Three journeys to SOC success: Pt 2
IT leaders in mid-sized organisations face a monumental task when it comes to mitigating cyber-risk effectively. A cybercrime underground now measured in the trillions offers adversaries a massive head-start—providing automated tooling and “as-a-service” offerings to launch attacks with ease, and a readymade market for stolen data.
Attackers have the element of surprise and need to bypass corporate defences just once to be successful. On the other hand, IT bosses must contend with limited resources which often don’t stretch to a full-time security operations (SecOps) team. Many outsource security monitoring to a Managed Security Service Provider (MSSP) as a result. But the results can be sub-optimal and present challenges for both the MSSP and the customer.
What’s the problem?
The challenge that many mid-sized organisations have from a SecOps perspective is the sheer number of alerts being generated by their security tools. Stretched security teams look to “MSSPs to provide security solutions and expertise, which protect their business in the face of cyberattacks”.
Choosing to outsource alert log management to a managed security service provider operating a SIEM-as-a-service platform allows the security team to shift the burden of alert triage to an external provider, who may have the benefit of additional tooling to enhance their processing and their detection of malicious or anomalous activity.
Although this sounds fine on paper, there can be challenges. There’s no “one size fits all” solution, or “silver bullet” when it comes to cybersecurity.
Many MSSPs provide log monitoring services on behalf of their clients, meaning that with limited or no access to the clients’ environments, their ability to provide threat hunting or incident response services is in turn limited. This makes it difficult for them to provide meaningful or actionable insights into a customer’s alerts, which can be frustrating for both parties. Without visibility into the customer’s environment, it can also be hard to tell how well the services provided integrate with the customer’s existing tools, and to identify and filter out false positives.
While managed security service providers can help to cut alert volumes for the customer by filtering out some of the “noise”, SIEM-as-a-service offerings can, by nature, sometimes lack visibility and explainability.
What are the options?
What IT leaders really want is a more holistic service which delivers good visibility of anything incoming, and enables them to work efficiently to process actionable alerts at the other end. Both MSSPs and users would benefit from increased visibility, interrogation capabilities and joined-up alert data. Achieving this allows security analysts to become more proactive in their work.
How can SOC.OS help?
This is where SOC.OS comes in. It works like an extra member of the SecOps team, taking security alerts from across the business and enriching them with business context and third-party intelligence. It then groups these alerts into prioritised clusters for further action.
It’s all about giving stretched IT teams the intelligence they need to understand which threats to tackle first, optimising their productivity whilst helping to reduce risk, whether they are the internal security team at an organisation or an MSSP.