Organisations need extensive, continuous protection to combat increasingly sophisticated cyber threats. But creating a security operations centre (SOC) to monitor, analyse and maintain security posture proactively is not simple. The question asked by many CISOs is how you can get the most out of your fully managed or hybrid SOC and enhance its performance.
With the average data breach cost now running at a record high of $4.35 million, according to the Ponemon Institute, shoring up defences has never been more critical. A dedicated SOC provides several benefits, including continuous network monitoring and centralised visibility, quick and effective response, and enhanced threat prevention.
Many enterprises cannot justify the cost of a dedicated SOC and do not have the in-house staff to run one. In these cases, CISOs and Heads of Information Security are finding it difficult to identify a SOC provider, whether fully managed or hybrid, that can deliver the service effectively and within budget. The hybrid model combines the in-house skills of the organisation's own security engineers with those of a Managed Security Service Provider (MSSP).
Common SOC issues
In a recent forum, members of ClubCISO, a global private members forum driven by Telstra Purple, described the challenge of choosing the right SOC set-up for their organisation. Some had previously encountered difficulties with SOC providers that lacked in-depth knowledge of their business and the risks it faces. Unless an MSSP has relevant industry experience, many felt they were not getting the most out of their investment.
In addition, some felt that their Security Information and Event Management (SIEM) tooling was ingesting far more log data than the detection use cases actually needed. Because SIEM licensing and storage costs scale with ingested volume, this made the service very expensive without a matching improvement in detection.
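One practical response to the SIEM cost problem is to decide, per log source, what the SOC actually needs before ingestion rather than forwarding everything. The following is an added example written for this article, not code from the page or from any MSSP: it filters a constructed batch of events (permitted east-west firewall traffic and raw DNS queries are dropped or summarised, denies, authentication and endpoint telemetry are kept) and reports the resulting volume reduction. The event format, the internal address ranges and the keep/drop rules are assumptions for illustration.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample events (not real logs), in the JSON-per-event shape
# many collectors emit.  Field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"source": "firewall", "action": "allow", "src": "10.0.1.5", "dst": "10.0.2.9", "dport": 445},
    {"source": "firewall", "action": "allow", "src": "10.0.1.5", "dst": "8.8.8.8", "dport": 53},
    {"source": "firewall", "action": "deny", "src": "203.0.113.7", "dst": "10.0.1.5", "dport": 3389},
    {"source": "auth", "action": "failure", "user": "alice", "src": "10.0.1.5"},
    {"source": "auth", "action": "success", "user": "alice", "src": "10.0.1.5"},
    {"source": "endpoint", "event": "process_create", "image": "powershell.exe", "host": "ws01"},
    {"source": "dns", "query": "update.example.com", "host": "ws01"},
    {"source": "dns", "query": "update.example.com", "host": "ws02"},
    {"source": "dns", "query": "update.example.com", "host": "ws03"},
]

# Assumed internal address space for this example.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def should_forward(event):
    """Decide whether a single event is worth SIEM ingestion under the assumed rules."""
    src = event.get("source")
    if src == "firewall":
        # Permitted east-west traffic is usually the bulk of firewall volume and rarely
        # drives a detection on its own; keep denies and anything crossing the perimeter.
        if event["action"] == "allow" and is_internal(event["src"]) and is_internal(event["dst"]):
            return False
        return True
    if src in ("auth", "endpoint"):
        return True          # cheap, and most detection content depends on these
    if src == "dns":
        return False         # replaced by the per-name summary below
    return True              # unknown sources: forward until a rule exists


def summarise_dns(events):
    """Collapse per-query DNS events into one record per name with a count and host list."""
    summary = {}
    for e in events:
        if e.get("source") == "dns":
            rec = summary.setdefault(e["query"], {"count": 0, "hosts": set()})
            rec["count"] += 1
            rec["hosts"].add(e["host"])
    return [{"source": "dns_summary", "query": q, "count": r["count"], "hosts": sorted(r["hosts"])}
            for q, r in sorted(summary.items())]


def reduce_volume(events):
    """Return (events to ingest, bytes before, bytes after) for a batch of events."""
    kept = [e for e in events if should_forward(e)]
    kept.extend(summarise_dns(events))
    before = sum(len(json.dumps(e)) for e in events)
    after = sum(len(json.dumps(e)) for e in kept)
    return kept, before, after


if __name__ == "__main__":
    kept, before, after = reduce_volume(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} events / {before} bytes in, "
          f"{len(kept)} events / {after} bytes to SIEM "
          f"({100 * (before - after) / before:.0f}% reduction)")
    for e in kept:
        print(json.dumps(e))
```

The point to agree with the MSSP is not just what gets dropped but where it goes instead: events filtered out of the SIEM should still land in low-cost retention (an object store or archive tier) so that forensic work after an incident is not blind to the traffic the detection tier chose to ignore.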
These issues have led some members to lose trust in MSSPs. However, many of them can be avoided by asking the right questions from the start. Below are some of the suggestions put forward by ClubCISO members for getting the best results from your SOC investment.
Pros and cons of managed versus hybrid SOC
By opting for a managed SOC, organisations offload the burden of running a SOC and put managed detection and response in the hands of security experts. The latter matters because the ongoing talent shortage is a barrier for many looking to set up an in-house SOC. To put this in perspective, the UK Government estimates that, with the growth in demand for cyber skills, there is an annual shortfall of over 14,000 cybersecurity personnel. Organisations should therefore see an MSSP as adding to their in-house cybersecurity effort rather than replacing it.
With a managed SOC, the enterprise needs to work with an MSSP it trusts. The MSSP may be identified through a historic relationship with your organisation, a recommendation, or an RFP process. However it is identified, it is essential that you and your new partner upskill each other.
Some ClubCISO members felt a hybrid model provided the right balance of SOC services. A hybrid SOC combines in-house skills with those of an MSSP to form a single SOC, allowing the organisation to build on its own team's strengths while drawing on the MSSP's skills and experience. However, the organisation must already have strong in-house security capabilities for this to work effectively.
Here are the members' tips for getting the most out of a managed or hybrid SOC:
Consider building a target operating model for your SOC
A target operating model enables an enterprise to describe the desired state of its SOC from which to build a strategy without putting the current work environment at risk.
Set clear SLAs
Ensure that Service Level Agreements (SLAs) are negotiated to reflect your business requirements and risk appetite, with measurable targets such as time to acknowledge and time to contain, set per incident severity. Understand that a meaningful discussion about SLAs can only happen once the MSSP understands your security operations and posture.
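An SLA is only useful if both sides can measure it from the same ticket data. The following is an added example written for this article, not code from the page or from any MSSP's tooling: it takes a constructed export of incident records, applies illustrative acknowledge-and-contain targets per severity (the timings are assumptions, not figures from the article) and reports attainment and the specific breaches per severity. Incidents that are still open are measured against the current time so that an in-progress breach is visible rather than hidden until closure.

```python
from datetime import datetime, timedelta

# Illustrative targets per severity: assumptions for this example, not the article's figures.
SLA_TARGETS = {
    "P1": {"acknowledge": timedelta(minutes=15), "contain": timedelta(hours=4)},
    "P2": {"acknowledge": timedelta(hours=1), "contain": timedelta(hours=24)},
    "P3": {"acknowledge": timedelta(hours=4), "contain": timedelta(hours=72)},
}

# Constructed incident records in the shape a ticketing export might provide.
# A value of None means that milestone has not happened yet.
INCIDENTS = [
    {"id": "INC-1", "severity": "P1", "created": "2024-03-01T09:00:00",
     "acknowledged": "2024-03-01T09:10:00", "contained": "2024-03-01T12:30:00"},
    {"id": "INC-2", "severity": "P1", "created": "2024-03-02T22:00:00",
     "acknowledged": "2024-03-02T22:40:00", "contained": "2024-03-03T01:00:00"},
    {"id": "INC-3", "severity": "P2", "created": "2024-03-03T14:00:00",
     "acknowledged": "2024-03-03T14:25:00", "contained": "2024-03-03T23:50:00"},
    {"id": "INC-4", "severity": "P3", "created": "2024-03-04T08:00:00",
     "acknowledged": "2024-03-04T14:30:00", "contained": None},
]


def _elapsed(start, end, now):
    """Time from start to end, or to now if the milestone has not yet been reached."""
    s = datetime.fromisoformat(start)
    e = datetime.fromisoformat(end) if end else now
    return e - s


def breaches(incident, targets, now):
    """Return the SLA clocks this incident has breached (or is currently breaching)."""
    t = targets[incident["severity"]]
    out = []
    if _elapsed(incident["created"], incident["acknowledged"], now) > t["acknowledge"]:
        out.append("acknowledge")
    if _elapsed(incident["created"], incident["contained"], now) > t["contain"]:
        out.append("contain")
    return out


def sla_report(incidents, targets, now):
    """Per-severity attainment and the list of (incident, clock) breaches."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    report = {sev: {"total": 0, "met": 0, "breaches": []} for sev in targets}
    for inc in incidents:
        row = report[inc["severity"]]
        row["total"] += 1
        b = breaches(inc, targets, now)
        if b:
            row["breaches"].extend((inc["id"], clock) for clock in b)
        else:
            row["met"] += 1
    for row in report.values():
        row["attainment_pct"] = round(100 * row["met"] / row["total"], 1) if row["total"] else None
    return report


if __name__ == "__main__":
    for sev, row in sla_report(INCIDENTS, SLA_TARGETS, "2024-03-05T00:00:00").items():
        print(sev, row)
```

Two details worth settling in the contract before the first report is produced: whose clock defines "created" (the MSSP's alert timestamp or the time the underlying event occurred) and whether an incident that misses one clock but meets the other counts as met. The example treats any breached clock as a miss; a more lenient reading changes the attainment numbers substantially.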
Help your new MSSP to understand the business
An MSSP must understand the unique security requirements of the business to develop an appropriate security strategy. One option is for the MSSP to place an expert inside the organisation to get an in-depth view of how it runs. Alternatively, rotating SOC analysts from the MSSP into the organisation's team, and vice versa, can provide a valuable knowledge swap.
Look at getting an analyst-as-a-service as part of the SOC offering
Training and retaining SOC experts is a challenge in the current skills drought, particularly where a certain level of security clearance is required. An MSSP can supply analysts against a defined brief that covers the skills, clearance level and geographic location you need.
Look beyond SIEM
Every SOC needs SIEM tooling to detect and manage security events, but a SOC is more than a SIEM. It also covers forensics, Endpoint Detection and Response (EDR) and Incident Response (IR). An MSSP must be able to support you through every stage of a breach if one happens, not only the initial alert.
Consider your future security needs and SOC requirements
SOC teams must be able to identify and respond to new, more sophisticated attacks with the right tools and skills. Security Orchestration, Automation and Response (SOAR) tooling can take repetitive work off analysts; an automated phishing triage workflow, which extracts indicators from a reported email, checks them and applies a first response, is a common example.
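To make the phishing example concrete, the following is an added example written for this article, not code from the page or from any SOAR product: it builds a constructed user-reported email, extracts the sender and Reply-To addresses, URLs and attachment hashes, scores them against assumed allow and block lists, and maps the verdict to response actions. The domains, weights, thresholds and action names are all assumptions for illustration; in a real deployment the checks would call the organisation's threat intelligence and mail platform.

```python
import hashlib
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed reference data for this example.
KNOWN_BAD_DOMAINS = {"login-secure-update.example"}
TRUSTED_DOMAINS = {"corp.example"}
RISKY_EXTENSIONS = (".exe", ".js", ".hta", ".iso", ".lnk", ".vbs")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample():
    """Constructed phishing-style message: a spoofed helpdesk note with a lure URL and script attachment."""
    m = EmailMessage()
    m["From"] = "IT Helpdesk <helpdesk@corp.example>"
    m["Reply-To"] = "helpdesk@login-secure-update.example"
    m["To"] = "alice@corp.example"
    m["Subject"] = "Password expires today"
    m.set_content("Your password expires today. Reset here: https://login-secure-update.example/reset?u=alice\n")
    m.add_attachment(b"var x=1;", maintype="application", subtype="javascript", filename="invoice.js")
    return m.as_string()


def _domain(addr):
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def extract_indicators(raw):
    """Parse a raw RFC 822 message and pull out the artefacts an analyst would look at first."""
    msg = message_from_string(raw, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append({"name": part.get_filename() or "",
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"from": str(msg.get("From", "")), "reply_to": str(msg.get("Reply-To", "")),
            "urls": sorted(urls), "attachments": attachments}


def score(ind):
    """Weighted findings -> verdict.  Weights and thresholds are assumptions."""
    findings = []
    if ind["reply_to"] and _domain(ind["reply_to"]) != _domain(ind["from"]):
        findings.append(("reply_to_mismatch", 2))
    for u in ind["urls"]:
        host = (urlparse(u).hostname or "").lower()
        if host in KNOWN_BAD_DOMAINS:
            findings.append((f"known_bad_url:{host}", 5))
        elif host not in TRUSTED_DOMAINS:
            findings.append((f"external_url:{host}", 1))
    for a in ind["attachments"]:
        if a["name"].lower().endswith(RISKY_EXTENSIONS):
            findings.append((f"risky_attachment:{a['name']}", 4))
    total = sum(w for _, w in findings)
    verdict = "malicious" if total >= 5 else "suspicious" if total >= 2 else "benign"
    return {"score": total, "verdict": verdict, "findings": findings}


def triage(raw):
    """Full workflow: extract, score, and choose the automated first response."""
    ind = extract_indicators(raw)
    result = score(ind)
    actions = {
        "malicious": ["quarantine_message_org_wide", "block_urls", "open_incident:P2"],
        "suspicious": ["hold_for_analyst"],
        "benign": ["close_report"],
    }[result["verdict"]]
    return {**ind, **result, "actions": actions}


if __name__ == "__main__":
    r = triage(build_sample())
    print(r["verdict"], r["score"], r["findings"], r["actions"])
```

The automated part should stop at containment (quarantine, URL block) and hand anything that opened an incident to a human; the value of SOAR here is removing the repetitive extraction and lookup work, not deciding unaided that a report is benign.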
Make sure the service being offered fits your business requirements
The size of a business and its requirements will dictate how often critical alerts are escalated to your internal teams, and at what severity threshold the MSSP handles an alert itself rather than paging you. Agree both up front so that alert volume matches the capacity of the people receiving it.
Work with an MSSP you click with and trust
It is essential that an enterprise trusts its MSSP and that both sides can communicate openly and transparently, so that the relationship is strong and meaningful rather than purely contractual.