Netenrich recently added some non-traditional capabilities to our Security Operations Center (SOC) offering, and we’re migrating customers from a traditional shared services approach to a true “as a service” model – an AIOps-driven platform based on desired outcomes and powered by proven expertise. With the launch of our Intelligent SOC offering, we asked ourselves, “are we even still a master managed security services provider (MSSP) or what?” It seemed to be a gray area, so we asked other security experts like industry analysts, partners, and customers.
It quickly became clear that things are not so clear: the lines between what constitutes MSSP, SOC-as-a-Service, managed detection and response (MDR), and SOAR can blur a little, or a lot, depending on who’s putting the stake in the ground. Experts, for the most part, agree.
So, what does this mean for enterprises looking for help with security? At the end of the day, we concluded that the debate boils down to two core issues: 1) how much of the prospective offering is “machine,” and how much is “human”? And, 2) how flexible is it?
Regarding the first point, the term MSSP seems to connote a higher degree of expert support than SOAR, for example. MDR seems to connote lower cost and to lean heavily on automation, with value-added professional services (expert help) available at a premium cost, if at all.
The wildcard for the moment seems to be “SOC-as-a-Service.” This term seems to most closely characterize Intelligent SOC, so we decided to describe what sets it apart from other approaches and how you should expect to benefit.
As an enterprise’s cybersecurity strategy matures to the point of formalizing security operations within a dedicated SOC, the “buy vs. build” dilemma arises, fraught with complicated pros and cons. Large companies that can afford to allocate space and invest in equipment, staff, and training often bite the bullet on deployment costs – typically around $3M with a two-year rollout—while those who aren’t as evolved or well-funded, or that need to move faster, skip the capital outlay and engage providers.
Once the SOC is in place, the degree to which running and operating it might save company money depends on a few things, including the prospective provider’s approach. If the price is fair and works as advertised, it might very well cost less to consume services than to recruit, train, and retain skilled analysts to run the SOC 24/7. If you overpay or the provider consistently misses SLAs, the perceived value of your managed SOC investment suffers.
Hidden within this dilemma are other variables, like whether pricing is based on transaction volumes, the number of devices being managed, complexity, bodies, or a mix. Are you locked into a fixed set of terms and capabilities, and if so, for how long? How skilled are the people on the other end of the firewall logs?
Last but not least, what happens when something changes? As you discover a new need, or a new security technique emerges? Or everyone suddenly starts working from home?
Netenrich believes a defining element of SOC-as-a-Service should be “right-sizing” consumption, based on your target outcomes, changing needs, and overall satisfaction. Whether you’re looking for managed SIEM, faster detection, noise reduction, better threat intelligence and risk perspective, remediation, or something else, you should be able to interact with the platform to purchase the outcomes you need at any time. That means being able to turn capabilities on and off—and stop paying for them—as you need or want to try them out.
For example, maybe you invested in BitSight or Security Scorecard to get a third-party security rating. You worked on the problems they brought to the surface and got your rating up (and presumably became safer), and now you’d like to take the next step. Perhaps get a slightly different view from Red Teaming or attack surface management (ASM). Only you can’t afford both, so ASM has to wait.
If possible, you should be able to try the whole thing out before you turn over the keys. A consumption-based pricing model distinguishes SOC-as-a-Service from most traditional offerings and actually enables MSSPs to easily expand their own portfolios without investing heavily in new technologies, recruiting and training, or sales and marketing.
The one constant in cybersecurity, as elsewhere, is change, but here the pace is frenetic. Within just two years, we’ve seen major milestones in just about every area: new standards like GDPR, ransomware attacks like WannaCry, perimeter security and compliance blurred by the cloud, the explosion of AI, and the Work from Home 2020 campaign.
So, how do you know what you’ll need a year from now much less three? You don’t, and engaging a provider shouldn’t mean painting yourself into a corner. Here, the expectation should be that the SOC-as-a-Service approach is more forward-looking and will continue to add capabilities to keep pace with cybersecurity innovations as your needs and cyber-strategy evolve.
For example, IT and Security teams know they need to become more proactive, but dealing with digital reams of alerts and incidents precludes them from doing so. An Intelligent SOC approach should make it easy to implement better threat intelligence, attack simulations, ongoing vulnerability assessments, and ASM to complement pen tests and Red Team exercises, or even to spin up a virtual war room quickly to triage threats as you find them.
Long-term value and perceived return on investments in security benefit greatly from continued innovation and the ability to scale vertically and horizontally (more volume, more expertise, and more capabilities) as needed and at scale.
Dynamic blend of “human and machine”
We talk a lot about AI, the shortage of cybersecurity skills, and lately about striking the balance between machine and human intervention and resolution. We know the cost to recruit and train new analysts for up to a year, only to have many “upskill” themselves and move on within 18 to 24 months.
We hear less about the impact on operations when expertise and “tribal knowledge” walk out the door, whether that expertise is resident within the enterprise or lives on the MSSP side. Service providers can offer more in terms of career path and retain or progress analysts longer than enterprises can, but that only makes the tribal knowledge unique to an individual more valuable.
The ideal “machine + human” equation should be a dynamic, outcome-driven mix of three things:
- Having a platform that gets smarter with each transaction such that machines can resolve a higher percentage of incidents without intervention from the team over time
- The ability to codify tribal knowledge – people, process, historical, and product context – into the platform such that resolution occurs more quickly no matter who does it
- Being able to scale and quickly engage or relinquish expert support as needs fluctuate, without having to recruit, train, and wait
So How Much Does All This Matter and Why?
If you remember back to when phones came with cords instead of computers, you may recall the quip, “Call me anything except late for dinner.” (Words to live by!)
A similar question can be asked by CISOs and those tasked with filling out RFPs or defining the scope of cybersecurity services. Who cares what they call it as long as it does what you need and fits your budget, with no deadly fine-print or strangleholds?
Our advice? Start with a list of what you’d like to accomplish, and if you don’t know what you need, engage a consultant or friendly expert to help figure it out. Consulting time costs money, but it may pale compared to investing in the wrong technologies or betting on the provider.
At the end of the day, lackluster results in cybersecurity can often be traced to not setting the right expectations up front. How much is enough? What constitutes “good” or “bad” results? Are you safer today than you were yesterday? How do you know (unless you got breached yesterday)?
Try Intelligent SOC Free to Find Out
Netenrich’s Intelligent SOC-as-a-Service overcomes many of the issues discussed here – pay-as-you-go consumption, a non-traditional portfolio, and the experts you need when you need them. But don’t take our word for it. Try Intelligent SOC now and receive a free trial of Netenrich Attack Surface Intelligence (ASI) to reduce external risk from digital brand exposure.*
*Three-month ASI trials will be provided to qualifying customers with one-year Intelligent SOC engagements.