Demystifying the Hybrid SOC

Demystifying the Hybrid SOC

There is a growing trend in the adoption of ‘hybrid SOCs’. More organisations are considering either outsourcing part of their SOC capability or building a partial capability in-house.

Partial outsourcing is nothing new. So, if we have a 3rd party that provides forensic analysis capabilities, do we have a hybrid SOC? Or is an incident response retainer enough to call it hybrid? Whereas there is no single definition of a hybrid SOC, I would argue that there should at least be joint operational delivery of a single service. A form of security monitoring (which is a continuous operational security task) is a good way to think about hybrid SOCs.

Hybrid SOCs can emerge when a MSSP client who has been using SOC as a service is not satisfied with certain parts of the service delivery. In such a case, the client may choose to partially insource the SOC capabilities. In other cases, an internal SOC may choose to outsource part of their service delivery to an outsourcing partner. This can be due to reasons of convenience (outsource the less interesting work) or necessity (lack of internal expertise).

This article explores hybrid SOC models and recommendations for a hybrid SOC setup.

Hybrid SOC models

First, let’s look at the possible models for doing a hybrid SOC. There needs to be some form of clean separation between the service provider and the internal SOC. This can be achieved in a number of ways:

  • Separation based on tiering. The most common way to create a hybrid SOC is to make a split based on analyst tiers. The MSSP provides a tier-1 analysis function and sends alerts to the internal SOC capability for tier-2 and tier-3 follow-up. It is also possible that the services provider provides both tier-1 and tier-2 analysis functions that is followed up by the internal tier-3 capability. ?Likely, the position of the tech stack (internal or with the service provider) differs between these setups.
  • Separation based on operational hours. In cases where 24/7 eyes-on-screen is a security requirement, but the capacity for running a 24/7 SOC is not available in-house, a hybrid setup based on operation hours may prove a solution. In this case, the internal SOC provides monitoring on regular (or extended) business hours. Outside of these business hours, monitoring is performed by the service provider.In this setup, the internal SOC should make sure that shift handover takes place between the internal SOC and the service provider (at start and end of service provider shift), and that the internal SOC still has a fully operational stand-by capability that can be leveraged when high-priority incidents that require immediate follow-up are detected by the service provider. Giving the service provider mandate for first response should be considered to speed up the response process.
  • Separation based on use cases (generic vs specific). Splitting security monitoring based on use cases is an option if the organisation-specific monitoring requires knowledge and context not available to the service provider. In that case, the service provider could only provide a signalling function and not an analysis function. For such use cases, the added value of the service provider is limited. An internal security monitoring capability could define and monitoring the organisation-specific use cases (critical assets / crown jewels), while the service provider focuses on monitoring the generic infrastructure. Since the generic infrastructure is mostly the same for all their customers, the organisation would benefit from the service provider experience and effectiveness of that type of monitoring, the economy of scale and the lessons learned from other clients.If separation is based on use cases, there is still the question of who performs detection engineering, automation engineering and playbook creation. The internal SOC may want to develop its own detection engineering capability to build their application-specific use cases. However, it is also conceivable that the internal SOC designs the use cases, while operational implementation of the use case is done by the service provider. Of course, it also depends on where the tech stack is located and if the internal SOC has the knowledge required to do detection engineering. Detection engineering is not just building the rules but also includes rule validation, data source optimisation, and pipelines for detection-as-code. The same applies to automation engineering and playbook creation (i.e. technical playbook in a SOAR solution), that can be done by the service provider or by the internal SOC.
  • Separation based on monitoring scope (infrastructure). Lastly, a separation can be made based on the scope of monitoring. This means that a certain part of the infrastructure is monitored by the service provider, and that the rest is monitored by the internal SOC. This does require a logical separation in the infrastructure. For example, this type of hybrid construction would make sense if the organisation would like to do cloud-native monitoring but doesn’t have the capacity or knowledge to operate the cloud-native SIEM. An external service provider could take on this part of the monitoring scope.

The figure below shows the different hybrid SOC types.

Hybrid SOC models

Placement and management of the tech stack

In hybrid situations, the placement of the tech stack is also a consideration: is the tech stack operated and positioned with the service provider? Or with the internal organisation? This will also depend on the hybrid soc model used. For example, in cases where the split is made on monitoring infrastructure and the service provider is monitoring the cloud environment, there may be 2 tech stacks: one for the on-prem infrastructure and one for the cloud environment. In another example: it is more likely that the tech stack is positioned with the internal SOC in case of a split in operational hours. Outside business hours, the service provider would connect to the monitoring platform securely and continue monitoring using the organisation’s tech stack and processes. In case of multiple tech stacks, it is vital that the capability levels are aligned.

Governing the hybrid SOC

Governing a hybrid SOC implementation requires more effort and planning than governing an internal SOC capability. Governance in hybrid SOC setups (from the internal SOC perspective) should focus on alignment between the service provider and the internal SOC. Some relevant aspects are:

  • Having clear responsibilities for the internal SOC and the service provider. Hybrid SOCs have grey areas of responsibilities where the separation between the SOCs is not fully clear. Identifying such areas and clearly defining where each responsibility ends and starts is vital. Ensure that overlap is managed as much as possible, and at the same time, ensure that gaps in responsibilities are prevented at all times. A RACI matrix is a powerful tool to assign responsibility & accountability unambiguously.
  • Defining feedback loops across the hybrid SOC. Feedback loops are essential to continuous improvement. The organisation should seek to understand how processes integrate and interact and define feedback loops across these integrations.
  • Defining handover points and process interactions. Whenever there are 2 entities collaborating, handover is required. That could be shift handover if the separation is based on operational hours, or incident handover if the separation is based on tiers. Clearly define what activities need to be handed over and what information is required for proper handover.
  • Measuring performance both SOC entities. Performance measurement is key to understanding and identifying weak points. Ensure consistent measurement takes place on both sides of the hybrid SOC using a carefully selected set of metrics. Also take into account that metrics can be defined for interactions / handover to evaluate and optimize this part of operations.
  • Assessing maturity for both SOC entities. Measuring maturity provides insight into strengths and weaknesses of the SOC. The get a full overview of the strength of defensive cyber capabilities, both SOC entities should undergo a capability maturity assessment. The assessment should focus on the capability maturity of the individual entities and also evaluate the maturity of the operational and technical interfaces between the 2 entities.

Summary and best practices

Hybrid SOC setups are nothing new. However, there is a growing trend in the adoption of a hybrid SOC model. Several types of hybrid models can be considered, the most fitting type depends on the specific requirements of the SOC and should be made clear in a business case that outlines costs and benefits as well as potential risks. Running a hybrid SOC is more complex than running a single centralised SOC. Making informed decision on when a hybrid SOC situation is the preferred setup

To increase chances of success, apply the following best practices:

  • Make clear choices on what you want to do inhouse and what you want done by the service provider.
  • Select a service provider that is open to a hybrid SOC setup. Make the service provider part of the hybrid service delivery design, so that the setup is optimised on both sides.
  • Ensure you have an exit / rollback strategy that you can use when you are unsatisfied with the results.
  • Understand and regularly align mutual responsibilities to discover.
  • Ensure proper governance is in place.
  • Ensure you have full attack chain visibility across the hybrid SOC. It may be necessary to correlate information from both SOCs.
  • Implement feedback loops as part of your continuous improvement strategy to learn from the other SOC.
  • Assess performance, maturity, and capability for both SOC entities.

Konrads Klints

Solving Cyber

7 个月

I’ve yet to see an external T1/T2 type of SOC deliver much value in hybrid environments. If it’s simple to do, a computer can probably do it. If it’s complex to do then T1/T2 probably won’t do it. Even if MSSP staffs T1/T2 with high quality analysts then at procurement they are typically penalised for it. Any thoughts?

回复
Shairesh Algoe

Board Member / Quantum Gateway Foundation / CISO / Lecturer / Public speaker

7 个月

Rob van Os its all about perspective. Thanks for sharing this nice read!

Marvin N.

Principal Security Architect at Elastic

7 个月

Nice write up, great insights as usual Rob van Os. Another growing consideration is, given the high rate of staff turnover, maybe keep the loyal ones and focus in-house services around their skills and outsource the rest? Most CISOs say it’s risky building SOC teams because of high staff turnover coupled with lack of skills and the hustle of staff retention…

Unal Altay MBA/MISM

CIO & CISO | Strategic Leadership | Humanistic Encouraging | IT Governance and Management | Driving Engaged Business Partnerships | Delivering Transformational Change

7 个月

My preference would be to outsource based on skills and capability you wish to maintain, and outsource the rest. Concentrate on good contract management using balanced score card to drive diligent and constructive conversations with partners. This is the key as many leaders shy away from awkward conversations and providing direction.

回复
Ph?m Tài Tu? (tuedenn)

Cyber Incident Responder & Threat Hunter

7 个月

Let me quote this from 11 Strategies of a World-Class Cybersecurity Operations Center, MITRE: "There are many functions and services a SOC could offer. The choice of services should support the constituency’s risk posture and the defined SOC mission. Maturity, funding, what the constituency requires, operating model play major factors here. These are also likely to vary as the SOC matures over time. No one SOC will offer every function and service possible." I think this is the point that In-house SOC meets MSSP SOC, and then, hybrid SOC was born :D

要查看或添加评论,请登录

社区洞察

其他会员也浏览了