cybersecurity, but if I have no idea what industry standards or government
standards that you need to comply to, I might not be building that into the SIEM
and SOC. So you need both of those pieces a lot of the time to really be
able to build that correctly. And so then you've got to look too at the skills
and how good are they at problem solving, rolling these things out,
accomplishing these tasks, rolling these projects out. Can they work
24/7? Again, this gets back into when you do it in house, like having a
SOC or
Mike Bazar: a SIEM is great, but if
you don't respond to alerts for 12 hours of the day because you're sleeping,
that's when the bad guys are going to go act. They know these things, they
look at these things, they realize when the team is on and off, and that's when
they start doing. And then you want to make sure who you're looking for
has relevant security certs and those kinds of things. Point being, and
this is not necessarily always easy and it's not always one person, if you
really want to pull all these skills and pieces and everything together, that's
why it can be really good to go look for how you can find somebody to
help. So the latest threats, and looking at some of that, is really looking
at security as a complex, ever-changing landscape, so it can be difficult to
manage.
Mike Bazar: And so this is why you
really want to look for, when you're hiring people, is it in house or is it
somebody that you're using outsourced? And why we say an IT company or
somebody that specializes in this is better is we know these latest threats. We
spend more time with the expertise and experience, pushing people to train,
running 24/7, doing those things. And outsourcing some of this, or having
somebody come in beside your team to do these can really help make that be an
easier thing and really be more proactive around it and give you more peace of
mind as you go through it. The big thing is, if you guys want to contact
us today, we can help talk through this, right?
Mike Bazar: Whether it's help planning
a project, whether it's help talking with your internal team, doing more
experience, or if it's something that you want to bring us in to take it over,
we're happy to help scope and look through that. We've got a real proven
track record of doing and implementing these solutions. We've got an in-house
SecOps team, multiple people on that team, so that we can respond to the
availability and what you're looking for. And then we always are running
reports and generating data and giving that back to you. So you've got the
data to show what we're doing and how and why and everything else. So,
the average cost in 2021 of a data breach was $4 million, to John's point
earlier.
Mike Bazar: A lot of time that seems
like big numbers, but the point is they cost and they can cost a lot of money
and they usually cost more than you think. 25% of data breaches involved
wrongly configured or failures of SIEM and SOC. So that's a big deal to
make sure you got somebody doing that. IBM found that organizations that
have SIEM in place can reduce the cost of a data breach by up to half. So
that's a really big deal when you start talking about how do we cut these costs
and those sorts of things. And then Verizon found that organizations that
have a SOC in place reduce the mean time to detection by 20% and the recovery
time by 30%. That's real dollars when you really start talking about how
do you reduce these impacts.
Mike Bazar: So with that, I don't know
if anybody has any questions. I know we've got a stop coming up here, so
if anybody's got any questions, we're happy to answer. But if not, then
what I would encourage you guys to do is shoot over an email to info@vectorchoice.com.
You can direct it, you know, in the subject line, put that you were on this, you know, you've
got a question for me or for John DePerro, and we can certainly help you
with that. Or you can give us a holler and talk to us, but we're happy to talk
about that. And then you can also see we've got multiple different
webinars. When we do these, we put up recordings, so we'll put this recording
back up, so you can go to vectorchoice.com webinars to see upcoming webinars and
ones in the past and everything else.
Mike Bazar: So, yeah, with that, happy
to have all you guys on here and thank you for all being on and yeah, let me
know if you guys have any questions.
Jon DePerro: Hey, bye,
everybody.
Mike Bazar: All right, appreciate
everybody. Bye.