Threat Monitoring Alerts in the Night: Is Anybody Watching?
Threat monitoring is an essential practice for any security program, and there are many approaches that can be taken. But coming up with the right strategy to fulfill this function can seem daunting with so many options available. It can be boiled down to the same set of requirements that drive just about any other IT function: people, process and technology.
Once you figure out the people strategy, the rest of your approach will fall into place. Who will serve as your watchers? Threat monitoring and analysis is still a people-driven function. Sure, there are technologies that automate pieces of it, and cognitive security is a huge factor. But we’ll never eliminate the need for human threat analysts to review activity on a network and determine whether sensitive assets are secure. This capability can be staffed through internal headcount, leveraging a service provider or using a hybrid model.
Staffing a security operations center (SOC) with your own security experts will give you the most control over the function and workflows. This is a challenge, however, given the skills shortage and the increasing need to run 24/7 security operations. Security leaders often need to get creative, assigning team members to roles that maximize their individual skills and better suit the organization’s complex and specific needs.
A managed security services provider (MSSP) can provide 24/7 threat monitoring as well as the resources and expertise required to fulfill this function. Using an MSSP is more cost effective than building the function internally. The traditional MSSP model puts the service provider in the driver’s seat, enabling it to deliver security information and event management (SIEM) services to many customers at once through a large-scale platform.
While this can greatly benefit organizations seeking to maximize security investments, it does limit the extent to which organizations and security teams can control, customize and monitor this function.
A Hybrid Approach to Threat Monitoring
For the reasons explained above, the hybrid approach to threat monitoring is gaining a lot of popularity in the marketplace. Industry analysts have started referring to this model as co-managed SIEM. This hybrid approach allows an organization to tune and tweak its own technology universe — the SIEM — to its specific environment and characteristics.
While the 24/7 threat monitoring is staffed by a service provider, this approach enables organizations to observe and influence the process and use cases. With the emergence of cloud-based SIEM solutions and more scalable service offerings, the hybrid approach is becoming much more accessible to the market.
Any of the above approaches are perfectly viable when it comes to threat monitoring. It really depends on your budget, the expertise available to your team, and your desire for transparency and influence over the program. If you decide to adopt an MSSP, consider its ability to meet your needs today as well as its potential to grow and mature with your security program over time.