I recently spoke at a conference for IT leaders in investment companies.  These organizations are the top brands in their industry and are firmly in the small to mid-sized enterprise space from a headcount perspective.  They are very visible businesses with very visible investors.  The conference was a great opportunity to hear directly from this group about the cybersecurity issues that keep them up at night.

Many of their challenges are common for organizations operating in the small to mid-sized enterprise space.  They face an ever-growing IT infrastructure workload with limited resources.  Many are embracing the cloud services model, certainly for services like Exchange, and all are faced with the acute challenge of not having enough in-house expertise when it comes to cybersecurity.

As with many other responsibilities, cybersecurity is increasingly being handled through partnering.  What partnering for cybersecurity means varies widely: it can range from VAR-like deployment and management of endpoint malware solutions and firewalls, to SIEM-like log management, to full-blown continuous monitoring and hunting.

During one of the dinner sessions, a discussion started among some of the attendees at my table about their (well-known) cybersecurity partner.  “I never hear from their SOC (Security Operations Center),” was the first comment.  Others using the same vendor agreed: “Yeah, me neither.  I’d like to feel good about that, but I don’t think my network is that clean.”


The discussion continued, centering on how most were sending their logs to the vendor and in return got pretty reports, but no real-time alerting or urgent communications from the SOC.  This should definitely set off alarm bells: what, exactly, did they pay for?

 

The Best Defence for Cybersecurity

I’ve written before about the challenges of hunting for threats when all you have access to is log data.  Certainly there are useful things in the data, like password grinding (bursts of failed logins against one or many accounts), privileged account creation, and so on.  But those events do not represent the whole picture.  Frankly, they are a tiny sliver of the threats we see in our SOC every day.
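To make concrete what "useful things in the data" looks like, here is an added example in Python that is not code from the original post or from eSentire's platform.  It runs detection logic for the two log-only signals named above, password grinding and privileged account creation, over a handful of constructed syslog-style lines.  The thresholds, the 60-second window, the assumed year (syslog timestamps carry none) and the list of privileged groups are all assumptions to be tuned for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (host, users and addresses are made up
# for this example). 203.0.113.7 grinds passwords against several accounts; a
# new service account is created and immediately added to the sudo group.
SAMPLE_LOG = """\
Mar  3 09:14:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:14:03 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 09:14:04 bastion sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Mar  3 09:14:06 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar  3 09:14:07 bastion sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Mar  3 09:14:09 bastion sshd[2211]: Accepted password for jsmith from 198.51.100.20 port 40011 ssh2
Mar  3 09:30:12 bastion sshd[2301]: Failed password for jsmith from 198.51.100.20 port 40022 ssh2
Mar  3 09:31:40 bastion useradd[2350]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Mar  3 09:31:45 bastion usermod[2352]: add 'svc_backup' to group 'sudo'
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
NEW_USER_RE = re.compile(TS + r" \S+ useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)")
GROUP_ADD_RE = re.compile(TS + r" \S+ usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")

# Assumed set of groups that confer administrative rights on a typical Linux host.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so lines become comparable."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def detect_password_grinding(log, threshold=5, window_seconds=60):
    """One alert per source IP that produced >= threshold failed logins inside
    any sliding window of window_seconds (both values are assumed defaults)."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[m["src"]].append((parse_ts(m["ts"]), m["user"]))
    alerts = []
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most window_seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits = events[start:end + 1]
                alerts.append({
                    "src": src,
                    "count": len(hits),
                    "users": sorted({u for _, u in hits}),
                    "first": hits[0][0].isoformat(),
                    "last": hits[-1][0].isoformat(),
                })
                break  # one alert per source; don't flood the SOC with duplicates
    return alerts


def detect_privileged_account_changes(log):
    """Flag additions to privileged groups and note whether the account was
    created earlier in the same log, i.e. a brand-new account given admin rights."""
    created = set()
    alerts = []
    for line in log.splitlines():
        m = NEW_USER_RE.match(line)
        if m:
            created.add(m["user"])
            continue
        m = GROUP_ADD_RE.match(line)
        if m and m["group"] in PRIVILEGED_GROUPS:
            alerts.append({
                "user": m["user"],
                "group": m["group"],
                "newly_created": m["user"] in created,
                "ts": parse_ts(m["ts"]).isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_grinding(SAMPLE_LOG) + detect_privileged_account_changes(SAMPLE_LOG):
        print(alert)
```

On the sample data this raises exactly two alerts: a grinding alert for 203.0.113.7 (five failures across four account names in six seconds) and a privileged-group alert for svc_backup, marked as newly created.  The single failure by jsmith stays silent, as it should.  What the logs cannot tell you is equally instructive: nothing here says what the grinding source did next, whether the successful login that followed was legitimate, or what svc_backup was used for, which is the gap the rest of this post is about.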

Further, the economics of hunting do not lend themselves to the pricing models deployed by some vendors in this space.  When a vendor is proud to state that “99% of events are automatically processed without human intervention”, the bias is clearly against having SOC analysts investigate anomalies.  Analyst time is the expensive part, and investigation is margin-destroying for companies that don’t have the right tools and don’t have access to the important data (like full packet capture archives).

So, it should come as no surprise that even when the vendor in question receives thousands of events from your next gen firewall about the attacks it’s blocked, it still won’t result in a call from their SOC.  But if it did, what would that call sound like? Maybe, “Hi, your PAN Firewall blocked a ZeuS botnet download.  Just thought you should know. Bye!” 

That kind of call isn’t terribly useful, and certainly not something you’d pay for.  So it’s probably best not to call at all.  And that, I believe, is why it’s common to hear nothing from that type of SOC.

Also sitting at our table during this “SOC silence” discussion was one of our clients.  He was quietly listening to the discussion, and then said “I’m an eSentire client, and I kind of have the opposite problem.”

He then described a typical day with the eSentire SOC.  “I get a few alerts a day from their SOC, and they’re all very clear alerts about what they saw, what they did, and what follow-up actions are required.  When it’s a serious issue, they require acknowledgement of the alert, and if I don’t respond quickly enough, they start calling me.”


 

Great Cybersecurity Needs a Human Touch

The “other SOC” users at the table asked our client some questions about the type of alerts he gets, and what he does with them.  He said: “Our response to each alert is automatically integrated with our ticketing system, so if a device requires remediation, it’s immediately actioned.”

I was smiling inside and trying to remain calm while this discussion continued.  But I couldn’t help myself when our client stated, “and when I’m speaking to someone at the eSentire SOC, I feel like I’m talking to someone who knows me, and my business.  There’s a level of familiarity that is real.”  My inside smile burst through to the outside.


 

The eSentire Difference

That familiarity is indeed real.  We have quarterly service reviews with our clients to look back on the attacks we’ve seen and discuss potential responses.  We help them identify where their infrastructure is deficient and in need of upgrade, and help them get CFO approval by making it a data-driven discussion.  We also review their policies and tune them as their business evolves.  If other security vendors aren’t having these discussions with their clients, they’re only pretending to manage their clients’ security.

At eSentire we operate by a distinct set of core values, the top two of which affirm our promise to always have our clients’ back and to make every client a reference client. I think every successful company needs to have those core values.

I’m glad they’re part of eSentire’s DNA.
