It’s all pretty alarming, especially if you work at a small-to-medium-size enterprise. Many of these organizations are turning to managed security services, which provide comprehensive and compliant security protection without the high cost of an on-premises security operations center.
Should you consider managed security services? Here is a quick Q&A to help you understand if this type of outsourcing is your best option for mitigating risk.
Q: How do we choose a qualified provider?
Your overall objective is to find a managed security service provider that will improve your security posture and operational efficiency. To make this assessment, ask prospective providers to explain how they will provide visibility into your network. They should have a strategy for ingesting endpoint, storage, server, and cloud data and alerting on suspicious activity in log files wherever they exist.
Part of the objective is also to remove the security burden from in-house staff. So, prospective providers should be able to explain how they will use technology and resources to manage your environment.
While you expect them to use automation, artificial intelligence, and machine learning, you also want to know they have sufficient staff to spot creative or nonstandard attacks. Providers should talk about their engineer-to-customer ratio and approach to detecting and remediating anomalies.
Whatever controls they have should align with your security framework and compliance requirements. If your organization has to comply with the Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), or other regulations, the providers should be able to support those requirements.
Qualified providers should have a global monitoring presence for detecting and alerting on new threats as they emerge. Since multi- and hybrid-cloud architectures are increasingly popular, they must be able to handle cloud-based API integrations and monitoring for major cloud providers such as Amazon Web Services, Microsoft Azure Cloud, and Google Cloud.
In some cases, experience in industries such as financial services, energy, or healthcare simplifies the outsourcing process. Whatever your marketplace focus, the providers should have clear plans for integrating their services into your risk management program.
Their staff should be available 24/7/365 for incident response and forensic analysis. When necessary, they should be on-call to work with your team and auditors, law enforcement, and other legal entities. They also should be able to provide reports whenever retention periods are met and data is destroyed.
Finally, discuss contract terms and lockout clauses. If you decide to terminate the relationship, it is important to have a documented method for transferring your logs to a new provider.
Q: Why outsource alerting, monitoring, and log management?
It usually boils down to what is practical and affordable. You can use an in-house security operations center (SOC) or managed security services to handle alerting, monitoring, and log management.
But a 24/7/365 SOC can be expensive. One study estimates the fully loaded costs between $387,200 and $783,560 per year. That’s a lot of moola even for a large and well-funded enterprise.
Funding aside, keeping a SOC staffed is challenging. As a recent Gartner study reported, IT is running a talent deficit that is expected to reach 1.4 million unfilled positions by 2020. This projection suggests recruiting for a SOC will continue to be difficult and expensive.
When these challenges are considered, it is easy to see why smaller organizations are attracted to managed security services. Outsourcing is a more affordable way of buying access to sophisticated tools and scarce talent.
Q: Can a managed security services provider help with SOAR?
Security orchestration, automation, and response (SOAR) combines security technologies into a single pane of glass. It enables organizations to take inputs from a security information and event management system, for example, and use workflows to address vulnerabilities more efficiently and effectively.
If you are a smaller organization, implementing SOAR could be difficult. The platforms and integrations are costly and usually require an advanced development skillset.
But business scale allows a competent managed security services provider to leverage SOAR. A provider’s developers can reduce your attack surface by aggregating asset data, behaviors, and threats into branched workflows. They can use these workflows to automate incident response and resolve attacks with fewer human interventions.
With SOAR as part of your security strategy, you benefit from an improved mean time to detect (MTTD) and mean time to respond (MTTR). Those are key advantages when threats may occur anywhere in the technology stack.
Steve Morgan. “Cyber Crime Costs Projected to Reach $2 Trillion by 2019.” Forbes. January 17, 2016.
“A Cost Analysis of Outsourcing Security Operations Centers.” Northland Control Systems, Inc. 2016.
“Gartner Says Global IT Spending to Grow 1.1 Percent in 2019.” Gartner, Inc. April 17, 2019.