Security Operations Center as a Service (SOCaaS)

An elite team of experts ready to detect and respond

What is a SOC as a Service? 

SOC as a Service is a service offered by a cybersecurity company that typically acts as the customer's entire security operations center (SOC). Under circumstances such as a talent shortage, or because a business is at a startup or mid-life stage and lacks the resources to protect its own network, SOC as a Service (SOCaaS) can act as that organization's tactical console, from which it can track security alerts, defend against cyber attacks, and improve its overall security posture.

According to IDC, organizations can outsource a set of security functions to a SOC team, including SIEM, vulnerability management, endpoint security, and other detection and response tools. A customer organization could also sign up for the entire menu of services. Because the offering is delivered as a cloud service, operations take place off-site and are hosted in the cloud. Some of the practical outcomes a SOCaaS provider aims to deliver on behalf of its customers are:

  • Remediating cyber threats on behalf of customers 
  • Enabling customers to determine what services are relevant to them 
  • Streamlining data ingestion and analysis from a customer's network 
  • Translating processes and outcomes into language that nearly any stakeholder can use and understand

With this in mind, it is also important for a business or security organization to perform a thorough analysis of its current security program, identifying its strengths and weaknesses as well as areas of practice it may not have addressed before. This will help narrow the focus of a SOCaaS vendor search to criteria unique to the customer.

SOC as a Service (SOCaaS) Benefits 

Perhaps the greatest benefit of having a service provider take on a specific area of security is that the customer no longer has to staff and operate that area day to day. Since SOCaaS encompasses many areas, as mentioned above, let's take a look at some of the specific benefits:

Faster detection and remediation 

If a team is slow to respond when an anomaly is detected, odds are there are competing priorities pulling personnel in multiple directions. A SOCaaS provider assigns dedicated analysts to respond to cyber threats and vulnerabilities and to remove or remediate them. For an in-house SOC, rapid context switching from situation to situation is a real drain on time, so a team dedicated solely to detection, response, and remediation will be able to move much faster.

Access to specialized security expertise 

A SOC's analysts must collectively cover every specialty and respond quickly on behalf of the customer. A SOCaaS vendor should be able to provide access to analysts who can handle endpoint containment, threat hunting, malware analysis and containment, distributed alerting and escalation paths, and more. Understanding a SOC's people, technology, and escalation paths can help you identify a trustworthy vendor.

Enhanced maturity 

The benefit of accelerating the maturation of a customer's security program should not be underestimated. SOCs face threats every day, often many of them. Having a budget to address immaturity in a security program is great, but if there is no strategic in-house talent acquisition plan, then shifting the focus to finding the right SOCaaS partner may be a more effective solution.

Lower cost than on-premise SOC

Speaking of talent acquisition, building a SOC from scratch can carry many additional costs compared with engaging a managed services partner. Finding the right technology and people obviously involves startup costs, and once you have those people and operating processes in place, staff turnover becomes a problem as well. Around 71% of SOC analysts say they feel burned out on the job, especially when the team totals only about seven people and they carry the full weight of the company's security on their shoulders.

SOC as a Service Roles and Responsibilities

Even if a company or small security organization has already decided to begin searching for a SOCaaS vendor, it is still critical to understand the roles and responsibilities of the analysts and staff in that SOC. After all, they'll be the ones protecting your environment – and your reputation.

SOC Manager 

This person oversees the SOC and directly manages a security team of several people. The SOC manager's role includes setting the company's overall security strategy, creating a vision for hiring, building processes, and developing the technology stack. This person should be able to provide both technical guidance and managerial oversight.

Security Analyst Tier 1 - Triage

An analyst in the provider's SOC will field an alert and triage it. During the investigation, they will determine where it should fall in the patch or remediation queue. Alerts can consume a significant amount of time for an in-house security organization, and having a team manage and automate the triage process can drastically reduce the daily burden on in-house teams.

Security Analyst Tier 2 - Incident Responder

This type of analyst will typically field alerts from their Tier 1 counterpart. If an alert ends up in this person’s queue, that means it has been determined to be real and should be prioritized for response. Deeper investigation into the alert, identifying systems affected, and crafting of a response and/or remediation plan are key responsibilities of this role.

Security Analyst Tier 3 - Threat Hunter 

At this stage of the process, the hunt is on. If the incident has been determined to be more severe, a threat hunter will examine how the attacker or threat was able to get past the initial security checks. A threat hunt lets security analysts actively look across a customer's network, endpoints, and security technologies for threats or attackers that may be lurking undetected.
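The three tiers above form one flow: Tier 1 suppresses and prioritizes, Tier 2 takes what is confirmed, Tier 3 hunts on the worst of it. As an added example that is not part of the original page or any provider's actual logic, the following Python sketches the automated front end of that flow: dropping alerts a human has already reviewed as benign, collapsing bursts of duplicates, scoring each host's case, and routing it to the tier that should own it. The alert fields, rule names, hosts, thresholds and sample alerts are all constructed assumptions for this example.

```python
"""Minimal automated Tier 1 triage pass (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts of the kind a detection stack hands to Tier 1.
RAW_ALERTS = [
    {"ts": "2024-05-01T09:00:02", "host": "ws-017", "rule": "suspicious_powershell", "severity": 3, "user": "jdoe"},
    {"ts": "2024-05-01T09:00:15", "host": "ws-017", "rule": "suspicious_powershell", "severity": 3, "user": "jdoe"},
    {"ts": "2024-05-01T09:01:40", "host": "ws-017", "rule": "lsass_access", "severity": 5, "user": "jdoe"},
    {"ts": "2024-05-01T09:30:00", "host": "build-03", "rule": "suspicious_powershell", "severity": 3, "user": "svc_ci"},
    {"ts": "2024-05-01T10:05:00", "host": "db-01", "rule": "failed_logins", "severity": 2, "user": "-"},
    {"ts": "2024-05-01T09:05:00", "host": "ws-017", "rule": "suspicious_powershell", "severity": 3, "user": "jdoe"},
]

DEDUP_WINDOW = timedelta(minutes=10)
# Constructed: (host, rule) pairs an analyst already reviewed and marked benign
# (here, a CI service account that legitimately runs PowerShell).
ALLOWLIST = {("build-03", "suspicious_powershell")}
# Constructed routing thresholds on the case score computed in build_cases().
TIER2_MIN, TIER3_MIN = 4, 7


def parse_ts(s):
    return datetime.fromisoformat(s)


def suppress(alerts):
    """Split alerts into (kept, suppressed) using the reviewed-benign allowlist."""
    kept, suppressed = [], []
    for a in alerts:
        (suppressed if (a["host"], a["rule"]) in ALLOWLIST else kept).append(a)
    return kept, suppressed


def deduplicate(alerts):
    """Collapse repeats of one (host, rule) inside DEDUP_WINDOW into a single alert with a count."""
    out, open_idx = [], {}  # open_idx: (host, rule) -> index in out of the current representative
    for a in sorted(alerts, key=lambda x: parse_ts(x["ts"])):
        key = (a["host"], a["rule"])
        if key in open_idx and parse_ts(a["ts"]) - parse_ts(out[open_idx[key]]["ts"]) <= DEDUP_WINDOW:
            out[open_idx[key]]["count"] += 1
            continue
        open_idx[key] = len(out)
        out.append(dict(a, count=1))  # copy so the raw list is never mutated
    return out


def build_cases(alerts):
    """Group deduplicated alerts by host and score each case.

    Score = highest severity seen on the host + 2 per additional distinct rule:
    several different detections on one host is a stronger signal than one noisy rule firing often.
    """
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    cases = []
    for host, items in by_host.items():
        rules = {a["rule"] for a in items}
        score = max(a["severity"] for a in items) + 2 * (len(rules) - 1)
        cases.append({"host": host, "rules": sorted(rules), "score": score,
                      "alerts": sum(a["count"] for a in items)})
    return cases


def route(case):
    """Decide which tier owns the case, mirroring the Tier 1/2/3 split."""
    if case["score"] >= TIER3_MIN:
        return "tier3_hunt"
    if case["score"] >= TIER2_MIN:
        return "tier2_respond"
    return "tier1_monitor"


def triage(alerts):
    """Run the full pass; return per-queue cases plus counts showing how much noise was removed."""
    kept, suppressed = suppress(alerts)
    deduped = deduplicate(kept)
    queues = defaultdict(list)
    for case in build_cases(deduped):
        queues[route(case)].append(case)
    return {"queues": dict(queues), "raw": len(alerts),
            "suppressed": len(suppressed), "after_dedup": len(deduped)}


if __name__ == "__main__":
    result = triage(RAW_ALERTS)
    print(f"{result['raw']} raw alerts -> {result['after_dedup']} after suppression and dedup")
    for queue, cases in result["queues"].items():
        for c in cases:
            print(f"{queue}: {c['host']} score={c['score']} rules={c['rules']} alerts={c['alerts']}")
```

On the constructed input, six raw alerts become two cases: ws-017 (credential-access detection on top of a PowerShell burst) goes straight to the hunt queue, while db-01's low-severity failed logins stay with Tier 1. The allowlist and the correlation bonus are the two knobs that decide how much a human sees; they are exactly the things a customer should ask a provider to explain and to tune for its environment.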

Security Architect 

An architect is typically responsible for designing the security architecture, engineering security systems, and implementing those systems. They should also document the requirements, procedures, and protocols of the architecture and systems they create. Additionally, they will weigh in on key regulatory and compliance requirements on behalf of their SOCaaS customers.

Challenges of SOC as a Service

A SOC is the control center for a company's cybersecurity operations, so some complex operations take place there. Some aspects are automated, some are manual human work. A customer organization looking for the right partner will be outsourcing some or all of those operations. Let's look at some of the challenges SOCaaS presents when a business decides to hand its digital trust to an external team.

Onboarding process

A vulnerable phase follows any engagement of a SOCaaS provider. The provider must configure its tech stack to work within the new client's environment, and the client must prepare its own network so that the new provider can deploy its monitoring. The next phase tests and implements the templates for collecting insights and acting on them. Until that monitoring is confirmed to be receiving telemetry from every in-scope system, detection coverage has gaps, so both sides should agree up front on which sources are in scope and how coverage will be validated before the cut-over.

Enterprise data security

Securing a customer's network is one thing, but ensuring the data is safe on the SOCaaS provider's side is another altogether. It is therefore critical for customers to do the research to find a provider whose own defenses are hardened to protect the enterprise data of all of its customers: how tenants are isolated from one another, how data is encrypted, and how analyst access to customer data is controlled and audited. This is essentially a supply chain issue and should be handled with all the considerations that approach entails.

Cost of log delivery

Full access to, and autonomy over, the provider's operations (as they pertain to a specific customer) can be expensive for that customer. While the information is technically generated by that customer's network, the operations and actions the SOCaaS provider takes on it are its own. With that in mind, it becomes clear that obtaining full access to log data can be costly for a security organization, so retention periods, export formats, and the price of getting raw logs back out (for your own forensics, or when the contract ends) should be settled in the agreement rather than discovered during an incident.

Regulatory considerations

Perhaps one of the most critical considerations is adhering to regulatory standards and maintaining compliance when handing over the keys to any operational part of a security organization. A large part of maintaining compliance is communication and reporting, inside and outside the company. Company executives will need ongoing reporting to demonstrate good compliance to certain regulators. The key is to know whether the SOCaaS provider handles compliance itself or outsources that practice to a third-party provider.

Read More About SOCs

Compare MDR Vendors

Learn more about Rapid7's Managed SOC Services
