Choosing the right people, processes and technology to build a modern security operations function is one of the biggest challenges for today’s IT and security professionals. It’s even harder to recruit and retain cyber talent for a government salary — and the stakes are even higher to protect your organization from ransomware and other cyber threats so that mission-critical systems are always available.
Just because you’re tasked with managing cybersecurity for your organization, of course, doesn’t mean your organization exists to do cybersecurity. Your mission as a public safety agency, or as a state or local government entity, is to provide services that keep the public safe.
A strong cybersecurity program is critical to keeping your systems secure and available in the times that matter most so that you’re not distracted or taken offline by cyber attacks. Having the right cybersecurity staff with the right skills at the right time is crucial to your success, but finding and retaining skilled professionals, developing robust processes and keeping up with the latest technology isn’t easy.
Many organizations are turning to managed security service providers (MSSP) to address the dilemma of building their own security operations center (SOC) or hiring and retaining a 24/7 security team in-house. In this blog, we’ll explain what managed security services are and how they can provide cost-effective protection to help your organization detect, prevent and respond to cyber attacks or other cybersecurity incidents.
Managed Security Services Overview: The Role of the SOC
A key component to managing risk and building a strong cybersecurity practice is a SOC. A SOC typically handles the following functions:
- Plan, Configure and Maintain Security Infrastructure – Much of the day-to-day work of the SOC is in planning and configuring the technology stack (endpoints, SaaS applications, cloud infrastructure, and network security tools) to identify relevant activity and tune out unnecessary “noise” or data. The SOC staff must constantly monitor data sources to ensure the ecosystem is always connected.
- Detect and Respond – Monitoring incoming alert activity and investigating alerts to determine if they represent a true security incident or if they’re false alarms is a 24/7 job for SOC security analysts. If something is a legitimate security concern, they must quickly assess the breadth of the situation and respond to it, then document the situation to keep others informed. By utilizing advanced security orchestration, automation and response (SOAR), an effective SOC can reduce more than 95 percent of false positives and ease the burden on security analysts.
- Hunt for Threats – Threat hunting requires reviewing event activity to determine if there are any signs of compromise that may have evaded automated controls. The most common scenario is to review the history of an IP address or file if it’s found to be malicious.
- Log Storage for Forensics – Another function of the SOC is collecting and securely storing log files for forensics and compliance. The team will need to provide this critical data when a security situation arises. Log files are typically kept for a year, but can be retained for up to seven years in some environments.
- Track KPIs for Execs and Boards – Finally, measuring and reporting key performance indicators (KPIs) that demonstrate to the executive team and other stakeholders how well the SOC is doing is an often overlooked but necessary task that requires a skilled team and an advanced platform.
Next, we’ll take a look at different options for deploying SOC-level capabilities for your agency or organization.
Options for Deploying SOC-Level Capabilities
If you’re considering how to add these capabilities, there are several options to consider, each of which has pros and cons:
- Build, manage and staff your own SOC, which requires a substantial amount of time, energy and funding. For public sector organizations, this can cost an average of $2.25 million annually. However, you do have complete control over the process.
- Hire an MSSP with their own SOC and team of highly trained experts to manage your cybersecurity for you. You give up some control in this scenario, but most reputable MSSPs will work with you to craft a support plan that fits your needs and budget.
- Create your own hybrid model, supporting some aspects of cybersecurity with in-house talent and then hiring an MSSP to fill the gaps. Depending on the size and skillsets of your internal team, this can be a practical and cost-effective way to get the advantages of both.
Given that few public safety or government organizations have the time, expertise, budget and cybersecurity talent pipeline to pursue Option 1, working with a qualified MSSP in a full or hybrid capacity is the only viable option for most operations.
There is another option, of course, which is to cross your fingers and hope that your partial cybersecurity operations don’t get exploited by bad actors. This approach is not recommended.
Making the Case for Managed Security Services
If your organization is still debating the merits of an in-house, outsourced or hybrid approach to cybersecurity, here are some points to consider.
24/7 cybersecurity coverage is no longer optional. It’s a necessity.
By the end of 2021, ransomware is expected to hit an organization every 11 seconds, and Public Safety Answer Points (PSAPs) and Computer Aided Dispatch (CAD) systems continue to be popular targets for cyber attackers. Besides the potential costs of the ransom if an agency or government entity decides to pay it, the expense of containing and remediating an attack while ensuring that mission-critical systems stay online can run into millions of dollars.
Leaving an adversary free to plant seeds for hours, days, or weeks makes it infinitely harder to contain and remove threats. The adversary knows they have limited time to do as much damage as possible, as in the case of ransomware, or to set back doors, as in the case of data exfiltration. You have the best chance of recovery if you can investigate and respond within minutes, so a solution that provides 24/7 coverage is crucial.
Finding, training and retaining cybersecurity talent is difficult.
The talent you need to handle cybersecurity tasks is in high demand. According to the International Information Systems Security Certifications Consortium, Inc. (ISC)², the number of unfilled positions worldwide is now at 3.12 million professionals.
Training staff with a broader IT background in cybersecurity skills is an option, but retaining these people is expensive. Replacing them when they are recruited away starts the cycle all over. It usually ends up being more expensive than planned.
Additionally, the individuals who do well in this area usually want to explore new topics and take on new challenges. You will need to find other, related projects or roles to rotate SOC staff through to keep them engaged. This also helps build their skills, so they are ready to respond and act when needed.
Managing multiple technologies and integrating tools is expensive.
Cybersecurity is complex, and technology evolves quickly. There will always be multiple technologies that need to work together. On average, researchers report, organizations are struggling to manage an average of more than 57 tools in their security tech stack – and this number continues to grow.
This requires maintaining skills to implement, update, and configure each component and training your staff on new versions and features. If you build and manage your own SOC, you need to manage these vendor relationships, licensing, and training activity.
The bottom line here is that creating the capability you need is going to require a lot of low-level tasks and extensive day-to-day work. For very large organizations that can support it, the effort may make sense. For most organizations, though, the task is better left to a partner that can provide this as a service, enabling you to get all the benefits of a top-notch SOC without the expense and distraction of building it yourself.
Cybersecurity is a team sport. It’s important to have a diverse set of skills and a team that works well together.
Security threats evolve quickly. Proper investigation and response requires people who understand endpoints, IT networks, cloud applications and infrastructure. Most importantly for public safety agencies, it also requires people who also understand your mission-critical systems.
People working in the SOC can wear a variety or different hats depending on what day it is and what’s most urgent at the moment. This means you need a team that is always learning so they have the right skills when you need them. People who do well in this area thrive in a team setting where they can learn from and challenge each other.
Think of it this way. You wouldn’t put a football team on the field that hasn’t practiced together. Your SOC team is going up against an adversary that plays together every day.
To be successful, you need a SOC that has lots of game-time experience to build their skills in their position and as a team. A SOC function that does not see regular practice is not going to be ready when hit with the full force of a well-practiced adversary. It’s difficult to get this experience in a small organization.
Managed security services offer many advantages for resource-strapped public safety agencies as well as state and local governments, ensuring predictable spending, up-to-date security tools, and less time spent managing technology and vendors. Contracting with an MSSP for a subscription-based plan can be particularly helpful for governmental organizations, where hiring and retaining an in-house team, as well as meeting compliance requirements related to cybersecurity, can be even more difficult.
If budget isn’t an issue and you have the time and staff to properly focus on building out a 24/7 SOC, then it may make sense to go that route. If you are constrained on any of those fronts, then managed security services can be a better approach.
If you have a dedicated in-house cybersecurity team that’s available weekdays but you need a team to cover nights and weekends, or to manage specific technologies that you don’t have the skills to in-house, a hybrid approach may make sense.
Managed security services can also help you get in front of cyber attacks before they happen, and be better prepared when they do.
Learn more about Motorola Solution’s managed security services for public safety agencies here.