Over the years, many security organizations of all sizes have turned to SOC services offered by MSSPs and MDR providers to help supplement and replace internal security analysts. Whether it is to save money, quickly ramp up expertise in a certain areas like threat hunting, or to contend with long-term struggles in analyst recruitment, these arrangements certainly have their place in the world of security operations. However, they’re far from a magic wand for solving all of a SOC’s problems.
Even the best outsourced analyst still can never quite replace the utility and organizational fit offered by even just moderately skilled SOC analysts with hands on keyboards within your team. As someone who worked for one of those service providers for a long time, I can tell you from first-hand experience that you’re never going to get people as knowledgeable and as integrated into your teams as someone on company payroll.
Many organizations are recognizing this, which is why we’re starting to see the pendulum swing back to the desire to insource more SOC functionality these days. I believe that striking a good balance is key—even if you maintain SOC services, it’s crucial to maintain a core team of SOC and response analysts in house. Here’s why.
Internal analysts will always have access to more data than service provider analysts. Even with MDR and other services that assign your organization a point person to walk your organization through the process of incident analysis and response, these people are likely going to be asking a lot of questions to complete their investigations. There are frequently breaks in analysis in these situations because there are only so many data feeds and access points that your organization will be able to offer a third-party on an ongoing basis. They still need someone in-house to provide them with information or documentation on an ad hoc basis. This leads to the request, wait, request, wait scenarios slowing response and potentially mitigation efforts.
When I worked for a service provider, we had our own documentation about our customer, but we rarely had access to their documentation about their own tools. Although we could keep track of whatever we learned about their tool set, we were always outside looking in. Internal staff can prove invaluable to bridge that knowledge gap and carry the institutional memory that can make all the difference in understanding if something truly bad is happening or if an internal system is just doing the wonky thing that it always does in a given situation.
Having a team of internal analysts at the ready—even if they’re dual-hatting with other duties—can be a crucial success factor in ramping up for a major security incident. While an outsourced provider may be the ones who tip the organization off to a problem, the buck stops in-house with internal people. They’re the ones who will be working at 10 p.m. on a Friday to escalate and inform stakeholders across the business. You need them to coordinate response internally and externally and work the incident. The important thing to remember is that internal analysts maintain personal connections with crucial company stakeholders and other teams outside the SOC in a way that external analysts never can. That inner communication and personalization of having someone on your team who knows your people and knows your process is indispensable.
Organizations should also be careful that they maintain enough of these internal analysts that nobody is regularly overburdened. One of the bigger Issues that I used to run into as an outsourced analyst was when I’d work an incident with a company that maybe only had one or two internal people. Those skeleton crews were asked to do too much work to see the company through their incidents. They were often junior people who would obviously become quickly disgruntled because they were doing the work of what should have been shouldered by an entire team. And then their employers would scratch their heads when these folks would leave.
So rather than thinking about how to make things more efficient by cutting internal SOC staffers, it’s crucial that organizations plan for how to arm these people with better tools and improved training. Even when your organization is using service providers to fill in gaps, your internal people are a vital part of the SOC ecosystem.
Read more from Brandon Denker, Cyborg’s Director of Research and Intelligence, in his blog Automation is a Tool for Analysts – Not Vice Versa.