“Be wary of any supplier that says their SIEM is a panacea”
The Local Pensions Partnership (LPP) – a public sector pension fund service provider with £17.4 billion of assets under management – says it is considering using a third-party security operations centre (SOC), and has allocated a humble £15,000 to establishing whether or not this is a good idea.
All interested third-party suppliers should be able to demonstrate a ‘traceable’ view of the benefits that a SOC would provide to the LPP, alongside a clear determination of the internal and external cost of such a system, it said in a contract notice for this discovery phase analysis.
Local Pensions Partnership: So, Why Use a SOC?
The LPP has currently tasked its own internal security working group with the cybersecurity safeguarding of its data and infrastructure. (The LPP also provides pensions administration services to more than 600,000 members across LGPS, Police and Firefighters pension schemes.)
The LPP’s security team outlined their requirements in the contract notice, with the project lead saying: “I need to ensure that pro-active and reactive threat detection is occurring on a continuous basis, thereby enabling action to be taken to protect LPP technologies, data and the domain.”
The closing date for supplier applications to the discovery phase is December 10, 2019. The analysis needs to be conducted within eight weeks.
SOCs Come in a “Variety of Flavours”
As the UK’s National Cyber Security Centre (NCSC) notes, SOCs come in a “variety of flavours” and can cover the entire incident management process.
Their offerings can span:
- integration, management and review of traffic feeds
- protective monitoring
- initial triage and analysis
- vulnerability management
- alerting and response
- incident management
- root cause analysis
- patching & remediation
- correlation management, Security Information and Event Management (SIEM) tuning
- continuous improvement
- key management
As the NCSC warns in a useful guide for businesses in a similar situation: “Be wary of any supplier that tells you that security information and event management (SIEM) is a panacea…
“Good SOC analysts don’t develop anything in the SIEM until they’ve proved an idea using scripts and logs first. A good supplier will have a content development checklist and a standard process for proposing, justifying and implementing rulesets in your SIEM.”
It adds: “Don’t assume your business wants to hear what the SOC finds. Your SOC has detected something; who will care and what you do next? Work back from the end of the incident and verify you can achieve each stage before levying a requirement upon your SOC. Ensure the action you wish to take is legal and covered by internal policy.”
As a SOC enters the operational phase, resourcing overheads will diminish, but expect a number of false positives to occur while the supplier learns to understand the way your business operates, it adds.
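The NCSC advice above – prove a detection idea with scripts and logs before building it into the SIEM, and expect false positives that need tuning – is illustrated by the following added example, which is not from the article or the NCSC guide. It prototypes one candidate rule (repeated failed logins followed by a success from the same source) over constructed sshd-style log lines; the rule name, threshold, window and allowlisted address are all assumed values chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log lines (not real data), sshd-like format.
SAMPLE_LOG = """\
2019-12-02T09:00:01 host1 sshd: Failed password for alice from 203.0.113.7
2019-12-02T09:00:03 host1 sshd: Failed password for alice from 203.0.113.7
2019-12-02T09:00:05 host1 sshd: Failed password for alice from 203.0.113.7
2019-12-02T09:00:09 host1 sshd: Accepted password for alice from 203.0.113.7
2019-12-02T09:05:00 host1 sshd: Failed password for bob from 192.0.2.10
2019-12-02T09:05:02 host1 sshd: Failed password for bob from 192.0.2.10
2019-12-02T09:05:04 host1 sshd: Failed password for bob from 192.0.2.10
2019-12-02T09:05:06 host1 sshd: Accepted password for bob from 192.0.2.10
2019-12-02T10:00:00 host1 sshd: Failed password for carol from 198.51.100.5
2019-12-02T10:30:00 host1 sshd: Accepted password for carol from 198.51.100.5
"""

LINE_RE = re.compile(r"^(\S+) \S+ sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

# The rule proposal a content development checklist would ask for: name,
# justification and the tunable parameters. All values are assumed.
RULE = {
    "name": "brute_force_then_success",
    "justification": "Repeated failures then a success from one source suggests a "
                     "guessed credential and is worth analyst triage.",
    "threshold": 3,          # failures required before a success fires the rule
    "window_seconds": 60,    # failures older than this are ignored
    # Tuning learned during the false-positive phase: a known internal
    # scanner (constructed address) that legitimately retries logins.
    "allowlist": {"192.0.2.10"},
}

def detect(log_text, rule=RULE):
    """Return (user, source, first_failure_ts) for each event that fires the rule."""
    failures = defaultdict(list)   # (user, src) -> timestamps of failed logins
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # unparsed lines are skipped in this prototype
        ts = datetime.fromisoformat(m.group(1))
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        if src in rule["allowlist"]:
            continue
        key = (user, src)
        if outcome == "Failed":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if (ts - t).total_seconds() <= rule["window_seconds"]]
        if len(recent) >= rule["threshold"]:
            alerts.append((user, src, recent[0].isoformat()))
        failures[key].clear()      # a success resets the counter for that pair
    return alerts
```

Running `detect(SAMPLE_LOG)` fires once, for alice; clearing the allowlist fires a second time for the scanner address, which is the kind of false positive the tuning phase is meant to surface.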
Do you use a SOC? Are you happy with its services? Get in touch with our editorial team – we’d like to hear about your experiences.