In-house SOC vs. MSSP for Managing Security Events: Not as Difficult as Finding Magic Stones
These days, finding a qualified and available Security Analyst seems more difficult than locating an Infinity Stone in the Marvel Universe. Like Thanos, I’m sure many CISOs are wishing they could snap their fingers and, instead of destroying half the population, create an army of security professionals to manage the complex threat landscape.
Due to the massive gap in available security skill sets and qualified people, many organizations are outsourcing at least a portion of their operations to Managed Security Service Providers (MSSP). This seems to be a reasonable alternative, but just like in-house security operations, MSSPs have their share of challenges. In this blog, we will discuss those challenges to help you determine if an MSSP is the right security operations model for your organization. Then if you decide to keep security operations in-house, we'll share a better alternative that doesn’t involve voyaging through the galaxy hunting for magical stones.
6 considerations when working with or hiring an MSSP
- Get ready for a long ramp: According to Gartner, onboarding time for an MSSP is 1 to 4 months.* This long onboarding period means organizations that are thinking about hiring an MSSP must be patient. Just remember that bad actors are not so tolerant and will not wait for you to get on board and set up with your MSSP before they attack.
- Typical outsourcing issues: MSSPs have many customers, so they lack intimate knowledge of a single customer’s network or infrastructure. This makes it extremely difficult to perform effective analysis of that customer’s unique security configuration and requirements.
- Take a number: Like any organization, MSSPs have resource constraints. MSSPs will typically devote resources to larger customers who tend to pay the most when the largest incidents hit or volumes peak.
- We've got you covered—not so much: Due to the high volume of alerts they are trying to manage, MSSPs will usually tune down sensors. That means the MSSP’s ability to identify an attack will degrade.
- Law of diminishing returns: Just like any organization, MSSPs face high analyst turnover and resource shortages. When an analyst leaves the MSSP, customers suffer, as they are paying the same price for lower quality results. Additionally, the MSSP must refocus its attention on hiring new talent from an already dwindling pool of candidates, which adversely impacts the current level of service that the customer receives. This problem can often become worse over time.
- Cookie cutter solutions: MSSPs have an uncustomizable delivery model. In other words, the MSSP model is optimized for their business, not for the requirements of the customer.
These challenges are merely a sampling of a much larger set of difficulties that service providers face, demonstrating that the MSSP alternative may not be the best for every organization. When moving to an MSSP or using one, carefully think through all of the challenges listed above, as these will impact the amount of time you need to investigate false positives and may cause you to miss important attacks or threats. Of course, you might decide to keep your security operations in-house, but you will likely face many of the same challenges as the MSSP.
And finally, remember there is a third alternative that doesn’t require you to search the galaxy for that elusive security expert. Robotic Decision Automation software for security operations will automate event analysis, management, and triage. The Respond Analyst delivers these capabilities, performing just like an expert analyst, but at machine speed and with 100% consistency.
If addressing the skills gap with software seems like an alternative for you, please visit the following pages for more information:
*Gartner, “How to Work with an MSSP to Improve Security,” January 30, 2018