Gain greater control and stay protected with hybrid Security Operation Centres


By Annemarie Grass


It has been reported that the number of ransomware attacks worldwide increased by 13% over 2020–21, a larger increase than the previous years combined [1]. Consistent with these global trends, ransomware attacks have also proliferated in Australia. The ACSC received almost 500 ransomware-related cybercrime reports in the 2020–21 financial year, an increase of about 15% on the previous financial year, and across the board the rate of cybercrime continues to increase.

The alarming rise and severity of ransomware attacks and other cyber threat vectors means all organisations must have their best defences up. And while there’s no cybersecurity silver bullet, Security Operations Centres (SOCs) have at least provided an organisational construct for bringing together defensive tools, people and processes.

SOCs are a central location where security analysts and engineers build, operate and enhance tooling that provides visibility across an organisation's technology environment. SOCs provide organisations with the best chance to detect an attacker in the early stages of their attack and respond before they have the opportunity to carry out significant damage or theft of data. For most organisations, SOCs are the front line in their defensive security arsenal, but they are also exceedingly difficult to get right.

There are the deeply technical challenges of wading through the hundreds of potential logging sources and getting them into a central technology platform. Then you need analysts with an inherently curious mindset and a love of data to go searching for the breadcrumbs of an attack, all within the usual constraints of tight budgets and organisational demands to show value. These are also skills in high demand, with a premium price tag attached.

Enter the Managed Detection and Response (MDR) operating model provided by the cyber security industry, a popular solution for organisations that cannot train, retain and pay for talent. MDRs offer integrated teams to engage with and a seamless customer experience for day-to-day incident triage and incident management, which is what attracts customers to this type of model.

In cyber, there’s a lot of glitter. While hard and fast metrics like SLAs illustrate how well a vendor is holding up their end of a contractual bargain, they aren’t always meaningful. They don’t provide insight into the day-to-day functioning and effectiveness of a SOC: what’s really happening inside the MDR black box.

Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) are indicators of how fast a security alert is being acknowledged and passed to an analyst to investigate, but they don’t measure the quality of the work performed or the value of the insight provided back to the customer. They also set the minimum acceptable service level at which no financial penalty is paid, which is often all the service provider is incentivised to deliver. More time spent on each customer means less scale and less profit.
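To make the distinction concrete, here is an added example (not from the article or from PwC) that computes MTTD and MTTR over a constructed set of alert records and checks them against SLA thresholds. The record layout, the thresholds, and the definitions used (MTTD as raised-to-acknowledged, MTTR as raised-to-closed) are assumptions for illustration. The constructed data is deliberately chosen so that the SLA is comfortably met while four of the five alerts were closed as benign within minutes with no investigation notes, which is exactly the gap the paragraph above describes: the speed metrics say nothing about what the analyst actually did.

```python
from datetime import datetime
from statistics import mean

# Constructed alert records for illustration only (not real SOC data).
# Timestamps are ISO 8601 strings, as a SIEM or ticketing export might provide.
# "notes" stands in for the analyst's written investigation record.
ALERTS = [
    {"id": "A-1", "raised": "2023-03-01T09:00:00", "acked": "2023-03-01T09:04:00",
     "closed": "2023-03-01T09:06:00", "disposition": "benign", "notes": ""},
    {"id": "A-2", "raised": "2023-03-01T09:10:00", "acked": "2023-03-01T09:12:00",
     "closed": "2023-03-01T09:13:00", "disposition": "benign", "notes": ""},
    {"id": "A-3", "raised": "2023-03-01T09:20:00", "acked": "2023-03-01T09:31:00",
     "closed": "2023-03-01T09:33:00", "disposition": "benign", "notes": ""},
    {"id": "A-4", "raised": "2023-03-01T10:00:00", "acked": "2023-03-01T10:03:00",
     "closed": "2023-03-01T10:04:00", "disposition": "benign", "notes": ""},
    {"id": "A-5", "raised": "2023-03-01T11:00:00", "acked": "2023-03-01T11:10:00",
     "closed": "2023-03-01T12:20:00", "disposition": "true_positive",
     "notes": "Host isolated and credentials reset after confirming the alert."},
]


def _minutes(start: str, end: str) -> float:
    """Elapsed minutes between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def mttd_minutes(alerts) -> float:
    """Mean Time to Detect: raised -> acknowledged by an analyst (assumed definition)."""
    return mean(_minutes(a["raised"], a["acked"]) for a in alerts)


def mttr_minutes(alerts) -> float:
    """Mean Time to Respond: raised -> closed (assumed definition)."""
    return mean(_minutes(a["raised"], a["closed"]) for a in alerts)


def sla_met(alerts, mttd_sla: float, mttr_sla: float) -> bool:
    """True when both averages sit within the contractual thresholds."""
    return mttd_minutes(alerts) <= mttd_sla and mttr_minutes(alerts) <= mttr_sla


def investigated_fraction(alerts) -> float:
    """Share of alerts that carry any investigation notes at all.

    This is a crude quality proxy chosen for the example; it is not a metric
    the article defines. It exposes what MTTD/MTTR cannot: fast closures
    with nothing written down.
    """
    return sum(1 for a in alerts if a["notes"].strip()) / len(alerts)


def sla_report(alerts, mttd_sla: float = 15, mttr_sla: float = 30) -> dict:
    """Side-by-side view of the contractual numbers and the quality proxy."""
    return {
        "mttd_minutes": round(mttd_minutes(alerts), 2),
        "mttr_minutes": round(mttr_minutes(alerts), 2),
        "sla_met": sla_met(alerts, mttd_sla, mttr_sla),
        "investigated_fraction": investigated_fraction(alerts),
        "closed_benign_fraction": sum(1 for a in alerts if a["disposition"] == "benign") / len(alerts),
    }


if __name__ == "__main__":
    for key, value in sla_report(ALERTS).items():
        print(f"{key:>24}: {value}")
```

On this constructed data the SLA passes (MTTD 6.0 min, MTTR 21.2 min against 15 and 30), yet only one alert in five has any investigation record. A customer reviewing a hybrid or managed SOC would want the second kind of number in the weekly report alongside the first.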

Whilst the MDR model has provided many organisations with some degree of basic coverage, it’s proven less effective than first thought. Some of the common feedback from customers includes:

  • Different analysts working on their account each week
  • Limited working relationships with MDR providers; 'an impersonal service'
  • Limited understanding of their business objectives, risks and technology environment
  • Generic and often automated weekly reports that provide limited insights and value
  • Data sovereignty concerns where overseas staff are accessing technology environments in ‘follow-the-sun’ models
  • Inability to access their own data, or being charged fees for the privilege
  • Expensive transition-in and transition-out costs, leading to entrenchment on a vendor’s platform
  • A general feeling that the operation is largely 'a black box'

Hybrid or ‘co-managed’ SOC models aren’t new, but they are gaining momentum with customers wanting greater control over their data and technology investments. In a hybrid model, the customer owns the technology and data (and often provides a few operational staff with good knowledge of the business), and the industry partner provides team capacity, technical expertise, mature procedures and documentation, and intellectual property accelerators to quickly uplift capability. Significant investment in the ‘hyperscaler’ platforms by most organisations has made transition-in costs negligible.

The benefits gained from a people, process and technology perspective are making hybrid SOCs an attractive choice. As the combined team is working together on improving the customer’s technology, the customer retains all of the improvements made over time. Future decisions around insourcing or outsourcing become easier, as the spectre of vendor lock-in no longer factors into the decision. Furthermore, customers retain control over where their data is stored, reducing data sovereignty risks.

The hybrid model facilitates process improvement, and through interactions with an augmented team, the customer’s own SOC analysts also improve their skills and industry knowledge. It promotes a ‘one team’ approach, where the hybrid team is focused on delivering long-term improvements for the organisation rather than merely avoiding SLA breaches.

A working hybrid SOC solution helps clients refocus security analysts and engineers on remediation and high-value work that requires in-depth understanding of the broader organisational context. When a hybrid approach is functioning optimally, clients can expect content, integrated teams, continually improving network visibility, robust incident management and a focus on continuous improvement. SOC data can also be leveraged to solve broader business problems like fraud and non-cyber insider risks.

As a community of solvers, PwC understands the importance of working together with your organisation to create the right SOC operating model for your business, giving your organisation the visibility you need to detect, respond and recover from cyber attacks. We know what good looks like for Security Operations. Why not talk to us about sharing our learnings and best practice on Security Operations? Or better yet, talk to us about our Hybrid SOC operating model.


[1] 2022 Verizon Data Breach Investigations Report

Contact us

PwC Australia

General enquiries, PwC Australia

Tel: +61 2 8266 0000
