Present Blog – IT Thought Leadership

Do you have time to manage a SOC?

Ransomware has become the top security concern for all organizations, regardless of size.

This is because adversaries have a wide range of methods at their disposal to deploy and install ransomware.


In this context, the preventive approach adopted by SMBs consists of a number of best practices such as:

  • Educate users about security and phishing;

  • Replace antivirus with EDR (Endpoint Detection & Response) tools;

  • Secure the identities associated with VPN/RDP, administrative access, emails and more broadly for all users;

  • Manage security patches;

  • Implement the principle of least privilege, which states that employees should only be granted the access and permissions required for their job;

  • Segment the network to limit the spread of attacks.

But is it enough?

As cyberattacks and threats become more frequent, sophisticated and high-profile, many SMBs realize they now need real-time, proactive detection, alerting and response defensive capabilities.

SMBs, who are paying an increasingly heavy price to adversaries, are realizing that the kind of prevention usually implemented is no longer sufficient in the face of current threats.

The risks they incur make the current posture unsustainable; SMBs therefore have no choice but to combine prevention with defensive capacity in a way that improves their capacity to respond.

According to the Cost of Data Breach Report, it takes an average of 280 days to identify and contain a security incident. Being able to reduce this time also means minimizing risk and costs.


EDR and SOC

For example, in the context of endpoint protection (workstations and servers), as indicated above, the legacy antiviruses of the past are replaced by EDR tools.

But at the same time, to be fully effective, the EDR tool must absolutely be managed by a team of experts and managers overseeing security operations.

This team forms the SOC (Security Operations Center), and in an EDR context, ensures endpoint security through 24/7 monitoring and alert handling.

When the EDR tool is managed by a SOC, it is then referred to as an MDR (Managed Detection and Response) service.


Gartner's Trinity

But of course the SOC service is not limited to EDR tools. We should also mention SIEM (Security Information and Event Management) and NDR (Network Detection and Response).

Along with the EDR tool, these are the other two elements of Gartner's SOC visibility trinity.

(Figure: Gartner's Trinity)


Used in conjunction with preventative measures, these defensive technologies monitored by the SOC provide robust protection against ransomware attacks.

Managed EDR tools and intrusion prevention systems (IPS) can help detect and block malware infections, while SIEM solutions provide crucial visibility for rapid incident response.

SIEM solutions can be configured to collect data from the firewall, EDR tool, IPS system, operating systems and more broadly any other system or application that has event logs.
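The paragraph above describes what a SIEM does at a high level: it ingests logs in different formats from the firewall, the EDR tool and the operating system, and gives the SOC one place to see them together. The script below is an added illustration (it is not code from Present or from any SIEM vendor) of the two steps that make that visibility useful: normalizing heterogeneous log lines into a common event schema, then correlating them per host so that an analyst sees one incident with a timeline instead of three unrelated lines. The three log formats, the asset inventory that maps IP addresses to hostnames, and the correlation rule (a high-severity EDR alert followed within ten minutes by a blocked outbound connection from the same host) are all invented for the example.

```python
"""Toy SIEM pipeline: normalize firewall, EDR and OS logs, then correlate per host.

All log lines, formats, hostnames and addresses below are constructed for this
example; they do not come from any real product or incident.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in three made-up formats: key=value, JSON, Windows-style.
FIREWALL_LINES = [
    "2024-03-01T10:02:11Z fw01 action=allow src=10.0.5.23 dst=198.51.100.7 dport=443 proto=tcp",
    "2024-03-01T10:05:40Z fw01 action=deny src=10.0.5.23 dst=203.0.113.9 dport=4444 proto=tcp",
    "2024-03-01T11:30:02Z fw01 action=deny src=10.0.5.77 dst=203.0.113.9 dport=4444 proto=tcp",
]
EDR_LINES = [
    '{"time": "2024-03-01T10:04:55Z", "hostname": "ws-023", "alert": "malware_detected", "severity": "high"}',
    '{"time": "2024-03-01T09:10:00Z", "hostname": "ws-077", "alert": "usb_device_inserted", "severity": "low"}',
]
OS_LINES = [
    "2024-03-01T10:04:50Z ws-023 EventID=4688 NewProcessName=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    "2024-03-01T10:04:50Z ws-077 EventID=4624 LogonType=2 Account=bob",
]
# Constructed asset inventory: the firewall only knows IPs, the EDR knows hostnames.
ASSET_INVENTORY = {"10.0.5.23": "ws-023", "10.0.5.77": "ws-077"}

KV_RE = re.compile(r"(\w+)=(\S+)")
WINDOW = timedelta(minutes=10)  # correlation window, chosen arbitrarily for the example


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Each parser returns the same schema: ts, host, source, kind, detail.
def parse_firewall(line):
    ts, _device, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    host = ASSET_INVENTORY.get(fields["src"], fields["src"])  # enrich IP -> hostname
    return {"ts": parse_ts(ts), "host": host, "source": "firewall",
            "kind": f"outbound_{fields['action']}",
            "detail": f"{fields['dst']}:{fields['dport']}/{fields['proto']}"}


def parse_edr(line):
    d = json.loads(line)
    return {"ts": parse_ts(d["time"]), "host": d["hostname"], "source": "edr",
            "kind": d["alert"], "detail": f"severity={d['severity']}"}


def parse_os(line):
    ts, host, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    return {"ts": parse_ts(ts), "host": host, "source": "os",
            "kind": f"event_{fields['EventID']}", "detail": rest}


def collect_events():
    """Ingest every source into one time-ordered stream, as a SIEM collector would."""
    events = [parse_firewall(l) for l in FIREWALL_LINES]
    events += [parse_edr(l) for l in EDR_LINES]
    events += [parse_os(l) for l in OS_LINES]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Rule: a high-severity EDR alert followed within WINDOW by a blocked outbound
    connection from the same host becomes one incident carrying the host's timeline."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        for trigger in evs:
            if trigger["source"] != "edr" or "severity=high" not in trigger["detail"]:
                continue
            for corroboration in evs:
                if (corroboration["source"] == "firewall"
                        and corroboration["kind"] == "outbound_deny"
                        and trigger["ts"] <= corroboration["ts"] <= trigger["ts"] + WINDOW):
                    timeline = [e for e in evs
                                if trigger["ts"] - WINDOW <= e["ts"] <= corroboration["ts"]]
                    incidents.append({"host": host, "trigger": trigger,
                                      "corroboration": corroboration, "timeline": timeline})
                    break
    return incidents


if __name__ == "__main__":
    for inc in correlate(collect_events()):
        print(f"Incident on {inc['host']}: {inc['trigger']['kind']} then blocked "
              f"connection to {inc['corroboration']['detail']}")
        for e in inc["timeline"]:
            print(f"  {e['ts'].isoformat()} [{e['source']}] {e['kind']} {e['detail']}")
```

Only ws-023 produces an incident: its EDR alert is high severity and the blocked connection follows within the window, and the analyst gets the earlier allowed connection and the process-creation event on the same timeline. ws-077 has a low-severity alert and a blocked connection more than two hours apart, so nothing fires. The point is that none of the three sources alone tells this story; the reduction in time-to-identify the post talks about comes from the SOC having the normalized, correlated view.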

The question, then, is whether to choose an internal SOC or a SOC-as-a-service.


Why a SOC-as-a-service rather than on-premises


The main reason to choose the SOC-as-a-service option is that it is not necessary to set up a SOC, since it is provided as a service. This means that you do not have to choose the technology, nor hire a team of specialists that you would first have to find and then manage and train. Additionally, you do not have to set up the associated processes.


Conclusion

Generally, companies tend to be more reactive rather than proactive. This creates a vulnerability that adversaries take advantage of.

This is why the SOC, which aims to monitor, detect and analyze security threats in real time, is so important.

SOC as a service is unquestionably the winning option for SMBs.

To learn more about Present’s security solutions, please visit our website.


Thinking of adopting an external SOC?