The Cost of Reaction: Why Your Security Operations Center Needs a Prevention Overhaul

November 17, 2023

As cybersecurity professionals, we know that security operations centers (SOCs) are invaluable, working to help detect a complex array of attacks and to enable effective and timely response efforts. Reacting to cyberattacks is expensive and time-consuming. Industry studies show the average cost of a data breach is approximately $4 million, and it can take months — or even years — for an organization to fully recover from a cyberattack.

 

Overall, the average cost of operating an SOC can range from $2 million to $7 million per year, with costs ranging much higher for larger and more complex organizations. A recent Devo SOC performance study adds another layer to this cost: analyst burnout. With SOC professionals citing their “pain level” as a six on a scale of 10, it's evident that burnout is a critical operational risk. Given these challenges, it’s clear we must focus not only on detection, but also on the maturity of our prevention and attack surface reduction strategy to help address the growing operational issues and costs.

 

 

A proactive approach creates more resilience and efficiency — and reduces costs

With a well-calibrated, prevention-focused approach, you can achieve a balanced and effective SOC operation. This approach enhances SOC resilience and efficiency, reducing both operational strain and financial costs.

 

You’ve probably heard this saying: “An ounce of prevention is worth a pound of detection and response.” This wisdom holds true: A proactive, preventative approach can significantly contribute to creating and maintaining a healthy SOC. Without tuned prevention, more cyberattacks get through, and when attacks get through, there’s a greater burden on the SOC. Incident response is expensive, and optimized prevention reduces cost.

 

 

Real-world threats are becoming more complex

Today, we are at an inflection point, with the complexity and frequency of cyberattacks escalating, resulting in increased strain on SOCs to respond rapidly and effectively. Real-world threat campaigns are more than just one malicious file or a malicious website generating a drive-by download. They are a combination of multiple threat vectors and techniques.

 

[Image: a typical Emotet attack chain]

 

For example, let’s look at a typical Emotet attack, illustrated in the image above: The attack starts with a phishing email that tricks the user into downloading a weaponized Word document and running a macro. The Word document launches a PowerShell script to download Emotet, a well-known trojan. In turn, Emotet downloads additional payloads like Trickbot, which is designed for various other tasks including harvesting data and stealing credentials, setting the stage for lateral movement. Finally, Trickbot joins the victim’s endpoint to a botnet and downloads other payloads, such as a ransomware called Ryuk.

 

The recombination of techniques and scenarios is endless. It’s important to realize that there are many attack surfaces where prevention technologies and tactics can be used to disrupt or stop attacks, including:

 

  • Email messages

  • Users

  • Network traffic

  • Internet content

  • File systems

  • Applications

  • Operating system tools

  • Running scripts (like PowerShell)

  • Execution of files and processes

  • In-memory malware

 

Despite defenses across all these areas, it's unfortunate that attacks still manage to penetrate and succeed.

 

Does this mean that prevention is broken or ineffective? Or is it possible that organizations aren’t using all the prevention tools at their disposal, or they haven’t tuned their prevention stacks well? The two questions an organization should answer are:

 

  1. Do we leverage protection in each of these areas? Many times, clients have entitlements they aren’t aware of or haven’t turned on.

  2. Are these technologies configured correctly? Many incidents have been caused by incorrectly configured security controls, which contribute to a false sense of security. Additionally, clients are frequently not aware of powerful tuning controls and “levers” at their disposal.

 

 

Leverage layers of prevention for better outcomes

In this blog post, we won't cover every control and lever available to you. Instead, we'll focus on highlighting specific control types within an attack chain and discuss how to strategically layer these preventive measures for improved security outcomes, as demonstrated in the following graphic.

 

[Image: control types layered across the attack chain]

 

The graphic highlights a few different control types across an attack chain. At the top are the MITRE ATT&CK adversary tactics, which are broad categories of techniques attackers typically use (read left to right) to attempt to compromise your networks and data.

 

At the bottom of the graphic (in the boxes) are various control categories that function best in defending against those specific tactics:

 

  • attack surface reduction

  • breach prevention

  • attack prevention

  • detection and response

 

The last category (detection and response) is your SOC. Any events that make it to this category create work for your analysts.

 

 

Solutions for your SOC prevention overhaul

Various effective controls and strategies can be implemented to tackle operational challenges, alleviate analyst fatigue and reduce overall costs. Elements like host intrusion prevention, endpoint security, host firewalls and network integrity are vital. Additionally, methods for countering zero-day threats, file reputation analysis, behavioral monitoring, emulators, advanced machine learning and endpoint file inspection technologies all contribute to a comprehensive prevention strategy.

 

Many clients are unaware that disabling or misconfiguring these engines can significantly compromise their threat defense capabilities. I recommend that clients engage with a cybersecurity provider for a periodic “health check” to help them understand their current security posture, the capabilities of various controls and how they interoperate. Utilizing the “monitoring mode” available in many security controls can help maximize several benefits:

 

  • assess the impact to end users before enabling protective measures

  • fine-tune your policies

  • enable valuable insights and threat hunting for the SOC
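
The Word-to-PowerShell step of the Emotet chain described earlier and the monitoring-mode practice listed above can be shown together. The following is an added example, not code from Symantec or Optiv; the event fields, process lists and sample events are constructed assumptions, and the rule is a generic "Office application spawns a script interpreter" check rather than any product's policy.

```python
from collections import Counter

# Constructed process-creation events (not real telemetry); field names are hypothetical.
EVENTS = [
    {"host": "ws-101", "user": "alice", "parent": "WINWORD.EXE", "child": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile <constructed placeholder>"},
    {"host": "ws-102", "user": "bob", "parent": "explorer.exe", "child": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE report.docx"},
    {"host": "ws-103", "user": "carol", "parent": "EXCEL.EXE", "child": "cmd.exe",
     "cmdline": "cmd /c finance_refresh.bat"},
    {"host": "ws-103", "user": "carol", "parent": "EXCEL.EXE", "child": "cmd.exe",
     "cmdline": "cmd /c finance_refresh.bat"},
    {"host": "ws-104", "user": "dave", "parent": "services.exe", "child": "powershell.exe",
     "cmdline": "powershell.exe -File inventory.ps1"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                   "wscript.exe", "cscript.exe", "mshta.exe"}

def rule_matches(event):
    """True when an Office application spawns a script interpreter or shell."""
    return (event["parent"].lower() in OFFICE_PARENTS
            and event["child"].lower() in SCRIPT_CHILDREN)

def evaluate(events, mode="monitor"):
    """Apply the rule. In monitor mode nothing is blocked; hits are only recorded."""
    allowed, blocked, hits = [], [], []
    for ev in events:
        if rule_matches(ev):
            hits.append(ev)
            (blocked if mode == "enforce" else allowed).append(ev)
        else:
            allowed.append(ev)
    return allowed, blocked, hits

def tuning_report(hits):
    """Count would-be blocks per (user, parent, cmdline) so recurring hits stand out."""
    return Counter((h["user"], h["parent"], h["cmdline"]) for h in hits)

if __name__ == "__main__":
    _, _, hits = evaluate(EVENTS, mode="monitor")
    for key, count in tuning_report(hits).most_common():
        print(count, key)
```

In this constructed data the repeated Excel hit is the kind of recurring business workflow a monitoring period surfaces for review before the rule is switched to enforcement.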

 

It’s time to revisit prevention methods and strategies for reducing the attack surface. By doing so, you can address operational challenges, mitigate the financial risks of cybersecurity incidents and optimize overall SOC costs. Together, we can achieve a more balanced and effective SOC operation, one that is more resilient and efficient, reducing both operational strain and financial costs.

Tom Blauvelt
Cybersecurity Architect, Symantec by Broadcom
Tom is a thought leader with over 28 years of experience, currently serving as a cybersecurity architect at Symantec, a division of Broadcom. With a unique blend of technical acumen and strategic foresight, he specializes in strategy, security operations, and innovative problem-solving.
