Managed SOC vs Automated SOC through EDR/XDR tools: what are the advantages? What are the disadvantages? Which one provides the best solution? This begs the question: are computers really better than people?
What is a Security Operations Centre (SOC)?
A Security Operations Centre, or SOC, is a centralised unit that deals with security issues at both an organisational and a technical level. A SOC gives an organisation the opportunity to understand what ‘normal’ looks like for its own environment. It is built on three blocks for managing and enhancing an organisation’s security posture: people, processes, and technology.
What is an Automated SOC?
Some XDR/EDR products (explained below) offer an additional Automated SOC capability. This is sold as a way to attach automation to the alarm and rule sets within the EDR/XDR product: instead of the traditional SOC approach, where an incident is raised and then waits for someone to investigate it, the alert triggers a set of predefined scripts or functions with the intention of reducing response time. For example, if a malware outbreak is spotted, the ruleset automatically isolates the affected device.
Think of these tools like Google Maps: the SOC tool provides the satellite overview, while an EDR/XDR tool gives you the street view, letting you look more closely at an individual part of your network.
What is Endpoint Detection and Response (EDR)?
Endpoint Detection and Response (EDR) is a baseline monitoring and threat detection tool for endpoints. It relies on software agents or sensors installed on each endpoint to capture telemetry, which is sent to a central platform for analysis and, where configured, automated response.
This can be extended by XDR (Extended Detection and Response), which takes a wider view: it integrates telemetry from endpoints, cloud, identity, network and other sources, streamlining security data ingestion, analysis and workflows across the organisation to improve visibility of hidden and advanced threats and to unify the response.
What are the advantages and disadvantages?
The main area of difference is that a Managed SOC not only detects but also has analysts investigate and respond to an alert, whereas an EDR/XDR tool on its own detects and, at most, fires a predefined automated response with no human judgement behind it.
Managed SOC advantages:
– 24/7 security
– Flexibility and scalability
– Threat intelligence access
– Detects incidents based on your organisation’s routine and habits
– Detection rules handcrafted by a SIEM (Security Information and Event Management) engineer
– Detection and response
– Team of experts monitoring using best practices
Automated SOC advantages:
– Provides a layer of protection
– Gives you security and peace of mind
– Scalability and flexibility of scope
– Potential cost reduction
– Accelerated incident reaction time
– Increased forensic capabilities
– Alerts to larger threats to your organisation
Managed SOC disadvantages:
– An outsourced SOC means your data sits externally
– An outsourced SOC relies on a third party to identify and alert internally; communication is key
Automated SOC disadvantages:
– Detects incidents based on the rate at which they happen, without looking at the habits of your organisation
– No baseline for monitoring/detection
– Increases the workload on your organisation; can be argued to be more expensive than an outsourced SOC
– Attackers can exploit AI capabilities
We are not saying XDR/EDR tools don’t provide any value…
XDR/EDR tools do have a place; it is just a case of understanding what that place is. An XDR tool with an Automated SOC function does provide value: it will alert you to the larger, noisier threats and provides a layer of security for your organisation.
However, XDR tools on their own typically look at internal alerts, and in security, if the activity is already internal it is too late…
Think about it in terms of your home, how do you prevent your house getting burgled when the burglar is already inside?
The intention of these tools is to provide an early warning system. A Managed SOC aims to be proactive, detecting potential attacks before they become breaches of your network, and has human expertise on hand to advise on best practice for mitigating the alerts.
We are not arguing that one tool is better than the other, or that EDR tools do not have a place in providing a level of security to your organisation. Having something in place is better than nothing.
At CyberCrowd we believe that every organisation’s security posture is important, no matter where it sits on the scale of maturity. An organisation that is taking steps to protect its assets and data is in the best position to grow.
So, what does this mean for your business?
Our Head of Pen Testing noticed that when a Nessus or Nmap scan was run with default speed settings, no alerts were triggered; this is something a Managed SOC would have picked up on.
Only when scans were run at a specified higher speed did they begin to raise alerts. Running any scan should raise an alert straight away in a traditional SOC environment through the use of marker ports, that is, ports that nothing legitimate should ever connect to, so any contact with them is a signal whatever the scan rate.
For a detection capability to be most effective for your business, scans should be detected by which ports are being probed, as opposed to the speed at which attempts are made.
If three attempts within ten minutes trigger the lockout policy, it is easy for an attacker to work this out and spread the attempts to three every eleven minutes, which never trips that rule; a Managed SOC that baselines the account’s normal behaviour would still pick this up.
Testing with these tools, a brute force attack on an admin account goes undetected by an EDR/XDR-based Automated SOC unless it is run above a certain speed; a Managed SOC analyst would identify it immediately because it goes against the norm of your environment.
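The two evasions described above, as an added example that is not CyberCrowd’s tooling or the page’s own code: a speed-based scan rule beside a marker-port rule for the slow port sweep, and a lockout-style rate rule beside a per-account baseline rule for the three-attempts-per-eleven-minutes brute force. The log records, the marker port list, every threshold and the per-account baseline figures are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed assumptions (not from the original page): MARKER_PORTS are ports
# that are closed on every host and that no legitimate client ever contacts,
# so a single touch is signal regardless of how slowly the scan runs.
MARKER_PORTS = {23, 1433, 3389, 5900}
START = datetime(2024, 1, 1, 0, 0, 0)


def build_slow_scan(src="10.0.0.99", interval_s=30, ports=range(1, 1025)):
    """Constructed connection records (ts, src, dst_port): one source sweeping
    1024 ports at one probe every 30 seconds, about 20 probes per ten minutes."""
    return [(START + timedelta(seconds=i * interval_s), src, p)
            for i, p in enumerate(ports)]


def build_low_and_slow_bruteforce(src="203.0.113.7", account="admin",
                                  interval_s=330, hours=24):
    """Constructed failed-logon records (ts, src, account, result): one attempt
    every 5.5 minutes, i.e. three per eleven minutes, for a day, plus a single
    mistyped password from a legitimate user so the baseline rule has noise."""
    n = hours * 3600 // interval_s
    attempts = [(START + timedelta(seconds=i * interval_s), src, account, "FAIL")
                for i in range(n)]
    attempts.append((START + timedelta(hours=9), "10.0.0.12", "bob", "FAIL"))
    return sorted(attempts)


def exceeds_rate(timestamps, threshold, window):
    """Sliding-window check: True if `threshold` events fall inside any span
    of length `window`. Both the speed-based scan rule and the lockout rule
    have this shape, and it is exactly what the evasions are tuned against."""
    recent = deque()
    for t in sorted(timestamps):
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            return True
    return False


def scan_speed_rule(conns, threshold=100, window=timedelta(minutes=10)):
    """Speed-based scan rule (assumed threshold): a source must open 100
    connections inside ten minutes before it is reported."""
    by_src = defaultdict(list)
    for ts, src, _port in conns:
        by_src[src].append(ts)
    return sorted(s for s, ts in by_src.items() if exceeds_rate(ts, threshold, window))


def marker_port_rule(conns):
    """Port-based rule: report the first contact each source makes with a
    marker port. Rate plays no part, so slowing the scan does not help."""
    first_hit = {}
    for ts, src, port in sorted(conns):
        if port in MARKER_PORTS and src not in first_hit:
            first_hit[src] = (ts, port)
    return first_hit


def lockout_rule(attempts, threshold=3, window=timedelta(minutes=10)):
    """Lockout-style rule: three failures from one source inside ten minutes."""
    by_src = defaultdict(list)
    for ts, src, _acct, result in attempts:
        if result == "FAIL":
            by_src[src].append(ts)
    return sorted(s for s, ts in by_src.items() if exceeds_rate(ts, threshold, window))


def baseline_rule(attempts, baseline_per_day, factor=5.0):
    """Baseline rule: report any account whose failures on one calendar day
    exceed `factor` times what is normal for it. `baseline_per_day` stands in
    for figures learned from the organisation's own history (an assumption)."""
    per_day = defaultdict(int)
    for ts, _src, acct, result in attempts:
        if result == "FAIL":
            per_day[(acct, ts.date())] += 1
    return sorted({acct for (acct, _day), n in per_day.items()
                   if n > factor * max(baseline_per_day.get(acct, 0), 1)})


if __name__ == "__main__":
    scan = build_slow_scan()
    print("speed rule on slow scan:", scan_speed_rule(scan))
    print("marker rule on slow scan:", marker_port_rule(scan))
    logons = build_low_and_slow_bruteforce()
    print("lockout rule on 3-per-11-min:", lockout_rule(logons))
    print("baseline rule on 3-per-11-min:", baseline_rule(logons, {"admin": 2, "bob": 1}))
```

The speed rule and the lockout rule stay silent on both constructed datasets, while the marker-port rule fires on the scan's first touch of port 23 and the baseline rule flags the admin account after a day of spaced-out failures. The point is that the attacker controls the rate, but not which ports exist on your network or what your accounts normally do.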
What about the cost?
We know budgets can be difficult, especially when it comes to cyber security. You might think that an Automated SOC is more cost effective; however, this is not always the case.
An Automated SOC tends to use EDR/XDR products, whereas a Managed SOC will typically use a SIEM tool, which is actually less expensive than an EDR tool.
Using a Managed SOC also reduces the internal resource cost for the customer. A Managed SOC filters the incidents that come through, whereas with an Automated SOC every escalation goes directly to the customer with no filtering, which means a heavier reliance on in-house triage and a dedicated internal resource to look after the tools, adding cost to the business.
On average we find that the difference in cost between a Managed SOC and an Automated SOC is no more than 15%, before taking into account the customer’s internal resource cost, and with the added benefit that a Managed SOC has cyber security experts on hand should an incident be detected.
What makes CyberCrowd’s offering different?
At CyberCrowd, SOC engineering comes as standard as part of the life cycle of the SIEM; this is something that does not come with Automated SOCs unless you have a consistent, trained internal resource.
Our SOC runs 24/7, 365 days a year, providing you with expert advice on how to mitigate potential risks as and when they are flagged. XDR/EDR tools are there to detect abnormalities and build on our capabilities, giving you a Managed SOC service that utilises best-in-class people, process and technology.
If you would like to hear more or are interested in the services we provide please, Contact Us.