Why Cyber Success Depends on the Evolution of the SOC

By Chase Richardson, Lead Principal at Bridewell

The last year has seen its fair share of high-profile cyber-attacks on a global scale. A ransomware attack on the Los Angeles Unified School District in September 2022 by Russian-speaking gang Vice Society saw 500 gigabytes of personal data stolen from around 600,000 enrolled students in over 1,000 schools. When the district declined to negotiate the ransom, legal records, driver’s license numbers, student assessment records and even positive Covid test results were published online.

Even more damaging was the release of student psychological evaluations which contained details around medications, diagnoses, incidents of abuse and past traumas. With more pressure falling on the Los Angeles Unified School District for failing to acknowledge that these records existed, the breach highlights the gap in federal privacy laws, and the need for visibility across all areas of cybersecurity.

With sensitive data at risk, businesses can’t rest on their laurels. Security operations centers (SOCs) act as the nerve center for defenses against cyber dangers as part of a modern cybersecurity strategy. With human expertise involved, SOCs use 24/7 surveillance and responsiveness to proactively hunt for risks and to monitor and respond to real-time security threats, while also reducing detection and response time.

The traditional approaches to threat prevention, such as monitoring and notification, are no longer suitable. Threat detection and response capabilities are needed to minimize cyber-attack impact and strengthen the business to approach future threats with confidence. The SOC is the driving force behind this capability.

SOC model types

There are numerous SOC models to choose from. Many organizations are likely to be drawn towards in-house management for full control over their operations. Our recent research revealed 38% of US critical national infrastructure organizations are currently adopting a dedicated or internal SOC. An in-house SOC can also be customized to meet very specific needs and requirements, enabling the organization to tailor policies, procedures, and security controls to their unique risk profile.

A fully in-house approach can, however, bring drawbacks. For example, as IT estates spread and perimeters expand, so does the number of tools needed to cover the cloud and all possible vulnerabilities. Each of these tools must be expertly configured, supported, and monitored 24/7, to the highest standards. To add to the challenge, many organizations currently have tools that are poorly integrated, or have overlaps or dangerous gaps in coverage that could leave them exposed.

The skills shortage in the sector is also a persistent issue. Of those that do make up the workforce, it’s estimated that 62% of professionals in the U.S. have less than four years of experience. Stretched teams therefore have little time to deal with the numerous alerts that come in, with almost no opportunity to respond, let alone monitor in the first place. A large quantity of false positives may also create excessive noise that needs to be sifted through and will lead to inaccurate reporting.

A fully outsourced service sits at the opposite end of the scale. On the surface, this seems to be the obvious alternative and provides access to much-needed external expertise. A managed security services provider (MSSP) will typically provide an end-to-end threat detection and response service, helping in-house IT teams to understand potential risks. They usually have a wider range of threat intelligence platforms to inform detection capabilities and can access open-source intelligence from across the web. A fully outsourced SOC can also be easily scaled up or down based on the organization’s changing needs and budgets. 

Fully outsourced services can be problematic in that MSSPs typically lack the inside knowledge of the business. This can lead to communication challenges with the organization’s internal IT teams, which then makes it difficult to mount a coordinated response to security incidents. Remoteness from an organization’s operations can also result in difficulties integrating with their existing IT infrastructure, causing delays, false alarms, additional costs, or even friction and indifference.

The benefits of hybrid

A hybrid SOC model, on the other hand, can make the most of the benefits offered by in-house and outsourced variants, while removing any drawbacks. The hybrid SOC makes the most of the knowledge and skills of professionals already within the business alongside the expertise of the MSSP. A key focus is on collaboration between the two teams and on suggested improvements. It might be that the MSSP takes responsibility for threat intelligence, security engineering or managed architecture. However, flexibility is important to adapt to changing business needs.

There are many examples of successful hybrid SOC models. Manchester Airport Group (MAG) leveraged a hybrid model to safely transition from an outsourced to in-house SOC setup. It was provided with the confidence and expertise to fully upskill team members, resulting in significant cost savings on training and a greatly enhanced security posture. Bridewell’s research found this model of SOC is most popular, with 41% of CNI organizations opting for a hybrid approach.

A hybrid SOC empowers businesses to respond to cyber threats while giving staff the opportunity to make improvements. An MSSP in this setup can take the lead on the high value incidents, but also develop the skills of in-house personnel. Security orchestration, automation and response (SOAR) tools can be better utilized for investigation and action. Developers are also able to build custom API-based integrations to enable even greater efficiencies beyond SOAR setups.

It must be noted, however, that regardless of the SOC type chosen, ongoing training of employees is key. Effective threat detection and response relies on security teams being knowledgeable and coordinated at all times. Organizations must provide regular, multilayered cybersecurity education to all SOC personnel, complete with hands-on opportunities to practice their skills in real-world situations. This training will ensure that SOC teams keep pace with the latest threats and technologies.

The best of both worlds

Growing threats, such as ransomware, are striking fear in organizations. A SOC model is vital to defend against increasingly threatening cyber-attacks, but businesses must consider the type utilized to ensure success. Rather than fully commit to either an outsourced or in-house deployment, a hybrid model is the perfect blend. It allows staff to access relevant expertise while eradicating any recruitment concerns, and to keep pace with emerging threats or trends. Accessing the benefits of a hybrid model ultimately drives much-needed improvements in cybersecurity posture.

Chase Richardson lives in Houston, TX, where he leads US Operations at Bridewell, a global cybersecurity consulting firm. He joined Bridewell last year to open its first US office. Prior to Bridewell, Chase was a founding member of another cybersecurity consulting firm in Houston, where he helped grow the business from 5 to 50 employees over 4 years, specializing in Cybersecurity Risk, Governance, and Compliance, Offensive Penetration Testing, Security Operations and Data Privacy. Chase has an MBA from Emory University and is a Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional.
