From under one roof up to the cloud – matching SOCs to the tasks afoot
Luke Ager, CTO Enterprise Cyber
By detecting, alerting and enabling an immediate response to be made to any cyber attack, SOCs have quickly become indispensible for both commercial and public service organisations. Certainly, their importance has grown in tandem with the exponential growth in the volume and diversity of data, the strength of new data security regulations, the multitude and complexity of platforms, applications and processes …… and, of course, the ability of increasingly capable adversaries to exploit any weaknesses.
However, simply having a SOC is not an end in itself. An effective SOC will evolve, adapt and develop to reflect the constantly changing digital capabilities of an organisation as well as the continuous emergence of new technologies, threats and vulnerabilities. There are also various options available to help ensure the functions, remit and composition of a SOC are tailored to meet the specific strategic objectives and risk appetite of an organisation. It could be an internal resource, an outsourced service or a combination of both. And, it could be a traditional or cloud-based model.
Deciding on the most appropriate approach is not an overnight exercise. It requires detailed understanding of the requirements, operational governance and digital landscape as well as a great deal of thought and planning that takes not only immediate priorities into account but also evaluates longer term considerations. Ill-advised decisions could be very costly indeed, so it is hardly surprising that the role of Chief Information Security Officers (CISO) has grown in importance and stature over the past few years.
A natural starting point for any security matter is normally the principle of control. Keeping data under one roof, minimising data movement and restricting access to potentially sensitive information does, at first glance, seem like a logical default position to optimise data and digital security. Large and mature organisations working in risk-averse, complex and mission-critical service areas will often prefer to be masters of their own destiny and have a dedicated internal SOC to help respond quickly and effectively to any cyber attack. Here, there is no third party engagement, data management and processing remains within the organisation and there is a high level of visibility and responsiveness across the digital network. That’s all well and good then!
But - and it’s a big ‘but’ - the investment required to deliver a well resourced and effective SOC 24/7 and for 365 days a year is substantial, as is the time required to develop and maintain the operation at the required level. Experienced security analysts are high earners and in very high demand (and short supply!). Typically, at least 12 FTEs will be required to comply with national employment directives, so staffing costs alone can easily amount to a little shy of £1million.
There’s also technology and licensing costs to consider – not just in the set-up phase but also in ensuring intelligence, behavioural analytics, detection and defence mechanisms remain fit for purpose against a constantly changing threat landscape. Balancing such a significant investment with the multitude of increasingly complex security issues poses quite a dilemma. Because of this, some large organisations are now using a combination of external and internal SOC capabilities. When basic SOC activities are outsourced, for example, the in-house team then has the scope to focus on more business-specific security operations that only an internal resource can conduct.
The tasks facing an internal SOC team are becoming all the more onerous with the relentless development of new digital platforms and capabilities. A good case in point is the way many organisations have followed the lead and success of e-commerce retailers by adopting cloud technologies. Such a move delivers undeniable operational and service benefits, although it raises new security challenges and requires new processes and a significant shift in skillsets away from traditional infrastructure engineering. The cloud will deal with many of the potential security weaknesses of internal servers and systems by default. It’s important, however, that users adhere to the new processes and are aware that there is potential for a wider attack surface to be exposed to cyber criminals as a cloud service is far less forgiving of user error.
There’s also the added complication of data moving outside of the direct control of an organisation and the need for the SOC team to combine real-time information from public cloud platforms with data from other internal applications, servers and networks. But, that’s not the end of the story. It is anyone’s guess just how far smart solutions and burgeoning AI capabilities will transform our current perception and understanding of the digital environment, and the steps an organisation will need to take to maintain security of its data and digital infrastructure.
The benefits of a collaborative approach
For all of these reasons, the majority of organisations are now turning towards Managed Security Service Providers (MSSP) to implement, manage and develop their SOC function. The practical and financial benefits of using an experienced MSSP are considerable and now far outweigh any earlier reticence regarding data handling by a third party.
Recruiting and retaining experienced cyber skills can be particularly problematic for a large organisation based in an intensive and highly competitive commercial district, and working with a MSSP is a convenient and effective way to address the issue. A staff augmentation approach is now regarded as the conventional model of a managed SOC, with the assigned MSSP team delivering a dedicated on-site service using the customer’s SOC tools and equipment. In some cases this will be a hybrid arrangement where the business familiarity of in-house personnel is complemented with the specialist expertise and insight of the MSSP team. Either way, an organisation will agree SLA’s with an MSSP that then has responsibility for maintaining the required staffing level for the SOC.
An alternative is for an organisation to outsource its entire SOC operation, taking full advantage of the professional team, multi-tenanted tools, equipment and threat intelligence of the MSSP. This more flexible approach is readily deployable, is less costly to deliver and overcomes the need for significant upfront investment to meet any projected uplift in capacity - although stringent preventative control measures and assurances must be in place for data separation and storage for each customer organisation. It also provides quick detection and response times and fosters effective knowledge transfer and learning opportunities for service provider and customer alike. These are all important qualities in the eyes of any CISO.
This takes us to an area that I believe is absolutely fundamental for delivering an effective SOC service – a spirit of trust and transparency. It’s important to establish this spirit from the outset of a SOC when scoping the security objectives, digital infrastructure and response procedures. Thereafter, a responsive MSSP should provide authorised users from a customer organisation with direct access to SOC tools and the opportunity to monitor and comment on SOC activities through secure incident and reporting portals.
Such an approach helps to foster a truly collaborative environment, where the cyber security expertise and intelligence-led foresight of the MSSP is truly integrated with business-specific knowledge and the operational nuances of the customer organisation. I have seen at first hand on many occasions how the mutual understanding created by such a collective resolve presents a powerful additional tool in the cyber security armoury.
Availability and scalability
The growing volume of data, the increasing layers of digital complexity and the frequency of massive spikes in data – from a sudden surge in service demand, website hits, system upgrades or a concerted denial of service cyber attack – remain a worry though. An appropriate managed service will provide a degree of flexibility, but such peaks of activity can easily take a SOC to its operating threshold where it can no longer cope with the volume of data inputs and logs without a significant uplift in capacity. Aside from the cost implications and the obvious risk of security measures being compromised, this highlights the importance of SOC performance and capability in all circumstances.
One of the most effective ways to ensure service availability, scalability and business continuity at all times is to opt for a cloud-based solution. A well-architected cloud SOC will take agility, operational resilience and the benefits of collaboration onto a new level, where capacity is no longer an issue and where advanced monitoring, analytical and machine-learning tools and greater process automation can evolve and develop as required. This represents a huge step forward. It is also highly cost-effective.
There is a misplaced perception issue, however. Will data really be secure in the public cloud? Firstly, the term is rather misleading, as it is only as public as an organisation wants it to be and, for a cloud SOC, tools are only shared with predefined audiences. Secondly, it is not a question whether the cloud is secure. The cloud provides the flexibility to ensure data and systems are as secure as any other approach, so it is more a case of whether the cloud is being used securely. In other words, has it been adopted and configured to mitigate against any security concerns and is there clarity regarding responsibilities for different functions and services in the cloud?
Correctly architected in accordance with the Cloud Security Principles of the National Cyber Security Centre and best practice guidance from the cloud service provider, a cloud SOC will not pose any greater security issues than more traditional standalone SOC solutions – whether in-house or outsourced. However, the auto-scaling capability and operational benefits of a cloud SOC are huge.
There is also the additional assurance of a deep and far-reaching supply chain of like-minded vendors and service providers. This is a community where everyone shares a common purpose and the principle of collaboration is second nature. There is no doubting the combined power of an entire community working towards the precisely the same target outcome - to maximise cyber security and to keep pace with the increasingly sophisticated activities of well-funded and evasive cyber criminals. That’s where a cloud SOC definitely comes into its own.