Why do large corporations keep getting hacked?
simonj’s first blog, on the evolution of Security Operations Centres (SOCs) and why they took the shape they have
To the layman it is amazing and shocking: banks, IT companies, and government departments all get hacked time and again. It’s one of life’s little mysteries. After all, the man in the pub suggests to his mates, surely Apple would be able to protect itself? And HMRC? And now even an Internet provider, TalkTalk. Of course, if you have been in IT Security for more years than you would care to remember, you know better.
Personally, I think that the reason is as much to do with philosophy as with technology, and as we all know philosophy is one thing the man in the pub understands. IT security has been built upon a series of false assumptions and has evolved much the same way sandcastles do on a beach: outwardly impressive to look at, but it collapses as soon as pressure is applied.
It all started in the 60s, when computing was divided between those in white coats and those in overalls who fed and watered the ‘Big’ computer. These Operators were considered second class and were there only to support the high priests of computing, the bespectacled programmers. They earned less money and were forced to sit through tedious night shifts executing batch processes. Technical demands were low; they were useful so long as they could follow instructions and stay awake through the night.
As the 70s and 80s passed and computing expanded, the operators still sat there on the graveyard shifts executing more and more jobs. If something failed they reran the process or noted the issue for the programmers to sort out the next day. If a piece of hardware failed they swapped it. Over time the demands on operations teams grew, and vendors developed technologies to help monitor the processes and health of large distributed systems. Slowly systems began to generate security logs; access and authentication logs came first. The task of monitoring security logs was automatically and unthinkingly assigned to the operations team (at least they already worked the shift pattern), and the SOC was born.
The first security monitoring solutions came from system monitoring vendors, and that set the focus for all that has followed. That is where today’s problems stem from. Today’s Security Operations Centres have developed out of the system monitoring psychology that evolved in Enterprise computing environments in the late 1980s and 1990s.
The psychology is, and always has been, to monitor systems and report on problems. The current generation of tools and SOCs are all about Protective Monitoring. And although Protective Monitoring is important, it is not Cyber Defence. Effective Cyber Defence is all about intelligent decision making by the business risk owner, especially when a cyber breach has taken place or is taking place: decisions based on a clear understanding of the threats and risks facing the business; decisions on what security controls are needed to protect the business services; and, when an attack is underway, informed decisions on how to halt it and recover from it.
The single most important task for a Security Operations Centre is to gain a clear understanding of the emerging threats to the business and to efficiently provide the best possible evidence to inform any mitigation plans for those threats. Today’s SOCs are notoriously poor at providing effective decision support to the business. The whole decision support element is being missed, and this is why so many large corporations that have spent millions on security controls and protective monitoring solutions are haemorrhaging data.
For a SOC to be effective it needs to be designed for decision support: well-organised, integrated technology and processes built to enable that decision support, a central brain if you like. It also needs to be staffed by skilled, respected, and rewarded people who understand their role as guardians of the company’s secrets.
In the next set of blog entries I will address each of the key areas of an effective SOC: the people, the processes and finally the technology.