01. Network infrastructure: the foundation of visibility

This is the first thing we verify. We ask: does the company have a modern firewall from which logs can be downloaded? Do network devices allow traffic to be viewed and analyzed? Is the network divided into zones, separately for the office, servers, guests, and IoT devices? What does remote access to company resources look like?

What monitoring excludes: cheap consumer routers without management capabilities, no firewall (only a device from the operator), a network without any zoning (in such a network, an attack spreads without any barriers).

02. End devices: computers, servers, phones

The company needs to know what it has on its network. We verify whether all devices are running on supported operating systems, whether there is central management of computers and phones, whether it is known how many and what devices are connected to the network, and what the situation is with employees' private devices.

What monitoring excludes: old operating systems such as Windows 7 or XP, on which a security agent cannot be installed; lack of device inventory (you cannot monitor something you do not know exists), private phones and laptops on the company network without any control.

03. Identity and access: who, when, and where

We check whether each employee has their own individual account, whether administrator accounts are separate from everyday work accounts, whether the company uses two-factor authentication, and whether there is a central directory of users and permissions.

What prevents monitoring: shared accounts, e.g., one “admin” account for several people. As a result, in the event of a security incident, it is impossible to determine who did what. This precludes a reliable analysis after a breach.

04. Cloud and SaaS applications

More and more SMEs are using Microsoft 365, Google Workspace, or online ERP systems. Monitoring must also cover these environments. We ask what cloud tools the company uses, whether the licenses it holds allow access to security logs, and whether employees use unapproved applications.

What limits monitoring: lower M365 plans (such as Business Basic) simply do not provide security logs. Shadow IT, i.e., applications used without the knowledge of the IT department, is completely beyond the scope of monitoring.

01. Lack of network documentation

The company does not know what it has on its network, it does not have a list of devices, it does not have a connection map. You cannot monitor something you do not know exists.

Solution: audit and automatic inventory.

02. Old network equipment

Switches and routers from a decade ago do not produce logs, do not have APIs, and cannot be integrated with any analytical tools.

Solution: a physical ADQ probe plugged directly into the network.

03. Shadow IT

Employees use Google Drive, Dropbox, and dozens of other tools without the IT department's knowledge. Each of these is a potential attack vector, invisible to standard solutions.

04. Private devices on the corporate network

An employee's smartphone without any control on the company network is a black hole. SOC will not see what is happening through it until it is managed.

05. Insufficient cloud licenses

In lower Microsoft 365 plans, security logs are not available. Cloud monitoring is then impossible without changing the subscription.

06. One IT person

Even when logs exist, no one has time to read them. The IT specialist handles the helpdesk, printers, and server at the same time, and no one is responsible for security monitoring. In this situation, our SOC service is the ideal solution.