THE SECURITY SELECTION: IN-HOUSE SOC OR MSSP
Any cyber security service rests on the three core pillars of Security Operations: “People”, “Process” and “Technology”. To keep the comparison simple, this article uses those pillars as its base and compares each element in both scenarios – an in-house Security Operations Centre (SOC) versus a Managed Security Services Provider (MSSP).
Implementation and Management
It is well known that SIEM is a complex technology and that skilled resources are required to implement and manage a SIEM infrastructure. In addition, a SIEM loses its value if alerts are not fine-tuned regularly and “noise” (false positives) is not suppressed. The primary reason most SIEM implementations fail is the lack of effective management and regular monitoring.
For any SIEM to detect the latest threats, continuous security use case development is required: the latest threats must be translated into use cases that can be alerted on and responded to. A lack of regular use case development and implementation also reduces the ROI of a SIEM solution.
With an MSSP, all responsibility for implementation and management is transferred to the service provider, for whom this is a prime responsibility. Hence, assurance regarding effective management of the SIEM infrastructure is very high with the outsourced model.
24 / 7 Monitoring and Response
A SIEM that isn’t regularly monitored adds little or no business value, so 24x7x365 monitoring and analysis is essential to detect attacks, malicious connections or other anomalies. Round-the-clock cover requires a dedicated Security Operations team of at least 10 members, and this team needs regular training on the latest threats and on the different technologies within the organization’s infrastructure.
If a company is able to hire, train and retain such skills, running the SOC in-house may be worth considering. Given the dynamics involved, however, in most cases it makes business sense to transfer this responsibility to a partner who can demonstrate the right level of capability and commitment to provide this as a service.
By engaging an MSSP, businesses also get the advantage of the skills and knowledge the analysts have attained while managing diverse security infrastructure elements and attacks that have targeted other customers.
For effective Security Operations, it is important to adopt an incident lifecycle that varies with the type of incident and its impact. Guidance on a standard lifecycle can be derived from the SANS incident handling methodology, although it may need to be tweaked for each type of incident.
Some MSSP services adopt a dynamic incident lifecycle based on the type of incident, pre-populating the tasks that should be completed to manage the incident effectively. This ensures consistency and quality of incident handling.
Cost of hardware
When considering an in-house implementation, businesses need to factor in the cost of the hardware required to set up the SIEM infrastructure and the associated annual support contracts, which could be somewhere between 15% and 30% of the initial capital. With an MSSP, this cost is converted into Opex without the need for heavy initial investment.
From a cost perspective, an in-house implementation may start to make sense after a period of 4 to 5 years; however, like any other technology, a SIEM may also require a revamp, adding to the cost again.
SIEM infrastructure requires regular maintenance and development to be able to detect new attacks. Generally, if security isn’t the prime focus of an organization, there may be a lack of emphasis on this work, reducing the effectiveness of the solution.
By engaging an MSSP, your organization benefits from the regular development work that most service providers carry out. This is essential, as it enables them to detect new attacks, which are ever evolving.
Effective Security Operations need to cover both known and unknown threats; threat intelligence addresses the known side by providing lists of known threats in the form of reputation data, known bad IPs, malicious hashes, etc. Hence, it is important to incorporate threat intelligence into security operations. Although there are multiple free and commercial providers of threat feeds, if this information is not effectively filtered it may not add much value. Some MSSPs are able to qualify and apply threat intelligence that is relevant to the business they support, by geography and business vertical.
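The two points made above about SIEM value, suppressing false-positive “noise” and filtering threat intelligence down to what is relevant for the business, can be shown in a few dozen lines. The following is an added example, not code from the article or from Help AG: it matches constructed SIEM-style firewall and endpoint log lines against a constructed threat feed, keeps only indicators that are global or tagged for the organization’s region and vertical and above a confidence floor, and drops events from a hypothetical internal scanner that would otherwise alert on every indicator it touches. All IPs, hashes, host names and tags are made up for the illustration.

```python
"""Threat-intelligence matching with relevance filtering and noise suppression.
Added example; every feed entry, IP, hash and log line below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str             # "ip" or "sha256"
    value: str
    confidence: int       # 0-100, as published by the (constructed) feed
    regions: frozenset    # country codes the indicator is tied to; empty = global
    verticals: frozenset  # business verticals targeted; empty = all


# Constructed threat feed using documentation/test address ranges, not real IoCs.
THREAT_FEED = [
    Indicator("ip", "203.0.113.45", 90, frozenset({"AE", "SA"}), frozenset({"finance"})),
    Indicator("ip", "198.51.100.7", 40, frozenset({"BR"}), frozenset({"retail"})),
    Indicator("ip", "192.0.2.250", 95, frozenset(), frozenset()),  # global, high confidence
    Indicator("sha256", "a" * 64, 85, frozenset(), frozenset({"finance"})),
]

# Constructed suppression list: a hypothetical internal vulnerability scanner
# that probes everything and would otherwise generate constant false positives.
SUPPRESSED_SOURCES = {"10.0.0.5"}

FW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\w+)")
HASH_RE = re.compile(r"host=(?P<host>\S+) sha256=(?P<sha256>[0-9a-f]{64})")


def relevant_indicators(feed, region, vertical, min_confidence=70):
    """Filter the feed to indicators that are global or tagged for our region and
    vertical, and that meet the confidence floor. Returns {(kind, value): Indicator}."""
    selected = {}
    for ind in feed:
        if ind.confidence < min_confidence:
            continue
        if ind.regions and region not in ind.regions:
            continue
        if ind.verticals and vertical not in ind.verticals:
            continue
        selected[(ind.kind, ind.value)] = ind
    return selected


def match_events(log_lines, indicators, suppressed=SUPPRESSED_SOURCES):
    """Correlate log lines with the filtered indicators.
    Returns (alerts, suppressed_count); each alert is a dict describing the hit."""
    alerts, suppressed_count = [], 0
    for line in log_lines:
        m = FW_RE.search(line)
        if m:
            if m["src"] in suppressed:      # known-benign source: drop before matching
                suppressed_count += 1
                continue
            ind = indicators.get(("ip", m["dst"]))
            if ind:
                alerts.append({"type": "ip", "indicator": ind.value,
                               "src": m["src"], "confidence": ind.confidence})
            continue
        m = HASH_RE.search(line)
        if m:
            ind = indicators.get(("sha256", m["sha256"]))
            if ind:
                alerts.append({"type": "sha256", "indicator": ind.value,
                               "host": m["host"], "confidence": ind.confidence})
    return alerts, suppressed_count


# Constructed SIEM input: firewall and endpoint-style lines.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z fw01 src=10.0.0.5 dst=203.0.113.45 action=allow",   # scanner, suppressed
    "2024-01-01T10:00:02Z fw01 src=10.0.1.22 dst=203.0.113.45 action=allow",  # relevant hit
    "2024-01-01T10:00:03Z fw01 src=10.0.1.23 dst=198.51.100.7 action=allow",  # low confidence, other region
    "2024-01-01T10:00:04Z fw01 src=10.0.1.24 dst=192.0.2.250 action=deny",    # global indicator hit
    "2024-01-01T10:00:05Z edr01 host=ws-17 sha256=" + "a" * 64,               # malicious hash hit
    "2024-01-01T10:00:06Z edr01 host=ws-18 sha256=" + "b" * 64,               # no indicator
]


def run(region="AE", vertical="finance", min_confidence=70):
    """Apply the relevance filter for one organization profile and correlate the sample logs."""
    inds = relevant_indicators(THREAT_FEED, region, vertical, min_confidence)
    return match_events(SAMPLE_LOGS, inds)


if __name__ == "__main__":
    alerts, dropped = run()
    print(f"{len(alerts)} alerts, {dropped} event(s) suppressed")
    for alert in alerts:
        print(alert)
```

Run with the default profile (region AE, vertical finance) the same six log lines produce three alerts and one suppressed event; with a retail profile in another region the low-confidence regional indicator becomes relevant and the finance-only hash does not. The point is that the feed is identical in both cases: what differs is the filtering applied before matching, which is the work the article says most unfiltered feeds leave undone.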
Majid Khan, MSS Architect at Help AG