Implementing a coordinated Security Operation Center and Incident Response.

What Does it Take to Deploy a Hybrid, Multi-Vendor Security Operations Center (SOC) and Effective Incident Response (IR). Today’s organizations rely on multiple IT-Service providers and SaaS applications who may have their own Managed Security Service Providers (MSSP). Companies are often short staffed or lack the expertise necessary to build an effective SOC and Cyber Incident Response (IR) Center. As a result, most are saddled with a haphazard SOC and IR program.

Companies must consider a hybrid SOC that leverages their Service Provider’s SOC with clear expectations and responsibilities.

A hybrid SOC combines both internal resources (e.g., staff with the required expertise) and those from MSSPs. It also considers the following six key components to provide 24/7 IR:

1. Governance: Establishes business objectives, expectations and responsibilities, communication and escalation paths, KPIs and KRIs, and reporting.

2. People: Identifies the internal and external teams participating in the IR lifecycle.

3. Processes: Outlines processes for preparing, detecting, containing, eradicating, recovering, and continuously improving the SOC and IR.

4. Technology: Deploys the necessary tools and technologies for Security Information Event Management (SIEM), monitoring, case management, forensics, vulnerability management, and log collection, retention and disposal.

5. Sources: Carefully selects security event sources that enable effective IR for assets.

6. Threat Intelligence: Identifies threat intelligence sources that facilitate automated and manual cyber incident processing.

It is increasingly common for organizations to have multiple technology Service Providers and MSSPs. For example: your company may outsource endpoint and messaging security to one provider, and analytics and reporting to another provider, in addition to using Azure, AWS and GCP as platforms along with internal data centers.

The building blocks for a hybrid SOC are provided in the arrangement below, as well as how internal SOC staff and MSSPs work together to operate a hybrid SOC:
Having multiple MSSPs can offer numerous benefits if activities are orchestrated properly. First, it reduces stress on internal resources and ensures that IR is effectively managed. It also enables the internal SOC to expand coverage and manage IR progress without having to expend scarce resources.

However, when implementing a hybrid SOC and IR program, it is crucial to consider the following:

  • Roles and Responsibilities: Ensure all expectations and responsibilities are clearly documented, communicated, and reported. Key questions to ask are:

    1.  Who is detecting, responding, and mitigating incidents?

    2.  Who is handling Applications? Network? OS? VMs?

    3.  What is the escalation path for new incidents?

  • IR Playbooks & Rehearsals: Playbooks must be accessible and rehearsed. All SOC staff must know where playbooks are located and what steps to take to address incidents (e.g., phishing). Key questions to ask are:

    1.  Where are playbooks stored and how accessible are they to staff? Are staff trained on where they are located?

    2.  Are playbooks too lengthy or difficult to understand?

    3.  Are playbooks reviewed, rehearsed and updated annually?

  • Communication Channels: Organizations must have defined channels available to communicate with MSSPs. Regular reporting is also vital to establishing an effective SOC. This involves collecting KPIs and KRIs from all MSSPs. Key questions to ask are:

    1.  Who are key points of contact for IR?

    2.  What specific processes are being taken to address security events?

    3.  KPI and KRIs – what are MSSPs exactly doing?

  • Ticketing and Case Management: Whether using an internal team or MSSP portal to record incidents, tickets must be easy to create, track, and escalate. They act as a communication point between impacted individuals and the SOC. They also prove vital for continuous improvement after an incident is mitigated. Key questions to ask are

    1.  Are ticketing systems readily accessible?

    2.  What do existing incident response times look like?

    3.  Can we see the history of a security event – or just a snapshot?

  • Auditing: Continuous improvement ensures that the hybrid SOC and IR processes evolve and mature. Key questions to ask are:

    1.  What are lessons learned from organizational security incident response plans and processes?

    2.  Are relevant staff members adequately trained on incident response?

    3.  What is the feedback from the SOC and staff members? Is everyone’s input being considered?

RiskView offers over 20 years of support with building hybrid SOCs using these key building blocks.

For more information, contact us at  | 416-997-2824 | RiskView, Inc. | 2230 Lakeshore Blvd. West, Unit 3507, Toronto, Ontario, M8V-0B2