Threat prevention, monitoring, detection and response are vitally important for all businesses.
However, the problem for many organisations is that building and running an in-house Security Operations Centre (SOC) to perform these important functions 24/7 is cost-prohibitive and requires a level of security expertise most don’t have.
Without a SOC, organisations can be left exposed. Even those with large IT teams often lack the time and specialist expertise to monitor security events around the clock, tune technologies to identify genuine threats and reduce false positives, or respond quickly to incidents.
The Hybrid SOC approach, where security responsibilities are divided between in-house teams and a Managed Security Service (MSSP) or Managed Detection and Response (MDR) provider, can be an ideal solution for organisations looking to improve threat visibility, overcome resourcing challenges and add specialist security capabilities.
What is a Hybrid SOC?
A Hybrid SOC is a Security Operations Centre that is staffed by both in-house and outsourced security professionals, either on-site or remotely.
The Hybrid SOC is not a new concept – similar models have been adopted by organisations for many years, but the associated flexibility, scalability and cost savings are proving increasingly popular with organisations that need support to achieve a higher level of cyber maturity.
Bridging the security skills gap
Gartner predicts that by 2022, 50% of all SOCs will transform into modern SOCs with integrated incident response, cyber intelligence and threat hunting capabilities, up from less than 10% in 2015. To achieve this, all but the largest organisations will need to consider outsourcing, at least in the shorter term while in-house expertise is developed over time.
Reasons to choose a Hybrid SOC
The Hybrid SOC model can be used by organisations to help address a wide variety of security challenges. Organisations may choose to augment their in-house SOC capabilities by enlisting the assistance of external providers for:
An attractive option for businesses that want to maintain as much control as possible over their security operations, this approach involves an organisation operating all security functions in-house during the day but outsourcing them out of hours. Daily handovers and establishing accountability can, however, prove challenging.
Routine maintenance and monitoring
For organisations that want to reduce the strain on in-house teams, another popular Hybrid SOC approach is to enlist the support of an MSSP to completely oversee 24/7 monitoring of existing prevention and detection technologies, while more in-depth analysis, as well as incident response and remediation, is handled internally.
An approach that can be particularly useful for mid-market organisations is to oversee perimeter network security and firewall management in-house, but utilise a managed service or MDR provider to undertake log management and behavioural monitoring inside the network.
Endpoint Detection and Response
Many organisations have intrusion detection and SIEM systems to identify network-based attacks but have limited visibility of threats that target endpoints. An increasingly popular Hybrid SOC approach is to enlist an external provider to deploy and utilise advanced Endpoint Detection and Response (EDR) tools to perform proactive threat hunting and forensic analysis, as well as facilitate faster incident response through threat containment and disruption.
Supplementary detection technologies and intelligence
Innovation within the security industry means that new technologies and threat intelligence feeds are continuously being adopted by businesses to better prevent and respond to threats. Cutting-edge technology can, however, be beyond the financial reach of all but the largest enterprises. This has prompted many businesses to seek out specialist MDR providers to provide a turnkey solution that combines the latest technologies and aggregated intelligence as part of a subscription service.
Advanced technologies could include machine learning and traffic analysis solutions, used to improve visibility and obtain additional context around alerts, and Security Orchestration, Automation and Response (SOAR), which enables the aggregation of data and intelligence from a range of sources and the creation of standardised incident response workflows. Cloud security is a growing concern, and many organisations are also turning to providers that can deliver these capabilities across their cloud, hybrid and virtual environments.
Choosing a Hybrid SOC model
No two businesses are the same and, as such, outsourcing requirements differ. While the Hybrid SOC options above give an idea of what is available to businesses, most will use a combination of approaches.
When choosing a Hybrid SOC model, it’s important to consider the tools and resources your organisation has in-house and the main security challenges you are looking to address. Flexible, vendor-agnostic providers will be able to recommend the best technologies for each environment and create a tiered solution to produce the widest and most effective security coverage.
A successful Hybrid SOC project will often depend on having the right KPIs and SLAs in place and regularly reported. It is also vital to ensure responsibilities and accountability are clearly defined at the outset.
Why choose Redscan?
Redscan is an award-winning provider of managed security services designed to help organisations mitigate the risk of suffering breaches by improving their ability to detect and respond to the latest cyber-threats.
ThreatDetect™, our Managed Detection and Response service, combines world-class security expertise, network and endpoint detection technologies and aggregated security intelligence to hunt for, respond to and remediate threats across our clients’ on-premises, cloud and hybrid environments. With flexible deployment options and a vendor-agnostic approach to technology, we can work around your current technology stack, and our service can be tailored to the changing needs of your business.
Integrating scenario-based testing as part of ThreatDetect also helps us to validate and improve performance by running regular breach and attack simulations mapped to the MITRE ATT&CK framework.
Whether you’re looking for a fully outsourced service or a custom solution to augment your in-house SOC, Redscan is here to help.