Running Cyber Security Operations is crucial but difficult
Successful and effective cyber security is not only about tools, but (increasingly) about the processes and people to operate those tools effectively. While organizations used to buy security tools and believed this would be sufficient, they increasingly realize that running the actual Cyber Security Operations (CSO) with the right people is necessary to benefit from those tools.
Designing, implementing and operating CSO is by no means easy. Especially the expertise (e.g. specialized security knowledge to make sense of many alerts) and processes (e.g. quick follow-up on high risk events) are often difficult to implement.
Many organizations want to build, improve or (partly) outsource their CSO because they realize it is a crucial part in becoming more secure. However, they struggle to find the right balance between in-house and outsourced operations, especially when it comes to controlling the full operational process. Also, many organizations do not know how to become sufficiently cyber resilient quickly during this transition process.
In addition, operating cost effective CSO is difficult for tasks requiring scale, such as:
- 24/7 human monitoring
- high expertise intelligence gathering
- emergency response
Many organizations choose not to build those capabilities in-house, but to outsource them to a security partner.
Fox-IT has developed its hybrid approach to address the above mentioned challenges.
A hybrid approach makes Cyber Security Operations easy and secure from the start
With a hybrid approach to CSO, organizations can choose a mix of outsourcing tasks and performing tasks in-house. For example, an organization can choose to outsource all detection tasks, while keeping other functions (e.g. vulnerability management, incident response) in-house. This ensures that difficult tasks, that require significant build-up periods, are operational from the start, while tasks requiring local knowledge or physical proximity can still be performed in-house.
Another advantage of this approach is that an organization can gradually grow into the in-house operation of specific parts of security. For example, after having outsourced all detection tasks, all 1st line tasks can initially be performed in-house, followed by the 2nd and 3rd line if the initial step is successful. The security partner can support this transition by performing these tasks and provide specific training modules. This way, the organization optimally benefits from the security partner’s expertise.
Organizations that want a hybrid approach to CSO should realize that, even though parts of the operation are outsourced, this approach will require significant investment and resources. However, we believe those investments and resources are significantly smaller than when either outsourcing all security tasks (because several tasks could be performed more efficiently by employees with specific knowledge of the organizations’ situation and physical proximity) or performing them in-house (because of a lack of scale in certain tasks).
A hybrid approach to Cyber Security Operations typically takes four steps
The implementation of a hybrid approach to CSO is not easy. Care should be taken in planning and implementing this approach. In our experience, four distinct steps can be identified in a hybrid CSO implementation:
- An assessment of the current state of cyber security operations is performed. This includes identifying the existing technology, processes and people in place that perform security tasks. Also a target situation of security operations is defined, to guide the whole transition.
- The functional design of the hybrid CSO is developed. All cyber security operations tasks (e.g. vulnerability management, intelligence management, incident detection, etc.) are detailed on a technology, process and people level. That design is mapped on a project plan or roadmap for implementation with different phases.
- The technical design and implementation phase starts with the easy activities or quick wins to become more cyber resilient early in the project. Then, more complex phases can be implemented. Also, the capability building program (e.g. training) should start early to hand over tasks to the in-house team as soon as possible. During this phase strong project management with regular measurement of progress is crucial.
- The operations phase starts gradually for each implemented task. In this phase, continuous improvement is crucial to remain cyber resilient. Feedback from incidents, false positives and false negatives should be fed back to improve each part of the operation. Also, intelligence on new threats, vulnerabilities and protected interests should be used to improve operations.
Fox-IT can support your organization in developing a plan towards a Hybrid CSO or to guide you through the whole transition. If you have any questions regarding the hybrid approach to CSO, please contact us at firstname.lastname@example.org