The key to SOCcess – 5 things you need to consider for improved threat monitoring and response

Substantially improving the security of your organisation isn’t easy, and – as the person in charge of doing so – it can be daunting to know where to start.

Maybe you’re proactively seeking a way to effectively respond to and mitigate threats. Perhaps you’re unfortunate enough to have suffered a breach and wish to avoid repeating the experience.

Either way, the key to taking your security to the next level lies in getting better visibility.

The advent of cloud technology now means that your data is stored in more places and accessed in more ways than ever before – resulting in an ever-increasing attack surface that you now need to monitor and defend.

As such, you’re probably looking at developing or outsourcing some sort of security operations centre (SOC) or threat monitoring and incident response function.

This decision alone comes with a whole host of considerations that must be answered if your chosen solution is to be effective.

In this blog, we’ll explore the key elements that you need to consider when establishing this capability, and the impact of doing it inhouse or via an outsourced security partner.

Threat detection and remediation: To build or buy?

This is a complex consideration and one that won’t have the same answer for every organisation or industry.

Why? Because the answer to this question will be influenced by several factors; the organisation’s operating model, the organisation’s requirements from a SOC, regulatory compliance, commercial considerations and appetite for risk, to name but a few.

Below, we’ve highlighted five key areas that can act as your starting point toward deciding which option would best suit your needs.

The five areas covered include:

• Control
• Speed
• Scale
• Quality
• Output

So, let’s dive in.

1. Control

Control is often a primary concern. The notion that it’s best to control ALL of your security is common and not necessarily incorrect in specific scenarios.

For some, the thought of ceding some (or all) control of their security to a third-party can be stressful and puts them on the defensive from the start.

As a result, the thought of an internal SOC that they can tailor to their organisation’s requirements while reducing the risk of external data transfers is understandably appealing.

But that approach can come with unforeseen obstacles, namely when it comes to keeping track of budget, managing internal conflicts, and proving ROI.

Outsourcing your security to a managed security service provider (MSSP) might seem risky but – provided you do your homework – it can improve your security AND afford you greater control over the overall success of the project.

Using an MSSP clearly defines where responsibilities lie and consolidates your spending into one service payment rather than aggregating multiple internal budgets where the investment/return calculation is less clear.

Having agreed KPIs and SLAs makes your life much easier when it comes to demonstrating ROI to the board. A decent MSSP should be able to provide you with reports that will help you reassure the board’s and gain continued support and investment in improving your organisation’s security posture.

What you should be considering when thinking about control is not relinquishing control of policy, but the technical mechanisms needed to achieve your goals.

Your organisation’s security practice should always control the organisational security policy because they (i.e. you) will always own the risk on behalf of the organisation.

A successful relationship with your MSSP should work more as a partnership than a provider. A deep understanding of your organisational policies, procedures and posture should be integral to the design of the service they deliver.

The MSSP approach removes much of the heavy lifting of the implementation and day to day running and frees you up to focus on the bigger picture.

2. Speed

Delivery of SOC capabilities via an outsourced partner is by far the quickest route to developing your required capabilities.

To develop a fully functioning SOC inhouse will typically take 15-24 months, during which, demand and scale will change significantly. This adds complexity and cost, not to mention significantly delaying when you’ll start to see the benefits.

Utilising an MSSP allows you much faster access to competent and operational security staff and processes. This means you can have your threat monitoring capability up and running within 90 days vs. two years.

Any MSSP worth its salt should have several service models that meet a variety of needs rather than taking a “one size fits all” approach.

Such service models demonstrate a thoughtful client-centric approach and that the speed of execution can be done at pace and to a defined standard.

3. Scale

As with any modern-day project, scale should be a real consideration.

The data ingested by a SIEM platform is – and should be – extensive. The more useful data it ingests the greater visibility you will get and the better your IT team will be able to respond and mitigate against threats with expert guidance from the SOC.

The problem when delivering inhouse is understanding the long-term scale at the start of the project. Your needs are likely to change as the project – and your environment – expands.

So, whatever route you decide on, it needs to be able to scale up and adjust to your data requirements as they evolve. A process that will typically be slower to enact inhouse whereas an MSSP will be managing multiple clients with different needs so scalability will be built into their service.

A quality MSSP should use their experience to guide clients through a scoping exercise and focus on ensuring data ingestion is appropriate and valuable.

This ensures that you avoid paying for consumption that offers little or no value.

Vendors tend to use one of two distinct models when working out the price of a SIEM/SOAR platform.

Either an EPS (Event Per Second) calculation or a CR (Capacity Reservation = Consumption) calculation.

4. Quality

The most important element within a SOC capability is its people, closely followed by the platform and tools being utilised.

The best technology in the world won’t help you if you don’t have good people in place to analyse and act on the information being surfaced by the SIEM.

People are a real challenge for MSSPs and even more so for organisations aiming to deliver inhouse operations.

Currently, there is a huge skills gap in the market, and it isn’t going to get better anytime soon.

A recent survey suggested that there is zero unemployment in the technical security space with an increased shortfall that has now reached over 4 million vacant positions globally.

The consequences of this are inflated salaries, and challenges with skills retention and maintaining operational effectiveness.

Using an MSSP means that recruitment and all the related training and development headaches are their problem and not yours. It also means that you have access to experienced personnel who are monitoring multiple environments and applying their learnings to yours.

By contrast, an inhouse SOC team are limited in their exposure to modern threats, learning only from first encounters in your environment. Can you afford to take the risk of something slipping through the net simply because your analysts haven’t seen it before?

An MSSP will also be able to better meet a 24/7 monitoring requirement, who realistically has the resources to achieve this inhouse?

Regarding the choice of platform and tools, the primary tool is the SIEM/SOAR platform and, to be honest, they all deliver similar levels of capability.

Some are better for certain scenarios than others, some require much more maintenance and development but have distinct advantages in processing power. Some ingest certain types of log data more intelligently than others.

There are, however, some general considerations that can steer platform choice fairly quickly:

• Is the vendor a major player?
• Is it a strong brand that can offer stability and innovation?
• Does the vendor’s platform have ‘tie-ins’ with other major security and IT vendors?
• Do they have the ability to use log data derived from vendor/partner technologies straight out of the box (pre-existing API’s / Connectors etc)?

Also, consider if the vendor has sufficient capacity and resources to support a comprehensive development roadmap. They might be reluctant to share this information due to commercial and intellectual property concerns, but a good judgment call here will invariably save you having to replace the platform in a few years.

The last couple of years have seen the introduction of solely cloud-based SIEM / SOAR solutions from several vendors and these should be a real consideration.

A truly native cloud-based platform will offer scalability, greater flexibility, efficiency and context for monitoring your cloud-based architecture and on-premises infrastructure compared to purely on-premises SIEM solutions.

Inhouse, you’ll have to figure out whether the data you’re ingesting is appropriate or excessive and – unless you’ve managed to recruit very experienced staff – will often end up as a best guess. A partner MSSP should work with you to rationalise EPS or ingestion rates to only that which truly offers value.

Ultimately, both EPS and CR models operate on a basis of the more that’s consumed the greater the charge, so rationalisation of data is key to controlling cost.

5. Output

Any SOC function should be conscious of the requirements from the wider security practice regardless of whether it’s an inhouse SOC or outsourced.

A good SOC will offer intelligence at the following levels:

Commercial considerations

Normally, price is the first factor most organisations consider due to budget setting typically coming before the project kicks off in earnest.

However, in the matter of inhouse versus outsource deliberations, the commercial context should be second to your operational considerations.

But, naturally, there will be an inescapable economical element to your decision process too.

From an inhouse perspective, there are some fixed elements that will decide the price of delivery but there are also some softer elements that you’ll want to consider to assess the true cost.

To make your decision harder, there’s a wide array of commercial offerings in the MSSP space for threat monitoring and incident response services. Navigating through these options can be challenging when trying to compare ‘apples with apples’.

In my experience, there will always be an internal element that pushes for security monitoring to be handled inhouse on the assumption of greater control/less cost.

Having successfully delivered projects of this nature for the best part of two decades, I know that no one internally has much spare capacity and a dedicated team is needed, supported by the expertise necessary to make it effective.

So, although an important consideration, be careful not to let cost become counter-intuitive to making the right decision.

Conclusion

The truth is there’s no right or wrong approach as long as it meets your requirements.

If your organisational drive is to “tick a box” to meet regulatory compliance, or you want to be seen to be “doing the right thing”, then whether you do it inhouse or via an MSSP make the commercial offering the primary consideration and go for the cheapest option.

However, if you want to implement a solution where you leverage the value that this capability offers then use the operational requirements to guide your choices.

From experience, this isn’t something you can dabble with in your spare time. It’s a bit like Pandora’s box: if you don’t embrace the gift of actionable intelligence this capability can offer it will quickly become a curse.

If you’re claiming to have a threat monitoring and incident response function in place, some very awkward questions will be pointed in your direction in the result of a breach. Both internally and externally from industry regulators.

If you haven’t deployed a competent threat monitoring capability, those questions become embarrassingly difficult to answer.

BUT if you’ve properly invested in a SOC capability, you’ll be well placed to demonstrate how you addressed the breach and the steps taken to mitigate future attacks. You’ll also be able to reassure the board that the organisational brand and personal reputations remain intact and secure.

Key takeaways