Weekly Tech Tidbit – While You Were Sleeping – The Importance of a Security Operations Center

October 26th, 2018
Trend Micro has stated many times that you have approximately 4 minutes between when a threat enters your network and the infection breaks out.

But who can respond that quickly?

I have often said that if we leave questions about what is happening on their computers up to our end users, we have failed. How many times have end users failed to report issues and messages on their computers? I once had a school district with an active ransomware attack running in common teacher folders for two weeks before it was actually reported! Cisco reports that it generally takes 100 days from infection to discovery of many of the bad things in end-user networks. Just this week TechRepublic ran an article stating that even when staff are trained, 75% will do the wrong thing anyway, because our end users just don't get it.

And as the bad guys up their game with more advanced phishing exploits, machine learning, and targeted attacks, it is only getting worse.

On top of that, it is hard to get your limited technical resources to go evaluate the nature of the issue or threat, because there are already too many important tasks.

But what if we are all sleeping when the attack comes?

In a traditional security model, we are most likely seriously compromised. By the time we know what happened, our systems are compromised and we are digging out of a big hole that may have both legal and functional consequences. Your phone is ringing and the Superintendent is not a happy person.

For a while now we have been talking about the importance of having a 24x7x365 Security Operations Center (SOC) staffed with security professionals constantly watching and intervening to keep you safe.

Here is an example of what happened to me - while I was sleeping.

I routinely leave my workstation on 24x7, as I remote into it to get information and gain access to support various networks. I have Paladin CyberSentinel Endpoint Detect & Respond on my workstation, which comes with the 24x7x365 Security Operations Center behind it.

At 12:22 am a file started downloading to my workstation. The CyberSentinel ED&R client saw the activity and killed it, then automatically reverted my machine to its pre-download state. My machine was safe. A member of the Security Operations Center was immediately alerted to the suspicious activity on my workstation, and an actual human being was examining my machine in real time. At 12:26 am I received an email from the SOC analyst stating that my security event was a false positive: the Paladin Cloud Backup agent was auto-updating its software. The SOC analyst allowed the upgrade process to proceed and also whitelisted the transaction so that this process would not be flagged in the future.

Four minutes transpired between the event, the kill, the repair, the live analysis, the adjustments, and the reporting!

All while I was sleeping.
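To make the sequence above concrete (detect, kill, revert, alert the SOC, analyst rules it a false positive, whitelist the transaction), here is a small toy model of that loop. This is an added example, not Paladin CyberSentinel code; the hostname, process name, file path, hashes and timestamps are all constructed. It goes one step past the story by showing why the whitelist entry should be keyed on the file's content hash plus the process that wrote it, rather than on a path or process name alone, so that the exception created for the backup agent's update does not quietly cover a later, different download.

```python
"""Toy model of the detect / kill / revert / alert / analyst-decision loop.
Added example, not Paladin CyberSentinel code; every event, hostname, process
name, path and timestamp below is constructed for illustration."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Event:
    ts: datetime
    host: str
    process: str            # process that performed the write
    path: str               # file being written to disk
    sha256: str             # hash of the written content
    signer: Optional[str]   # code-signing publisher, if any


@dataclass
class AllowEntry:
    sha256: str
    process: str
    note: str


class ToyEDR:
    """Endpoint agent plus the SOC decision that follows an alert."""

    def __init__(self) -> None:
        self.allowlist: List[AllowEntry] = []
        self.quarantined: List[Event] = []
        self.timeline: List[Tuple[datetime, str]] = []

    def _log(self, ts: datetime, msg: str) -> None:
        self.timeline.append((ts, msg))

    def is_allowed(self, e: Event) -> bool:
        # Match on content hash AND writing process, never on path or process
        # name alone: a path-only exception would let any later download into
        # the same directory through unexamined.
        return any(a.sha256 == e.sha256 and a.process == e.process
                   for a in self.allowlist)

    def observe(self, e: Event) -> str:
        if self.is_allowed(e):
            self._log(e.ts, f"allowed: {e.process} wrote {e.path} (allowlisted)")
            return "allowed"
        # Unknown write: kill the process, revert the file, page the SOC.
        self.quarantined.append(e)
        self._log(e.ts, f"killed {e.process}, reverted {e.path}, SOC alerted")
        return "blocked"

    def analyst_decision(self, e: Event, ts: datetime,
                         false_positive: bool, note: str) -> str:
        # The human in the loop decides; only then does the allowlist change.
        if false_positive:
            self.allowlist.append(AllowEntry(e.sha256, e.process, note))
            self.quarantined.remove(e)
            self._log(ts, f"analyst: false positive, allowlisted "
                          f"{e.sha256[:12]} for {e.process} ({note})")
            return "released"
        self._log(ts, f"analyst: confirmed malicious, {e.path} stays quarantined")
        return "confirmed"

    def minutes_elapsed(self) -> float:
        first, last = self.timeline[0][0], self.timeline[-1][0]
        return (last - first).total_seconds() / 60


def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    """Replay the scenario with constructed data and return the outcomes."""
    edr = ToyEDR()
    t0 = datetime(2018, 10, 26, 0, 22)               # constructed timestamp
    updater = "cloudbackup-updater.exe"              # hypothetical process name
    pkg = sha(b"constructed update payload v2")
    path = r"C:\ProgramData\backup\update.pkg"       # hypothetical path

    first = Event(t0, "ws-01", updater, path, pkg, "Example Vendor")
    result = {"first": edr.observe(first)}           # blocked, SOC alerted
    edr.analyst_decision(first, t0 + timedelta(minutes=4), True,
                         "backup agent auto-update")
    result["minutes"] = edr.minutes_elapsed()        # 4.0, as in the post

    later = t0 + timedelta(days=1)
    # Same update replayed later: now allowed without an alert.
    result["replay"] = edr.observe(Event(later, "ws-01", updater, path, pkg, "Example Vendor"))
    # Different content from the same updater and path: still blocked.
    result["new_hash"] = edr.observe(Event(later, "ws-01", updater, path,
                                           sha(b"something else entirely"), None))
    # Same hash dropped by a different process: still blocked.
    result["other_process"] = edr.observe(Event(later, "ws-01", "unknown.exe", path, pkg, None))
    result["timeline"] = edr.timeline
    return result


if __name__ == "__main__":
    out = demo()
    for ts, msg in out["timeline"]:
        print(ts.strftime("%H:%M"), msg)
    print({k: v for k, v in out.items() if k != "timeline"})
```

The point of the last three calls in `demo()` is the caveat practitioners care about: after the analyst's decision, the identical update passes silently, but a different payload from the same updater, or the same payload dropped by an unexpected process, still trips the agent and reaches a human.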

I can think of no more vivid example of why this new level of security is so important.

This is why I have been encouraging you so strongly to explore putting Advanced Endpoint Protection (AEP) clients, backed by a Security Operations Center team, on your most important and sensitive servers and workstations: the ones that handle money and personally identifiable information.

This, of course, is only one of the many layers of security you need to have in place to protect against today's increasingly complex threats.

If you'd like to talk about how we can up your game for endpoint and network security, give us a call and we can evaluate your exact situation.