It is time that Security Operations Centres (SOCs) consider a more comprehensive approach to the way services are priced.
Many SOCs scope costs using the events per second (EPS) or Gigs Per Day (GPD) costing model, in which events generated by the plethora of inputs inside a company are logged with a security services provider and then charged for accordingly.
This approach can often lead companies to prioritise certain logs based solely on commercial value. In doing so, companies omit security logs that may have proven vital in detecting high-fidelity incidents.
Stephen Osler, Founder and Business Development Manager at Nclose, a Managed Detection and Response (MDR) and Managed Security Services (MSS) provider, explains that companies should be able to log potential security events irrespective of cost. “We want valuable security logs and to not lose crucial telemetry that helps in identifying high-fidelity incidences.” Nclose uses Nview, a technology developed in-house, which enables its clients to implement a site-based fee model, eliminating the cost considerations for companies when logging events.
With the EPS model, companies are often faced with enormous fees come renewal time, and they need to add logs from systems to improve maturity. This should not be a factor, says Osler.
Moreover, when security service providers use vendor products, they have to buy new software and hardware licenses every time they onboard a client, adding to the total cost, whereas an MDR offering, such as Nview, focuses solely on consuming security logs and the detection of incidents, Osler explains. “Companies may need more features to address new requirements with the addition of servers or systems, but they shouldn’t be paying more to monitor logs from these inputs,” he says.
“The larger the volume of quality security logs, the better our detection capabilities and our influence over high-fidelity alerts,” Osler notes. It is a case of big data analysis, whereas in other cases, companies withhold data as it proves too costly to log every event.
“We stipulate beforehand the events we ingest, and we base this on several variables,” Osler explains. “Do we have sufficient coverage of the network, and do our alerts identify all stages of the attack life cycle, with reference to the Lockheed Martin Cyber Kill Chain or MITRE ATT&CK Framework?
“Many of the current costing models are based on the consumption of data rather than on detection capabilities. It should be based on the value we add, not the number of security logs consumed. Seeking an MDR service provider with a holistic view of security and costing is the first step in adding value to your security systems and company,” he concludes.