Outsourcing your SOC operations to a Managed Security Service Provider (MSSP) allows you to sidestep the logistical and financial challenges of maintaining an SOC operation in-house.
But there’s definitely a right way—and a wrong way—to go about selecting which MSSP to hire. In this interview, Nir Rubin, CyberProof’s Head of Global Operations, shares some of his insights into what to look for in a security service provider to ensure your organization is protected effectively.
Question: What kinds of organizations should consider outsourcing their security operations?
Answer: If security and IT aren’t your core business, it’s best to focus on what you do best, and let the experts deal with the security. This is an approach that’s not related to the size of your business but the value of your business. Whether you are a bank, a public or private company, or any other kind of organization – it makes business sense to put your time, effort, and resources into areas that are specific to your business, and to outsource security operations – which are highly specialized.
Question: What are the advantages of outsourcing SOC operations over keeping a SOC that’s fully in-house?
Answer: A security services provider can give you access to a higher level of cyber expertise. If you’re working with the right service provider, it allows you to work with top people in the field, security experts who have extensive experience handling a wide range of security issues – the kind of people it’s unlikely you’ll be able to retain in-house.
But that’s just one part of the equation. There’s also the question of limiting your financial investment in security – and maximizing your savings. It’s very expensive to maintain a 24/7 SOC in-house. By outsourcing, you receive SOC services on demand. You don’t pay for the facilities, you don’t need to hire and retain the people, you don’t need to buy hardware or maintain the technology – it’s all on the cloud, and you get it as a service, as you need it.
There are scenarios where the savings can be particularly notable. If you work for a company that’s part of a larger umbrella organization, for example, you can aggregate your security and IT operations into a single SOC and network operations center (NOC), which is significantly more cost effective than having each company maintain its own SOC and NOC.
There are also logistical questions. If you work for a company that doesn’t have 24/7 support, for example, you might consider working with an MSSP because it’s not easy to retain a SOC team where people are required to work through the night and on weekends.
Another advantage of an MSSP is that it’s not “all or nothing.” Some companies decide to outsource all their security needs, while others maintain an in-house SOC that operates during business hours but outsources the work at night – thereby taking much of the strain off the in-house team. A hybrid MSSP approach helps you keep your in-house team long-term by reducing burn-out and improving retention.
Question: What capabilities should you look for when considering an MSSP?
Answer: To my mind, there are three areas that are crucial to consider:
- Expertise: Check out the quality of the team. Do they have the in-field knowledge and experience? Are they familiar with the necessary processes? There’s a global shortage of experienced security professionals; be aware that some vendors offer a higher level of expertise than others.
- Facilities: Learn about the physical facilities that the MSSP has at its disposal. Physical facilities are needed to support the processes – and this includes 24/7 support. Make sure the vendor has advanced facilities that allow effective, international communication and the ability to handle incident detection and response.
- Methodology: Some vendors take a very superficial approach. They focus on being cost effective and maintain too small a team to support multiple clients. These vendors have standardized processes and their level of knowledge of each customer is basic. In contrast, there are vendors that take the time to learn about each customer intimately and offer a more tailored cyber security strategy – whether it’s in terms of threat intelligence, ChatOps, playbook and operations, or tuning SIEM processes. Effective cyber security protection requires this type of customized, in-depth learning.
Question: If companies have not transitioned to the cloud – or if they maintain a hybrid IT environment – can they still use an MSSP?
Answer: Organizations can work with an MSSP even in IT environments where everything is on-premises, and also where there’s a hybrid IT environment. The onboarding is a little different – the setup varies from organization to organization – and the start-up process may be more complex.
If everything in your organization is on-prem, you will need to keep a SIEM on-site too. In this situation, it’s even more important to find out exactly what each MSSP is offering because there are different levels of service available. Most services provide you with a digital interface – but you don’t actually meet the people behind the platform. And there’s no support.
Here at CyberProof, our process is unusual in that we work with customers both remotely and on-site. For companies that haven’t fully transitioned to the cloud, this makes all the difference. Our expert team travels and meets with customers in the field. We offer ongoing assistance – managing your SIEM, maintaining regular and ongoing communication with each of our customers several times a week, and initiating a service review every month.
Question: What is a typical timeline for engaging with an MSSP?
Answer: The standard timeline for onboarding is between three weeks and three months. But that’s not the question you should be asking, really.
What’s crucial is this: within a standard time period, what does the MSSP give you? Some places don’t define clear work processes – they take control at a basic level, without gaining an in-depth knowledge of a customer’s business and security needs.
The right MSSP will start with an in-depth assessment on-site, taking the time to understand the company from A to Z. That starts by probing your business processes and identifying your unique cyber security threats, and ends by learning about IT and your security ecosystem. It’s based on this kind of cyber security risk assessment that an effective cyber security strategy can be put into place.
In addition, when it comes to security, speed is always an issue. And that’s where automation comes in. Advanced MSSPs are continually looking for ways to further integrate automation and orchestration to provide a faster, more effective engagement process.
Question: What services are typically provided as part of an Advanced MSSP?
Answer: The basic basket of services usually relies on a group of analysts who monitor the SIEM, review the alerts, and provide a pre-defined response (following a workflow) – without any threat intelligence. The MSSP reports to the customer each problem that comes up, but the customer needs to take it from there.
In some cases, an MSSP will conduct a basic investigation, determining if an alert is a false positive. But when there’s any serious security issue, it’s usually the customer’s problem.
With this type of service, if there’s a real security issue – you need to look for vendors to handle each aspect of the response: forensics, threat intelligence, computer security incident response, laboratories. You’re working with multiple service providers and there’s no fusion between them.
In contrast, if you hire an advanced MSSP that provides a holistic approach, the provider has its own teams for all these functions – and can integrate all of these resources to provide a real-time response when a threat is detected and rapid response is required.
By taking the time to get to know your organization in-depth ahead of time, i.e., before a crisis occurs, and by working as a cohesive team during an attack, an advanced MSSP like CyberProof can operate from a position of strength – with intimate knowledge of your processes, and insight into the broader threat landscape. This allows faster mean time to detect (MTTD) and mean time to response (MTTR), lower risk levels, and better protection for your business.