It is time that Security Operations Centres (SOC) consider a more comprehensive approach in the way services are priced.
Many SOCs scope costs using the events per second (EPS), or Gigs Per Day (GPD) costing model, in which events generated by the plethora of inputs inside a company are logged with a security services provider and are then accordingly charged for.
This approach can often lead companies to prioritise certain logs based solely on commercial value. In doing so, companies omit security logs that may have proven vital in detecting high-fidelity incidences.
Stephen Osler, Founder and Business Development Manager at Nclose, a Managed Detection and Response (MDR) and Manged Security Services (MSS) provider, explains that companies should be able to log potential security events irrespective of cost. “We want valuable security logs and to not lose crucial telemetry that helps in identifying high-fidelity incidences.” Nclose uses Nview, a technology developed in-house, which enables its clients to implement a site-based fee model, eliminating the cost considerations for companies when logging events.
With the EPS model, companies are often faced with enormous fees come renewal time and they need to add logs from systems to improve maturity. This should not be a factor, says Osler.
Moreover, when security service providers use vendor products, they have to buy new software and hardware licenses every time they onboard a client, adding to the total cost, whereas a MDR offering, such as Nview, focuses solely on consuming security logs and the detection of incidences, Osler explains. “Companies may need more features to address new requirements with the addition of servers or systems, but they shouldn’t be paying more to monitor logs from these inputs,” he says.
“The larger the volume of quality security logs, the better our detection capabilities and our influence over high-fidelity alerts,” Osler notes. It is a case of big data analysis, whereas in other cases, companies withhold data as it proves too costly to log every event.
“We stipulate beforehand the events we ingest, and we base this on several variables,” Osler explains. “Do we have sufficient coverage of the network and do our alerts identify all stages the attack life cycle, with reference to the Lockheed Martin Cyber Killchain or Mitre Attack Framework?
“Many of the current costing models are based on the consumption of data rather than on detection capabilities. It should be based on the value we add, not the number of security logs consumed. Seeking an MDR service provider with a holistic view of security and costing is the first step in adding value to your security systems and company,” he concludes.