LINEARSTACK
March 23, 2023

Modern SOC -The Case of Consolidation

On average businesses deploy 45 security tools, too many tools create complexity hindering breach detection & response efforts. – IBM Cyber Resilient Organisation Report

"Any change, no matter what form, is good!"

The case for modernisation and consolidation of the security operations is a continuous process requiring innovation, patience, and leadership. SOC sprawl is a clever term defining an environment with more ground roots than a 200-year-old oak tree.

Yet, most organisations lack the discipline and patience to understand the SOC's sprawl better. Yes, having too many security technologies generates more alerts creating alarm fatigue among the SecOps engineers and support teams. In some ways, the process of determining the root cause, even with the enablement of the MITRE ATT&CK framework and Lockheed Martin Kill Chain, does not expedite the organisations ability to determine RCA and the current security posture.

SOC consolidation starts with why?

Why should organisations consolidate their SOC?  Obviously, for many reasons, the current strategy for a SOC is broken on many levels. Here are some critical areas of focus to begin the SOC consolidation strategy:

●      How many security products today leverage the vendor's managed services?

●      Are we too dependent on vendor-specific security architectures like Microsoft, Oracle, and Cisco?

●      Do we need a managed service to manage the various independent managed services were currently leveraging?

●      Should product owners within DevOps be responsible for all security enablement and operations in place of consolidated SOC to support the disparate application and solution stacks?

●      Why is the risk management leader not involved with SOC decisions?

●      How do we prevent future complex security operations and product sprawl?

The SOC sprawl gained negative traction because of these dynamics. Many security approaches get added into the enterprise in some cases by a product owner or group to meet their specific needs. Organisations have tried to develop a consolidated security architecture or a one-size-fits-all approach for years. This idea failed because the organisation's various product or department-level strategies did not align well with the consolidated security architecture. The concept of bolt-on security compiled the complexity of the SOC culture. Cross-charging for SOC services and access to the universal network and security became a corporate headache.

SOC consolidation drives the how and when conversation

Once organisations have determined their product solution strategy and whether these departments plan to develop and support their various platforms are a critical first step. If the departments determine the need for the organisation to provide a consolidated SOC co-funded by their group, that is a welcome sign.

The SOC itself is no longer snapped at the end of the product life cycle. The SOC is a sprint with the continuous improvement/continuous/delivery(CI/CD) process within the DevOps strategy. This includes enabling SecOps engineers to become travelers within the scrums to help align, educate, and strategize SOC capabilities during the product development cycle.

This engagement sprint gives the SOC and product teams early visibility into the security needs, potentially leveraging existing tools, and what internal service level agreements will need to be met.

SOC becoming a (CI/CD) partner with the product groups

Similar to DevOps and Appdev working together within their various sprints, adding a traveler from the SecOps team will help create and enable a cost-effective and efficient security operations model.

●      Defining SLAs by product group and early interaction through scrum team alignments will help solve the legacy SOCissues.

●      Better early and frequent communication between product groups and the SOC

●      Eliminating the SOC needing to manage the managed services by vendor culture

●      Leverage the security asset available within the company first

●      Partner with third-party managed security partners that have experience in the consolidation of SOC strategies

How critical is a consolidated SOC strategy to digital transformation?

Organisations are investing millions in a digital transformation to reshape and realign their company's direction. These transformation strategies could range from moving all the applications to the cloud, sourcing customer service, or moving all new product development to a more efficient DevOps strategy. Embedded security capabilities are still not top of mind with many organisations. Still reviewed a costly addition, organisations that face cyber security attacks see their cost savings and transformation capital washed away at the cost of recovering from security breaches.

Will the company's decision to invest in a digital transformation plan align with the organisation's SOC strategy? A critical question should be asked during the due diligence process of the digital transformation strategy.

The journey toward security consolidation

Before any discussion around a SOC consolidation, leveraging a professional services company like LinearStack would be a positive investment.

LinearStack's extensive years in the cybersecurity market bring experts into each engagement to help with the consolidation question. Leveraging LinearStack's professional services teams, the organisation could engage in several areas of importance, including:

●      Security tools consolidation. Most-house SOC teams have between 70 to 90 security tools to manage. Linear's team can evaluate each tool and make recommendations to help reduce overlap of processes and duplication of toolsets.

●      Assess current security product inventory. Does the organisation have too many overlapping adaptive controls? Did the organisation purchase several point products due to a security breach or last-minute compliance mandate?

●      Access the resource pool with the organisation. Does the organisation have enough capable security engineers and incident response personnel to handle the volume of alerting traffic?

●      Does the current SOC leverage the MITRE ATT&CK framework efficiently? LinearStack leveraged the MITREATT&CK framework within their SOC-as-a-Service offering.

LinearStack security posture assessment and professional services engagement is the most critical step before any attempt to consolidate the SOC strategy.

Understanding the value of SOC-as-a-Service Strategy With LinearStack

Who is this for?

Our SOC-as-a-Service is designed for organisations that want a partner to monitor their security threats around the clock, allowing them to focus on business as usual and more strategic projects.

Follow the sun coverage.

With teams in two time zones, you can be confident that your security analysts are always alert and fresh when defending your infrastructure. As your partners, you can reach out to any of our analysts24/7 to understand the journey of a threat.

Work within budget

No need to manage and fund your SOC team.

●      We monitor all systems – servers, databases, endpoints, applications, websites, and more.

●      We find one-off and recurring issues, then give you actionable advice so you can fix security breaches.

●      We use the MITRE ATT&CK™framework and top threat intelligence sources to manage and escalate threats.

Full or co-managed SOC service


We offer a full or co-managed service according to your in-house skill set and where you seek to augment your team. ChooseEssential, Advanced, Expert levels, or any combination of the three. This framework is designed to help you gain efficiency at each level of your SOCmaturity journey.


Conclusion

After the organisation has reshaped their security architecture, workflow, and enablement of security services within the organisation, the company leaders need to evaluate if the organisation has the resources to support the new strategy by creating an internal SOC, and understand if it is more efficient and cost-effective than leveraging a global provider like LinearStack?

While cost is an essential element of a SOC consolidation strategy, access to top talent globally while leveraging proven processes and incident response capabilities is a critical drive for hiring companies like LinearStack.

About Us

LinearStack is a New Zealand-owned and operated specialised cyber security services company with a global footprint. We are 100% privately held.

The core focus of our business is to accelerate our customer’s cyber security operations with the help of our cyberdefence services. We offer a range of managed and professional services to accomplish this goal for our customers. We are a true 24x7 eyes-on-glass and hands-on-keyboard operation.

We augment our client’s teams by acting as a true an extension of their team empowering our clients to prioritise their cyber security strategy and customers while we protect their business from cyber threats 24x7. This is a transition we manage smoothly through tried &tested, robust, and well-defined processes.

How LinearStack can help

At LinearStack, we’ve helped enterprises with complex third-party ecosystems to secure their business against supply-chain attacks. We provide advice and assistance to reduce third-party risk and can also build and manage your security infrastructure to protect you from advanced attacks 24x7x365.

For cyber security services in New Zealand, the United States, or Australia, call us at 0800 008 795 or emailinfo@linearstack.co.nz.

Blogs

Start Reading

Our latest blogs and news are here for you

Incident Response Planning and Preparation

Why every organisation needs an incident response plan and what to include in your IR plan
Read More

Incident Response Best Practices

Common mistakes to avoid when responding to a cyber incident
Read More

Incident Management vs. Incident Response

IM vs IR, what’s the difference? Should you merge them? What complexities does that bring?
Read More
Are you experiencing a security issue? Call us now.