“You simply cannot do incident response and all the functions of a security operations center anymore without vendor operational support.” That is a paraphrased version of what a colleague told me recently. At first, I raised my eyebrows; I’m a huge believer in self-reliance. After more consideration, though, I saw more than a little truth in the statement.
A typical modern SOC covers numerous functions, including incident response, intrusion detection system (IDS) monitoring, threat hunting and threat intelligence. And that’s pretty much the bare minimum. Of course, in smaller environments, some of those functions may well be handled by the same person, but the functions nonetheless need to be there. This is 2016, after all.
Almost all of the functions of a SOC depend on substantial and fairly specialized tooling: IDSs, security information and event management (SIEM) platforms, correlation and search tools, and a host of deeply technical tools such as disassemblers, decompilers and malware unpackers. Clearly, you’re going to have several vendors in that mix, though supplying a tool is not the same as lending operational support.
Some of the tools require specialized training as well. Becoming proficient at things such as IDS and malware analysis is not something you can do by reading a vendor’s sales brochures. But again, tool training is a support element, albeit a vital one. What about operations?
In the past 15 to 20 years, a cadre of security operations companies has appeared, companies that provide everything from staff augmentation during major incidents to deeply specialized services such as malware reverse engineering. Even threat intelligence companies have popped up. These companies provide expert support from their teams of engineers who specialize in threat monitoring and analysis. They can be highly effective at providing actionable technical information that can save a SOC staff a great deal of effort.
So, yeah, I fully recognize there are companies out there that can offer enormously helpful services during times of crisis. But are they essential? Well, from firsthand observations of SOCs over the past five years, I can’t think of a single one that doesn’t have a dozen or so vendors on speed dial for operational support issues. Some of these aren’t used often, but when they’re needed, they’re really needed.
Put differently, you probably could build a top-notch SOC without operational support, but you’d need expert-level staff spanning several highly technical functions, some of which, in all likelihood, you’ll only have occasional use for. Even if you can afford to train and drill staff to that level of proficiency, you’re likely to have an unacceptable turnover rate if your technical A team is sitting around twiddling their thumbs much of the time.