Expertise assisted SOC Model
Karthikeyan Dhayalan
Cybersecurity Practitioner | Passionate Educator | Proud Indian
The last two decades have certainly been a challenging time for the global economy, with several significant financial crises and the COVID-19 pandemic having a major impact on financial markets and economies worldwide. These macro-economic situations forced organisations to look at optimising their cost-centres.
The cascading effect on the Cyber Security “cost-centre” was the frantic adoption of the “fully outsourced Security Operations Centre (SOC) service”, wherein organisations offloaded “the Process, People and Technology” of the SOC to third-party SOC providers.
In financial terms, this helped:
- Reduce the Capex investments,
- transfer some of the “financial” risks to third parties and
- reduce human capital investment.
In security terms these measures did not effectively reduce their risk profile. In fact, only a handful of SOC services cross the first contract renewal cycle, resulting in organisations having to restart the outsourcing process again.
Having seen, experienced and provided “Threat management” services to customers, I have come to firmly believe that a more hybrid SOC operating model with a coalesced ownership of technology and knowledge will be the best outcome for the customer.
The model I propose, “Expertise assisted SOC”, is to essentially split the CORE elements namely, Process, People and Technology between the customer and the provider.
In this model the Technology and the Data will always be controlled (owned) by the customer, while the Cyber security human capital (and the SOC process) will be utilised from the service provider.
Organisational Profiles that suit this model:
While I believe every Organisation should embrace this model, I do understand there are non-security compulsions that can have impact on the choice.
Nevertheless, the following organisation profiles can look at this SOC operating model:
Benefits of this model:
I strongly believe the technology (and log) ownership model provides the following benefits:
I’ll expand on each one of these in the following sections and provide my views.
Technology control (data Control)
Regulations mandate that logs are to be retained for a certain duration (eg: CERT-In mandates 6 months retention https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf) and provided on request. Irrespective of the model that an organisation chooses, they are ultimately accountable for the data.
By controlling the technology, the Organization has stronger control on the data that is consumed.
In typical outsourcing models, the cost of service is mapped to a few variable parameters like maximum Events per Second, maximum log size per day, maximum number of log sources etc. In the fully outsourced model, the service provider will work on multiple ways to massage/manage the log ingestion mechanism(s), either to limit the ingestion to the higher watermark (when the project is fixed price) or to tweak ingestion variables (like logging options) to increase the volume, thereby increasing the price.
If the cost of technology is removed from the service provider's scope, the focus of measurement will only be on the value the provider brings to the Organisation and not on the cost of log ingestion and storage. Controlling the technology gives the organisation more leverage in getting direct visibility into its own data patterns.
By investing in the technology and controlling the data store, organisations do not have to be at the mercy of the service provider to access/analyse their data.
There are numerous instances of customers not being able to get the right data, at the right time, in the right format from a SOC service provider.
Though there are contractual clauses (SLAs) that cover retrieval mandates, the intended objective of data retrieval may be lost and can have serious implications.
The reasons I have seen service providers not being able to retrieve data are:
The next problem is the level of access to the data stored in the provider environment. The only access the customer gets from the Service provider is the information related to the “incidents”. This is a minuscule subset of the large volume of data that is ingested into the SOC.
Organisations also do not get visibility into their log data to validate the service provider’s “incident identification” efficacy.
The obvious question that will come now is ~ should we invest in the technology (CapEx) or subscribe to the technology (SaaS). I’ll answer this in another blog.
Use the Log data for non-security Analytics:
Log data generated by every single asset (system, application, service) has immense potential value. Log mining helps in prescriptive and predictive analytics. Log correlation helps in real-time anomaly detection.
By signing up for a fully outsourced SOC operation that is focused only on Mean Time to Detect (MTTD) / Mean Time to Respond (MTTR), an organisation loses analytical information that can be mined from the generated logs.
While security is the primary use case for a SOC, mining of the collected log data can help the organisation unearth “non-security” patterns / relationships / outliers that can provide tangible operational as well as financial benefits.
When controlling the data and outsourcing the SOC services, the log data can be consumed by both parties (customer and service provider) concurrently for two differing purposes.
In a fully outsourced model the customer has negligible (limited) visibility of the raw data and hence cannot take advantage of the data beyond what the SOC provider shares as “alert associated information”. There could be good economic value in analysing the log data. Why would you want to miss it?
Provider lock-in:
This is a very important aspect that many customers tend not to give enough attention to. Typically, SOC contracts are multi-year (the minimum I have seen is 2 years) and, post the contract period, I have known customers who have been forced to sign the extension due to the following reasons:
With the cost of migration extremely high, they are forced to continue the service (even if unsatisfied) with the same provider. This creates a sense of lock-in with the provider, which is undesirable for the organisation.
Skills outsourcing:
“Whatever the complexities of the puzzles we strive to solve, and whatever the sophisticated techniques we may use to collect the pieces and store them, there can never be a time when the thoughtful man can be supplanted as the intelligence device supreme…” - Sherman Kent in his book Strategic Intelligence (1965).
Whatever the advances in technology for cyber defence, having the right skills and, more importantly, retaining and cultivating them in-house is the most difficult task for an organisation. This is particularly true for those organisations whose business is not providing cyber defence services. This is where specialised service providers come into play. They have the experience and the capability, and can provide a progression path that creates stickiness for talented cyber security professionals.
By using the services of such specialised service providers, Organisations can leverage expertise to better manage their cyber posture, without having to spend resources on “recruitment/retention” costs, operational costs, and opportunity costs. They can offload the “non-core” aspect of business to a service provider and concentrate on their “core” business.
I’m sure your question will be ~ how to find and choose such a service provider. I’ll give my perspectives on this topic in another blog.
Conclusion
Organizations should not look at Security Operations outsourcing as a mere risk transference option. Whatever the operating model of SOC, the ultimate responsibility of Safe/Secure business will always be with the Customer.
When looking at the SOC through this prism of ownership, the model of cooperative cyber defence, where the technology is controlled (owned) by the customer and operated by the SOC provider, provides the best bet to achieve a meaningful return on Security investment for the organisation.
Democratizing Cloud & Cybersecurity Services @ Jio
1 year ago: I am a proponent of the thought that everything can't be outsourced, especially when it comes to managing the overall enterprise cyber and information security risks, although an expert service provider can of course bridge the gap to an extent, if not completely. The only probable solution to this is that the enterprise needs to develop its own cyber risk management capabilities, from strategy to operational resiliency.