Transferring cybersecurity monitoring functions to a third-party virtual contractor is not a new topic. Security Operations Center (SOC) functions outsourcing has become widespread practice not only for large companies but also for relatively small organizations. Key client questions have also changed. It is not about proving the need for outsourced SOCs per se. Customers are rather concerned about the actual technology stack and security guarantees. How do you select a virtual SOC solution for your business?
Can external security monitoring and rapid response centers be considered an alternative to the in-house Security Operations Center? Does the EPS (Events per Second) value constitute a fair factor in determining the cost of outsourced SOC services? Should you outsource Threat Intelligence? Let us see how outsourced SOCs protect their clients from attacks, what services, in addition to monitoring, they are ready to provide, and what the pricing in this area is based on.
Information security specialists have observed an increase in cyberattacks that reach clients through the infrastructure of managed security service (MSS) providers. But what are service providers doing to prevent such incidents and build confidence in their services? Does certification against various standards or government licensing guarantee that such providers are safe and secure?
Some MSS companies stick to a quite straightforward SOC hosting policy, keeping their whole security operations center in the cloud. They strictly separate the data that they visualize and hand to clients from the data processed within the system. Plus, they are constantly working to find vulnerabilities and maintain the security of the product.
Corporate security is a crucial issue when introducing a new SOC service. A wide range of security practices should be applied, in particular, segregation of areas of responsibility, where different people handle incidents, have information about the clients’ infrastructure, and have access to servers located on the clients’ sites. In addition, it is advised to monitor all infrastructure yourself and allocate your SOC to a separate VLAN and a separate domain in the cloud.
Software manufacturers face the added hazard of supply chain attacks. Therefore, over the past year, they have paid increased attention to this problem, introducing an internal SOC that monitors their own infrastructure. Third-party SOCs can protect their clients only when they are themselves very well protected.
External audits such as certification of the SOC segment according to ISO 27001 and other standards are also an effective method of ensuring a high level of protection. The minimization of external products in the technology stack also helps to reduce the vulnerability of the service provider.
When choosing a SOC service, a mature client should ask the supplier a question: “To what extent are you going to ensure the security of the service you are providing?” When making decisions to outsource SOC functions, the client company should carefully consider all the associated risks. The service provider should not solely control these risks; the client should reserve the ability to monitor the relevant processes.
Most companies believe that only low-risk areas can be outsourced. The vast majority are not ready to entrust monitoring of key business processes and systems to third parties.
The maturity of the client’s information security largely determines the demand for certain services.
The information technology infrastructure of the client is also important, for example, the topology of its network. A modern outsourced SOC can provide a vast range of services. Most often, the service provider has different departments responsible for specific services. Typically, cooperation with the SOC begins with establishing a secure channel between the client and the service provider, as well as informing the client about the incidents or malware detected. As the cooperation develops, additional areas of responsibility may be outsourced.
Experts believe this is a shortsighted approach. Processing and interpreting information from SIEM requires skilled professionals and advanced response routines that an outsourced SOC has by default. Using a ready-made SIEM will lead, first of all, to a huge number of false positives that need to be further analyzed.
If a customer begins to think about connecting to a commercial SOC, it already feels the need for such services. Using behavior analytics to boost business cybersecurity is one option. At the same time, there is no clear line that determines the need for an external SOC. When choosing a third-party SOC, the organization should, first of all, pay attention to the following:
To a large extent, this component depends on the client and on the client's assessment of various risks. It is important, for example, whether the client is ready to work with a data center located abroad. If the client is going to launch an in-house SOC in the future, it will select a provider that uses the same technology stack.
One of the determining factors in setting price rates for external SOC services is the EPS (Events Per Second) value, which characterizes the load on the SIEM system, along with the labor costs of analysts. It should be noted that, with some SIEMs, the key pricing factor might not be EPS but the number of hosts supported or incidents identified. The cost is also influenced by the number of source connectors and response scenarios designed specifically for this client. If the client's data is stored in the provider's cloud, the cost may depend on the retention period.
If the client cannot determine the planned EPS, or the number of events per second has increased significantly during operation, providers try to find a compromise. For example, they try to reduce the EPS value by turning off low-value event sources that generate the largest number of false positives.
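As an added illustration (not code from the article), the following Python script estimates the EPS that each log source contributes over a constructed sample and shows how much SIEM load disappears when the noisiest source is suppressed; the log format and the source names are assumptions.

```python
# Per-source EPS estimate over a log sample (added example, not from the article).
# Shows which source dominates the SIEM load and what remains if it is turned off.
from collections import Counter
from datetime import datetime

# Constructed sample, one event per line: "<ISO timestamp> <source> <message>".
SAMPLE_LOG = """\
2024-01-01T00:00:00 fw-edge deny tcp 10.0.0.5:51000 -> 203.0.113.9:445
2024-01-01T00:00:01 dc01 4624 logon succeeded user=alice
2024-01-01T00:00:02 fw-edge deny tcp 10.0.0.5:51001 -> 203.0.113.9:445
2024-01-01T00:00:03 proxy GET http://example.com/ 200
2024-01-01T00:00:04 fw-edge deny tcp 10.0.0.5:51002 -> 203.0.113.9:445
2024-01-01T00:00:05 fw-edge deny tcp 10.0.0.5:51003 -> 203.0.113.9:445
2024-01-01T00:00:06 dc01 4625 logon failed user=bob
2024-01-01T00:00:07 fw-edge deny tcp 10.0.0.5:51004 -> 203.0.113.9:445
2024-01-01T00:00:08 proxy GET http://example.com/x 404
2024-01-01T00:00:09 fw-edge deny tcp 10.0.0.5:51005 -> 203.0.113.9:445
"""


def parse_events(text):
    """Return (timestamp, source) pairs; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1]))
        except (IndexError, ValueError):
            continue
    return events


def observed_window(events):
    """Length of the sample in seconds; timestamps have 1 s resolution, so the span is inclusive."""
    stamps = [ts for ts, _ in events]
    return (max(stamps) - min(stamps)).total_seconds() + 1.0


def eps_by_source(events, window_seconds):
    """EPS contributed by each source over the given window."""
    counts = Counter(source for _, source in events)
    return {src: n / window_seconds for src, n in counts.items()}


def total_eps(events, window_seconds, excluded=()):
    """Overall EPS, optionally ignoring sources that are being turned off."""
    return sum(1 for _, src in events if src not in excluded) / window_seconds


def noisiest_sources(events, window_seconds, n=1):
    """Sources ranked by EPS, highest first: the candidates for suppression."""
    ranked = sorted(eps_by_source(events, window_seconds).items(), key=lambda kv: -kv[1])
    return [src for src, _ in ranked[:n]]
```

On the sample, fw-edge alone accounts for 0.6 of the 1.0 EPS, so dropping its repetitive deny events cuts the billed load to 0.4 EPS before any tuning of the remaining sources.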
Most experts believe that a third-party service provider can only be held accountable to the client within the scope of its monitoring area.
SOC providers should not be held liable for all missed incidents. At the same time, a third-party SOC should not be exempted from liability completely. The contracts of the external monitoring center usually clearly specify the provider’s area of responsibility and the areas controlled by it.
Within the framework of these provisions, the service provider may bear a certain responsibility on equal terms with the customer, since the detection of an incident depends not only on the competence of the SOC, but also on the infrastructure and actions of the customer. While most providers guarantee the availability of the service within the established SLA, they are not ready to bear unconditional financial responsibility for missing information security events. One of the options for resolving the issue of liability can be insurance of risks; despite increasing the contract cost, this allows both the client and the provider to cooperate on convenient terms.
On the one hand, such a center can be given a chance to rectify the situation. However, past hacking incidents prove a lack of skill and poor procedures.
One option could be a third-party audit performed before contracting or during operation. Another approach relies on the transparency of the provider's service and the ability to analyze the accumulated raw data. In some cases, the operational archive can be stored at the client's facilities. The client can also carry out an attack simulation or a penetration test, either independently or with external specialists, in order to assess the SOC's performance.
What should a client do if it decides to move to another SOC or establish an in-house monitoring center following a period of cooperation with a third-party provider? What happens to the accumulated data? First of all, before deciding to switch to a new provider, you should weigh the pros and cons and negotiate with the existing service provider. The costs of setting up interactions with a new team may exceed the benefits of working with them.
As for creating your own SOC, experts recommend using a hybrid model, gradually transferring the monitoring center functions to an in-house team. Thus, it is possible to avoid security control gaps and smoothly build up the necessary competencies.
When opening an in-house SOC, it makes sense to leave the most cumbersome functions with the provider, since the provider's team possesses broader expertise in those areas. It would be reasonable to leave the analysis of detected malware, incident investigation, and threat intelligence to an external contractor. One of the most challenging problems during the transition to a new SOC (whether in-house or third-party) is the change in incident response processes and work scenarios.
SOC providers are ready to offer their clients a wide range of services, from basic monitoring functions to qualified incident response and investigation. The market for such services is already fully developed, and competition is pushing providers to further expand their tools and offer flexible, competitive pricing. The ability of a SOC to work effectively under the outsourcing model largely depends on the client's maturity, the readiness of the client's infrastructure, its cybersecurity skills, and its information security specialists' ability to interact with an external team. Having an in-house SOC by no means excludes cooperation with an external service provider; many providers are ready to work with clients on a mixed basis.
Author Bio: David Balaban is a computer security researcher with over 18 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.