SIEM & SOC: What Are They? Why Do I Need Them For My Business? - Webinar
Mike Bazar: Good morning or afternoon
or whatever it might be, wherever you are. I'm traveling. I'm in
Denver right now and normally in Central Time, I'm in Mountain Time, and people
in East Coast are getting real close to that lunchtime. And so anyways,
glad to have you guys on this webinar. And so what we want to go over
today is really to talk about SIEM and SOC and what are they, why do you need
them in your business? This and I'll say that SIEM and SOC can seem really technical, and the truth is on
the back end they're incredibly technical and they can be very difficult to
wrap your head around.
Mike Bazar: So we're going to try to bring this down as much as we can to talk about it and get it as digestible and understandable as possible in terms of what the real impact is for your business and what that really looks and feels like for you. The other thing I would say is you guys have questions, please. We've got a Q and A and so put them in there and we'll make sure to catch those at the end. We might not catch them all as we go along, but we'll certainly try to catch them at the end. So if you guys have questions, please click those in. So kind of hitting on a couple of things. First things first, who am I? Why do you want to listen to me?
Mike Bazar: I'm the CTO here at Vector Choice and partner with Will in it. So I started an MSP I don't know a decade ago in round number. Will and I have known each other for a while and we decided to merge this year and create the kind of new Vector Choice. So we've done that. But I've got a mechanical engineering degree. Went to school at the Colorado School of Mines, where I was a super nerd by training, and ended up in the It industry shortly after that, worked in mining with a bunch of Fortune 500 companies doing these big networks and getting exposed to all of this kind of Fortune 500 stuff. And so how do I bring this back to small business and how do I help them with it?
Mike Bazar: And so that's kind of when I started my company, like I say, a decade ago, was trying to solve that problem and bringing these security and technology solutions back to it. So a lot of experience, spent a lot of time in the industry and doing that. And then Jon DePerro, who, he's done a lot of things he can't talk about.
Jon DePerro: That's not true. I talk about all of them. Nothing's as cool nothing as cool as a recruiting poster makes it sound.
Mike Bazar: Well, that's it, right? So he was us. Army counterintelligence. He was special agent. He's member of the American Bar Association. He's got two decades in security and risk management. A lot of that was with army and counterintelligence. And so he's our chief compliance officer. So really Jon, we always kind of kid and say he loves and geeks out reading through all these contracts and other things. But at the end of the day, I think he says it well in his one line. What he's trying to help everybody do is make informed risk decisions and really talk about, hey, there's things you have to comply with. You agreed to this in a contract or whatever that is, looking through those and identifying that and help them figure that out, and then bringing that back and saying, here's the stuff you agreed to.
Mike Bazar: Here's the agreements that you have, here's the compliance and the regulation you got to deal with, and then you can decide what parts to tackle with. And that's where as a team, we kind of come in and help wrap all that together. So I don't know if you've got anything to add to that, John, but.
Jon DePerro: No, it's hard following my degree is in anthropology, cultural anthropology. It does be no, Mike's got this great technical engineer background. I'm like, oh, I was in the army. But yeah, I try to take Mike's technical and Bo and our team of technical engineers and I just try and walk that to what is the human business function that it either enables or prohibits.
Mike Bazar: Yeah, so kind of who we are as a company too, just, again, kind of hit on this so you guys know where we're coming from and you don't think we're just a bunch of yahoos running a business out of a closet and don't know what we're talking about. This is our executive know, so Will and I are partners in this. Sarah is our COO. John, as I mentioned, is our compliance officer and then Bo Dickey is our chief security officer. He had a thing come up today, so he was going to be on as well, but wasn't able to get on. But point being, we've got a good solid executive team and we continue to build a team out. I think accounted the other day, I think it's 45 people just on the technical side that doesn't include our SOC.
Mike Bazar: We've got several people in the SoC and then accounting, management, sales, all the other stuff. So I think we're up to 75 people or something. So the company continues to grow and that is evidenced in some of the awards and things that we've done. Again, not to bore people with it, but we've MSP 501, which is the list of kind of the top 500 MSPs in the world. We've been on that list for several years. The Inc 5000 we've been on the last few years, several kind of regional awards around the Southeast in terms of best businesses to work for and those sorts of things. And then as you can see here, we continue to grow. And so the blue is where we currently have offices but the yellow is where we've also served clients.
Mike Bazar: We may not have an actual office there, but we serve clients. And then internationally as well, we worked with companies that are in the UK, costa Rica, Netherlands and kind of around the world. And so we've got a big reach, a big understanding. That's really what we're trying to kind of push through some of that. We offer a wide range of services from Cybersecurity to managed It, to different consulting, cloud support, a lot of kind of as a service where we can help even in co-managed situations. I know a lot of the time when people think of it providers MSPs. MSSPs. Especially if you're in house it and you're on this call, our job isn't to come steal your job.
Mike Bazar: It's to augment it's to help take the things off of your plate that either you don't have the expertise for don't have the time for allow you to focus on things that are more transformational for the business. So there's a lot of these pieces where we come together in a comanaged kind of environment and help work through those things. And so we do that a lot. But then there's also times where, say, maybe you're a smaller firm, 20, 30, 50 users, you don't have or don't need an in house It guy and we can do soup to nuts, all of the It cybersecurity, all those kinds of services.
Jon DePerro: Yeah, another thing I'll just piggyback on that Mike, is what we help to do is build the business case around It. When you're an It guy looking for It tools to solve It problems, you're always getting to It budget, right? And people say, well, I've been in business 20 years without a SOC or a SIEM, why do I need one today? Right? So it's helping to align the business needs to where you've got allies within your staff, the sales department, the CFO, other people saying oh hey, I don't care what it costs, we really need the SOC and SIEM. How do we elevate the discussion from It tools to solve It problems, to enabling business risk management or business?
Mike Bazar: Exactly. As a bonus, if you guys want on this, you scan that QR code, it'll take you over. So will that's earlier CEO, he wrote this new book, the compliance formula. I think probably John wrote most of it and then will just for it. I'm just kidding. But anyway, so that book is out QR code take you to Amazon. So if you're looking for CMMC compliant strategies, that books out there. But also keep in mind a lot of the time the strategies to be compliant with say you don't need CMMC. The strategies across a lot of compliance are the same in terms of how you build those processes. So getting into the meat and potatoes of this thing what is a SIEM and what is a SoC?
Mike Bazar: And so a SIEM stands for Security Information and Event Management, which is just a big word for saying it's software that aggregates data. And then SoC stands for Security Operations Center. And so next couple of slides here, we'll kind of go through that. So SIEM really is software solution that's collecting aggregating data. And so what it is, if you think about it right now, before SIEM were readily available, you had a firewall and you had a bunch of logs there. And you have desktops, and you have a bunch of logs there. You have servers, you have logs there, you have applications, you have logs there. And if I really wanted to see what's going on, I had to go look through all of those different things to try to pull data together. And so SIEM is an application that does that for you. Right.
Mike Bazar: It integrates into all of these different solutions. It pulls all of this data and aggregates it into one spot, which gives you significantly better visibility into a lot of things, some of it's performance related. Right? If we're pulling logs and data, I can see across a server farm or a set of virtual servers what the usage and the loads are. And then that can even lead into the security piece of we can look through all these logs for security, but we could also look for sudden, weird changes in the way a server is running and functioning and the amount of Ram it's using as a CPU. Those spikes and things could indicate changes. Disk I O jumps up a bunch of read writes that could be somebody encrypting a bunch of files if that's not normal, and that could be ransomware.
Mike Bazar: So there's a lot of these different pieces that get pulled together that individually, it'd be really hard. Like if I asked John to go collect all of that data individually, by the time he collects the data, the security damage is done, the other things are done. It's hard to correlate what that moment in time was around a performance issue. And so while we're focusing on security as we talk through this, also keep in mind that a lot of the time, a SIEM can also just be used for performance monitoring, seeing what else is going on, and just the way you're collecting a lot of those logs and other stuff. There's other applications that are built for some of the performance monitoring specifically, but you can pull all these different pieces together and to help and figure out what that is.
Jon DePerro: Yeah. Another way I would say that for anyone who may be not as technical on the call is when I was an army counterintelligence agent, bad things would happen and we'd investigate and we'd figure it out. And then part of that was always looking backwards. What would have indicated, you know, if Mike's a big spy and he goes to China and gives up all our secrets, what about Mike? The year two, three, four, prior. Should we have noticed, right, his overspending on hair products? Maybe he needs a lot of looking backwards to say, what should we been looking at to catch this before it happened? Well, that's what we talk about analyze in the SIEM, the industry is always looking attacks, and we call attack vectors, and they're always looking attacks after the fact, saying, well, what would have been an indicator?
Jon DePerro: So the SIEM takes all that information from literally around the globe as we learn about attacks and what that signature looks like, and it starts saying, am I seeing any of that in these logs?
Mike Bazar: Right?
Jon DePerro: The other thing that a SIEM helps us do is when Mike talks about network operations and just we establish a baseline of what is normal, right? What's normal is it normal for your computers to spike usage every day at three? Maybe that's when you upload your sales. Like, we don't know, but we figure out what normal is for you, and then we just sit there looking for abnormal. And it's really that simple, right? If normal is this much usage of your server and it spikes to this, that's abnormal. Right? So two things analyze based on old attacks that have happened in the past, and then look for abnormal, and then.
Mike Bazar: That leads into SOC. So the SIEM is a tool and a SoC is a group of people, is usually what it is. Right. And SOC will use a bunch of different tools, and a big one is the SIEM. And SoC is the actual security professionals who are behind that. They're monitoring, responding to the security incidents, and they're typically going to use the SIEM to detect and respond to those threats. Exactly what John was just talking about. They're looking for the abnormal. They're pulling all of those pieces in. And we'll hit on that a little bit more kind of as we go. But that's the primary difference, right. You can't have like a SIEM by itself is worthless because I can collect a whole lot of data and stack it in the corner and do nothing with it.
Mike Bazar: But if I have a whole SOC and I don't have a way for them to get the data, well, then that SOC is really inefficient and I have to have a lot more people. And labor is a very high cost in that. Right. And so if you start looking at those things, you really need those things to work together, to really run an appropriate SOC and really do the data collection and really do what you want in terms of how to respond and talk through that. Like I said, we've got some slides that kind of get in how they're used here in a minute, looking at this, right. So why do you need a SIEM?
Mike Bazar: And that's kind of we're talking to that's why I say you'll see a lot of crisscrossing that happens in here, but today's threat landscape, it's more important than ever to get more and more visibility. That's the thing that we're constantly trying to push into. How do we get more and better visibility across the industry, across the network? You have people working from home. You have all these other things that are going on. And so it becomes really important to try to figure out what's going on. And so you need something that can help aggregate that data, give you better visibility into this kind of changing landscape of bring your own device and working from home and all these disparate people and more cloud applications.
Mike Bazar: And as we have destroyed the walled garden, right, you came into the office, I could build a perimeter, I could protect the stuff that was in there. You weren't supposed to take the data out. That walled garden got kicked down very quickly in COVID and continues to get kicked down and rebuilt and redefined and everything else. So you need something in this changing landscape to help pull all those pieces together so that you can, number two there detect, right? You really want to figure out and analyze and look what's going on and detect what's going on. And then how do you identify those threats? How do you identify what's going on to continue to help you from not only just protecting your data, but from a compliance perspective?
Mike Bazar: I truly believe the more we get into this, the more your cybersecurity becomes a selling point. It'll become a market differentiator. It's going to be something that you can talk to people about because you secure your data, because you treat it in a different way, because you can prove that you're compliant. That gets more and more important as time goes on because every state now has data privacy laws. The federal government is only a little bit of time before they catch up to Canada and GDPR and the EU and all these other things.
Mike Bazar: And so, as you have all these compliance regulations come down, it's going to be a bigger and bigger deal, because a lot of it's going to get forced through, say, the department of Defense, and maybe you're not directly working with them, but you're going to work with a vendor that works with them, and they're going to start having to enforce these things to be able to do business with the government. All of these things that will happen. So you're going to start seeing more and more of this get pushed down out to industry and it's going to start from certain points. I mean, it's already happening. It's not that it's going to it's just you might not have noticed it yet, but it's changing, and it's changing very quickly. So that gets into some of this. Why do you need a SIEM?
Mike Bazar: Is because you have to be able to start dealing with these things. And it gets really hard to do that without the right tools.
Jon DePerro: And even at a simpler level, I mean, forget the DoD and forget if data is critical to your business, you should know what's happening with it. If you can't do your business without data, then you've got to have a plan for how to protect your data, how to recover your data. And we're not going to talk about recovering those other things today. But a SoC and a SIEM is the very front of understanding what's happening with your data, right? It's looking for changes, looking for people who may be trying to steal ransomware, lock down your data. So I ask business owners all the time, what information that just went away, right? Like Mike's a business owner, right? What information that if I just deleted, it would affect your business?
Jon DePerro: If you don't have a SOC and SIEM, looking at the places that store, process, and transmit that data, you can't answer the question, where is your data and who's using it and how?
Mike Bazar: Right?
Jon DePerro: So forget government regulation. And I know this sounds weird coming from the compliance guy, okay? Who cares? The very first step is if data is critical to your business, you have to understand where it is, how it's being used, and how to get it back. And SOC and SIEM are critical to that answer. Second is you're going to get sued by lawyers way before the government gets to you if I give you my data and you don't protect it. The class action suits are pre COVID. It was Sony and Target and big companies getting hacked and dealing with lawsuits. And they got better at cybersecurity and the ransomware for service. The hacker, the bad guys have learned small, medium business are wide open. They have just as much data and they're more likely to just throw 50 or 100 grand and getting it back.
Jon DePerro: In the news today. For those of you watching this live, Las Vegas casino shut down. Bazillion dollars lost the minute. Like these numbers are so big we can't fathom. Yeah, but when you actually look at the total aggregate for the year, the Las Vegas losses right now pale in comparison to what's happening to small and medium businesses around the country.
Mike Bazar: Yeah, no, they just get hit a lot more often. So the benefits of a SIEM and SOC and this gets pretty straightforward here, right? It's improved visibility into your security posture. If you don't know what's going on, you don't know what you don't know. So if you know more information, you get better visibility. That leads to the second point there, which you reduce your risk of data breaches because you get faster detection of threats and other things. And back to what John said earlier, you can start looking for anomalies ahead of time. So you can start looking for, hey, this last security event, and maybe it wasn't a full on breach, but the last security event here is the preceding indicators.
Mike Bazar: Let's start looking for those first so that we can go back and try to go back and look and stay ahead of that. And those are the things that you really start looking at, which leads to, I can't talk, increased compliance and overall efficiency in your security operations because again, this comes down to a dollar figure a lot, right? Like, that's what it is, what's the budget? And if you have a good tool and you can be efficient, you can do this for less money. But it's a bear, and we'll keep talking through that, but it's a bear to go through, set it all up and deal with all of it. So the real benefits of the SIEM and SOC is to start pulling all this together. And I think, too, it's important to say, and John kind of hit it.
Mike Bazar: A lot of people aren't worried about, say, a HIPAA law, right, in terms of and I'm not saying that flippantly or whatever, but you go and look and it's what, 30 or 50 people got dinged for HIPAA last year. There's not a lot of them. They got dinged for it. But as the lawyers see dollars, they're going to come out and start suing everybody they possibly can if they think they're out of compliance with the law, because there's dollars on that. And that's what's going to drive a lot of this, too, is these lawyers and these lawsuits are going to come out and start chasing people down because there's money, right? They chase doctors right now for ambulance chasing and all the other stuff. And it's not long and it's already starting to happen. How do we start chasing cybersecurity breaches?
Mike Bazar: How do we start chasing these things and saying, you didn't comply, you didn't do this, you didn't do that. And that's what's going to force. It not the government regulator. It's going to be the lawsuits that come out because you had the data breach and then they're going to trace that back to regulation that you're supposed to meet for the basis of the lawsuits.
Jon DePerro: Yeah, I talk to lawyers literally every week of my life. I serve on a committee for American Bar Association on privacy and cybercrime. And there are some lawyers that are chomping at the bit, drooling over that the world is learning what negligence is, right. If you simply don't protect your environment and it's lost, the victims can get lost. And a lot of people are not thinking about the true source of these lawsuits say, well, I don't have credit cards and I don't have people's Social Security numbers. We're good. Don't you? What does an employer actually have on their own? Employees. You know everything about your employees. You have everything you need to set up a whole new fake identity in your employee's name, right, and you have their medical information, you have benefits information. You know everything about your employees, data-wise.
Jon DePerro: And that's what's being compromised. That's the new big hot thing is go after people's employee data, right? And then resell that on the market.
Mike Bazar: And I'm saying to tie it to the s SIEM and SOC discussion, right? That's where if you have the SIEM and the SOC, you can analyze that data. You can look at that and you start looking and saying, hey, Susie, accesses this data. Bob never does. Why did Bob just access that data? He's not supposed to, right? And with SIEM and SOC, you can start pulling that together and looking at it. Because the truth is, and this is why you need a SIEM, is you can't have somebody look at those 24 hours a day, but you can have software. You can have AI. You can have them look at it, and they can feed it to a SOC. That can make sense out of those alerts as they come back up.
Mike Bazar: And so this is why you need to have the SIEM and SOC in your business, right? Cyberattacks are more sophisticated, more frequent to what John was just saying. They're coming after your employee data. They're coming after what can I use for fake identity sometimes? I'm still trying to figure this one out. We got a request the other day for a school. They wanted to basically buy $200,000 worth of laptops, and this just happened last week. So email comes in, says, hey, we want to get this. Somebody's emailing back and forth, good English, whatever. Turns out it was a hacked account. So they had a legitimate email account they hacked from this school and they were sending in a request. It's the right time of year, they're buying equipment, all of the things line up. And then they started asking for terms.
Mike Bazar: And that's what threw the immediate red flag up, right? And they started saying, hey, we need it delivered in two weeks. We won't pay you for 30 days. We're like, no. Those conversations instantly start throwing the red flag, but everything else felt better than it was. Skeptical, but going back and forth in it. So we end up calling the school, and this is the part I can't figure out, because the first couple of times we called, we got voicemail. Then when we called about a week later, we actually got their phone attendant, and it was the same phone number. So we're trying to unravel some of those pieces.
Mike Bazar: But at any rate, turns out they did have somebody that did get their email hacked, and they were sending out emails that the bad guys were and as they dug through it, somebody else had shipped them $130,000 worth of laptops. They haven't gotten it yet, but somebody shipped it out. So that's the part I can't figure out. Usually they're trying to get you to ship it to a bogus location, and they're going to go sell those on ebay or overseas or whatever. They're going to flip the laptops and make the money and screw you by not paying you. But this one, it looks like the laptops are shipping directly to the school. That's the part I can't figure out because I get the stealing the laptops. I can't figure out why they would let the laptops ship to the school.
Mike Bazar: But anyway, that cyberattack is more sophisticated, better. English didn't have the normal indicators. They're getting better and better at doing these things and hacking accounts and everything else. And so you need to be able to stay ahead of and identify those things. Because we didn't lose any money, we didn't have anything, we had stuff in place to make sure of that. But what's the reputation damage potentially that school, if all these vendors are sending them equipment or jerking them around or whatever, now that's going to be harder to build trust with those vendors. And if they were local vendors do I know your hack? There's a lot of potential issue that comes out of that.
Jon DePerro: Second, the insurance company for the vendor that sent them could be filing a lawsuit saying your email. So not again. A whole thing about agency applications functioning on behalf of users, that's a whole deeper dive into security and compliance. But what is an email? It's a message, it's a communication from my organization, yours. And it's coming from the organization it's coming email@example.com, or I should say, right. So I'm not saying that you'll win. I'm not saying you'll lose. I am saying you'll be in a lawsuit. That's how lawsuits work. They name everybody, then they peel back the layers of liability like an onion to figure out who's going to pay.
Mike Bazar: And so if nothing else, it's a distraction, right? Like even if you win the lawsuit, an expensive distraction.
Jon DePerro: That's it an expensive distraction.
Mike Bazar: So those are the kinds of things, if you have the SIEM and SOC in place and you're looking at that, you can say, hey, this lady logged in from this area and then instantly, or a minute later, she logged in from 100 miles, 500 miles, 1000 miles away. That's not right. Let's correlate that, look into that. Let's go figure that out. So if they have SIEM and SOC, they would have picked that up and it would have been no harm, no foul. Somebody stole their password, they logged in and then they got found out and kicked out. Right? Like that's. No harm, no foul. That's what it's going to be. And so that's that other stat in 2022, 623,000,000,000 cyberattacks worldwide, there's some crazy statistic I heard the other day, and I think it's like Microsoft.
Mike Bazar: I think there's like 100 million, or maybe it's 300 million. It's a huge number of fraudulent login attempts every day against Office 365. And the number is the same for Google and the numbers the same for there's tons of these attempts where people are trying to break into mailboxes and other things and do what I just talked about. So the SIEM and SOC together can help you respond and detect those events. Pull that down. And then why you want it is because there's attacks in the bottom, right? You want to reduce your risk, you want to reduce the distractions, you want to reduce your liability, you want to reduce all those other things. That's why you're doing it. You don't want to do SIEM and SOC because you just feel like it.
Mike Bazar: You want to do it because there's a legitimate business impact on the other side and that's what you're trying to do. And then the other piece of that as well that fits in there is compliance with standards and other things. If you have SIEM and SOC, it's a whole lot easier to say we did these things and we can prove it. If you're monitoring those, if you're looking for that, those kinds of things that can happen around it. So, so how to choose a SIEM and SOC right? This gets into the next steps of like, okay, well now what? Right? If I know I need it, what do I need to do?
Mike Bazar: So the first one, and I think there's a lot that feeds into this and so even though it's only a couple of lines of the consider, right, what's your organization size, your budget, your security needs really that needs to be driven by your size, your growth and your security needs that'll determine the budget. And the reason why I say that is as you start evaluating and being scalable and looking for easy, those things are going to impact the budget and those become the needs.
Mike Bazar: If you have a one man shop and you want to put in SIEM and you don't want to hire somebody like us to help you do that, then you need a more expensive, more complicated, more difficult to set up, unless you're paying a lot more money than it might be easy to set up system with better AI and tools and everything. Because one guy can't do it by himself. He just can. That's the goal. That's what you're trying to do. You're going to need way more budget for that tool, right? And so you really start looking at what are the securities, what do we have available to us? And then that determines by your organization size and what your budget. You can go out and look at different solutions for SIEM and SOC.
Mike Bazar: Again, there's a whole lot of different tools that are out there. And if you just Google SIEM and SOC, you're going to see all of the different options out there from little niche players up to big guys like Splunk that do these huge things and integrate into everything. And Splunk's been around for a long time but is also really expensive. And then the scalable piece of that too is what do you want to monitor, what does it look like? Because when you start going to guys especially big guys like Splunk and everything else, your ingress and egress data becomes a real cost. How much data do you collect? How often do you collect it? Where are you sending it? All of those requirements to go back to the security needs, start impacting the cost.
Mike Bazar: And then the easy is, how easy is it going to be to deploy, manage and use? And I will just tell you it's never easy. Like you can find easier. But there is no easy button in doing SIEM and SOC. It is generally difficult and hard to do because you're doing a lot right? You're pulling data from multiple different sources, pulling it in, trying to analyze it again to what John said earlier, what happened in this hack? What happened in this breach, how do I fine tune this, how do I detect earlier? All of those things become a full time job to really deal with this. And then the reputation, who's got a good reputation or track record, that really becomes important in the SoC as well. Because now you're talking about who's going to use that data and respond, what's their reputation, what's their size.
Mike Bazar: And this isn't something where I want to go knock it because I started out as a small shop. I started out as a one man band. I started out as that. But if you want to entrust true high level security, SIEM and SOC, this kind of stuff, we're talking about a one man shop has a harder time doing that, right? You need to get some scalability in that or they can outsource it. And that happens, right? And not that's necessarily a bad thing, but you want to make sure you look at that. What's the reputation? How are they dealing with it? If it's a smaller company that is your current It provider and they say they can do this well, who are they using and how are they outsourcing it?
Mike Bazar: That becomes a real legitimate question because if they say we're doing it internally and there's two guys they can't do that well now they can use a third party service and that's okay. And there's a lot of these guys that do it because once you build the tool, it's a lot more scalable and easy to aggregate the data. And bringing on an extra 100 endpoints or 200 or 500 endpoints when you're managing 50,000 is easy, comparatively. But if you're the guy trying to set up the first 500, it's super difficult.
Mike Bazar: And so when you really start looking at this, you need to ask a lot of those questions and start looking at who's doing it, who are they running, who are they using, what's it look like in the back end, asking some of those different questions and those sorts of things so that you know what's going on with them. So as we keep moving through here, we want to talk about running a SIEM and SOC. And I kind of mentioned that before, right? The first thing you're going to do is you want to collect all the data. So how do we dump all this data in, collect it, and then normalize it? Because it's coming from different systems, and I need to correlate it so that we can analyze it, which is step three, and then use it to generate alerts.
Mike Bazar: All of these things come together, and at some level that sounds easy, but at another level, I can tell you it's incredibly difficult because you're having to try to what are you going to collect it from, how are you going to use it, how are you going to normalize it? So the way you need to do it is you set up all this data collection, then you figure out how to make it pull together and interpret data. If you've ever done that, trying to run financial reports against operations, KPIs, that can be a big bear to try to struggle to get all that together. And again, back to the previous slide.
Mike Bazar: The SIEM that you use will help some of these, but you're probably going to pay a trade off cost of cost to find things that will help you collect normalize, analyze, and then generate the alerts. If you have the alerts that now goes over to the SOC and the SOC now will use those alerts and they'll investigate it, they're going to be looking at what those alerts are. They going to determine is it a real incident, is it something that's not maybe somebody's traveling and they hopped on an airplane. And so that login that happened was because of a VPN or because the airplane, they connected to the airplane's WiFi 20 minutes after they were in the airport.
Mike Bazar: And that created a weird alert, but they can dig in and look at that and put intelligence behind it instead of just some of the alerts, they can respond to it. So in the case of that school that were talking about earlier, they could go to that user and say, we need reset your password. We need to make sure your two factor is turned on. We need to do these other things. Maybe it's a deploying extra security measures or changing policies or whatever it is, but you can go out and respond to that. Then you want to document that as well. Because again, going back to the compliance side of it, what if a lawsuit happens? What if something else happens? You need to make sure you have documentation around all of that so you continue to learn.
Mike Bazar: You can defend yourself if you have to, against lawsuits down the road showing that you were responding to these events, those sorts of things. And that last dot there is it's complex, right? Doing this internally, doing this with a small shop, it's hard and it's complex. And you want to get the right people doing it to have the right set of expertise across multiple platforms to be able to pull all this together. And so that's why Shameless plug in all this. We have that team. We have those things and those pieces. I'm not saying you can't go do it on your own, but we have those things. And so if you're looking at how do we roll it out, how do we deploy it, how do we use it. One, we can help you, right?
Mike Bazar: If you're a larger company, again, those comanaged deals, we can come in and help you do that, help you manage it. Or we can be a layer that you add on that can kind of abstract this off of you so you can focus on the other things and we can help just bring the alerts and the responses and what's going on so that you know what's going on and do all the documentation on the hard parts. So additional things or additional tips for running a SIEM and SOC, right? You've got to update it. You're constantly going to have to update it with security signatures, lightest, threat, intelligence, updating It, training, it doing what John was talking about earlier. How do we identify those hacks and those things earlier? What are we going to look at?
Mike Bazar: We're going to have plans for responses in terms of how do we respond to a security incident, how do we continue to monitor and how do we be proactive? Right? So it's this constant, ongoing cycle that you're going to be running through of we need to update it, then we need to train more, then we need to train people, then we need to update the structure, then we need to change monitoring. Now, how do we be proactive? And it just becomes this constant, ongoing cycle. And when you're deploying and putting these pieces in place, you need to think about that and how you're going to use those kind of going forward and wrapping it around. The other big factor we see a lot of it when you're looking at it, is who are you going to hire to run it?
Mike Bazar: And so you need to be looking at their experience. Do they have an understanding of security concepts and procedures and the compliance pieces? Because I may be really great at cybersecurity, but if I have no idea what industry standards or government standards that you need to comply to, I might not be building that into the SIEM and SOC. So you need both of those pieces a lot of the time to really be able to build that correctly. And so then you got to look to at the skills and how good are they at problem solving, rolling these things out, accomplishing these tasks, rolling these projects out. Can they work 24/7? Again, this gets back into when you do it in house, like having a soccer.
Mike Bazar: A SIEM is great, but if you don't respond to alerts for 12 hours, of the day because you're sleeping, that's when the bad guys are going to go act. They know these things, they look at these things, they realize when the team is on and off and that's when they start doing. And then you want to make sure who you're looking for has relevant security certs and those kinds of things. Point being, and this is not necessarily always easy and it's not always one person, if you really want to pull all these skills and pieces and everything together, that's why it can be really good to go look for. How can you find somebody to help? So the latest threats and looking at some of that is really looking at security is complex, ever changing landscape, so it can be difficult to manage.
Mike Bazar: And so this is why you really want to look for when you're hiring people and is it in house or is it somebody that you're using outsourced? And why we say an It company or somebody that specializes this is better is we know these latest threats. We spend more time with the expertise and experience pushing people to train running 24/7 doing those things and outsourcing. Some of this or having somebody come in beside your team to do these can really help make that be an easier thing and really be more proactive around it and give you more peace of mind as you go through it. The big thing is, if you guys want to contact us today, we can help talk through this, right?
Mike Bazar: Whether it's help planning a project, whether it's help talking with your internal team, doing more experience, or if it's something that you want to bring us in to take it over, we're happy to help scope and look through that. We've got a real proven track record of doing and implementing these solutions. We've got an in house SEC Ops team, multiple people on that team so that we can respond to the availability and what you're looking for. And then we always are running reports and generating data and giving that back to you. So you've got the data to show what we're doing and how and why and everything else. So, average cost in 2021 of a data breach was 4 million to John's point earlier.
Mike Bazar: A lot of time that seems like big numbers, but the point is they cost and they can cost a lot of money and they usually cost more than you think. 25% of data breaches involved wrongly configured or failures of SIEM and SOC. So that's a big deal to make sure you got somebody doing that. IBM found that organizations that have SIEM in place can reduce the cost of a data breach by up to half. So that's a really big deal when you start talking about how do we cut these costs and those sorts of things. And then Verizon found that organizations that have a SoC in place reduce the mean time of detection by 20% and the recovery time by 30%. That's real dollars when you really start talking about how do you reduce these impacts.
Mike Bazar: So with that, I don't know if anybody has any questions. I know we've got a stop coming up here, so if anybody's got any questions, we're happy to answer. But if not, then what I would encourage you guys to do is shoot over an email to firstname.lastname@example.org you can direct, know, subject line, put it was you're on this? Know you've got a question for me or for John DePerro? And we can certainly help you with that, or you can give us a holler and talk to us, but we're happy to talk about that. And then you can also see we've got multiple different webinars. When we do these, we put recordings, so we'll put this recording back up so you can go to vectorchoice.com webinars to see upcoming webinars and ones in the past and everything else.
Mike Bazar: So, yeah, with that, happy to have all you guys on here and thank you for all being on and yeah, let me know if you guys have any questions.
Jon DePerro: Hey, bye, everybody.
Mike Bazar: All right, appreciate everybody. Bye.