How do we know we are being attacked? Advanced Persistent Threats (APTs) are very challenging to detect, and advanced event correlation is one of the most effective ways to identify such attacks. There are various routine procedures and precautionary steps that can be taken to prevent, detect and contain an attack, including:
Engaging an outsourced MSSP with a well-equipped local SOC is always a better option than the in-house option for detecting, preventing and containing APTs. We have identified the following reasons:
1) Cost Saving
While an MSSP is a dedicated provider of network security services to several organizations, an in-house option exists solely to support a single organization. As a result, the cost per organization is significantly lower when using an outsourced SOC, since the costs of acquisition, staffing, tools and training are shared among the MSSP's multiple clients, whereas an in-house option bears those costs alone. As of 2013, international research shows that the average MSSP would spend USD 10 million to USD 30 million to launch its operations. We do not think many organizations can justify such an investment for an in-house SOC.
2) Strength of Skilled Staff
Very often, if an APT is not an imminent threat to the organization, the cost of hiring such staff may be viewed as unnecessary. An organization's hiring of in-house staff is usually based on its needs and budget, and is often constrained by its business priorities. An MSSP like SysArmy (www.sysarmy.net) hires staff as an investment, and the cost of hiring such staff to provide solutions and services is a higher priority and an existing part of its strategy. Furthermore, an MSSP also spends money to hire more skilled staff to deal with divergent requirements, as its business prospects depend on an adequate response to the various security problems of its clients.
3) Security and Reliability
In the event of an APT intrusion, there is no effective way for an in-house SOC department to stop its own systems from being equally breached and compromised, since it sits within the same environment. On the other hand, an MSSP's infrastructure is external, providing the necessary isolation from being easily compromised while efficiently handling the task of monitoring the security status of client infrastructure. MSSPs do not share client resources, making them a more robust and reliable security option should problems arise. An in-house SOC located on company-owned network infrastructure may be compromised or rendered ineffective through its reliance on company resources, which can be compromised by attackers who have already breached internal systems.
4) Acquisition & Sharing of Knowledge
Due to the variety of situations and range of customers they deal with, and the solutions they provide, MSSPs are usually more up to date than in-house security teams. MSSPs are also regularly approached by vendors of various security solutions as a target market for their products, and are kept up to date on the latest technologies and practices. In-house SOCs seldom publicize what they do and are not likely to be approached by as many vendors. Acquiring knowledge is also an integral part of an MSSP's business strategy, as it needs to be competitive at all times, while an in-house SOC may view knowledge acquisition as an expense with no immediate benefit.