Developing the capability to prevent threats through monitoring, detection and response continue to be the goal for all organisations and a Hybrid SOC will help complement and develop existing teams, increasing overall security performance.
Many organisations that are building and running a Security Operations Centre (SOC) in-house struggle to do so successfully for several reasons. Firstly, building a 24/7 needs a minimum number of people to support the need. Secondly, a SOC comprises of several functions, skills, expertise, and roles that drives the need for more people. Finally, attracting, retaining, and developing cyber security talent is difficult. All of these contribute to the high costs of running a capable Security Operations Centre.
Without a SOC, organisations are playing a dangerous game and running the risk of a cyber- attack with substantial consequences. Even if they have SIEM technology, organisations can be left at a disadvantage with security falling to IT as a secondary concern with no time or skills to monitor and respond to activities. Adding to that, these IT teams rarely operate 24/7. This is where many companies look to Bridewell for a fully outsourced SOC where the ownership of the SOC is handled by a MSSP who can deliver threat detection and response end to end, and interact with and helping IT teams understand the risk and mitigation options where required.
Whilst outsourcing can be attractive, we come across organisations who have received a poor experience with an MSSP, which often comes down to the Managed Security Services Provider not understanding the organisation’s environment, context and failing to deliver real tangible value to the organisation. Our SOC always seeks to fully understand our customer’s culture, environments and ensure the solution is adding tangible cyber and business outcomes to our customer. It is about providing a strong customer experience, not just managing technology.
Another option, where organisations may already have some capability and requires the best of both worlds, mixing in-house knowledge and the outsourced expertise is a hybrid option. This leverages the MSSP’s experience, and resource to deliver a 24/7 threat detection and response solution that proactively hunts for threats, tunes and optimises the technology to reduce false positives and proactively responds to security incidents to drastically the reduce detection, dwell, and response times of an attack. This is where a Hybrid SOC model will help organisations achieve this goal.
What is the Hybrid SOC?
A hybrid SOC model, leverages the cyber skills of in-house engineers, cyber security teams and an MSSP to create a single security operations centre. Within the hybrid SOC model the activities of the security operations centre are distributed across the in-house teams and security services partner. This allows you to build your own teams that have good context of your organisation and can work on high value incidents, improvement activity, projects, or other practices whilst you leverage the skills, experience, and resources available within the MSSP to improve threat visibility and hit your security goals effectively.
The most successful models offer flexibility rather than a rigid responsibilities matrix. For example, having your MSSP perform just triage or first line analyst activities, provides the 24/7 capability, but limits activities that they can perform. Working with your provider to design and constantly review where they have authority to act, means that you can shift more of the low value work into your partner, rather than your in-house teams. The hybrid SOC concept is not new, but with the growth of Managed Detection and Response (MDR) many providers have chosen to not offer this capability. Bridewell however, see this as the ideal delivery model for organisations that want the associated flexibility, scaling and cost benefits that when combined, achieve a high level of cyber security maturing for the organisation.
Modernising the Security Operations Centre
When modernising the SOC, the market has been shifting towards a pro-active and rapid response model within Security Operations and with the development of Extended Detection and Response (XDR) technology this has become a reality and has shifted the security services market with it. Gartner predicts “By 2025, 50% of organizations will be using Managed Detection and Response services for threat monitoring, detection and response functions that offer threat containment capabilities” which are underpinned by XDR technologies.
With this shift, there continues to be an increasing cyber security skills gap to support the latest generation Extended Detection and Response tools which have been built to support the latest in endpoint and cloud-based solutions in a zero-trust security model. For organisations to adopt and mature a modern SOC they will need to consider outsourcing, at least in the short term, whilst skills and experience are developed in house and possible permanently for the advanced specialisms and supporting functions.
Leveraging a Hybrid SOC model
There are a few ways in which you can use the hybrid model to address challenges and mature a security operation. Organisations may select a MSSP to become an extension of their SOC to enable the following capabilities:
If your SOC is looking to modernise and improve its tools, for example moving to a Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR), then working with a partner that is experienced in SIEM migration and can offer you advise on best practice, then you can transfer from one tool to another with very little risk and improve visibility and ability to respond rapidly whilst doing so.
It is highly likely that your security partner has seen a lot of scenarios and experience that you can leverage to improve your tooling, detections and use cases to increase the fidelity of alerts, lowering the number of false positives.
If you have transitioned or adopted a technology that allows automation, leveraging the cyber and development skills in your partner to maximise your use of SOAR tool. The automation of playbooks for investigation and response or interactions with third party tools help reduce the burden on precious resource and improve the overall performance.
Extending the automation capabilities within SOAR, having access to developers that can build bespoke integrations and leverage a broad scope of API services, enables greater improvements and efficiencies beyond the scope of your SIEM and SOAR.
Access highly skilled and experienced cyber security professionals
Managed Security Service Providers attract talent because of the varied and exciting opportunities that is presented by working across several customers, verticals, and technologies. At Bridewell, we pride ourselves on attracting that talent but also continually developing them to become experts within their field, picking up industry leading certifications along the way. Integrating these individuals with your teams and services allows you to benefit from their knowledge and experiences, finding improvements in areas that are not always in scope of the service, creating more value from the partnership.
247 Threat Detection and Response
Being able to warrant out-of-hours coverage is a challenge to many organisations with their own security operation. Being able to extend your team with a 24/7 team from an outsourced partner can readily address this. They key is to work together on establishing threat detection and response activities, accountability and working practices that complement both organisations to ensure a successful relationship.
Extended Detection and Response
No modern SOC is complete without some Detection and Response tools. Many organisations have or are adopting Endpoint Detection and Response and with a wider selection of tools available, working with a partner that has deep knowledge of your chosen stack, enables you to rapidly improve the benefit of these tools. You can leverage the hybrid SOC partner to managed and respond to those events driven by these tools for greater coverage and response.
Technology, tools, and detections are not infallible. In fact, you may tune out certain alerts because they are very noisy with a low fidelity. Threat Hunting uses a hypothesis or intelligence-based approach to active hunting of threat indicators, actors and breaches that bypass other mechanisms. As part of the hunt, investigations can quickly uncover indicators, but then continue to work through the information and hypothesis to rule in or out any malicious activity. Leveraging the skills and experience of your SOC partner to deliver this function quickly enables a pro-active element to your security operations. The hypothesis element of threat hunting can also help uncover gaps in data and detections for continued visibility.
Cyber Threat Intelligence
Shared intelligence is a great benefit of a security provider. Although feeds are available from Threat Intelligence platforms (TIP), your security provider is able to enhance this with access to a wider array of shared TIP feeds, but also offer intelligence from investigations within other customers. Adding to this, the provider will have a team that develops Open-Source Intelligence from the surface, deep and dark web that can feed threat modelling and identify leaked information. Also, potential threats and additional indicators of compromises that can feed intelligence into your security operations centre through integrated solutions and regular reports.
Developing in-house talent
This is probably the most valuable aspect of a Hybrid SOC model. With a partner such as Bridewell, the close working relationship enables continual knowledge transfer of technology and process that allows you to develop your in-house talent. This helps with the growth and retention of in-house talent.
Considering a Hybrid SOC Model
Every organisation is different and as such, the cyber security needs differ too. The Hybrid SOC benefits outlined here, helps to clarify the options and benefits to businesses, that are available with this model.
When selecting a partner, there are some important elements to consider when developing the right model and needs for your organisation. It is important to consider your business goals and supporting IT and cyber security strategy upfront. If you are not aligning with these, any model is likely going to fail.
Next, consider the current and future tools that your organisation is looking to utilise to support the business and security operations team to ensure that a partner can align with these needs. Having a partner that is flexible, agnostic and who has the experience and knowledge of a wide range of the technologies, helps them align to your needs.
Lastly and importantly, consider your in-house talent. Where are you looking to retain, grow and develop capabilities in house? What do you want to work with a partner on – outsourcing to complement and extend your capabilities?
A successful Hybrid SOC will have important KPIs and SLA’s, but the real success comes from collaboration, flexibility, and cultural alignment as it is important that both organisations work cohesively, as one team.
Bridewell is a leading, highly accredited UK provider of managed security services that helps organisations rapidly improve their cyber security maturity and mitigate risks by improving the ability to respond to cyber threats.
Bridewell's Managed Detection and Response service combines our world class expertise and experienced security professionals with SIEM and XDR technology to aggregate, respond to and hunt for threats in real time and is available in a hybrid or fully outsourced model.
We are industry leading experts in providing managed security services around Azure Sentinel, Defender XDR and other leading SIEM technologies that provide the flexibility to choose the capabilities needed to complement your SOC. With our vendor-agnostic approach, our service can be tailored to meet your needs now and flex with your future ambitions. For Bridewell, it is all about being a trusted partner that is focused on providing industry leading cyber security services that adds tangible business value to our clients.