The list of significant cyber-attacks on major companies since the start of May is a stern reminder that organisations must upgrade their defences against increasingly determined and meticulous hackers. In the space of a few weeks, cyber criminals successfully attacked US East Coast's largest pipeline, almost brought the Irish health system to a standstill, and forced the world’s largest meat processing company, to pay an $11 million ransom, writes Martin Riley, Director of Managed Security Services, Bridewell Consulting.
Much of the effort to beef up protection inevitably focuses on prevention technologies and the Security Operations Centre (SOC) – the nerve-centre of an enterprise’s defences. But before organisations invest in new security operations centres or seek to upgrade technologies, they must take time to assess what they need, find out where their gaps are and which is the most effective approach. Because not all SOCs are equal. They fall broadly into three models – the in-house, the out-sourced and the hybrid. Each has its attractions, but in today’s threat landscape it is the hybrid model that offers the right combination of expertise and fast responsiveness, along with flexibility and cost-effectiveness. First of all, however, organisations need to remind themselves of the challenges facing today’s SOC and what it needs to be effective.
Cloud migration and what a SOC needs in 2021
The most fundamental requirement in any SOC is for 24/7 surveillance and responsiveness that includes human beings. While cyber-security solutions are highly advanced, if there are no humans to make decisions or understand the context of an alarm, an organisation will run into unnecessary and costly incidents and may not pick up the one anomaly that indicates malicious behaviour.
This requirement for trained professionals has increased because the migration of data and applications into the cloud has added to the complexity of cyber-security, making the acquisition of skills harder. Lack of secure cloud configuration is the biggest contributor to security breaches after software vulnerabilities.
Even for organisations without data on third-party servers, the adoption of cloud platforms like Office 365, Salesforce or Gmail has extended risk profiles. The problem is that the amounts of money involved in cyber-attacks are leading to talent shortages as organisations with deep resources recruit those with advanced skillsets, leaving a critical shortage for those who cannot compete.
This complex topography means traditional SOCs require at least 40 different tools to cover the cloud and every other possible vulnerability. The range of solutions runs from cloud access security broker solutions (CASB) to endpoint protection, intrusion detection systems (IDS), intrusion prevention systems (IPS), firewalls, active directory, user-management, server-management, configuration and more. Each needs to be expertly configured, supported and importantly monitored effectively 24/7.
Reducing the complications in cyber-security technology
Unfortunately, many organisations have tools that are poorly integrated, have overlaps or dangerous gaps in coverage that could leave them exposed.
A security information and event management system (SIEM) will remove some of the complexity by pulling technologies together to obtain visibility. Modern SIEMs can correlate across a number of data sources using artificial intelligence (AI), through machine learning (ML). But to be fully proactive and cut through the noise, SOCs need extended detection and response (XDR) technology for threat containment.
XDR collects and collates data from multiple technology solutions, from a single vendor, thus consolidating tools to perhaps 20 while providing the necessary context which increases the fidelity of alerts. XDR vendors integrate a SIEM solution with SOAR (security orchestration, automation and response) technology, along with threat detection and response solutions, including those focused on endpoints, email, cloud and identity management. For an effective cyber defence, SOCs need detection and response technology not just to detect, but to contain threats by taking immediate action, such as blocking network access.
The problems of an in-house security operations centre (SOC)
With platforms available for solution consolidation, many organisations will naturally consider creating an in-house SOC to analyse network traffic and gain oversight of the threats across the business. Yet even if they have a SIEM system, in-house staff can spend much time on routine IT matters, with no time to monitor and respond to activities.
There is also another severe problem – the chronic shortage of cyber security skills makes recruitment difficult and inflates costs. A rudimentary five-person 24/7 in-house SOC, for example, could easily cost a minimum of £250,000 per annum and bring with it all the personnel and recruitment headaches, not to mention not fulfilling all the SOC requirements. The skills gap is particularly acute in the use of the latest generation of XDR tools which are now vital for fast detection and response, operating on a zero-trust basis in which no user nor device is automatically trusted whether inside or outside the organisation. Zero-trust makes it harder for hackers to gain initial access and move around inside a diverse, distributed or hybrid IT estate or supply chain, but to be effective it requires the ability to filter out all the false positives.
Out-sourcing – advantages and pitfalls
Out-sourcing seems the obvious alternative and does indeed give organisations access to much greater specialist expertise while liberating them from management overheads.
A managed security services provider (MSSP) delivers end-to-end threat detection and response, helping in-house IT teams understand the risk and mitigation options required. This also helps overcome the skills shortage because cyber security professionals are attracted to the more varied and specialised work of MSSPs.
Using its wide resources, the MSSP will deliver a 24/7 threat detection and response solution that proactively hunts for threats, optimising the technology to respond rapidly and drastically reduce detection, dwell, and response times of an attack.
See also: Hackers are getting esoteric with their C2 channels. Here's what you need to look out for (including the C3 Framework, abuse of the Slack API)
Shared intelligence is also a great benefit. MSSPs have access to a wider range of threat intelligence platforms (TIPs) to aid detection and to access open-source intelligence from the surface, deep and dark web that can feed threat modelling and identify leaked information.
The drawback of the totally out-sourced model is that MSSPs often fail to understand the organisation’s environment and context, and a result, do not deliver the full potential of an effective security operation. Failure to understand a business because of remoteness leads to a cultural misalignment, too many false alarms, friction or indifference. All of this undermines collaboration, typified in the unmotivated MSSP identifying an alert and then simply saying to the customer “you deal with it”.
The benefits of the hybrid SOC
Although the in-house and out-sourced models have their disadvantages, a hybrid SOC model, if set up with the right level of expertise, will synergise their advantages. The hybrid SOC employs the knowledge and skills of in-house engineers and cyber security teams alongside the MSSP to create a single security operation. This still works to defined KPIs and SLAs but generates its real success and transformation from collaboration and flexibility.
Members of the joint team collaborate on where the SOC improvements need to be focused and how it should fine-tune them. They also agree on lines of responsibility so that MSSP could, for instance, handle the first line of defence, with threat intelligence, security engineering or architecture managed from within the business. Experience shows that the most successful hybrid SOCs emphasise flexibility rather than a rigid responsibilities matrix.
Follow The Stack on LinkedIn
A hybrid SOC will free in-house staff to drive projects and internal improvements. The MSSP will own security incidents and lead on high value incidents, but it can also develop the skills of in-house personnel in areas where required. The MSSP will also offer advice on best practice and solution selection. SOAR tools, for example, can be maximised, automating playbooks for investigation and response or interactions with third-party tools to improve performance. Developers can also build bespoke, API-based integrations to enable greater efficiencies beyond the scope of SIEM and SOAR systems.
In a hybrid set-up, MSSPs fill in the gaps in defences while developing in-house expertise in a range of tools and techniques covering everything from EDR to hypothesis or intelligence-based threat-hunting (for indicators, actors and breaches that bypass other mechanisms). Yet for all their undoubted security expertise, probably the most valuable benefit that MSSPs deliver in a hybrid model is continual knowledge transfer that an enterprise can disseminate among its own IT personnel.
Every organisation is different and has its own, unique cyber security needs which the hybrid SOC is best placed to meet without burdening organisations with hefty overheads, recruitment headaches and a constant battle to update skills and remain up-to-speed on technologies and threats. The hybrid SOC’s flexibility means organisations can easily scale provision to meet changing requirements while constantly upgrading in-house skills. It is rare to say that the best of both worlds is available, but in the case of the hybrid SOC, that statement rings true.