Is Outsourcing a Security Operations Center a Good Idea?

By Fred Newberry, CISO, BDP International

Fred Newberry, CISO, BDP International

Threats have become so significant and sophisticated in recent years, that technology and human resources are struggling to keep up, much less get ahead of them. Gone are the days when anti-virus and a strongly configured firewall could keep out most of the script kiddies and run-of-the-mill hackers. Now terms like Advanced Persistent Threat (APT) and Next Generation technologies are becoming common place. Traditional anti-virus programs, firewalls, network intrusion devices (NIDs) and host intrusion devices (HIDs) with signature based technologies are no longer adequate alone to combat intrusions from criminals, nation states, and activists. Now they all know how to evade them. These attacks are disruptive to business and recovery is expensive. In addition, organizations are faced with losing valuable proprietary information and other valuable assets. Individuals are being stripped of their identity, privacy, and in many cases, funds in their bank accounts.

"MSSP is an excellent solution for providing around the clock security monitoring and the benefits of Next Generation technologies" 

So what should you do as a security professional to combat APTs, especially when budgets are limited and skilled security analysts are becoming scarce? Outsourcing your Security Operations Center (SOC) is an excellent option, but this may be a counter intuitive concept for some of you. Releasing control of your monitoring environment to a security vendor has been an unheard of concept in the past. How can I make such a recommendation to outsource this critical function and what do I know about SOCs?

A few years ago, I led a team that designed, built, and operated the first security operations center (SOC) for the FBI, as well as being part of the team that developed the FBI’s Information Assurance program. Several members of my team have since accepted executive positions managing security programs in large corporations. In the private sector, I worked for a major networking vendor and consulted with Fortune 100 clients and supported them in designing and building SOCs as well as initiating several cyber security programs. Throughout my cyber security career in government and industry, I have experienced significant changes in the threat landscape and the technologies to mitigate them. Currently, I manage my own security program for a global logistics company and I collaborate with other CISOs and share best practices for addressing many of these tough security issues. But today, the real superstars and security experts are in the SOC outsourcing business!

One of the key problems facing organizations, both government and commercial, is how do they keep up with the rapidly changing security technologies to combat the ever changing threat and at the same time, how are they going to maintain a highly skilled security workforce while factoring in the high costs associated with both?. I believe that outsourcing some or a majority of security programs to trusted, well-equipped and qualified cyber security vendors, commonly called Managed Security Service Providers (MSSPs), is a viable solution to address the issues I have identified.

Considering the complexity of the SOC, it lends itself to being outsourced since many organizations are unable to equip and staff it. I am not trying to dilute the importance of other critical aspects of a cyber security program such as well written enforceable policy, robust security training, and board room support. Since the SOC is on the front line of most cyber attacks, it is a key security component. In the following sections, I have identified five major items that should be considered for outsourcing SOC functions to MSSPs: (1) Cost of Technology, (2) Access to Knowledge Bases, (3) Skilled Security Analysts, (4) Other Support Services, and (5) Is Outsourcing a Good Idea?

Cost of Technology

Many of the really effective MSSPs have invested millions of dollars into their SOCs’ technology and capabilities, providing 24X7X365 monitoring of their clients’ networks. For small businesses, this type of investment is cost prohibitive and an MSSP is an excellent solution for providing around the clock security monitoring and the benefits of Next Generation technologies. Not only are these vendors auditing system logs, but many are using Security Information and Event Management (SIEM) technologies to correlate disparate events in their clients’ networks. The SIEM provides them with knowledge about intrusions that would otherwise go undetected. SIEMs alone are very expensive and require highly skilled security personnel to configure and operate them, as well as being able to generate complex, critical reports. Access to Knowledge Bases
Another key service provided by MSSPs is their ability to utilize knowledge bases in the cloud to assist in detecting very sophisticated attacks that could go undetected. These knowledge bases have been developed as a result of following trends and collecting data from numerous attacks and then capturing this information in a centralized database. Organizations with internally managed SOCs, would most likely not have access to such security information, and without it, they may be unaware of possible of attacks in their enterprise. As an example, most knowledge bases contain known bad IP addresses or Blacklisted IPs that are important in blocking known bad actors from future intrusions.

Skilled Security Analysts

Organizations benefit from MSSPs’ highly skilled security analysts that are difficult to recruit, expensive, and difficult to retain. Some MSSPs have the benefit of hiring these analysts through their partnerships with local universities and colleges. Their retention rate is high and can be attributed to their continuous training programs and providing their employees a structured career growth path and other benefits. As an added benefit, MSSP analysts gain significantly more experience than other analysts because they are exposed to a greater variety of attacks, considering they are monitoring events across a large, diverse customer base.Other Support Services.

Additional services of MSSPs include not only 24X7 network monitoring, but firewall and other security device management, vulnerability scanning, penetration testing, web application assessments, and forensics support. Supporting all of these capabilities in-house is not only expensive, but difficult to maintain skilled staff with the required specialized skills.

Is Outsourcing a Good Idea?

Although I have outlined many of the benefits of outsourcing SOC functions to MSSPs, this may not always be a good option for some organizations. Outsourcing a SOC to vendors, especially those who employed personnel without security clearances, was not acceptable. If outsourcing is a viable option, it is important to take the time to do due diligence and thoroughly investigate the background and capabilities of MSSPs. Most importantly, contracts should be written to provide adequate service level agreements (SLAs), detailed clauses, and deliverables.

Finally, the benefits of outsourcing a Security Operations Center are worth the effort and a good idea!  

Weekly Brief