Buy, Build or Partner? - Talion

How to acquire an IT security monitoring capability that is right for your business

It’s an age-old question but one still facing many Information Security teams when they are deciding how best to monitor and protect their IT estate.

The most important decision you will need to make is whether to build and operate the monitoring capability yourself or to outsource it. Key to this decision is whether you have the resources to design, implement and operate a 24/7 monitoring solution.

MSSPs operate in a competitive environment, and in a market where MSS prices can vary by more than 100%, what you get may be quite different from what you expect. For example, a compliance-based MSS will generate alerts based on “out-of-the-box” rules with little information to help you respond, whereas a security-based MSS operating sophisticated rules and analytics will deliver fully investigated security incidents to the client, with clear remedial action.

As Managed Security Solutions become more all-encompassing, you also need to assess whether you have the capability and capacity to integrate and manage multiple different products in your technology stack. A full-blown MSS will likely offer the following in an integrated fashion:

  • Managed Detection & Response utilising SIEM and SOAR technology
  • Network Detection & Response
  • Endpoint Detection & Response
  • Insider Threat Detection & Response
  • Vulnerability Management
  • Threat Hunting
  • Threat Intelligence
  • Penetration Testing
  • Incident Response

Within each of these categories there is a whole swath of products on offer, so the task of building your own solution is rightly a daunting one. If you decide to go down the path of procuring an MSSP, there are both strategic and cultural factors to consider:

  1. Pick a partner: Your MSSP should have an intimate knowledge of your business and when things go wrong, you need to be confident that they will respond in the right way.
  2. Pick a company for whom security is its core business.
  3. Look at their heritage: How long have they been doing this? How long will they be around?
  4. Look at what they are investing: How detailed is the roadmap? Which features are they committing to deliver?
  5. For security monitoring, avoid “follow-the-sun” services: Monitoring is most effective when outsourced services are delivered from a single 24/7 SOC from which the quality of service is easier to control.
  6. Detection visibility: Is your MSSP willing to demonstrate exactly how specific threats are detected and to contractually commit to remain effective as the threat evolves?
  7. Performance visibility: Can your MSSP demonstrate in real time how effective they are? Are they hitting key KPIs?
  8. Collaboration: Does your MSSP enable you to collaborate with their analysts to investigate and remediate an incident?
  9. Control: Does your MSSP allow you full access to the data their own analysts see, should you want to access or interact with it?
  10. Price transparency: Insist on a simple, predictable model and catalogue prices for the term of the contract.

Now you’ll need to understand your solution requirements

Talk to your IT architects and operations managers to identify the options for meeting your monitoring needs. The right answer depends on your organisation’s operational constraints. The main ones are:

  1. Affordability: can you obtain the capital expenditure budget required to set up a monitoring capability?
  2. Training and awareness: to what extent could good security awareness allow you to reduce your reliance on monitoring technology?
  3. Operational maturity: what monitoring do you already have in place? Does it deliver a consistent service across the globe, even at weekends? Is it integrated with the incident response function?
  4. IT assets: do you own and control your network devices?
  5. Threat intelligence: do you know how to exploit it to maintain an effective monitoring capability?
  6. In-house skills: are you able to attract and retain the skills to support an in-house capability?
  7. Standards: are there any architectural requirements or regulatory standards that a solution must support?
  8. Existing investments: which components could be harnessed to form a monitoring solution?
  9. Solution development: do you have the skills to design and implement a monitoring solution that is integrated with the security devices in your network?
  10. Commercial Off-the-Shelf (COTS) solution quality: if you decide to buy a monitoring product, how easily could it fit with your IT security architecture, and how much of its capability could you exploit?

Build or buy decisions made in the context of such operational constraints will be logically founded and defensible. In general, only the well-resourced organisations in regulated market sectors such as banks and energy companies choose to build their own monitoring capability. The rest of the market favours outsourcing. In both cases, you will need to find the right security partner to support you.

We provide consulting services to support you in building or improving your own monitoring capability. We can also provide threat detection products and outsourced management security services. If you would like to discuss how we can help you acquire an IT security monitoring capability that is right for your business, please contact us.

 
Filed in Blog, by Talion. 0 comments