Hybrid SOC Scenarios

One more important angle we are exploring in our SOC paper update is about so-called “hybrid SOCs.” In our SOC materials, this admittedly nebulous term refers to a SOC that uses a substantial (as I warned … “nebulous”) amount of external services and/or uses them for critical functions (so an external coffee delivery service does not count). In slightly more clear terms, this is not a completely in-house SOC, but also not a “complete” (they never truly are complete) MSSP outsourcing arrangement, but something of a hybrid of both.

Now, you can say that every SOC uses some services today and in every MSSP arrangement the client retains control of some security ops functions (like, say, IR). Sure, of course, whatever. Maybe a hybrid SOC is like porn? You recognize it when you see it? In any case, we will figure the crisp definition later, but intuitively we get it.

So, in this post I wanted to “toss out and test” a few of the hybrid SOC models we have encountered. Are there more? What do you think of each? Did one work well for you? Perhaps one let you down?

1. MSSP at night, your SOC for daytime/workdays – many seem to want it, but handoff and joint operations often get pretty tricky.
2. MSSP for basic monitoring, advanced — in-house SOC – this seems attractive since commodity stuff gets outsourced, but where do you get the talent to do the advanced if you never did the basic.
3. MSSP for perimeter/DMZ/web alerts, SOC for inside application/user monitoring – I rather like this model and seen it work well, it may sometimes break for the threats that show up on the perimeter first; also, it suffers from some of the talent challenges above
4. Services help run your SIEM and other tools for your SOC – this is not truly a hybrid, but an example where services play a critical role in saving your SOC team from the boring tasks like SIEM maintenance (or: you can SaaS the SIEM)
5. In-house SOC runs and uses a SIEM, but an MDR runs your EDR (typically the one with the name that rhymes with “trike”) – this has come up a few times and it seemed to work well, at least as a transition stage
6. Some combination of the above.

Now, some may say that “MSSP for Level 1 alert triage, and Level 2+ in-house” is a hybrid model too, but IMHO it is not. It simply means “we use an MSSP.”

And, finally, when doing a hybrid SOC planning remember the classic saying [well, I said it and I kinda like it :-)]: “MSSP’s business is … business, not your security.”

Related blog posts for 2018 SOC research:

• Next Research: SOC, SIEM, and Again Overall Detection and Response
• Is Your SOC your CSIRT? (by Augusto)
• Can You Do a SIEM-less SOC?
• SIEM Alternatives? What Are They? Do They Exist?
• SOC Webinar Questions Answered
• Our “How to Plan, Design, Operate and Evolve a SOC” Paper Is Published (from 2016 – now the update is under development)