The Best of Both Worlds Made Possible with A Hybrid SOC

By Chase Richardson, Principal Lead Consultant, Bridewell

The revolving door of cyber-attacks on major organizations continues to turn. Among the most significant of breaches over the last year was a ransomware attack on the Los Angeles Unified School District in September. Accounting for over 1,000 schools and approximately 600,000 enrolled students, hackers from the Russian-speaking ransomware gang Vice Society stole 500 gigabytes of personal data and demanded a ransom for its return. When the district refused to negotiate, thousands of social security numbers, student assessment records, driver’s license numbers, positive Covid test results, and legal records were leaked online.

Furthermore, it later came to light that student psychological evaluations had also been published in their hundreds on the dark web, containing intimate details about medications, diagnoses, incidents of abuse, and past traumas. With the Los Angeles Unified School District coming under renewed fire for failing to acknowledge the existence of these records, this incident highlights a crucial gap in existing federal privacy laws – and the critical need for transparency at all levels of cybersecurity.

With extremely sensitive data at play, organizations can’t stand still in the fight against evolving risks. As the nerve center for defenses against cyber dangers, security operations centers (SOCs) are essential to modern cybersecurity strategy. With 24/7 surveillance and responsiveness, shaped and supported by human expertise, a SOC helps to proactively hunt for risks, monitor and respond to real-time security incidents, and reduce the time taken to detect and respond to an attack.

Today, traditional security monitoring and notification approaches to threat prevention are not sufficient. Threat detection and response capabilities are needed drastically minimize the impact of cyber-attacks and ensure organizations are better prepared to deal with future security threats. The SOC is the engine that allows this to happen.

Searching for the right SOC model

There are a number of available SOC models, so it can be a little overwhelming at first. Many organizations are likely to be drawn towards in-house management for full control over their operations. An in-house SOC can also be customized to meet very specific needs and requirements, enabling the organization to tailor policies, procedures, and security controls to their unique risk profile.

However, several issues arise from a fully in-house approach. For example, as IT estates spread and perimeters expand, so does the number of tools needed to cover the cloud and all possible vulnerabilities. Each of these tools must be expertly configured, supported, and monitored 24/7, to the highest standards. To add to the challenge, many organizations currently have tools that are poorly integrated, or have overlaps or dangerous gaps in coverage that could leave them exposed.

Then there is the issue of cybersecurity skills shortages – a problem that continues to plague the industry across the country. Of those that do make up the workforce, it’s estimated that 62% of professionals in the U.S. have less than four years of experience. Stretched teams therefore have little time to deal with the numerous alerts that come in, with almost no opportunity to respond, let alone monitor in the first place. A large quantity of false positives may also create excessive noise that needs to be sifted through and will lead to inaccurate reporting.

At the other end of the scale is a fully outsourced service. On the surface, this seems to be the obvious alternative and provides access to much-needed external expertise. A managed security services provider (MSSP) will typically provide an end-to-end threat detection and response service, helping in-house IT teams to understand potential risks. They usually have a wider range of threat intelligence platforms to inform detection capabilities and can access open-source intelligence from across the web. A fully outsourced SOC can also be easily scaled up or down based on the organization’s changing needs and budgets.

However, the main downside to a comprehensive outsourcing strategy is that MSSPs often lack a full understanding of the environment and context of the business. This can lead to communication challenges with the organization’s internal IT teams, which then makes it difficult to mount a coordinated response to security incidents. Remoteness from an organization’s operations can also result in difficulties integrating with their existing IT infrastructure, causing delays, false alarms, additional costs, or even friction and indifference.

The hype around hybrid

To find that perfect middle ground, a hybrid SOC model can bring out the advantages posed by in-house and outsourced variants, while eradicating the drawbacks. The hybrid SOC makes the most of the knowledge and skills of professionals already within the business alongside the expertise of the MSSP. A key focus is on collaboration between the two teams and how improvements can be made. It might be that the MSSP takes responsibility for threat intelligence, security engineering or managed architecture. However, flexibility is important to adapt to changing business needs.

There are many examples of successful hybrid SOC models. Manchester Airport Group (MAG), the largest UK-owned airport operator, launched a hybrid SOC pilot scheme in partnership with Microsoft in 2021, in order to improve its visibility and protection against ever-evolving cyber threats targeting the aviation sector. This approach increased real-time monitoring on devices and servers from 5,000 to 80,000 events per second, supporting faster, more comprehensive, and accurate threat detection and response. By leveraging a hybrid model to safely transition from an outsourced to in-house SOC setup, MAG was provided with the confidence and expertise to fully upskill team members, resulting in significant cost savings on training and a greatly enhanced security posture.

Crucially, a hybrid SOC gives a business autonomy over its cyber threat response while still allowing staff to drive projects and internal improvements. An MSSP in this setup can take the lead on the high value incidents, but also develop the skills of in-house personnel where capabilities are lacking. Security orchestration, automation and response (SOAR) tools can be better utilized for investigation and action. Developers are also able to build custom API-based integrations to enable even greater efficiencies beyond SOAR setups.

However, regardless of the nature of the SOC they opt for, every organization should be prioritizing ongoing education and training for SOC personnel. Effective threat detection and response relies on security teams being knowledgeable, up-to-date, and coordinated at all times, working together seamlessly to investigate and tackle an ever-widening range of security incidents. To ensure a collaborative and agile response to threats, organizations must provide regular, multilayered cybersecurity education to all SOC personnel, complete with hands-on opportunities to practice their skills in real-world situations. This training will ensure that SOC teams keep pace with the latest threats and technologies, so that they can be relied on to protect their organization’s assets 24/7.

Flexibility under a combined approach

Ransomware and other growing threat vectors are understandably causing concern among organizations. A SOC model is necessary to defend against increasingly sophisticated cyber-attacks, but the type deployed can prove to be the difference between success and failure. Rather than go all in on outsourced or in-house variants, a hybrid model eradicates recruitment headaches, provides relevant expertise, and keeps the business up-to-speed on the latest trends and threats. By incorporating this, organizations can drive much-needed improvements in their cybersecurity posture – and ultimately, ensure their security operations are maximizing the benefits of both worlds.

About the Author

Chase Richardson is a Principal Lead Consultant at Bridewell.  Chase lives in Houston, TX where he leads US Operations at Bridewell, a global Cybersecurity consulting firm. He joined Bridewell last year to open its first US office. Prior to Bridewell, Chase was a founding member of another Cybersecurity consulting firm in Houston where he helped grow the business from 5 to 50 employees over 4 years, specializing in Cybersecurity Risk, Governance, and Compliance, Offensive Penetration Testing, Security Operations and Data Privacy. Chase has an MBA from Emory University and is a Certified Information Systems Security Professional (CISSP) and Certified Information Privacy Professional (CIPP/US).

Chase can be reached online at LinkedIn and at our company website https://www.bridewell.com/us.