This is a continuation from my last article where I will explain the main considerations for an External SOC delivery method.
Realizing Cost Savings with an External SOC
Contracting an external party to deliver Security Operations Center (SOC) services can lead to significant cost savings. External SOCs have the advantage of minimal initial costs and reduced running expenses due to outsourcing’s economies of scale.
Proper Management of Vendor Relationship
To reap the benefits of an external SOC, organizations must manage the vendor relationship effectively. However, it’s important to recognize that the responsibility for the SOC remains in-house. Therefore, organizations need to maintain SOC governance internally. To ensure the external provider meets expectations, an internal resource (or a small team) should be appointed to oversee the external SOC.
Involvement of Internal Employees
Internal employees’ involvement in an external SOC should primarily be supervisory. They ensure that the external party performs SOC services appropriately and meets the standards outlined in the service level agreement. This includes tasks like tuning, raising incident tickets promptly for remediation by internal teams, and providing feedback and metrics.
Ensure there is someone internal to manage the relationship with the MSSP, otherwise the outsourced SOC may be looking at infrastructure that no longer exists (e.g. servers reconfigured with different IP addresses) and consequently looking at a reduced sub-section of the estate rather than core components.
Multi-Tenanted Arrangement vs. Dedicated Service
The level of familiarity with an organization’s business depends on whether the external SOC is managed as part of a multi-tenanted arrangement or a dedicated service. Multi-tenanted arrangements involve the provider delivering SOC services to multiple customers using the same equipment, facilities, technology, and staff. This maximizes economies of scale and allows threat intelligence to be shared between customers to identify common malicious activity.
Risks of Data Handling
Allowing an external party to handle sensitive data carries the risk of unauthorized disclosure to third parties. Proper assurances regarding confidentiality and data sharing must be sought from the Managed Security Service Provider (MSSP) and clearly outlined in the service level agreement.
Dedicated SOC Services
Some security providers offer SOC services dedicated to a single customer, but they come at a higher cost. These services might use the customer’s existing technology while leveraging shared resources and capabilities of the provider, potentially leading to a hybrid SOC.
Establishing an external SOC traditionally involves contracting the services of a MSSP, however, Managed Detection and Response (MDR) services are also gaining prominence as an alternative or complementary service. The overlap between MSSP and MDR services is growing, but there remain key distinctions. For example, a MDR service needs to detect threats missed by existing security controls, and covers the entire IR life cycle from (validation, investigation, containment & remediation). Premium MDR vendors also uses a proprietary XDR tech stack and do not rely on logs for threat detection. Most MSSP services lack these capabilities. Be aware of MSSPs that have simply rebranded to MDR and still rely on logs or a SIEM for threat detection & response.
Selecting a Service Provider
Regardless of the chosen option for implementing an external SOC, exercising due diligence in selecting a service provider is crucial. Establish criteria for evaluation, verify reputation and financial stability, conduct site visits, interview existing customers, and request proof of certification. Ensure that the service level agreement includes clear exit plans.
The benefits and limitations that associate with an external SOC are summarised below.
Summary of Benefits and Limitations of External SOC
The benefits and limitations associated with an external SOC, as identified by ISF Members, are summarized below: (Provide a summary of the benefits and limitations.)
Pick a vendor that you feel will be a partner organisation rather than just a vendor. Look for similarities in company ethos and a vendor with customers in your industry since they will be able to understand your business more quickly as well as identify industry specific threats. Ideally, the vendor’s customer base should also include other industries since they will be able to see the wider picture.