Any cyber security service is based on three core pillars of security operations which are people, process and technology. It is a known fact that Security Information and Event Management or SIEM is a complex technology and requires skilled resources to implement and manage. In addition, SIEM loses its value if alerts are not fine-tuned regularly and noise aka false positives are not suppressed. The primary reason why most SIEM implementations fail is the lack of effective management and regular monitoring.
For any SIEM to be able to detect the latest threats, requires continuous security use case development by translating latest threats into use-cases which can then be alerted and responded. A lack of regular use case development and implementation also impacts the ROI of an SIEM solution.
In case of managed security service providers, all the responsibilities for implementation and management are transferred to service providers, for whom this a prime responsibility. Hence, assurance with regard to effective management of the SIEM infrastructure is very high with the outsourced model.
A SIEM which is not regularly monitored will add little or no business value, hence it is important to have 24x7x365 monitoring and analysis to be able to detect attacks, malicious connection or any anomalies. This round the clock cover requires a dedicated security operations team of at least ten members. Also, this team needs to be regularly trained on the latest threats and different technology within the organisation’s infrastructure.
If a company is able to hire, train and retain such skills, it may be good consideration to run the security operations centre in-house. However, considering the dynamics involved, in most cases, it may make business sense to transfer this responsibility to a partner who can demonstrate the right level of capabilities and commitment to provide this as a service.
By engaging a managed security service provider, businesses also get the advantage of the skills and knowledge the analysts have attained while managing diverse security infrastructure elements and attacks that have targeted other customers.
For effective security operations, it is important to adapt an incident lifecycle that is based on the type of incident and its impact. Some guidance around standard lifecycle can be derived from SANS incident handling methodology, however it may need to be tweaked based on type of incident.
Some managed security service providers adopt a dynamic incident lifecycle based on the type of incidents by pre-populating tasks which should be completed to effectively manage the incidents. This ensures the consistency and quality of incident handing.
While considering an in-house implementation, businesses need to factor cost of hardware required to set up the SIEM infrastructure and the associated annual support contracts which could be somewhere between 15% and 30% of the initial capital. With managed security service providers, this cost could be converted into operational costs without the need for heavy initial investment.
From a cost perspective, the cost of in-house implementation may start making sense after a period of four to five years. However, like any other technology, SIEM may also require a revamp thereby adding to this cost again.
SIEM Infrastructure requires regular maintenance and development to be able to detect new attacks. Generally, if security is not the prime focus for an organisation, there may be lack of emphasis thereby impacting the effectiveness of the solution.
By engaging a managed security service provider, your organisation can get benefits from regular development work, which is generally practiced by most services providers. This is essential as it enables them to detect new attacks, which are ever evolving.
Effective security operations use both known and unknown threats, and threat intelligence which provides lists of known threats by means of reputation, known bad IPs, malicious hashes, others. Hence, it is important to have threat intelligence incorporated into security operations.
Although there are multiple free and commercial providers of threat feeds, if this information is not effectively filtered, it may not add a lot of value. Some managed security service providers are able to qualify and apply threat intelligence relevant to business they are supporting by geography, and business vertical.
Managing your security services inhouse or outsourcing, have their share of advantages and disadvantages, explains Majid Khan at Help AG.