Managed SOC. Where now?
It’s fair to say that the life of MSSPs, past and to some degree present, has been chequered. The industry has got the measure of this over time, and the good MSSPs have had to adapt and reshape their offerings by going into a period of listen-and-evolve mode.
A problem we hear about a great deal is that MSSPs talk a great service, powered by leading-edge SIEM and analytics technology, but once the dust settles after the transition phase of the contract, things start to decline quite early into a bare-minimum log-and-flog service and the value is lost. SecOps staff get overwhelmed by false-positive, meaningless incidents with no context, service credits break the bank, perception hits the boardroom floor, contracts get torn up and the MSSP is booted out, only to be replaced by a similar outcome from another MSSP. Rinse, replace, repeat.
How these common issues manifest is a multi-dimensional story, and nobody is directly to blame, but one big factor is that larger MSSPs struggle to connect with their customers on a contextual level, because delivering high-value security operations services is expensive for them to operate and maintain. To be competitive in the market there is contention between offering high-value security services and making them cheap enough to win business; it’s hard-nosed economics. So we end up with standard security operations services that are leveraged across many customers, and the only direction that can really go is log-and-flog and little else. Customers need to understand and acknowledge that there is no such thing as a high-utility outsourced SOC on the cheap.
Always look on the bright side... (RIP Terry Jones)
Standard services are here to stay. Managed Detection & Response (MDR) is now the flavour du jour. Reframing the outcome you buy by changing the wording from outsourced SOC to Managed Detection & Response helps set expectations a little better, from a semantic perspective, but again it can lead to bad outcomes if it is not fully understood by the service consumer.
Analogous to the overused Brexit slogan, customers are now ‘taking back control’. Hurray! Maybe?
There is now a shift toward hybrid SOC models. Here we see customers contracting in the more specialist SOC elements where the economics work, and retaining or creating their own in-house elements. The MSSP and the customer are bound closer together by a robust shared-service model. It can’t just be about the power of the technology; it is about the security teams’ skills in diverse disciplines harmonising across MSSP and customer, overlaid with clear and well-defined processes and key performance indicators that enable a tightly bound feedback loop to measure service performance and maturity/value over time, as one jointly owned service venture. Service value can be controlled and measured better if each party knows from the start what it is responsible for delivering and can share a common cause, as opposed to blame ping-pong between MSSP and customer, where nobody wins because expectations were never locked down. Who really wants that pain anymore, regardless of the money lost?
So a shared outcome between MSSP and customer, who are each clear on their stake in the overall service and can therefore focus on their part of the sum, each doing what they do best, has to be an improvement? Yes, so long as that ‘doing what they do best’ bit is measured and incentivised to evolve and improve over the contract lifecycle. Stagnation can kill value. Avoiding stagnation might be tricky if one of the stakeholders drops the ball or loses sight of the prize through a refocusing of business priorities, personnel changes in senior positions and so on. To protect against such impacts, the hybrid service needs to be clearly scoped and demarcated between MSSP and customer before pen meets paper, and expectations firmed up, or else it’s another broken security outsourcing model that began with sound intentions.
Ultimately, it’s incumbent on the customer to buy MSSP services smartly and contract smartly. This can’t be overstated, and it drives better behaviour on both sides.
It’s worth remembering that cyber security monitoring and detection services, in the scheme of things, are only just coming out of infancy. We only truly learn by failure, and we’ve all learnt. Hybrid looks and feels like progress, so long as stakeholders put the work in and operate as a joint virtual team, not ‘them and us’, foster closer working relationships through collaboration tooling, and put the emphasis on the service capability, not just the technology capability, with each playing their part equally. If we want to make a success of hybrid then ‘Dedication is what you need’, as the late great Roy Castle once warbled.