Ever faster and more sophisticated cyber attacks make a Security Operations Center (SOC) mandatory for every company. However, running one in-house is beyond the means of most companies, so they start looking for an external partner. We explain what matters when choosing a provider and which criteria are important for small, medium-sized and large companies.
Outsourcing IT security services is becoming a necessary strategy for more and more companies in order to shorten response times to attacks and optimize internal resources against the backdrop of a shortage of skilled workers. A Managed Detection & Response Service (MDR) with a professionally managed Security Operations Center improves cyber security, in particular through 24/7 monitoring with rapid attack detection and defense. Below, companies of different sizes will find important criteria for selecting a suitable offer:
Small businesses: Basic protection with monitoring from the cloud
Smaller companies often do not have their own IT security department and are therefore reliant on external partners. As part of an MDR offering, 24/7 monitoring ensures that alarms are monitored around the clock in order to detect and ward off threats immediately. This is because ransomware attacks often only take a few hours between the initial intrusion and the complete encryption of the IT infrastructure with subsequent ransom demand. If the attack is targeted at night or at the weekend, which is increasingly common, the financial damage can hardly be limited due to the long response time.
The MDR offering should also include continuous threat analysis (threat intelligence) and the development of a structured response plan. This can further reduce the risks significantly. Last but not least, security services should be flexible enough to grow with the company. Framework agreements with fixed response times offer financial planning security and cost control.
The most efficient route to a comprehensive MDR service for smaller companies is usually via the cloud. With a cloud-based MDR service, attack detection and response are completely outsourced, most simply and independently into a Microsoft cloud. This can be set up at relatively short notice, but the user must integrate the solution into their own environment.
Medium-sized companies: Combining flexibility and expertise
Hybrid security models are often attractive for medium-sized companies as they combine internal and external resources. Such an on-premises MDR solution provides 24/7 monitoring at the service provider, while data storage remains with the customer. In the event of a security incident, the external analysts inform the customer and initiate appropriate measures independently, on recommendation or after consultation, depending on the agreement.
Due to the increased complexity, companies should ensure a clear division of roles between the internal IT team and the external service provider when selecting a provider in order to benefit from maximum efficiency and fast response times. Certifications and proof of qualifications such as ISO 27001, SOC 2 or TISAX are also an important point of reference. This applies in particular if critical IT systems are affected.
In terms of the solutions offered, all security technologies and tools should be up to date. The most important building blocks of a modern Security Operations Center for MDR are: Endpoint Detection & Response (EDR) for signature-based detection of threatening behavior, a SIEM (Security Information and Event Management) for log processing and rule-based attack detection, and an NDR (Network Detection & Response) system for network traffic analysis. In addition, proactive threat hunting helps to detect threats at an early stage before they can cause any damage.
Large companies: Specialization and depth
Large companies require specialized security services that are tailored to complex infrastructures and highly sensitive data. The most important selection criteria here are the technological integration of existing systems such as EDR, SIEM and NDR as well as ensuring data sovereignty. This is because the company generally wants to retain control over its sensitive data.
The larger the company, the more cooperation with the service provider is tantamount to a strategic partnership. This also makes sense, as long-term cooperation with specialized providers also enables the continuous improvement of IT resilience, ongoing adaptation to new threats and the connection to technological innovations such as AI-based methods for attack detection and defense. Incident response and forensics solutions should also be included in a holistic MDR offering. After all, an in-depth attack analysis provides important insights for strengthening cyber defense.
Organizationally, these requirements can be met either with an on-premises solution or with a co-managed SOC. In the latter case, the customer grants the service provider access to its own systems. The main difference to the on-premises solution is who owns the system, where the data is located and what level of access the service provider has.
Further selection criteria
Whether a provider is actually in a position to provide genuine 24/7 monitoring can be gauged from its number of employees and customers. For example, an efficient three-shift model can hardly be realized with only five analysts. Many analysts per customer is a sign of good alarm processing; only a few analysts per customer means response times can be unnecessarily long. Really short response times can only be achieved with a three-shift operation or if the provider deploys analysts in different time zones who hand over seamlessly (follow-the-sun principle). On-call monitoring, on the other hand, can only offer “guaranteed”, i.e. comparatively long, response times.
Especially in the case of rapidly escalating attacks such as ransomware, an immediate response by an analyst can be crucial. The degree of automation of alarm processing therefore also plays an important role. The higher it is, the more efficiently the SOC’s resources can be used. It is also important that the sensors generate high-quality alarms. This is because false alarms can lead to wrong decisions and significantly impair efficiency.
The most important tools of a SOC are EDR, SIEM and NDR. As a rule, all or some of these systems are already in place at the customer’s premises. A service provider should therefore have sufficient integration expertise so that the individual functions can be used optimally for threat detection and response. Compatibility with SOAR solutions also plays a role, as many providers specialize in certain products.
Conclusion
A professional MDR service provider can help companies of any size to achieve a high standard of protection without overburdening internal resources. However, choosing the right provider and offering requires intensive consideration of which services are required and which operating model suits the company. How efficiently the external SOC works can be assessed based on the provider’s employee capacity, degree of automation and integration expertise.
Would you like to find out more about this topic? Then we recommend the detailed article from iX, issue 10/2024 (available for a fee from heise+). The accompanying market overview lists 30 selected providers of MDR and SOC services in great detail. SECUINFRA is presented in detail as one of 30 selected providers. The company fulfills almost all of the criteria highlighted as particularly important in the article.