EXPERT SPEAK
Outsourcing your security events management
Managing security services in-house or outsourcing them: each has its share of advantages and disadvantages, explains Majid Khan at Help AG.
Any cyber security service rests on the three core pillars of security operations: people, process and technology. Security Information and Event Management (SIEM) is a complex technology that requires skilled resources to implement and manage. A SIEM also loses its value if its alerts are not fine-tuned regularly and noise, that is, false positives, is not suppressed. The primary reason most SIEM implementations fail is a lack of effective management and regular monitoring.
For a SIEM to detect the latest threats, it needs continuous use-case development: each new threat has to be translated into a detection use case that the SIEM can alert on and the operations team can respond to. A lack of regular use-case development and implementation also reduces the ROI of the SIEM solution.
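As an added example (not the author's or Help AG's code), here is what one such use case looks like once a threat has been translated into detection logic, together with the tuning the paragraphs above call for. A brute-force rule is run over constructed sshd-style authentication lines; the log lines, IP addresses, threshold and window are assumptions, and the `suppressed_sources` parameter is the tuning knob that removes a known-noisy source (an authorised vulnerability scanner) so the rule stops raising false positives.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style authentication events (documentation IP ranges; not real logs).
# 203.0.113.45 is the attacker; 10.0.0.9 is an authorised vulnerability scanner whose
# credential checks look exactly like a brute-force attempt to an untuned rule.
SAMPLE_LOGS = """\
2024-03-01T08:00:01Z sshd[1] Failed password for admin from 203.0.113.45 port 51234
2024-03-01T08:00:03Z sshd[1] Failed password for admin from 203.0.113.45 port 51235
2024-03-01T08:00:05Z sshd[1] Failed password for root from 203.0.113.45 port 51236
2024-03-01T08:00:07Z sshd[1] Failed password for root from 203.0.113.45 port 51237
2024-03-01T08:00:09Z sshd[1] Failed password for admin from 203.0.113.45 port 51238
2024-03-01T08:00:11Z sshd[1] Accepted password for admin from 203.0.113.45 port 51239
2024-03-01T08:05:00Z sshd[1] Failed password for svc-scan from 10.0.0.9 port 40000
2024-03-01T08:05:02Z sshd[1] Failed password for svc-scan from 10.0.0.9 port 40001
2024-03-01T08:05:04Z sshd[1] Failed password for svc-scan from 10.0.0.9 port 40002
2024-03-01T08:05:06Z sshd[1] Failed password for svc-scan from 10.0.0.9 port 40003
2024-03-01T08:05:08Z sshd[1] Failed password for svc-scan from 10.0.0.9 port 40004
2024-03-01T09:00:00Z sshd[1] Failed password for alice from 10.0.0.21 port 40100
2024-03-01T09:30:00Z sshd[1] Failed password for alice from 10.0.0.21 port 40101
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\] (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(text):
    """Turn raw lines into event dicts; lines the rule does not understand are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def brute_force_alerts(events, threshold=5, window=timedelta(seconds=60),
                       suppressed_sources=frozenset()):
    """Use case: at least `threshold` failed logins from one source inside `window`.

    Severity is raised to 'high' when a successful login from the same source
    follows the burst before the window closes. `suppressed_sources` is the
    tuning knob: known-noisy sources are dropped before the rule is evaluated.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        if src in suppressed_sources:
            continue
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "Failed"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            deadline = first["ts"] + window
            success_after = any(
                e["outcome"] == "Accepted" and burst[-1]["ts"] <= e["ts"] <= deadline
                for e in evs
            )
            alerts.append({
                "use_case": "ssh-brute-force",
                "src": src,
                "failures": len(burst),
                "users": sorted({f["user"] for f in burst}),
                "first_seen": first["ts"].isoformat(),
                "severity": "high" if success_after else "medium",
            })
            break  # one alert per source; one alert per failure would be an alert storm
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    print("untuned:", brute_force_alerts(events))
    print("tuned:  ", brute_force_alerts(events, suppressed_sources={"10.0.0.9"}))
```

Run untuned, the rule fires twice, once on the attacker and once on the scanner; with the scanner suppressed it fires once, and the attacker's alert is escalated to high because the burst ended in a successful login. The suppression list is exactly the kind of artefact that goes stale if nobody owns the SIEM: when the scanner moves to a new address the false positives return.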
With a managed security service provider, all responsibility for implementation and management is transferred to the provider, for whom this is a prime responsibility. Hence, provided the service levels for tuning and monitoring are defined and measured, assurance that the SIEM infrastructure is effectively managed is very high in the outsourced model.
A SIEM that is not regularly monitored adds little or no business value, so it is important to have 24x7x365 monitoring and analysis in order to detect attacks, malicious connections or other anomalies. Round-the-clock cover requires a dedicated security operations team of at least ten members, and the team needs regular training on the latest threats and on the different technologies in the organisation's infrastructure. If a company is able to hire, train and retain such skills, running the security operations centre in-house may be a good option. However, considering the dynamics involved, in most cases it makes business sense to transfer this responsibility to a partner who can demonstrate the right level of capability and commitment to provide it as a service.
By engaging a managed security service provider, businesses also benefit from the skills and knowledge the provider's analysts have gained while managing diverse security infrastructure elements and handling attacks that have targeted other customers.
For effective security operations, it is important to adopt an incident lifecycle that reflects the type of incident and its impact. Guidance on a standard lifecycle can be taken from the SANS incident handling methodology (preparation, identification, containment, eradication, recovery and lessons learned), although it may need to be adapted to the type of incident.
Some managed security service providers adopt a dynamic incident lifecycle in which, for each type of incident, the tasks that must be completed to manage it effectively are pre-populated. This ensures consistency and quality in incident handling.
When considering an in-house implementation, businesses need to factor in the cost of the hardware required to set up the SIEM infrastructure and the associated annual support contracts, which could be somewhere between 15% and 30% of the initial capital outlay. With a managed security service provider, this capital cost is converted into an operational cost without the need for heavy initial investment.
Majid Khan, Manager Cybersecurity Managed Services at Help AG.
From a cost perspective, in-house implementation may start to make sense after a period of four to five years. However, like any other technology, a SIEM may by then require a revamp, adding to the cost again.
SIEM infrastructure requires regular maintenance and development to be able to detect new attacks. Generally, if security is not an organisation's prime focus, this work receives less emphasis and the effectiveness of the solution suffers. By engaging a managed security service provider, your organisation benefits from the regular development work that most service providers practise, which is essential to keep detecting attacks that are ever evolving.
Effective security operations must deal with both known and unknown threats. Threat intelligence covers the known side by providing reputation data and lists of known threats such as bad IP addresses and malicious file hashes, so it is important to incorporate threat intelligence into security operations.
Although there are multiple free and commercial providers of threat feeds, the information adds little value unless it is effectively filtered. Some managed security service providers are able to qualify threat intelligence and apply only what is relevant to the business they support, by geography and by business vertical.
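As an added example (not from the article or Help AG), this shows what qualifying threat intelligence by vertical and geography means in practice: a constructed feed is filtered by the customer's sector and region, by confidence and by freshness before it is matched against constructed proxy/EDR events. The feed entries, tag names (`sectors`, `regions`, `any`), thresholds, hashes and events are all assumptions made for the illustration.

```python
from datetime import date, timedelta

# Constructed 'now' so the freshness check is reproducible.
TODAY = date(2024, 3, 1)

# Constructed threat feed: documentation IP ranges and made-up hashes.
# 'sectors' / 'regions' are the feed's own targeting tags; 'any' means global.
RAW_FEED = [
    {"type": "ip", "value": "198.51.100.7", "confidence": 90, "sectors": ["finance"],
     "regions": ["AE", "SA"], "last_seen": "2024-02-28", "desc": "C2 used against GCC banks"},
    {"type": "ip", "value": "203.0.113.9", "confidence": 85, "sectors": ["any"],
     "regions": ["any"], "last_seen": "2024-02-25", "desc": "mass scanning / exploit host"},
    {"type": "ip", "value": "192.0.2.200", "confidence": 20, "sectors": ["any"],
     "regions": ["any"], "last_seen": "2024-02-27", "desc": "shared hosting IP, unverified"},
    {"type": "ip", "value": "198.51.100.33", "confidence": 95, "sectors": ["energy"],
     "regions": ["US"], "last_seen": "2024-02-29", "desc": "ICS-targeting campaign"},
    {"type": "sha256", "value": "a" * 64, "confidence": 80, "sectors": ["finance"],
     "regions": ["any"], "last_seen": "2023-06-01", "desc": "old banking trojan dropper"},
    {"type": "sha256", "value": "b" * 64, "confidence": 88, "sectors": ["finance", "retail"],
     "regions": ["AE"], "last_seen": "2024-02-26", "desc": "phishing payload seen in UAE"},
]

# Constructed proxy/EDR events from the monitored estate (destination IP, file hash).
EVENTS = [
    {"host": "ws-014", "dst_ip": "198.51.100.7", "sha256": None},
    {"host": "ws-022", "dst_ip": "192.0.2.200", "sha256": None},
    {"host": "ws-031", "dst_ip": "203.0.113.77", "sha256": "b" * 64},
    {"host": "srv-db1", "dst_ip": "10.0.0.5", "sha256": "a" * 64},
]


def qualify_feed(feed, sector, region, today=TODAY, min_confidence=50, max_age_days=90):
    """Keep only the indicators that matter to this customer.

    An indicator passes when it targets the customer's sector and region (or is
    global), its confidence meets the bar, and it was seen recently enough to be
    worth alerting on. Everything else is noise for this organisation.
    """
    qualified = []
    for ind in feed:
        sector_ok = "any" in ind["sectors"] or sector in ind["sectors"]
        region_ok = "any" in ind["regions"] or region in ind["regions"]
        fresh = today - date.fromisoformat(ind["last_seen"]) <= timedelta(days=max_age_days)
        if sector_ok and region_ok and fresh and ind["confidence"] >= min_confidence:
            qualified.append(ind)
    return qualified


def match_indicators(events, indicators):
    """Look each event's destination IP and file hash up in the indicator set."""
    index = {(ind["type"], ind["value"]): ind for ind in indicators}
    hits = []
    for ev in events:
        for ioc_type, value in (("ip", ev["dst_ip"]), ("sha256", ev["sha256"])):
            ind = index.get((ioc_type, value)) if value else None
            if ind:
                hits.append({"host": ev["host"], "type": ioc_type, "value": value,
                             "confidence": ind["confidence"], "desc": ind["desc"]})
    return hits


if __name__ == "__main__":
    print("raw feed hits:      ", [h["host"] for h in match_indicators(EVENTS, RAW_FEED)])
    relevant = qualify_feed(RAW_FEED, sector="finance", region="AE")
    print("qualified feed hits:", [h["host"] for h in match_indicators(EVENTS, relevant)])
```

Applied raw, the feed produces four hits, two of which (a low-confidence shared-hosting address and a hash last seen nine months ago) would cost analyst time for little return; qualified for a finance customer in the UAE it produces the two hits that are actually worth a ticket. The same function with `sector="energy", region="US"` keeps a different subset, which is the point of qualifying per customer rather than loading every feed into every SIEM.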
Issue 16
INTELLIGENT TECH CHANNELS