Organisations should adopt a hybrid SOC (security operations centre) model to maximise ROI (return on investment), says Martin Riley, Director of Managed Security Services at the cyber consultancy, Bridewell Consulting.
The European Commission’s recent announcement that it is building a ‘Joint Cyber Unit’ to tackle large-scale cyber-attacks should act as a warning siren to organisations of the risks they face. You only have to read the recent headlines to see the dangers – T-Mobile, the National Lottery and the Covid Passport scheme have all fallen victim to data breaches, with the first of these only discovered after customer data was posted on a forum.
With threats evolving daily, enterprises simply cannot afford to be complacent. Traditional security monitoring and notification approaches are no longer effective and organisations need to focus security strategies instead on threat detection and response.
The nerve centre of this strategy is investment in a Security Operations Centre (SOC). However, gleaning true value from a SOC can be a complex undertaking. Different organisations opt for different approaches, with in-house, fully outsourced and hybrid options on the table. Each has benefits, but in today’s threat landscape it is only the hybrid model that can offer the right combination of expertise, responsiveness, flexibility and cost-effectiveness.
Building best-in-class
The most critical requirement in any SOC is for 24/7 surveillance and responsiveness, including input from human beings. While technology can do a lot of the leg work in identifying threats, if there are no humans to make decisions or understand context, organisations can easily run into unnecessary and costly incidents or miss important risks.
Another requirement is modern technology. Solutions such as Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) technologies can help collect and analyse aggregated data and respond to security events, automating time-consuming, manual tasks and freeing up the SOC team to focus on what’s most important. However, to be fully proactive and cut through the noise, modern SOCs also need extended detection and response (XDR) technology for threat containment.
XDR collects and collates data from multiple technology solutions from a single vendor, providing greater visibility, coverage and performance. XDR vendors integrate a SIEM solution with SOAR technology, along with threat detection and response solutions, including those focused on endpoints, email, cloud and identity management.
The drawbacks of an in-house SOC
With technologies like the above enabling the consolidation of solutions, many organisations are quick to turn to an in-house SOC to gain central control and security oversight. But three main issues arise from this approach. Firstly, often in-house staff can lack the skills and resource to respond effectively to cyber threats, particularly as technology and threats evolve and organisations increasingly shift to the cloud.
Secondly, as IT estates spread and perimeters expand, so too does the number of tools needed to cover the cloud and possible vulnerabilities, each of which needs to be expertly configured, supported and, importantly, monitored effectively 24/7. To make matters worse, many organisations have tools that are poorly integrated, have overlaps or dangerous gaps in coverage that could leave them exposed.
Finally, an in-house SOC can be a costly venture – a five-person in-house SOC can cost at least £250,000 per year, a luxury that many organisations simply cannot afford.
Is fully outsourcing the answer?
Alternatively, organisations can look to fully outsource the whole SOC operation, leaning on a managed security services provider (MSSP) to deliver end-to-end threat detection and response and reduce management overheads. The provider will proactively hunt for threats, optimising the technology to respond rapidly and drastically reduce detection, dwell and response times of an attack.
An MSSP will also have access to a wider range of threat intelligence platforms to aid detection and access open-source intelligence from the surface, deep and dark web that can feed threat modelling and identify leaked information. But while they may have the expertise, skills and resources that in-house teams lack, without a true understanding of the organisation’s environment and context, cultural misalignment or false alarms can be commonplace.
Gaining best of both worlds
A hybrid SOC model leverages the cyber skills of in-house engineers, cyber security teams and an MSSP to create a single security operations centre. Activities are distributed across the in-house team and MSSP, so organisations can build teams with good context of their business, whilst leveraging the skills, experience and resources available within the MSSP to improve threat visibility and meet security goals.
The MSSP serves as a natural extension to the internal team, agreeing lines of responsibility but with the flexibility to adjust based on need. They will own security incidents, lead on high-value incidents and provide continual knowledge transfer to strengthen defences.
Another benefit of a hybrid set-up is that MSSPs can fill in the gaps in defences while developing in-house expertise. This helps teams stay on top of changing threats and technologies and can include tools and techniques from EDR to hypothesis or intelligence-based threat-hunting (for indicators, actors and breaches that bypass other mechanisms).
Prevention is ideal, detection is a must
Today, there’s no denying the importance of a SOC. Any organisation without one is playing a dangerous game and runs the risk of a cyber-attack with substantial consequences. By adopting a hybrid SOC approach, organisations can gain value in more ways than one, achieving a best-of-both-worlds scenario that is rarely attainable.