SSDP explanation
David Bizeul
Co-founder & Chief Scientific Officer @ Sekoia.io | SOCPlatform ? CTI | #openxdrarchitecture
This is my second article in the SOC story series. Here is the existing list.
#3 - SSDP explanation (this article)
Follow me if you want to be notified on the next ones this summer.
Introduction
The cybersecurity industry sometimes invents new acronyms.
We'll talk here about a recent one: SSDP.
So what could it mean?
Synchronized Swimming Ducks Parade?
This would have been funny but the answer is NO!
It stands for Security Service Delivery Platform, so it is more something that looks like this:
SSDP emerged as a technology evolution to deliver most SOC operations, but what does it mean exactly? Is it more an evolution or a revolution? We'll dive into these topics.
Basically, SOCs are delivered either internally, in large and mature organizations, or as a managed security service by a security provider (MSSP or MDR).
Even if they have the skills and resources, large organizations can also decide to outsource their SOC capabilities for many reasons, or even build a co-managed SOC where a joint operational team handles tasks based on predefined rules and processes.
Market Needs
Let's start with the market needs driving SOC evolution.
- The customer no longer wants to be committed to a long BUILD stage. The SOC capability should be able to leverage the technology components already in place, whatever and wherever they are.
- The customer wants to see the value fast (the CISO will be held to that). That means as soon as the SOC ingests data from multiple data sources, the data must be understood and enter a ready detection pipeline, whether it uses prebuilt rules, CTI, AI or other emerging technologies. It needs to demonstrate a real time to value.
- With attack complexity being understood better and better, organizations want to operate their SOC capabilities in different ways: sometimes fully managed, sometimes fully internal and sometimes in between. The key point is that the organization should be clear about whether it has enough skills and capabilities to face a major attack by itself. Depending on the answer, the shift toward managed security makes 100% sense.
- IT budgets are still clearly oriented toward SaaS consumption, to predict costs better and limit the immobilization of cash. Needless to say, an efficient SOC requires many components, and having this engineering done and maintained internally is a risky choice for a wise CISO or CIO. SaaS definitely solves this.
- Still on the budget side, of course, the customer will expect a strong discount from the provider compared with building and operating the solution itself. That means the provider must be able to leverage a capability of its SOC solution to get the best of both mutualization and dedication. This will require well-designed multi-tenancy.
SOC delivery mode
When we say SOC, we have to consider that it can be delivered in different ways:
- Fully managed mode
In this mode, the customer fully trusts the service provider to operate its security operations, both for detection and response.
- Internal mode
In this mode, it's the opposite: the customer operates the security operations itself and does not rely on a partner service provider. It may still bring one in later for a joint operation during an internal incident.
- Co-managed mode
This mode is the middle point between internal and fully managed. Depending on an agreement, part of the operation is done by one party and another part by the other. It can be a smart model to make sure both teams know how to play together on the same field. It is also an interesting approach to design precisely a process with joint responsibility for handling cyber attacks.
- The licence ownership
Sometimes the organization wants to keep ownership of the licence of the solution used to process detection and response on its data. This way, it stays in control and can later decide to keep the solution but change the service provider layer. This is especially interesting in the context of a co-managed mode.
Intermediate illustrated wrap-up
Ok, let's pause at this step: we talked about different mandatory needs and different delivery modes.
On a picture, this would look like this:
Decoupling product / service
As can be seen in the figure above, the delivery platform is a perfect transition layer between the provider and the customer, as it allows the former to deliver the agreed services to the latter.
Gartner talks about a decoupling capability between product and security services, but why is it so interesting for the provider, instead of creating its own product?
The obvious reason is the cost and complexity of developing such a solution. As efficiency is required by stakeholders everywhere, a service provider must focus on its market differentiators rather than creating a delivery platform that would fit its services perfectly but could not scale.
Instead, maybe the best approach is to assign this delivery capability to a platform that will bring other benefits to the table:
- the maintenance of the SSDP by the platform editor
- the integration of this capability with other detection and response tools
- the ability to get insights not only from the customer fleet of one MSSP, but from all customers of all service providers
- the ability to leverage new concepts or standards, so that the service provider can continue to focus on its added value and expertise and delegate the technical work to the platform
Which stack for SSDP?
We said in the previous part that service providers can benefit from the integration of SSDP with other detection and response tools. There are two ways to think about it.
- Either each major technology used in detection and/or response, playing an active role in the customer environment, delivers part of this SSDP capability; then the equation is not solved, because you still have to aggregate all of them to provide a global and consistent answer to your customers.
- Or you associate this capability with a centralized environment where you aggregate most of the detection visibility (SIEM capability) and decide strategically (SOAR capability). This combination is where the SOC has its roots, and it can probably be named a SOC platform.
Full illustrated wrap-up
Ok, so now we can sketch a more fine-grained positioning of SSDP.
Conclusion
Regarding major market and technology shifts, it is obvious that the SOC will be delivered more and more by providers (partially or entirely), relying on a strong SOC platform. The way to deliver the SOC services must be embedded into this SOC platform, so I would say that SSDP is definitely an evolution on the way to bring SOCs to a higher level, a kind of hyphen between what the customer needs and what the service provider offers.
At Sekoia.io, we develop our SOC platform to enable modern SOCs (operated either by end users or by providers). When the SSDP acronym came onto our radar, we were pretty aligned with the rationale behind it, and we consider it is what we have already integrated as a capability in our platform. If you are interested in this topic, find out more by visiting the website.
Co-founder & Chief Scientific Officer @ Sekoia.io | SOCPlatform ? CTI | #openxdrarchitecture
7 months
For those of you with a visual memory, here is the conclusion figure.
Co-founder & Chief Scientific Officer @ Sekoia.io | SOCPlatform ? CTI | #openxdrarchitecture
7 months
The first time I heard about this acronym, it was in a Gartner document written by Travis Lee and Matthew Milone, PMP, MBA, CISSP. Lucas Ferreyra, this might interest you as well.
Cybersecurity@Amazon
7 months
I like the vision and where you are going, both from a business and a security perspective: being able to leverage a "plug and play" data source with a "pick and choose" approach to the services that you consume is definitely a good approach.