Back to BlogDo You Really Need 24/7 Eyes on Glass?
A Smarter Approach to Cybersecurity Monitoring
“24/7 Eyes on Glass” is a cybersecurity concept that emphasizes the need for continuous human monitoring of an organization’s digital environment to identify potential threats. It implies that security analysts (the “eyes”) actively monitor the SIEM dashboard or console (the “glass”) around the clock to promptly identify anomalies, suspicious activity, or security incidents. While this approach may sound ideal, it comes with significant challenges that can hinder security effectiveness and may not be the most efficient way to establish a robust, effective security posture.
The Challenge of Establishing and Running a SOC
The ability to rapidly respond as soon as a breach is identified is critical for containing and limiting potential damage. The longer a hacker inhabits your network without being identified, the more widespread the damage is likely to be. That’s why many organizations now recognize the importance of establishing and running a SOC (Security Operations Center).
A SOC is a team of cybersecurity specialists responsible for continuously monitoring an organization’s digital environment. Their objective is to detect potential breaches by analyzing a wide range of data points from networks, servers, endpoints, databases, applications, websites, and other systems. With the right processes and tools, SOCs can be extremely effective at identifying anomalies that indicate breaches, but they are complex and costly to implement and maintain.
For a SOC to be effective, it requires a tiered structure of security professionals. Tier 1 responders monitor, classify, and prioritize data collected from across the environment. Anomalies are then sent to Tier 2 security investigators for deeper analysis, while Tier 3 advanced analysts uncover sophisticated hidden threats. Managers oversee the SOC, and security engineers ensure the correct SOC architecture and set-up.
The 2022 Managed Security Report by Cybersecurity Insiders found that 56% of organizations have their SOC in-house. Establishing and running a SOC is a daunting venture, especially for organizations that lack the necessary expertise and resources. These are some of the challenges that may be encountered:
Skilled Personnel
The people required to operate a SOC include analysts, administrators, incident responders, and SOC managers. While automation and machine learning can manage a significant part of the workload, human intelligence and intervention is critical for addressing anomalies, analyzing trends, and responding to incidents. Hiring qualified cybersecurity professionals with specialized skills, such as threat hunting, incident response and forensic analysis are essential. However, there is an acute shortage of skilled cybersecurity professionals in the industry. These professionals are in high demand, and the hiring competition can be fierce, making it difficult for organizations to attract and retain exceptional personnel.
Coverage and Operational Model
If an organization does not have a SOC functioning 24/7, it might be unable to address incidents that occur after working hours. Moreover, not all SOCs cover the entire IT ecosystem. A recent industry report found that most enterprises only monitor 5% of their entire ecosystem of networks and devices.
Costs of a SOC
Establishing and running a SOC is expensive, and requires significant investment in personnel, technology and infrastructure. A survey by the Ponemon Institute showed that an average SOC costs around $2.86 million annually. The costs of hiring and training SOC analysts and maintaining SOC infrastructure can quickly reach exorbitant levels. Smaller organizations may struggle to justify the cost, while larger ones may face budget constraints.
SOC Technology
A SOC requires advanced technology to monitor networks, detect and respond to threats in real-time, and analyze security data. The tools required to run a SOC include SIEM, monitoring tools, a threat intelligence platform, intrusion detection and prevention systems, etc. This is expensive, and finding the right technology compatible with existing systems can be tricky—as can onboarding these tools to ensure that they work well together.
SOC Processes
Establishing and running a SOC involves implementing procedures, policies, operational guidelines, and a knowledge base. Developing processes for incident response, threat intelligence, and vulnerability management is crucial for enabling rapid incident management. An incident response playbook, cyber recovery process, and reporting and escalation procedures are essential components of these processes. Regular implementation, testing, and updating of these processes are necessary for a SOC to be effective.
Customizing the SOC to Meet Business Requirements
Simply implementing a general-purpose SOC is not enough to satisfy the unique requirements of a given business. SOCs need to be tailored to each company in order to provide effective services and support strategic requirements. However, very few businesses effectively customize their SOCs.
Time-Consuming
Building and running an in-house SOC is a time-consuming process that can take years. Considering the costs and complexity of the enterprise, the results might not be fiscally justifiable.
Data Overload
A SOC generates a vast amount of security data, and processing and analyzing it can be overwhelming. False positives make up a large part of the data generated. About 40% of the alerts generated by a SOC are false alarms. Without the proper tools, processes and expertise, it is easy to miss actual security events amid the massive volume of other data.
Compliance
Compliance requirements such as FFIEC, HIPAA, and PCI-DSS can be difficult to meet, and failure to do so can result in significant fines and reputational damage. A SOC is often utilized to meet compliance requirements and help mitigate this risk. However, without a governance board that oversees and supports the SOC, the SOC may not be able to help meet these requirements. The governance board must identify the critical systems that need to be continuously monitored to remain compliant.
An Alternative Approach: Blumira’s Holistic Solution
Blumira takes a holistic approach to cybersecurity monitoring that combines advanced technology with targeted human expertise. Our automated SIEM platform provides ultra-vigilant monitoring, detecting threats in an average of 50 seconds and translating raw data into actionable insights. When a critical issue is flagged, our Security Operations team is available 24/7 to guide customers through investigation and resolution.
Managing a SOC can be a challenge for any organization. Without the right documented processes in place, a SOC can end up becoming dependent on the expertise of one or two individual staff members. This can leave the organization exposed if these staff members depart. With in-house SOC teams, all too often, a critical strategic approach is neglected. The Blumira experts are able to more coherently integrate security information in the creation of a comprehensive SOC strategy by focusing on the highest priority threats.
“While not the traditional model, I absolutely think of Blumira as an outsourced SOC because you have a SecOps team available and we’re able to reach out when alerts come in.” – Chris Lewis, Information Security Manager NetSource One
In addition to surpassing the quality of the standard eyes on glass approach, our Incident Detection Engineers continuously sharpen and augment our detection rules to stay ahead of emerging threats. Our Solution Architects vigorously partner with customers to optimize their security posture. This proactive, multi-faceted approach enables us to achieve a 99.7% faster response time than the industry average, taking threats from detection to closed finding in just an average of just six hours.
Real-world Examples of Blumira’s Approach in Action
Blumira’s proactive approach to threat detection and response has been demonstrated in various real-world scenarios. In one instance, Blumira’s SIEM detected password spraying attempts and automatically isolated affected endpoints, while the SecOps team reimaged infected machines to prevent further escalation. In another case, Blumira discovered a foreign attacker targeting a customer’s conferencing server and advised geo-blocking and software vulnerability audits to reduce the attack surface area.
Blumira’s automation also helps identify false alarms, as seen when repeated admin account lockouts were found to be caused by scheduled tasks using outdated login credentials. The team assisted in updating the credentials to resolve the issue.
24/7 SecOps Team Support
Blumira’s platform includes access to a 24/7 SecOps Team for:
- Routine log review and monitoring
- Advanced log parsing and data normalization
- Proactive threat hunting and detection rule creation
- Access to experienced security personnel at all times
With Blumira’s SIEM + XDR platform and the support of the SecOps Team, SMBs get a complete set of threat detection and response tools. The team enhances your IT staff’s capabilities, allowing them to prioritize other critical tasks.
The Takeaway
In today’s ever-evolving cyber-threat landscape, effective security requires more than just constant eyes-on-glass vigilance. By combining advanced SIEM technology with proactive human guidance, Blumira offers a more intelligent approach to data interpretation that surpasses typical eyes on glass standards. In many cases, 24/7 eyes on glass is not the optimal system. At Blumira, we’ve engineered a smarter way to achieve comprehensive security monitoring without the drawbacks of traditional 24/7 eyes on glass. Many organizations are turning to Blumira SIEM + XDR to achieve robust security and compliance, rather than aim to develop an in-house SOC.
Automated Detection and Response
Designed for small and medium-sized businesses, Blumira provides automated detection and response to address key security gaps, eliminating the need for an in-house SOC.
Key features of Blumira
Pre-tuned Detections: Blumira’s pre-tuned detections focus on key findings, using threat intel to reduce false positives and categorize threats by priority.
Manage Your Own Rules: Blumira allows admins to manage their own detection rules, customize them, and create filters to prevent false positives.
Automatically Parse Logs: Blumira automatically parses logs from different data formats, maintaining and updating parsers for all integrations and data sources.
Automated Evidence Gathering: Blumira provides correlated data for investigation, including associated users, IP addresses, domain names, and timestamps, reducing time spent gathering evidence.
24/7 SecOps Team Support
Blumira includes access to a 24/7 SecOps Team for:
- Routine log review and monitoring
- Advanced log parsing and data normalization
- Proactive threat hunting and detection rule creation
- Access to experienced security personnel at all times
With Blumira SIEM + XDR platform and the support of the SecOps Team, SMBs get a complete set of threat detection and response tools. The team enhances your IT staff’s capabilities, allowing them to prioritize other critical tasks.
Understanding the acronyms: Explore the differences between SIEM, SOC, SOAR, XDR, EDR, or listen to Matt Warner, Blumira co-founder and CTO, discuss these terms.
Experience the Blumira automated detection and response solution firsthand. Sign up for our Free Edition today and discover how you can achieve enterprise-level security without the high costs and complexity of a traditional SOC.