October 23, 2024

Prioritizing Protection: Integrating GSOCs with Organizational Security

In this episode

Mike Gilbert discusses his extensive experience in product management and the evolution of Global Security Operations Centers (GSOCs) in this podcast episode. He highlights the crucial role GSOCs play as the central nervous system of an organization, managing complex security operations and evolving from reactive to proactive functions. Mike also touches on the technological advancements and best practices that are shaping the future of enterprise security operations.

Learn more in Ontic Resources.

View the transcript

Ch 1: Introduction

0:28

Manish:
Mike Gilbert has over 20 years of experience in designing and launching products for startups and established technology companies selling into global markets. For the past five years, Mike has been working with global organizations to craft security solutions that increase situational awareness, streamline notifications to impacted assets, track and manage threat actors, and standardize the reporting and resolution process for incidents, investigations, cases, and crises. This led him to his current position as Vice President of Client Advocacy here at Ontic. Mike, welcome to our show. Welcome to our Connected Intelligence Podcast.

Mike:
Thanks for having me.

Ch 2: Mike’s Background

01:13

Manish:
Great. Well, why don’t we get started for our audience? We’d love to learn a little bit more about your background. What led you to the current role, the current position that you have? And how did you become involved in GSOC operations?

Mike:
Yeah. So I’ll go back to about 2009. I started working for a company that was in the governance, risk and compliance space, working in product management for that company. It was a startup at the time. And I was really exposed to what the GRC business was really all about, which was incident management. It was enterprise risk management, regulatory change management. So I spent about a decade in that space, really understanding customer needs, but with a really big focus on incident management. And then in 2020, when the pandemic hit, I had a great opportunity to switch into the security space, still within product management, but I got exposed to working at a startup at the time that was really helping companies bring all of their intel together in a geospatial way. And I got exposed to our buyers at that time, which were primarily GSOCs. So I spent a lot of time in and out of GSOCs, understanding their requirements, their needs, how they operate. We were able to do a great job selling that product into those GSOCs and really helping them with security. And so during that time period, we really saw a need, or I really saw a need, for a single unified platform that could bring together all of those different functions. So while I was selling to a specific buyer for a specific need, I did see a need for lots of those different things that they were doing to be connected and brought into one platform, which led me to my current role at Ontic, which is what we’re trying to build here at Ontic today.

Ch 3: GSOCs and How They Integrate With Other Functions

03:10

Manish:
That’s terrific, Mike. And we’re certainly going to dive into the needs of a GSOC. But for our audience, especially given your background, we certainly want to understand how GSOCs fit into the organizational structure. Before we do that, though, can you talk a little bit about a GSOC itself? What does that typically consist of? And then I’d love to understand how that GSOC function then might integrate with other functions within corporate organizations.

Mike:
Yeah, it’s a great question. So I really look at a GSOC, especially in most organizations today, as kind of that central nervous system, really the hub of all the security operations that are happening within a given organization. So a lot of that, most of that, flows to the GSOC, to the point that you’ll find a lot of executives and senior leadership present in that GSOC from time to time as events unfold. As a crisis may hit, you will see a lot of activity. So it is really that central nervous system. And by nature, they really do need to collaborate and have cross-functional responsibilities with all areas of the business. Because if you think about certain events that will happen, let’s just take an example. Let’s take again, like maybe a hurricane that affects maybe some assets, maybe some facilities, or even some travelers. That could affect human resources. It could affect your finance team. It’s obviously going to affect operations. So again, a lot of these events are going to impact multiple departments in an organization. So that GSOC is the hub and needs to effectively communicate and really be in constant communication with those other departments.

Ch 4: Challenges with Cross-Functional Collaboration

04:56

Manish:
Makes complete sense. And you mentioned the hurricane really brings GSOC and that nervous system to life. And maybe talk a little bit more about the challenges with collaboration. So you can imagine a hurricane barreling down and that GSOC, as you mentioned, and executives wanting to know how to keep people safe and maintain business continuity. I’m just curious, in your experience, what are the challenges that a GSOC would encounter, especially with that cross-functional collaboration?

Mike:
Yeah, and there are a lot, even if you look at, you know, early on with an event like that, just understanding where that hurricane is going to hit, right? So as that storm becomes named, for example, you have a lot of tracking that goes on, which is sometimes difficult to do. And you obviously have updates from different agencies giving you information about that hurricane. But then, yes, some of the challenges you have then, especially as that hurricane begins to unfold and hit, is executing your standard operating procedures, making sure that when those standard operating procedures involve other departments, they’re aware of the things they need to be doing, making sure that the GSOC gets feedback back from those organizations as to when things are being done and completed so that they’re in constant awareness of what’s going on. The communication can be difficult too. So when you do have a natural disaster like that, communications can be a problem. So having backup, having multiple modalities of communication, is a challenge for a lot of organizations as well. And then afterward, the business continuity, making sure that business continuity plan gets executed and operations can be restored. And then I think at the back end too, then understanding lessons learned. A lot of organizations probably don’t do enough with learning from those events and making sure they can improve their processes. So there’s lots of things that can go wrong. Obviously, these types of crises are very difficult to deal with for most organizations.

Ch 5: The Evolution of Technology in GSOCs

06:52

Manish:
That’s very helpful. And as you think about natural disasters, they’ve been going on for a long, long time, accelerating for sure. So if you think about technologies that existed decades ago in a GSOC, maybe just touch on that, and then the evolution of those technologies to our most present day. And then lastly, and I think this would be helpful for our listeners, is we’ve been focusing this conversation on natural disasters. Maybe touch a little bit on other types of events that a GSOC might deal with, and then the technologies that they’d need.

Mike:
Yeah, so if we go back in time, if you look at most GSOCs and the evolution of GSOCs, it was primarily dealing with that physical security. So video management systems, being able to pull up cameras within a facility, for example. Alarms and access control, understanding who was coming into a facility, who was leaving, maybe if there were certain events happening, like maybe a door forced open or a smoke alarm that went off. I think what we’ve started to see, though, is the evolution of those tools, especially in the realm of being able to understand, with respect to your duty of care, what are the events that are impacting that duty of care? What are the tools and technologies that can really give me that situational awareness? That’s how we started to see the evolution of a lot of the both curated and open source intelligence tools on the market that are available to give you better situational awareness of that. And likewise, other types of technologies have evolved too around incident management and case management and investigations, being able to track all that, because it’s critical for a GSOC to be able to track all of those incidents that may occur and bring those to resolution. So obviously a big piece of that is the workflow that an incident might follow. But then also identifying threat actors, being able to identify people or groups that may cause harm to an organization or certain people within an organization, both inside and out of that organization, and being able to track those people and monitor those people as well. So I think what we’re starting to see is those tools are getting better and better. There’s more tools being introduced over the typical guards, guns, and gates to be able to monitor and really deal with some of these emerging threats that are bigger than natural disasters. Those are obviously something that’s important, but we’re seeing violent protest, active shooters, obviously a big one, around the world as well.
But we’re starting to see more of those geopolitical type events happen and dealing with those. And then another great example is just what happened just about a month ago with CrowdStrike and how that disrupted operations. More of a cyber type of threat, but nonetheless was a crisis that impacted a lot of businesses in a negative way.

Ch 6: Different Components of the GSOC

09:34

Manish:
That is a wide range of threats for sure. And I can only imagine the complexity and the tools and technologies and procedures. Maybe talk a little bit before we dive deeper into the technology stacks of these GSOCs. Maybe describe these GSOCs a bit for our audience. There are physical GSOCs, some are virtual. Even some components of the room itself are responsible for different types of threats, and they all have different tools. Maybe just touch on that for a moment.

Mike:
Yeah, I think it’s a great question. And let’s start with the people, right? So I think one of the most critical aspects of a GSOC is the people that you have in that GSOC and the people that are looking at these threats. And what you’re going to find is that what I see is a lot of organizations do really tend to hire people that have a good background, mostly from the public sector, law enforcement, military backgrounds, that understand what it is to take a piece of intel, action that intel, assess that intel, and make decisions about what they’re seeing. So I think everything with a GSOC probably starts with a person. But what we’re also starting to see too is that GSOCs are starting to go potentially more outsourced, right? Where we have an organization that could potentially completely outsource that function to another group and then obviously get feedback from that group, but we’ve also seen some hybrid too, where we’ve got some sort of a virtual SOC. And then the typical follow-the-sun model, where you’ve got SOCs located in different regions around the globe, and you’ve got global coverage, because as one region sleeps, the other one’s available to handle anything that would happen in the other region. So those are some of the models that we’ve seen. And like I said before, too, in terms of what the responsibilities are, we see a clear delineation around physical security in these SOCs. So we have certain people that are responsible for those alarms that might go off in a manufacturing site or a building. We’re going to have those people potentially responsible for all the video analytics that go on as well. So being able to pull up the right camera, look for things visually. And then the other piece of a GSOC is around that situational awareness.
So we see analysts that are looking at those threats that are coming in, and those could be weather related, those could be geopolitical in nature, but they’re monitoring and seeing, as events unfold, how that’s going to affect their duty of care. And that duty of care could be pretty broad. So I think that’s changing as well in a lot of GSOCs, where before it might have just been maybe your executives or maybe just your travelers. Now it’s work-from-home employees. It’s employees inside of buildings. It’s your buildings. And those buildings can vary from a distribution center to a manufacturing site to just an office that may be in a high rise somewhere. Could also include your supply chain, which is very critical to a lot of organizations as well. And a lot at risk there in a supply chain from a business continuity standpoint as well. So we’re starting to see that duty of care evolve a little bit too, and those GSOCs obviously have a greater responsibility with taking on more of those assets to monitor.

Manish:
Those are extraordinary set of responsibilities. And I recall my time visiting GSOCs, as you have in your career, and you often see the large screens displayed. Can you talk a little bit about those screens and how much of what the analysts or the operators in a GSOC do rely on those screens, what I’ll call eyes up versus eyes down, which are down to their monitors and their screens actively managing threats. If you can give a little color on that.

Mike:
Yeah. And in the times I’ve spent in these GSOCs, what you are going to find is exactly what you described. You’re going to see a wall of monitors that has lots of different information being displayed. It’s going to most likely have several different news channels going, most likely something with weather. If that organization or that GSOC happens to have some sort of a geospatial tool like Esri or some sort of a common operating picture, you’re going to see that as well. You’re going to see potentially all of those cameras as well, on one of those monitors, and alarms that they’re monitoring as well. So it’s going to be a wide array of different things up on those big screens. But what you’re going to find is that a lot of the analysts are going to just use those screens for reference. They’re really working on a specific responsibility that they have at their workstation. So while it’s great to look at those big screens and understand what’s going on at a macro level, most of those analysts and those operators are really eyes down, focusing on what their particular responsibility may be. And as I said before, that’s highly segmented as well. Most likely it’s going to be someone is responsible for their alarms that are going off or the badging anomalies that happen. Another person is going to be responsible for maybe situational awareness. Maybe a third person is going to be responsible for just their supply chain and events that are happening within the supply chain.

Ch 7: Transitioning From Reactive to Proactive

15:20

Manish:
I had a, no, that’s very insightful, Mike. I had a misconception of GSOCs that they were entirely reactive and that the sophistication level of the analysts didn’t have to be that advanced in terms of skillset. A lot of it was triage and dispositioning of alarms, etc. But I have a sense that GSOCs are starting to become more proactive, more strategic, are dealing with requests that are coming from business stakeholders that are much more advanced in nature that require deeper analysis. For example, geopolitical events or issues or impacts the supply chains. Maybe touch on your experience and what you’ve seen with many large companies and the sophistication range of GSOCs themselves. Are they, in your experience, mostly reactive or are they starting to transition?

Mike:
I think it’s the latter, Manish. I think what we’re starting to see is that organizations are transitioning into more of a proactive role and mode, which is great to see, honestly. So what I’ve seen in my experience is that there are specific hires that are being made within that GSOC to just be focused on proactive. And I’ll give you an example. A good example is looking at historical, either weather events or crime data is another good example, to look at where should we be focused? What should we really be worried about proactively? And that may be as simple as looking at potential, the projections around hurricanes that are going to happen, or looking at the crime and how the crime is changing around assets that you typically have. So I think that’s where, those are two examples where I see GSOCs and the people in those GSOCs becoming more proactive around being able to look for these issues that might occur. And that could manifest itself as, hey, we’ve got some travelers that are going to a certain area. We happen to know that the crime rate has spiked in that area. It might be a certain section of a city. It might be a whole region in general. But then what they can do with that information is obviously arm that traveler, which with much more information, potentially even change their travel plans too, all together. But with that information, they can definitely make sure, for example, those travelers are a lot safer when they do go abroad.

Ch 8: Prioritizing Threats to Focus On

17:49

Manish:
GSOCs are becoming trusted advisors. Back to your point on being that central nervous system, whether it’s executives that are traveling or employees or duty of care, to your point, everything from cyber risk and anomalies to crime, to weather events, to active events that might be occurring, to medical events. That’s a lot for a GSOC to take on. How do they prioritize what to go focus on? And how does that relate to some of the evolution of technology that’s happened in the last three to five years?

Mike:
Yeah, that’s a great point too, because what I’ve seen is that, for one, GSOCs now, with the advent of a lot of these great tools that are available on the market to feed intel into a GSOC, the effect that that has on that GSOC is to really overwhelm operators with a lot of information. And they do need to prioritize what they’re focused on. So what I’ve seen in my experience is that really, really well-run GSOCs really understand the attributes of those threats to help them determine the priority and what should be focused on. And by that, I mean, they look at things like proximity, they look at severity, they look at the categories, and what they can do is create a matrix that looks at all those attributes together to determine how they prioritize researching those events and actually handling those events. So for example, we might see proximity being one of the most important factors. So let’s take an event like an earthquake, another natural disaster, right? They may look at that and say, well, our proximity there might be 100 miles or 500 kilometers to an asset that we need to look at. And then we look at severity. Is it a 5 to a 7? Is it a 7 to an 8 in terms of magnitude? So what they can do is start to build that matrix so that when that event does occur, they know exactly what to prioritize, because they can see that this is the proximity to the asset, this is the magnitude, this is the category. Yes, I should be focused on this first because of those three attributes. So again, I’ve seen a lot of really well-run GSOCs where they’ve got a definite matrix set out based on some of that criteria to help them prioritize all the information that’s flowing into a GSOC and make sure they’re focused on the things that are most important.

Ch 9: Technology Stacks in GSOCs

20:09

Manish:
Focusing on the things that are most important. How critical. Mike, let’s talk a little bit about technology stacks that exist in GSOCs. What are the most foundational, critical, and important ones today? And what’s evolving? What’s changing with the technology stacks themselves?

Mike:
Yeah, that’s a great question too. And I’ll preface this with saying that to different organizations, different technology is more important than others. And I’ll give you an example. I work with a large retail client that had lots of large-scale retail facilities around the world, and they were facing a problem with a lot of crime and specifically gunshots. So to them, gunshot technology, very, very critical technology, again, specific to retail. So I will say that it’s, again, specific to the different type of organization and what they’re dealing with. But as a whole, I think what I’ve seen in terms of technology stack, I think the things that are most critical to most GSOCs are incident management, right? First and foremost, being able to handle events and be able to manage those events, track them, detail them, put them through some sort of a workflow so that you can go from an open state to a closed state and whatever’s in between to be able to manage those incidents. I think that’s one of the most important things. And then I think what’s really evolving, and more around the technology, is again that situational awareness and, first and foremost, getting good intel into that GSOC. And that intel can take a lot of different forms. It’s going to be weather, very critical, but it’s also any type of open source intel that’s available, but also potentially curated as well. Curated intel is great because you know that an analyst has seen that, has vetted it, it’s real, and it’s something that potentially should be acted on. So I think that’s another critical piece of technology to have inside of a GSOC, is some way to get intel, and then specifically related to your assets, right? That intel is meaningless unless you know what it affects. So again, intel that’s related to your assets, so you know how to action it, I think is critical. And then I think some way to make sure that you’re monitoring threat actors.
Threat actors are becoming more and more of a problem, I think, especially when you look at, again, some of the threats that we’ve seen to organizations around maybe an organization’s stance with regards to political events that are going on in certain regions, for example. So understanding who those threat actors are, they could be groups, they could be individuals, but identifying who they are and then keeping tabs on what they’re doing and making sure that if you do identify one of those threat actors and they happen to be close to an executive or maybe driving around your campus, you understand that they’re there and can take appropriate action. So I think those are the main technology tools, again, being able to understand your incidents, being able to also ingest situational awareness, intelligence, and then also monitoring threat actors, I think are critical pieces of technology that a GSOC has to have, in addition to what they’ve traditionally had, which is all that physical security technology as well.

Ch 10: The Evolution of GSOCs and Best Practices

23:27

Manish:
No, that’s great. And I do think you emphasize this point a few times, taking action, right? And the action could be dispatching a guard. The action could be making sure the appropriate medical emergency is addressed, or the incident is logged, or even a long-form situation analysis or report. So that’s terrific. Let’s close with just a couple more questions. One more is around emerging threats. What are the new emerging threats that GSOCs maybe didn’t have to deal with as much five years ago, 10 years ago, but are coming in waves now? And where might that evolve to over time?

Mike:
Yeah, I think that’s a great question, because we are seeing the threats start to evolve, and they seem to evolve more quickly as we get deeper and deeper into the security landscape. But what I kind of see as a big emerging threat is, if you look at the political environment, not just in the United States but around the world, it has become more charged. What you’re starting to see is more and more groups that are potentially threats and can cause problems for certain organizations. Whether those are as simple as a protest or it could be a more targeted campaign against an organization, I think that’s an emerging threat as well. And if you look at some of the demonstrations that have gone on around the globe here, again, with regard to what’s happening in the Middle East, you’re going to start to see that. But then also, I think that the cyber can’t be underestimated. The cyber threats that are happening, again, going back to that CrowdStrike example, can’t be underestimated, the damage that it did to certain organizations. So I think that’s still an emerging threat that changes, right? This one wasn’t a cyber attack. It was just some sort of an event that happened where obviously some bad code got out there, took down some systems. You have something that caused your business potentially to go down. So that can take a number of forms too, in terms of the cyber threats that are out there. But I think those are still, we haven’t seen the last of those cyber threats. They seem to evolve probably more so than most of the other threats that we’ve seen.

Manish:
And to your point, I think those will continue to accelerate as well. And you might need new SOPs, new playbooks to manage those new events in the future. I think that’s great. My final question, Mike, and then I’ll close by asking you if we left anything out on GSOCs, is, what are some best practices? As you have visited a number of these GSOCs, you’ve helped provide technology for them. What are the best practices, both to set up and to maintain an effective GSOC?

Mike:
Yeah, I think it’s a great question. I think we hit on a couple of them, but let’s talk about some of them. I think if I’m looking at a best practice and starting a GSOC essentially from scratch, I think I go back to making sure that I hire the best possible people with the best backgrounds, I think, is probably the first thing I would make sure that I do. So bringing in the right people with the right experience and the right background to make sure that we understand our charter and our duty of care and protecting that. I think next, if I look at best practices, making sure those SOPs are in place, making sure that you’ve got good SOPs that again, deal with all the different types of events and threats that you might face is important as well. And then maintaining those over time, that a lot of times gets overlooked in terms of the maintenance of those. And a lot of that maintenance will come from lookbacks to events that have occurred. Great example, again, going back to CrowdStrike, looking at how that impacted your business and updating your SOPs from there. So I think that’s a best practice for sure, is having very good SOPs that can be executed to mitigate the risk. And then I think that the next best practice is determining what model works best for you and your GSOC, right? You might be a multinational organization. Follow the sun might be the best approach for you. Maybe you’re a smaller type of organization, and maybe a virtual SOC works best for you. So I think determining the best model is also a best practice to make sure that’s going to work for you. And that may change over time as well. So as your organization grows, your model may not work so well for you, and you may have to make that change. And then I think the last best practice is making sure that you have the right investment for your tools. I think tools are becoming critical to making sure that a GSOC is effective and efficient, and that can obviously lower costs. 
So I think making sure that you select the right tools, understand what tools you need, and then the priority that you implement those tools, I think are some of the best practices too. And I think that, again, goes back to what that GSOC is responsible for and its primary focus. So again, aligning what tools you purchase with your charter.

Manish:
Excellent insight and advice for our audience, Mike. That was terrific. Do you have anything else to add, anything else that we missed related to GSOCs?

Mike:
Yeah, great question. I think we covered a lot of ground in terms of talking about some of the things that we’ve seen. I think we’ve covered a lot of really what I’ve seen in GSOCs and what is some of the emerging threats. But I think I’ll leave with this, which is that I’m happy to see that I see GSOCs taking on more and more responsibility around their duty of care. And I think what’s great, too, about a lot of GSOCs in bigger organizations, they’re pushing the envelope of what they want. So they’re pushing a lot of technology companies to solve problems that they have, which I think is great because that’s going to enhance the security overall. And again, I think by pushing those technology vendors, it’s going to make the world a safer place overall, which is great. So I think the trends are positive around what I’m seeing in terms of how organizations are dealing with security.

Manish:
Our guest today was Mike Gilbert. Mike, thank you again for joining our podcast today. Excellent job.

Mike:
Happy to be here.

What you’ll learn

Learn how GSOCs are evolving to become more proactive and strategic in managing security threats

Discover the technological tools and practices essential for effective incident management and situational awareness

Understand the emerging threats faced by GSOCs and how organizations can prepare to tackle them

More about our guest

Mike Gilbert has over 20 years of experience in designing and launching products for startups and established technology companies selling into global markets. For the past five years, Mike has been working with global organizations to craft security solutions that increase situational awareness, streamline notifications to impacted assets, track and manage threat actors, and standardize the reporting and resolution process for incidents, investigations, cases, and crises. This led him to his current position as Vice President of Client Advocacy here at Ontic.