When it comes to managing their security operations center (SOC), organizations struggle with some common challenges: there are too many tools and too few people, the tools available are expensive to purchase and manage, and teams grapple with alert overload.
Running a SOC that focuses on prevention, protection, monitoring, detection and remediation 24/7 is expensive and requires a significant amount of expertise that most organizations don’t have. Security professionals must monitor events around the clock, fine-tune technologies to identify genuine threats and reduce false positives, and respond quickly to incidents – it’s difficult, even for a larger security team.
For some organizations, the key to these challenges may lie in the hybrid SOC.
Examining the complicating factors
Organizations know they have a problem, but they struggle to fix it. One of the major factors that hinders attempts to remedy the situation is a lack of resources. This includes time and money but also skilled staff. The ISC(2)’s latest cybersecurity skills gap report found there’s currently a shortage of 2.7 million skilled cybersecurity professionals worldwide.
Other factors that hinder staff are overwhelm and alert fatigue. The average SOC analyst receives as many as 10,000 to 11,000 alerts per day and they grapple with having to monitor multiple dashboards. That’s on top of needing to deal with a huge number of technologies, an overarching lack of integrations and, often, a dearth of more advanced capabilities like artificial intelligence and machine learning.
In addition, many modern organizations tend to focus on prevention, but that’s not enough. There needs to be a more balanced focus on prevention, detection and protection together. For most organizations today, the reality is that a breach or a cyber-attack is a when, not an if. You must continuously tune your tools; you can’t just set them and forget them. You also need to have a response plan for when things go sideways.
There’s no one magic bullet in cybersecurity. All these disparate solutions and tools purport to be the answer, but they also tend not to play nicely together.
The role of the hybrid SOC
The hybrid SOC approach can be very effective for organizations that grapple with all the above challenges. It can be implemented in several different ways: as a hybrid environment with a mix of on-premises and cloud resources, as a co-managed SOC in which you work with a partner, or as a combination of both.
In the latter case, it’s essentially a co-monitoring of your SOC – but it’s not a “do it once and walk away” scenario; it’s an ongoing partner relationship. You want flexibility in terms of how much your own team will monitor/manage and how much the partner will monitor/manage.
For example, maybe you want 24/7/365 coverage, but you don’t need the partner to handle all of it; maybe you just want them to cover holidays and weekends or off-hours. It’s really about the combination of “us and them” – look at what pieces you want to handle and which ones you want them to. The routine maintenance and monitoring is something an external provider can offer – and that’s a really important piece of the whole.
Choosing a partner
A service provider can supplement your existing resources, but how do you pick the right one for your needs? To start, ensure they have the right amount of bandwidth. They aren’t immune to alert fatigue either, so it’s important to ensure they’ve got the right number of staff.
Ensure that they integrate a broad set of technologies, so that you don’t have to. Find out if they use the latest tools to increase integration and reduce overwhelm. The answers to these questions will help make sure you get more bang for your buck.
When you’ve embarked on the evaluation process and are trying to decide which partner to go with, the next step is to make your short list – whittle it down to perhaps three choices of partners who you feel gave you the right information and did not just tell you what you want to hear. See if you can talk to some of their customers.
You’ll also want to look for third-party validation, as well as evidence that your potential partner provides a business outcome-based approach. You need someone who understands your business. When you’re in the crosshairs, you need them to truly understand what you can and can’t do. For instance, if you’re a medical organization, downtime may not be an option in the midst of an attack.
Finally, you want a breadth of solutions – the option to work with different vendors and technologies rather than being locked into one. You want the option to have the best of every solution, and you want an offering that is flexible. And, it’s important to use the tools you already have in place instead of being required to rip and replace them.
Once you’ve made your choice, it’s important to have clearly delineated roles and responsibilities. You need:
- Communication that goes both ways
- Clear service level agreements (SLAs) and key performance indicators (KPIs)
- A designated liaison or owner within your organization to oversee the relationship
- Metrics – you want a customizable, flexible portal that gives the right visibility and metrics for your needs and your executives’
Partnering for the best SOC
Due to the increased volume of cyberattacks and the technologies needed to defend against them, in tandem with a widening cyber-skills gap, organizations are looking for a manageable SOC framework. Partnering with a managed security service provider (MSSP) has never been more crucial for organizations that struggle to maintain coverage. Find a trusted MSSP to ensure your business has the personnel and technology available to defend itself. Use the guidelines above to vet potential partners and improve your security posture.