Should you invest or outsource your security operations

18 April, 2017

Majid Khan is Managed Security Services Architect at Help AG.

As with any security service, the three core pillars of operations are people, process and technology. To simplify the comparison, we look at each of them in two scenarios: as an in-house Security Operations Centre and as a Managed Security Services Provider.

It is a known fact that Security Information and Event Management is a complex technology and requires skilled resources to implement it and to manage its infrastructure. In addition, Security Information and Event Management loses its value if alerts are not fine-tuned regularly and noise, that is, false positives, is not suppressed. The primary reasons why most Security Information and Event Management implementations fail are a lack of effective management and of regular monitoring.

For any Security Information and Event Management solution to detect the latest threats, it requires continuous security use-case development: translating the latest threats into use-cases, which can then be used for alerts and responses. A lack of regular use-case development and implementation also impacts return on investment in Security Information and Event Management.

In the case of Managed Security Service Providers, the responsibilities for implementation and management are transferred to the service provider, for whom this is a prime responsibility. Hence, assurance about effective management of the Security Information and Event Management infrastructure is very high with the outsourced model.

A Security Information and Event Management solution that is not regularly monitored will add little or no business value. It is therefore important to have 24x7x365 monitoring and analysis to be able to detect attacks, malicious connections or any anomalies. This round-the-clock cover requires a dedicated security operations team of at least ten members. The team needs to be regularly trained on the latest threats and on the different technologies within the organisation’s infrastructure.


If a company is able to hire, train and retain such skills, it may be a good consideration to run the Security Operations Centre in-house. However, considering the dynamics involved, in most cases it may make business sense to transfer this responsibility to a partner who can demonstrate the right level of capabilities and commitment to provide this as a service.

By engaging a Managed Security Services Provider, businesses also get the advantage of the analysts’ skills and knowledge, gained while managing diverse security infrastructure elements and handling the latest attacks impacting other customers.

Some Managed Security Services Providers adopt a dynamic incident lifecycle based on the type of incident, pre-populating the tasks that should be completed to manage the incident effectively. This ensures consistent quality of incident handling.

When considering an in-house implementation, businesses need to factor in the cost of the hardware required to set up the Security Information and Event Management infrastructure and the associated annual support contracts. These could be somewhere between 15% and 30% of the initial capital. With Managed Security Services Providers, this cost could be converted into operational expenditure without the need for significant initial investment.

From a cost perspective, an in-house implementation may start making sense after a period of four to five years. However, like any other technology, Security Information and Event Management may also require an upgrade or revamp, thereby adding to this cost again. Security Information and Event Management infrastructure requires regular maintenance and development to be able to detect new attacks. Generally, if security is not the prime focus for an organisation, there may be a lack of emphasis, thereby impacting the effectiveness of the solution.

By engaging a Managed Security Services Provider, organisations benefit from the regular development work that most service providers generally practise, which equips them to detect new, ever-evolving attacks.


Majid Khan at Help AG explores pros and cons of managing a SIEM solution in-house or through a managed services provider.

