Building a SOC and choosing an MSSP

Questions to consider
Organizations of different sizes have different ways of dealing with cyber security challenges. Depending on external factors, the environment they operate in, or internal factors such as budgetary constraints, they might choose to manage their security with an in-house team, or outsource it to a dedicated firm. Either way presents its own challenges, and each has something to recommend it. This post aims to explore some of the advantages and drawbacks of either route.
When considering the question of whether it is better for a company to outsource security solutions or to maintain their in-house security team, there are no easy answers. There are countless questions to be answered on the road towards resolution, and the outcome is more reliable the more it is considered. However, there are some handholds along the way, perspectives that reliably illuminate the issue at hand. For example: what is the need that either a SOC or an MSSP seeks to fulfill?
It’s the company’s need to secure changing environments.
What is involved in the process? What big-picture questions should be considered?
Systems engineers, network architects, database administrators, the security team—everybody who is familiar with the existing environment will begin learning about new technologies as and when the company’s needs make it necessary. They will have to gather experience starting at that point.
Does the company want that? Or do they replace their workforce based on relevant experience? Or do they outsource operations to an MSSP?
Then there are more practical questions as we move from the big picture to the nitty gritty. Just a few examples: Do we migrate this on-prem data center to a cloud environment? When in the cloud, do we want a serverless architecture or not? What about legacy web applications?
As we move towards the smaller details, the more the answer depends on a host of factors. So instead, let’s consider the big picture.
Creating an internal Security Operations Center (SOC)
A SOC is a centralized entity within an organization that develops cyber security strategies, implements them, and manages incidents. At an organization conscious of its security posture, the SOC is involved with most projects from the planning phase on. This usually requires a variety of resources and talent, because incomplete security coverage can expose an organization to potentially devastating consequences.
People, processes, and technology are the high-level building blocks of a SOC. Understanding the needs and requirements of each is essential when setting up the department.
The first building block is people: the professionals hired to deal with security, such as SOC analysts and incident responders. IT professionals are in high demand, and those specializing in cyber security even more so. Hiring and holding on to motivated and knowledgeable individuals is a major challenge, but once it is overcome, the resulting team can be highly versatile and always available to deal with the specialized demands of the organization.
Processes are what guide employees when they are investigating or managing an incident; they are set up to clarify what needs to be done and how to assess what has been accomplished.
The third building block, technology, is made up of all the tools used to identify issues or detect bad actors. Technology helps you develop network awareness and assess threat levels.
Cost is perhaps the single biggest factor that guides decisions in the early stages of SOC development. The company has to set aside a budget, and have a clear idea of what that budget will allow them to achieve. A good rule of thumb would be 5% of the global budget going towards IT—at minimum. Once the budget is set, a clear timeline is established, but that timeline need not be detailed at this point. Think in terms of quarterly expectations, organized phases, milestones to be reached; this will help individuals involved in setting up the SOC make better detailed plans and break down larger tasks to smaller, more manageable projects. It will also help to establish priorities and lay out the most important items to execute. The aim of a roadmap like this is to develop accountability, but, even more importantly, to help mature SOC teams as they specialize into prevention, threat assessment, or monitoring.
With a SOC, companies can choose and customize software to suit their needs. A Security Information and Event Management (SIEM) program will put the data gathered from multiple cyber security tools into perspective and will be the foundation of the SOC.
One major benefit of an in-house security team is that all your data and logs are held locally, and are processed by the organization’s dedicated staff, which minimizes outside access. Everyone responsible for the security of the network will be under the direct supervision of the organization.
If the SOC receives an adequate budget, is staffed by competent professionals, has a properly planned setup, and sees those plans well implemented, it can provide robust protection from cyber attacks. Once all these factors come together, a SOC can solve problems quickly and efficiently, but that takes well-trained and experienced professionals such as SOC analysts and incident responders, as well as some time before the processes settle. Over time, however, fewer and fewer changes will be necessary, and efficiency will improve.
Choosing a Managed Security Services Provider
For the reasons detailed above, especially the cost, time, and resources involved in setting up a SOC, most companies benefit from outsourcing some of their cybersecurity to third parties specializing in the field. While working with an MSSP removes some of the issues that setting up a SOC presents, it is nonetheless a tough choice for any organization. What’s more, an MSSP should never completely replace internal security operations. Before choosing an MSSP, you should have a clear understanding of your company’s needs. Those needs will guide your choice, but they will also help potential vendors offer you the solutions you need.
Third-party consultants regularly advise companies on a huge variety of matters, and auditors review processes and make recommendations for adjustments. An MSSP has to provide this service as well, but continually, because the technology and the security landscape change so fast that periodic review is insufficient.
There can be any number of reasons why an organization would employ the services of an MSSP. The most common of these, other than the budgetary and resource constraints hinted at before, are (1) the organization’s needs overwhelm the support the SOC can provide, (2) the SOC cannot provide the level of compliance necessary, or (3) having an internal team has become too much of a security risk.
The level of service from an MSSP can vary greatly with the organization’s needs, but can also change over time. Balázs Nagy, President at NewPush, advocates for a crawl-walk-run approach. As an organization is in the process of choosing an MSSP, they might start with monitoring-only services, or dedicated and limited projects, before expanding the scope of managed services.
There are several advantages to employing the services of an MSSP. First, it is becoming increasingly difficult and costly to find high-quality SOC analysts as demand for talent increases. This is especially true for experienced and motivated individuals. Second is the cost: moving from an in-house team towards an MSSP can be a gradual process with discrete periods of limited-budget projects, which not only helps to assess the capabilities of the potential partner but also to manage expenses. Further, it may be possible for your existing in-house team to move to the MSSP, ensuring their continued employment and that institutional knowledge is not lost.
Conclusion
The point is that there are hosts of questions to consider, a lot of decisions to be made, and the answers have actionable consequences, each with their own budgetary and manpower requirements. A company that keeps its security in-house will have to make decisions, commit to its choices, and bear the cost of their implementation.
Whereas an internal team might be reluctant to change a system that is working right now—as they say, if it ain’t broke, why fix it?—an MSSP is expected to understand these questions, know what is involved in making these decisions, and have a reasonably reliable picture of where the technology is going to be a few years from now.
Usually the answer to these questions is that new technology is more secure and more efficient for operations; usually the updates represent a significant improvement over existing technology. What’s more, an MSSP is expected to know and understand whether a given update is in fact an improvement.
Once the company sets the goals and makes decisions on the what, the question of how is for the MSSP to sort out.
Challenges abound whether a company decides to build its own internal SOC, employ the services of an MSSP, or work with a mixture of the two. Before making a decision, a multitude of factors must be considered, but even the process of exploring the needs and capabilities of your organization is a step in the right direction.
The Connective Platform™ integrates a host of cybersecurity tools into one system faster than any of our competitors, but that alone wouldn't give our partners the edge over cybercriminals. Simply gathering all the data from a number of connected elements would still require an army of experts to make sense of it; it's analogous to how gathering stock prices from markets all around the world doesn't tell you where to invest your money next. Our platform goes on to analyse that massive amount of data to give our partners the information they need: where the weak points of their cyber defence are, and how to address them.