Selecting cost effective protective monitoring services - Part 2


This is the second of a three-part series that provides advice to organisations looking to procure managed security monitoring, protective monitoring (PM) and/or Security Operations Centre (SOC) services.

When can Protective Monitoring become expensive?

There are a few different underlying reasons that fall into the following categories:

Licensing costs become expensive

  • Licence models based on the number of IP addresses covered, events per second, GB of storage used, etc. can become expensive, and the true cost of these licences only becomes evident once the solution is rolled out

The equipment required to run the service becomes expensive

  • In order to provide coverage, more and more expensive appliances and collectors are required, along with more storage and more bandwidth. Warranty, support and maintenance costs grow quickly and the customer is constantly purchasing new equipment to keep up with business demand or capacity

The effort required to run the service becomes expensive

  • More logs and more data mean more maintenance effort as well as more analyst time. Keeping all the kit healthy and monitored becomes a big job requiring dedicated ops staff. More analysts are needed as the correlation rules, etc. prove to be ineffective, and gradually the security operation grinds to a halt

In order for the overall service to be effective, more technology is needed (i.e. solutions based on log monitoring alone do not provide the functionality needed; see this excellent SANS whitepaper). For example:

  • Typically log monitoring alone delivers compliance, not security. Most PM solutions based on log monitoring alone will have no way of knowing about a genuine security problem, and even if a log indicator alerts an analyst to some suspect activity, the analyst doesn’t have the situational awareness or the technology available to triage the problem. The analyst is rather like a mechanic with no tools: they can see evidence of the problem but have no way of finding the root cause or fixing it
  • Providing the real tools required can be expensive – packet capture, IDS and analysis tools can be very expensive to buy, deploy and service

Lack of deployment flexibility leads to expensive workarounds or supplemental technologies

  • When it comes to deploying the kit it becomes clear that the customer’s environment requires more kit to make the deployment work – more collectors, for example, because the customer has multiple security zones, or other customer-specific limitations that were missed in procurement
  • The customer may need to either provide or host additional virtual machines or physical appliances such as network taps and aggregation devices

Lack of Situational Awareness

  • Most Log Monitoring or Threat Monitoring systems and services only understand IP addresses. They don’t understand which systems are important or critical to the business or which users are involved. This makes identification of a real incident difficult and time consuming and furthermore it makes it really difficult to determine the best and quickest way to respond

You pay for a service or services you don’t need or that don’t match your risk appetite or threat profile

  • Off-the-shelf offerings can be ‘one size fits all’ and lack any flexibility in service levels or scale up/scale down

How do e2e protective monitoring services address these issues?

Licensing costs become expensive

  • We have three levels of service (Baseline, Enhanced, Premium) that provide different PM SLAs. These allow organisations to choose a service level that meets their threat appetite and risk profile (not a one-size-fits-all offering).
  • We then price per protected asset. An asset is something that the service has found and has been classified and prioritised as something to include in the service. This process ensures that we charge for actual objects that need protecting, not everything we find. The process also eliminates duplications – such as DHCP addresses being counted up, multiple interface firewalls being counted up, etc. We believe this is the fairest method and it is also the most flexible.
  • We can allow organisations to flex their service level up and down – to cover dangerous times such as migrations, etc.
  • Crucially you are paying for a service, not a product. You get outcomes from the service – this is the value of the service. We have designed our services to provide all the technology and service items you need to benefit from a full-featured PM service and a SOC service combined – and taken away complex and often misleading licensing arrangements.
  • e2e can provide you with a fixed price for whatever scale you require over whatever term you require – this enables you to understand the true cost of scaling up.

The equipment required to run the service becomes expensive

  • We don’t charge for GB stored, or EPS. We provide all the kit required to provide the quoted service level and we allow for flexibility in how this technology is deployed – but without charging more.
  • Where there is a custom requirement to meet – such as a prescribed data retention period we will offer to provide additional kit to do this but if the customer wants to provide the VM or physical hosting to do this we can accommodate it.

The effort required to run the service becomes expensive

  • In a service-based model this is our problem, not yours. This benefits the customer in two ways. Firstly, the customer doesn’t have to scale the resource up and down, provide training, etc. (a standard service model outcome).
  • Secondly we are highly motivated to make the service operate as efficiently as possible as we are the ones running it.
  • There is no such incentive for product based offerings – in fact it’s the opposite as the supplier will want to sell more kit and more services (more product).

In order for the overall service to be effective more technology is needed (typically this is where the realisation hits that services based on log monitoring alone do not provide the coverage needed)

  • Our service comes with all the technology needed – it is much more than just a log monitoring solution:
    • Monitors remote and mobile users and devices
    • Integrated endpoint scanning reduces exposure to threats
    • Noise reduction: targeted threat analysis and detection based upon your business priorities
    • Visibility and validation of encryption and cipher strength and usage to ensure data-in-transit integrity
    • Packet capture, intrusion detection, blacklist monitoring
    • Traffic analysis, deep packet protocol inspection and analysis tools
    • Provides privileged user monitoring
    • Consumes the latest threat intelligence from over 100 open and commercial sources, tailored to your line of business
    • IP abuse and reputational monitoring and alerts for all endpoints (when your IP addresses are doing things they shouldn’t)
    • Provides integrated vulnerability scanning and monitoring of all external and internal IPs as required (key for compliance) with alerting
    • Provides event analysis, triage and incident response services
  • Crucially all the above is built into and provided with our service – all you need to do is choose the number of protected assets and the service level. In the rare case that we identify a need to augment your service with additional technology we can do so at an extremely cost-effective one-off charge for the additional device. This only applies to additional physical equipment above that included in the service level. Additional VMs are not items we charge for.

Lack of deployment flexibility leads to expensive workarounds or supplemental technologies

  • Crucially all the kit needed is built into and provided with our service – all you need to do is choose the number of protected assets and the service level. In the rare case that we identify a need to augment your service with additional technology we can do so at an extremely cost-effective one-off charge for the additional device. This only applies to additional physical equipment above that included in the service level. Additional VMs are not items we charge for.

Lack of Situational Awareness

  • Our services provide asset identification, classification and management. They revolve around a business-led risk and threat model that is used to ensure the service is optimised to protect the most valuable assets from the most likely threats
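Two points above (that IP-only monitoring lacks situational awareness, and that asset counting should collapse DHCP addresses and multi-interface firewalls into single protected assets) are easier to see in code. The following is an added illustration, not e2e’s own tooling or data: the discovery records, hostnames, criticality ratings and the identity precedence (hostname, then MAC, then IP) are all constructed assumptions. It builds a deduplicated asset inventory from per-interface observations, counts protected assets, and then enriches raw IP-based alerts with asset identity and business criticality so they can be prioritised.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed discovery observations (not real data). Each record is one
# interface or DHCP lease seen by a collector, so a single device can appear
# several times: a three-interface firewall, or a DHCP client whose lease moved.
OBSERVATIONS = [
    {"ip": "10.0.0.1",  "mac": "00:11:22:33:44:01", "hostname": "fw-edge",    "source": "arp"},
    {"ip": "192.0.2.1", "mac": "00:11:22:33:44:02", "hostname": "fw-edge",    "source": "arp"},
    {"ip": "10.0.5.1",  "mac": "00:11:22:33:44:03", "hostname": "fw-edge",    "source": "arp"},
    {"ip": "10.0.1.20", "mac": "aa:bb:cc:dd:ee:10", "hostname": None,         "source": "dhcp"},
    {"ip": "10.0.1.57", "mac": "aa:bb:cc:dd:ee:10", "hostname": None,         "source": "dhcp"},
    {"ip": "10.0.2.10", "mac": "aa:bb:cc:dd:ee:20", "hostname": "db-finance", "source": "arp"},
    {"ip": "10.0.2.11", "mac": None,                "hostname": "web-public", "source": "dns"},
]

# Constructed business context: criticality as it might be agreed in an
# onboarding risk workshop. Anything not rated defaults to "low".
CRITICALITY = {"fw-edge": "high", "db-finance": "critical", "web-public": "medium"}
SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PRIORITY = {0: "informational", 1: "P4", 2: "P3", 3: "P2", 4: "P1"}


@dataclass
class Asset:
    key: str                       # stable identity the service bills and tracks
    hostname: Optional[str]
    ips: List[str] = field(default_factory=list)
    criticality: str = "low"


def identity_key(obs: dict) -> str:
    """Assumed identity precedence: hostname collapses multi-interface devices,
    MAC keeps a DHCP client stable across leases, IP is the fallback."""
    if obs.get("hostname"):
        return "host:" + obs["hostname"]
    if obs.get("mac"):
        return "mac:" + obs["mac"]
    return "ip:" + obs["ip"]


def build_inventory(observations: List[dict]) -> Dict[str, Asset]:
    """Fold raw observations into one Asset per device, merging its addresses."""
    assets: Dict[str, Asset] = {}
    for obs in observations:
        key = identity_key(obs)
        asset = assets.setdefault(key, Asset(key=key, hostname=obs.get("hostname")))
        if obs["ip"] not in asset.ips:
            asset.ips.append(obs["ip"])
        asset.criticality = CRITICALITY.get(asset.hostname or "", "low")
    return assets


def protected_asset_count(assets: Dict[str, Asset]) -> int:
    """What a per-asset price would be based on: devices, not interfaces or leases."""
    return len(assets)


def ip_index(assets: Dict[str, Asset]) -> Dict[str, Asset]:
    """Reverse map so an alert's IP addresses resolve back to the owning asset."""
    return {ip: asset for asset in assets.values() for ip in asset.ips}


def enrich_alert(alert: dict, index: Dict[str, Asset]) -> dict:
    """Attach asset identity and derive a priority from the most critical
    asset involved; unknown-to-unknown traffic stays informational."""
    src = index.get(alert["src_ip"])
    dst = index.get(alert["dst_ip"])
    top = max((SCORE[a.criticality] for a in (src, dst) if a), default=0)
    return {
        **alert,
        "src_asset": src.key if src else None,
        "dst_asset": dst.key if dst else None,
        "priority": PRIORITY[top],
    }


if __name__ == "__main__":
    inventory = build_inventory(OBSERVATIONS)
    print("observations:", len(OBSERVATIONS), "protected assets:", protected_asset_count(inventory))
    idx = ip_index(inventory)
    # Constructed alert: a DHCP client probing the finance database.
    print(enrich_alert({"src_ip": "10.0.1.57", "dst_ip": "10.0.2.10", "sig": "port sweep"}, idx))
```

Seven observations collapse to four protected assets, and the same alert that a raw IP-only feed would show as "10.0.1.57 → 10.0.2.10" is surfaced as the DHCP laptop touching a critical database, which is the difference between an analyst having context to triage and not.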

You pay for a service or services you don’t need or that don’t match your risk appetite or threat profile

  • All our services are designed with flexible terms and we include threat and risk workshops in the onboarding
  • Our services support the creation of and integration with risk and threat models so we know what’s important and what to look out for – this ensures we have tailored the service to meet your unique requirements

Some real world examples…

We have seen…

PM deployments halted one year in because they cost 10x the original quoted (bid-winning) price.

Log monitoring solutions fail to deliver any value and instead simply become an expensive burden/overhead.

Organisations selecting PM services based on cost per IP address with no way of comparing the features of the quoted service and with no real idea of how many IP addresses they needed to cover or how many additional PM devices they needed to deploy to their environment. The end result suits nobody – the service is ineffective, expensive and the customer regrets their decision.

Typically we pick up customers who have had similar experiences to the above – this is also why we advise using G-Cloud to procure these services if possible (see our other G-Cloud articles). Whether you are a G-Cloud buyer or not, we offer the following advice:

  • Ensure you create a comparison matrix to compare features
  • Ensure you create a comparison matrix to compare prices that includes how the service would be scaled up and down
  • Look for the flexibility to scale up and down (look for flexible service levels that can change month-by-month or even day-by-day)
  • If you can whittle down the list of potential suppliers to those that provide true SOC services then ask the following questions:
    • How will you integrate with and support our existing technology?
    • How will you integrate and support our existing processes?
    • How will you operate the service in cooperation with our existing team?
  • Look for suppliers who offer services, not particular products as the service aspects are what counts and compare the features and benefits of these services
  • Look at the outcomes of the services offered; don’t focus entirely on the technical aspects (e.g. assessing events per second); instead decide on what outcomes need to be achieved and determine which service addresses them best
  • Assess the scope of the service – is it just a log monitoring and alerting service or does the supplier offer more (both in terms of technical security items as well as service related items such as triage and incident response)
  • Always choose suppliers with up to date, valid Cyber Essentials Plus (CES+) and ISO27001:2013 certifications – and ensure that these are scoped correctly (cover the services they are supplying to you).

Next time…

The final article in the three-part series will focus on how e2e have designed their services in this area and how we have fully embraced the ‘as a service’ delivery model, and will provide examples of how organisations of different sizes and with different security maturity can benefit from our services.
