24x7 Security Operations Center Services Don’t Have to Cost a Fortune
As folks reevaluate their security budgets around this time of year, they always come back to the cost of a Security Operations Center (SOC). It takes 7-12 people to staff a 24-hour, 7-day-a-week SOC. At $50-100k per person, that adds up fast. So, what are the alternatives?
Drop down to 8x5 and try to get by with 1 or 2 people; but that leaves two-thirds of every day unmonitored, and ransomware can spread across an entire network within a few hours.
Ignore the need for monitoring entirely; sticking your head in the sand is never an effective security strategy.
Pay product vendors to monitor and send out automated alerts when issues are identified; but when an issue is identified, most organizations using this approach don't have the in-house expertise to respond.
Hire a SOC that operates as an extension of your internal security team; but that's usually too expensive.
We at Emagined Security decided that this problem needs tackling. Why should a real SOC service only be affordable to large enterprises? What we have developed is an SMB SaaS model that I think might interest you. With a heavy focus on the endpoint, we've built a security strategy that makes Endpoint Detection and Response and security resiliency the centerpiece for our customers. Our solution offers an affordable price, full support when needed, and a technology stack that includes ransomware rollback to help organizations recover in minutes. Think of it in terms of a biological virus: being able to get sick and recover quickly is what we all strive for. From a computer security perspective, that level of resiliency lets organizations keep operating under even the most stressful conditions.
Our managed and monitored SMB SaaS model runs between $14 and $26 per endpoint per month, with the first step down in pricing starting at the 50-endpoint mark. We can support as few as one endpoint and well over 50,000, allowing us to scale with the customer while keeping pricing flexible. Because the service is billed monthly and per device, some of our customers have even elected to protect their high-value employees' personal devices as well.
CASE IN POINT
Just this month, one of our newly signed clients started slow-rolling the product in; two days later, we detected a suspicious pivot event in which a user attempted to log in to a domain controller directly. The workstation used did not belong to the user who tried to access the domain controller, which set off our alarm bells. We were able to remotely contain the suspicious endpoint and perform full remote analysis of the associated machines. Within minutes, we had identified that the attacker had pivoted to 12 other machines on the network and had created running services on them. These services had zero detections across all of the antivirus engines on VirusTotal. We quickly isolated, contained and mitigated the threat for the customer. From start to finish, we had contained and booted the attacker in 2 hours, which would be exceptional on its own; but knowing they were using zero-detection toolkits, this proved to the customer that we detect based on Tactics, Techniques, and Procedures (TTPs) and not just on Indicators of Compromise (IoCs).
Following up on that event, the malware was identified as Chachi, a tool used by ransomware authors as a pre-staging step for ransomware operations. Because there were no detections, we believe this was a targeted attack designed to bypass signature-based systems. The threat group in this case generally charges upwards of $250,000 in a double-extortion attack.
At that time, our customer was paying about $250 a month to protect their environment. Without a doubt, the service paid for itself at only 0.1% of the potential loss. And that doesn't take into account the long-term expanded losses the organization might have realized. The two sample charts depict the potential trailing effects of compromises. You will notice that as the probability of a loss goes down, the potential financial loss goes up.
BUYER BEWARE! 24x7 Monitoring & Alerting comes in many levels.
One of our Endpoint Detection & Response (EDR) vendor partners offers a "24x7 EDR Monitoring & Alert" service. It sounds good on the surface because they say 24x7, but is it good enough? Let's look under the covers. They set up the EDR portal and apply some basic automated response actions in the tool. You may even get an email if the EDR tool fires off a response action (if you're lucky, you get a phone call). That's where their service ends. At Emagined Security, that is just the beginning. Here's a chart that maps service levels to risk and confidence levels:
In short, this says that monitoring in an Endpoint Detection & Response (EDR) world, requires embracing the “Response” components. For example, the 15 seconds before and after an EDR alert may be more valuable than the actual event identified. We need to understand what happened before and after an alert to see what caused the event and if other inappropriate actions were successful and not caught and blocked. Using available information, we can piece together a fuller picture of the story.
[Chart: service levels, from Lateral Movement Detection, to Observable Indicators of Compromise, to Respond & Rollback]
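The two detections described above, the domain-controller logon from a workstation that does not belong to the user (the CASE IN POINT) and the 15-second context window around an alert, as an added example that is not Emagined Security's code or any vendor's tooling. It runs over a handful of constructed Windows Security 4624 (logon) and System 7045 (service installed) records, uses an assumed user-to-workstation baseline and DC list, and adds a hypothetical "same service installed on several hosts" fan-out check that stands in for the services the attacker created while pivoting. Note that none of the rules look at a hash or filename, which is why a zero-detection toolkit does not change their outcome.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (made up for this example, not real logs).
# Each record mirrors the fields an analyst pulls from Windows Security 4624
# (successful logon; "src" is the workstation the logon came from) and
# System 7045 (a new service was installed) events.
EVENTS = [
    {"ts": "2021-03-02T09:00:00", "id": 4624, "host": "WS-ALICE", "user": "alice", "src": "WS-ALICE"},
    {"ts": "2021-03-02T09:00:05", "id": 4624, "host": "DC01", "user": "bob", "src": "WS-ALICE"},
    {"ts": "2021-03-02T09:00:09", "id": 7045, "host": "DC01", "user": "bob", "service": "svchost32"},
    {"ts": "2021-03-02T09:00:12", "id": 7045, "host": "FS01", "user": "bob", "service": "svchost32"},
    {"ts": "2021-03-02T09:00:14", "id": 7045, "host": "WS-CAROL", "user": "bob", "service": "svchost32"},
    {"ts": "2021-03-02T09:05:00", "id": 4624, "host": "DC01", "user": "dcadmin", "src": "ADMIN-JUMP"},
    {"ts": "2021-03-02T10:00:00", "id": 7045, "host": "WS-ALICE", "user": "SYSTEM", "service": "EdrAgent"},
]

# Assumed baseline (hypothetical): which workstation each account normally
# logs in from, and which hosts are domain controllers.
USER_WORKSTATIONS = {"alice": {"WS-ALICE"}, "bob": {"WS-BOB"},
                     "carol": {"WS-CAROL"}, "dcadmin": {"ADMIN-JUMP"}}
DOMAIN_CONTROLLERS = {"DC01"}


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def detect_dc_logon_from_foreign_workstation(events):
    """TTP rule: an account logs on to a domain controller from a workstation
    that is not assigned to it (unknown accounts have no assigned workstation
    and are flagged too)."""
    alerts = []
    for e in events:
        if e["id"] != 4624 or e["host"] not in DOMAIN_CONTROLLERS:
            continue
        if e["src"] not in USER_WORKSTATIONS.get(e["user"], set()):
            alerts.append({"ts": e["ts"], "user": e["user"], "src": e["src"],
                           "host": e["host"],
                           "reason": "DC logon from workstation not assigned to user"})
    return alerts


def detect_service_fanout(events, window=timedelta(minutes=5), min_hosts=3):
    """TTP rule: the same account installs the same service name on several
    hosts within `window` of the first install, the trail left by an attacker
    pivoting across the network and dropping a service on each box. The window
    is anchored on the first install, so a slower spread needs a larger window."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 7045:
            by_key[(e["user"], e["service"])].append(e)
    alerts = []
    for (user, service), installs in by_key.items():
        installs.sort(key=lambda e: parse_ts(e["ts"]))
        first = parse_ts(installs[0]["ts"])
        hosts = sorted({e["host"] for e in installs
                        if parse_ts(e["ts"]) - first <= window})
        if len(hosts) >= min_hosts:
            alerts.append({"user": user, "service": service, "hosts": hosts,
                           "reason": "same service installed on %d hosts within %s"
                                     % (len(hosts), window)})
    return alerts


def context_window(events, alert_ts, seconds=15):
    """Everything logged within +/- `seconds` of an alert, across all hosts,
    so the analyst sees what led up to the alert and what followed it."""
    centre = parse_ts(alert_ts)
    delta = timedelta(seconds=seconds)
    return [e for e in events if abs(parse_ts(e["ts"]) - centre) <= delta]


if __name__ == "__main__":
    for a in detect_dc_logon_from_foreign_workstation(EVENTS):
        print("ALERT", a)
        for e in context_window(EVENTS, a["ts"]):
            print("    context", e["ts"], e["id"], e["host"], e["user"])
    for a in detect_service_fanout(EVENTS):
        print("ALERT", a)
```

On the sample data the logon rule fires once (bob logging on to DC01 from alice's workstation), the 15-second window around it already contains the three service installs that follow, and the fan-out rule ties those installs together as one pivot; the EDR agent install by SYSTEM on a single host stays quiet.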
After an alert and the automated responses, our SOC often finds that analysis and clean-up are still needed. EDR tools are very valuable here and can support these activities:
Delete a file
Kill a process
Delete or modify Windows registry key or value
Put a file
If you're interested in hearing more, let me know a few times we might be able to sync up and go over our strategy. Our system works well alongside other providers, so this doesn't need to be an us-vs-them situation; we can certainly work in concert with each other.
Protect your future by contacting Emagined Security to discuss your needs.