The “Factory” Approach to Seamless Cloud Migration
In today's fast-paced business world, the ability to quickly adapt to changes is crucial for success. Cloud migration is a change that businesses are rapidly adopting to stay competitive.
Sergey Stromilo, GDC Services: MDR - Key Ways to end up with the right services
07/06/2023
Companies from all over the world are increasingly opening their own Security Operations Centres (SOC) or Managed Detection and Response (MDR). But this new unit does not always meet their expectations. Why this is happening and when is outsourcing a more cost-effective option is explained in an interview by Sergey Stromilo, Head of Infrastructure and Applications Management, GDC Services.
The global SOC Service market is growing. What are the main reasons for this in your opinion?
Sergey Stromilo: According to a recent study “Future Market Insights” (FMI), the total SOC market income will reach USD 11,844.1 million, with the average growth rate of 24.3% by 2032.
The increasing frequency of data leaks and cyberattacks in small, medium, and large companies in the world increases the demand for efficient SOC-as-a-service (SOCaaS) solutions. Due to Coronavirus and its consequences, there has been an increase in the culture of remote working resulting in higher risks of cybercrime and phishing. To counter this, SOC implementation is increasing, especially in the USA, UK, Germany, China, and India.
Cyber threats reduce business productivity and threaten critically important IT infrastructure and confidential information. SOC implementation improves an organisation’s security and consumers’ trust.
Sergey Stromilo: The main thing is that the business has become more serious regarding the protection of information systems and establishment of SOCs. SOC establishment may involve either hiring external organisations or building it on your own. Taking into account the increased number of cyberthreats and attacks on information resources, the number of companies which are ready to invest in information security is significantly larger.
What experts are required for SOC building? And what are their requirements?
Sergey Stromilo: Primarily, these are engineers and analysts who have skills and practical experience in information security incident identification and investigation, and they are particularly able to efficiently use modern information security solutions for this purpose. Practical skills confirmed by certificates (CEH, OSCP, CompTIA, etc.) is an ideal combination.
Engineers configure and integrate software and connect new technical solutions to the company’s infrastructure. Analysts work with event monitoring systems, analyse data, identify incidents, and propose response strategies.
Requirements for experts are presented subject to their profile. This may be analysts specialised in forensic investigation or whose task is to look for proactive threats (threat hunting). Expectations related to their practical skills will naturally be different.
Another very important associate, without whom SOC operation is unimaginable, is the manager. The manager competently sets tasks for the team, organises processes, and controls the quality of work.
And what about software products?
Sergey Stromilo: Traditionally, the SOC’s core is SIEM systems (Security Information and Event Management Systems), which, in the last few years, have been supplemented by solutions such as EDR\NDR to improve the efficiency of identification and response to threats on end devices and the network.
Traditional security tools such as vulnerability scanners, antivirus systems, traffic analysis systems, sandboxes, firewalls remain in the SOC perimeter as sources of events together with other infrastructure components (servers, applications, databases, etc.). In addition, IRP and SOAR systems are used for efficient organisation of SOC processes.
What risks and difficulties may arise for the company which decided to build its own SOC?
Sergey Stromilo: The first difficulty is gathering personnel with required practical skills. This should be both SOC engineers and analysts. The problem lies in the availability and retention of qualified experts. If large companies can keep them with high salaries and attractive work conditions, then small and medium enterprises find it much harder to do so.
Another difficulty is the fact that the threat response centre needs to work 24/7, without days off and holidays. Therefore, according to our estimates, SOC should be comprised of at least seven IT employees. These are first-line engineers, analysts, and the manager. Not all companies can afford such a luxury to allocate these personnel.
Additionally, there is the complexity of the building process. It is not enough to just set up the integration with SIEM and start monitoring events from various source systems. The out of the box solution rules are usually not sufficient. They will likely not be applicable to the company’s business applications, critical servers, specific records, etc. In such cases, you have to set atypical response scenarios and correlation rules. Fine tuning is also required to eliminate many system false positives. All this requires time and additional competencies.
Finally, there is the challenge of managing the updates which remediate the vulnerabilities known by the supplier. New vulnerabilities are identified every day and related information should be always up to date. Therefore, it is not enough to simply implement and configure SIEM. Even if the system is up to date at that moment, it will not cover a range of possible threats over time. They should be updated and adequate competencies should be maintained in the organisation, which is not easy at all.
SOC-as-a-service may be a good alternative to your own SOC, considering the lack of qualified personnel on the market and difficulties with one-off large investments. This service may contribute to balancing capital (CAPEX) and operating (OPEX) expenditures – system ownership remains in the organisation and the supplier provides qualified personnel and processes for a monthly remuneration or fully transforms CAPEX into OPEX – in this case, the supplier can provide monthly payments to competent experts, already established processes, and a custom system with the required detection and response levels.
If the company has sufficient funds, then, both solution and expert investments are possible. In this case, it makes sense to include external suppliers to give advice on SOC process building, IT solution set-up, or external activities which are less related to other processes, such as forensics.
It is important to select the right option which suits your company. The main thing is that you do not stop after buying the solution. Unfortunately, this is still often happening.
What are the challenges faced by a company that has opted for interaction with external centres?
Sergey Stromilo: Perhaps, the main difficulty is the wide selection of these centres. It is difficult to make a decision as all of them declare their competencies, including a similar range of services. This difficulty is solved by using the piloting option, as well as clarifying the information about reports, metrics, and rules of interaction which will contribute to understanding of the internal SOC organisation.
Another difficulty is the price of monitoring and response services. Considering the high demand, this may be significant. However, as specified above, in-house SOC organisation will not save money either, quite the contrary. At the same time, an experienced provider, who understands your goals, will be able to select an optimal set of services to make the “entering” process financially more comfortable.
In addition, companies find it difficult to build common processes. Establishing the readiness of partners for collaboration, how much they are busy with other projects, etc. in advance is important. However, the solution to this is simple – to match the expectations with reality, you need to define the collaboration by using SLAs and various metrics in SOC services. For example, response time and incident resolution time in IS, number of events in IS, and other indicators.
Generally speaking, global companies are already used to outsourcing that they do not have trust issues and know how to manage the relationship with service providers. They care about clear indicators, processes, and regular metrics and their alignment to the company’s stated goals. There is a structured governance in place to assess and discuss whether the collaboration is going the right way or not.
In which case is the SOC efficiency higher: if it is in-house or outsourced?
Sergey Stromilo: I believe that external SOC is often more motivated to achieve results. A service provider as a contractor has obligations and in case of a breach may have to pay considerable damages or lose the contract, and these are important risks for overall business.
An in-house SOC requires major investments from the very beginning. Otherwise, it will be very difficult to ensure control and regulation of processes at the same level as an outsourced centre. Only large companies can invest to such an extent, but they also have difficulties which may be solved through outsourcing – the lack of personnel and management resources for organisation and control of new processes.
Another issue is that the combating ability of the SOC unit may be lower just because employees rarely face incidents. Even if the company regularly trains experts and develops the system, they may be lost in emergency cases. The lack of experience will affect the response time and the business will face financial and reputational risks.
What would you advise to companies choosing a SOC service provider?
Sergey Stromilo: Choosing to use a SOC service provider is an important business decision. You want to have a strong, trusted partner, so look for key business features, such as evidence that the provider is financially stable and has a strong customer-retention rate. The SOC provider should offer guaranteed performance-based service-level agreements that include the ability to terminate service in the case of poor performance. Naturally, the provider should have proven experience and expertise in your specific industry. Also, you should be able to reasonably customize provided SOC services; your organization shouldn't have to force itself into a one-size-fits-all service.
You should insist on international certificates of engineers and analysts confirming their competencies.
Moreover, how much a provider is ready for a personalised approach to the client is important. This is easy to understand from the first communication. Most probably, a provider deserves your trust if they are actively and deeply interested in details – infrastructure, business specificities and processes, and if they explain the presence of priorities for threats in the company, response scenarios, etc.
A lot can be learned during the pilot period which is offered by some service providers. Here, I would not recommend making a decision based on the level of threat and vulnerabilities detection as the way in which the interaction between the provider and the client’s team is established. The types of metrics they have to show, etc. are more important.
As far as costs are concerned, they naturally depend on the company maturity and how many projects it currently has in flight. High price does not always mean high quality. As in other services, there is a risk of brand overpayment and lesser known smaller service providers may be more ready to show flexibility to adapt to your requirements.
In any case, the selection of a service provider is one of the key steps in SOC building. You have to tackle this as carefully. The more the company is ready for detailed market and market participant research, the fewer problems it will face later on.
___________________________________________________
Know more about services:
