Requirements for managed SOC

sunhux
Q1:
We are calling a tender for Managed SOC & drafting requirements.
Can point me to samples or share requirements normally expected
of vendors for such Managed SOC?

Q2:
Besides piping firewalls, network devices, servers, UEBA events to
them for correlation, is it common to pipe originating IP addresses
of incoming emails (eg: O365) to them to check against blacklists?
I felt O365 antispam & antiphish & anti-malware protection is
not enough.

Q3:
We have EDR in place but were told that to do MDR (Managed Detection
& Response), we must go back to the same EDR vendor (Trendmicro
to be specific), but TM doesn't do managed SOC, only MDR.
We don't want fragmented service providers, ie one for managed
SOC & another for MDR.

Q4:
Also, can we include a requirement such that we do away with our
current Defacement vendor (it's a Telco) & the managed SOC uses
their own tool to manage our URLs (eg: using 'wget' or 'curl' to
download our web pages' contents & compare against a baseline)?
Or is this a function specific to a Defacement vendor only & a SOC
doesn't normally do this function?

Q5:
What are the certifications required of such vendors, eg: ISO27001/2,
must have certain encryptions, ...?

Q6:
I guess we can specify 'hot', 'warm' & 'cold/archive' of the events
for us to access via a dashboard? Can we specify that the 'hot'
events must be on an SSD, 'warm' on fiber storage & 'cold' on
SATA (or usually it's tapes) if this vendor operates on cloud?

Author

Commented:
Q7:
I guess besides CEF (Common Event Format) & syslog formats, it is
good to include that any format should be acceptable (be it by
customization) by the vendor's log receivers.

Q8:
Thought of adding an option that the vendor could block IOCs (eg:
malicious IPs on firewalls, malicious incoming emails by originating
IP or subject headings) & malicious domains (in Trendmicro to
prevent users from browsing them).
btan, Exec Consultant
Distinguished Expert 2018
Commented:
1:
You are probably looking at an MSSP specification - you can take a look at this, which will help in clarity on the requirements of the services to be offered. It should focus on people, process and technology in the areas of security monitoring, incident response and threat intelligence. Also I find what is still lacking are elements of consultancy on other necessary services to make the MSSP complete and not a one-way communication.
  • value added resale (VAR): we can help you buy security equipment or software
  • technology integration: we can help you setup and configure technology you purchase
  • incident response: we can provide a block of IR hours on retainer, as well as ad-hoc services
  • information assurance: we can provide VM scanning/assessments, PCI assessments, etc
  • security program review: we evaluate your existing processes/procedures/documentation and make recommendations to enhance or bolster the program
https://www.ey.com/Publication/vwLUAssets/ManagedSOC/$FILE/EY-Managed-SOC.pdf

2:
Yes, if available. Like in one example below, it is trueSrc representing the true source IP address. There are others including those SPF results, message traffic events etc - see Message log
<13>%<:%b %_2d %T> %<applianceHostName>
CEF:0|Forcepoint|Email Security|%<version>|Message|Message|5| dvc=%<applianceIP>
dvchost=%<=applianceHostName> rt=%<timestamp>
externalId=%<connectionID> messageId=%<messageId>
suser=%<=sender> duser=%<=recipient> msg=%<=subject>
in=%<messageSize> trueSrc=%<tsip> from=%<=from> to=%<=to>
cc=%<=cc> x-mailer=%<=x_mailer> %<\\n>

There are other logs as well, such as Policy log (below), Connection log, Delivery log, Audit Log etc
<13>%<:%b %_2d %T> %<applianceHostName>
CEF:0|Forcepoint|Email Security|%<version>|Policy|%<reason>|5| dvc=%<applianceIP>
dvchost=%<=applianceHostName> rt=%<timestamp>
messageId=%<messageId> suser=%<=sender> duser=%<=recipient>
from=%<=fromAddress> replyTo=%<=replyToAddress> to=%<=to>
cc=%<=cc> in=%<messageSize> deviceDirection=%<direction>
deviceFacility=%<=policyName> deviceProcessName=%<=ruleName>
act=%<action> url=%<=urlDetail> cat=%<=spamEngineName>
cs1=%<=virusName>
fnameAndfileHash=%<=fileResult>
exceptionReason=%<=exceptionReason>
hybridSpamScore=%<=hybridSpamScore>
localSpamScore=%<=localSpamScore>
msg=%<=subject>
trueSrc=%<tsip> x-mailer=%<=x_mailer> %<\\n>

3:
Managed SOC should take on the EDR piece for full monitoring. Having too many separate pictures from the various solutions does not correlate to make one picture for your update to management. Either the MDR sends logs to the MSSP for correlation, or otherwise you need to figure out manually how to piece these pictures together. You should have the MSSP do this contractually, and the same applies to the MDR vendor.

4:
You can state that under MSSP, but not many do that, and likely it has to be a consortium where the MSSP gets others to come under them.
Nonetheless, the manual means to spider is thought to be alright but not comprehensive. Defacement detection needs to even be able to check the integrity of images and hidden files injected while the look of the web pages is not tainted. Simple crawling is not going to identify the taints done.

5:
I would not think of qualifications to choose the provider but rather look at the track record.
We are not looking at individual or compliance only. Rather I will look out for
  • Access to a professional team with experience in major breach response
  • Access to SME to advise on a wide range of tactical and strategic information security improvements to help remediate incident root causes
  • Tried-and-tested, documented processes, procedures and playbooks
  • Metrics informed by business value or outcomes relevant to the business
  • Analytics used to inform countermeasure recommendations
  • Identify areas to focus on improving defense posture effectiveness

6:
I am not sure why you need to go to that level; it is a managed SOC. Instead you should be concerned about the severity and SLA reporting.
Let the MSSP manage the backend. Those hot, warm etc. tiers are what they need to already have in place. Whether they are effective is beside the point compared to eventually being able to pull out the logs and archive to correlate and threat hunt for the patient zeros, which is more critical.

7:
Yes, but beyond CEF and syslog, you will find difficulty integrating, and it can be proprietary; if you have that sort of device then consider changing it at the tech refresh. Most will support these two already. Connectors are still possible, and it is just professional service that you need to cater for as contingencies.

8:
Managed SOC can be detective and be actively defending as well. Just like DDOS mitigation services, where an obvious threat and attack should be blocked and the backend not left to suffer any hit. That is the reason for such a subscription. So you should ask why and what you need the Managed SOC to do and achieve. Minimally the 24x7 watch needs to be there and the obvious attack should not bring down your services - so blocking is alright, but only in obvious cases. I see more of threat hunting instead, e.g.
  • Manage impact to IT and security for incident containment and attacker eradication activities
  • Rich data aggregation and search allows for “incident discovery” or “proactive hunting” when not alerted through predefined alert rules
  • Increased ability to detect attackers with ability and intent to make material impact on your business
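As an added example (not from the original post or from Forcepoint), here is how a SOC log receiver can parse the Message-log CEF layout quoted in point 2 above, pull out the trueSrc originating IP, and match it against an IP denylist. The sample log lines, the denylist ranges and the key names beyond the CEF layout are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the Forcepoint Email Security "Message" CEF layout (TEST-NET addresses)
SAMPLE_LOGS = [
    "<13>Mar  3 10:15:02 esg-01 CEF:0|Forcepoint|Email Security|8.5|Message|Message|5| dvc=10.0.0.5 dvchost=esg-01 rt=1583230502000 externalId=4711 messageId=<a1@example.test> suser=bob@example.test duser=alice@corp.test msg=Invoice overdue - action required in=2048 trueSrc=203.0.113.77 from=Bob <bob@example.test> to=alice@corp.test cc= x-mailer=MassMailer 1.0",
    "<13>Mar  3 10:16:40 esg-01 CEF:0|Forcepoint|Email Security|8.5|Message|Message|5| dvc=10.0.0.5 dvchost=esg-01 rt=1583230600000 externalId=4712 messageId=<b2@partner.test> suser=carol@partner.test duser=alice@corp.test msg=Re: meeting in=512 trueSrc=198.51.100.9 from=carol@partner.test to=alice@corp.test cc= x-mailer=",
]

# Constructed denylist: one CIDR block and one single host (placeholders for a real threat-intel feed)
DENYLIST = [ip_network("203.0.113.0/24"), ip_network("192.0.2.10/32")]

# CEF header: version plus 7 pipe-separated fields, then the extension block
CEF_HEADER = re.compile(r"CEF:(\d+)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*?)\|(.*)$")
# Extension values (e.g. msg=) may contain spaces, so split only where the next "key=" begins
EXT_SPLIT = re.compile(r"\s+(?=[\w.-]+=)")

def parse_cef(line):
    """Return the header fields plus every extension key=value pair, or None if not CEF."""
    m = CEF_HEADER.search(line)
    if not m:
        return None
    _version, vendor, product, dev_version, sig_id, name, severity, ext = m.groups()
    fields = {"vendor": vendor, "product": product, "deviceVersion": dev_version,
              "signature": sig_id, "name": name, "severity": int(severity)}
    for token in EXT_SPLIT.split(ext.strip()):
        key, _, value = token.partition("=")
        fields[key] = value          # empty values (cc=, x-mailer=) are kept as ""
    return fields

def is_denylisted(ip_text):
    """True if the text is a valid IP that falls inside any denylisted network."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in DENYLIST)

def flag_messages(lines):
    """Return a summary of every Message event whose true source IP is denylisted."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if not ev or ev.get("name") != "Message":
            continue
        src = ev.get("trueSrc", "")
        if is_denylisted(src):
            hits.append({"trueSrc": src, "from": ev.get("suser"), "to": ev.get("duser"),
                         "subject": ev.get("msg"), "messageId": ev.get("messageId")})
    return hits
```

In a real feed the denylist would be refreshed from threat intelligence and the hits raised as SOC alerts rather than returned to the caller.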
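Point 4 above argues that a wget/curl comparison of page text is not enough and that image integrity and hidden injected content must also be checked. As an added example (not from the original post or any vendor tool), this baseline check hashes every fetched resource, including images, and flags modified, new or missing resources plus hidden elements and references the baseline never had. The baseline and current snapshots are constructed inline in place of a real crawl.

```python
import hashlib
import re

# Constructed known-good snapshot: path -> bytes as fetched when the baseline was taken
BASELINE = {
    "/index.html": b"<html><body><h1>Welcome</h1><img src='/logo.png'><script src='/app.js'></script></body></html>",
    "/logo.png": b"\x89PNG\r\n\x1a\n constructed-good-image-bytes",
    "/app.js": b"console.log('hello');",
}
# Constructed current crawl: visible text is unchanged, but the logo bytes differ and a hidden iframe was injected
CURRENT = {
    "/index.html": b"<html><body><h1>Welcome</h1><img src='/logo.png'><script src='/app.js'></script><iframe src='/x.html' style='display:none'></iframe></body></html>",
    "/logo.png": b"\x89PNG\r\n\x1a\n constructed-tampered-image-bytes",
    "/app.js": b"console.log('hello');",
    "/x.html": b"<html><body>injected</body></html>",
}

# Elements styled or sized so that they do not change how the page looks
HIDDEN = re.compile(rb"<(iframe|div|script)[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|width=['\"]?0|height=['\"]?0)[^>]*>", re.I)
# Any src/href reference; a reference the baseline never had is suspicious even if the target looks harmless
REF = re.compile(rb"(?:src|href)=['\"]([^'\"]+)['\"]", re.I)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def check_integrity(baseline, current):
    """Compare a crawl against the baseline; return sorted (finding_type, detail) tuples."""
    findings = set()
    for path, data in current.items():
        if path not in baseline:
            findings.add(("new_resource", path))
        elif sha256(data) != sha256(baseline[path]):
            findings.add(("modified", path))          # catches image/script tampering, not just text
        if path.endswith(".html"):
            for m in HIDDEN.finditer(data):
                findings.add(("hidden_element", path + ":" + m.group(1).decode().lower()))
            for ref in REF.findall(data):
                if ref.decode() not in baseline:
                    findings.add(("unbaselined_reference", path + "->" + ref.decode()))
    for path in baseline:
        if path not in current:
            findings.add(("missing", path))
    return sorted(findings)
```

Re-baselining after every legitimate deployment is what keeps the "modified" findings meaningful.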

Author

Commented:
Is it common that a Managed SOC or MSSP performs annual simulated
Incident Response drills for customers (esp DDoS, ransomware, APT
attacks)? Quite a few audits require this.

Author

Commented:
And red-teaming exercise as well?
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Managed SOC should be able to conduct the cybersecurity exercises and drills for the customer. This is also shared in the link in my post.

As for Red team, it is not a necessity from a managed SOC, as it can be a specialised team compared to the penetration testing that it typically offers. Best is to check out the offering by the vendor. In fact, I foresee they would be able to bundle them together, but it is just not well adopted as a baseline since many are still in the mindset of compliance by design.

You should also look at a bug bounty programme too. Yes, this is not offered by managed SOC as it requires intensive experience to manage the pool of white hats.
