Selecting cost effective protective monitoring services - Part 3


This is the third article of a three part series that provides advice to organisations looking to procure managed security monitoring, protective monitoring (PM) and/or Security Operations Centre (SOC) services. This article explains e2e’s approach to delivering protective monitoring services.

The approach differs depending on the customer. We have designed this flexibility into our services in order to accommodate different levels of customer requirements. We provide services, not products; these services are pay as you go, scalable and flexible enough to cover an organisation of any size.

Deployment and service

The examples below provide some further insight into this, but the message is that we have built flexibility, elasticity and agility into our service so that it works with any type of customer.

1. Typical small customer with no existing PM or SOC services

  • e2e provide the full end to end service and all software and services needed to deliver a complete SOC and PM service (with a service level/SLA to match their requirement)

2. Medium customer with a small security team and some existing security devices such as IDS

  • e2e provide the log management/SIEM solution and integrate with their existing IDS.
  • e2e provide cost effective service expansion and triage, analysis and incident management.
  • e2e provide all the other security tools (fill the gaps)
  • The customer's team can share the SOC services (co-operate the service with e2e) or choose to use their limited resource to analyse tickets raised at or above a certain severity, etc.

3. Large customer with an existing SOC and in house PM service, with existing investments in a logging solution or SIEM solution

  • e2e services and technology are integrated with the existing technology and services (typically we integrate with and utilise the existing SIEM, as our services will work with most of the common SIEM and log management solutions).
  • Typically the SOC is co-operated, with e2e picking up the majority of the first level work and the customer's resource then used to provide the expert local knowledge – as an escalation point in the triage process.
  • e2e and the customer work to create the playbooks and workflows needed for the shared SOC to operate effectively
  • e2e provide cost effective service expansion and triage, analysis and incident management.
  • e2e provide all the other security tools (fill the gaps)

4. Advanced customer with an existing SIEM as well as many other security tools and an advanced in house SOC service, forensic analysis team, etc.

  • This situation is similar to 3, but due to the advanced nature of the existing services e2e provide the first level responses as well as value added intelligence and situational awareness services and other higher end security services.
  • These customers are either concerned with expanding coverage cost effectively or want to leverage the latest technology and services provided by e2e
  • e2e will typically lead deployment and tuning exercises as well as first level response so that the existing team can be utilised as effectively as possible

What happens at the end of the service (how do we off board)?

This varies depending on the type of customer.

1. Typical small customer with no existing PM or SOC services

  • We migrate all of the data into the new service and forensically wipe any of their data held anywhere.
  • We can also offer to dual run the services on a month by month basis to ease transition (fade out).

2. Medium customer with a small security team and some existing security devices such as IDS

  • As 1 above, but we can also offer to provide support for the value added services we supply, such as the IDS, packet capture kit, etc. that we deploy. This allows the customer to keep these devices but use a different PM/SOC provider.

3. Large customer with an existing SOC and in house PM service, with existing investments in a logging solution or SIEM solution

  • As 1 and 2 above, but as part of the fixed off boarding fee we can leave the existing datastores/logs/databases as they are and provide instructions on how they can be used with the new service (i.e. we leave all the kit in place and provide root level accounts, instructions, etc. so the customer can do what they want with it – we hand over the keys and all the data).
  • We can also offer to provide just support and maintenance of the kit so that it can be operated by the customer or another supplier.

4. Advanced customer with an existing SIEM as well as many other security tools and an advanced in house SOC service, forensic analysis team, etc.

  • As above, but we can break our service down into chunks of value add that they may wish to keep or co-develop further with us. These are typically the services that we provide and the new supplier doesn't – we keep the gaps filled by charging only for the parts of the service they now use.

Summary

As a general rule we are as easy to join and as easy to leave as possible. We think we provide more and do it better than everyone else – therefore we don't need to tie you in. In fact we guarantee not to tie you in – by providing fixed on boarding and off boarding that covers this, and by offering the flexibility outlined above.

Always choose suppliers with up to date, valid Cyber Essentials Plus (CES+) and ISO27001:2013 certifications – and ensure that these are scoped correctly (i.e. the certification covers the services they are supplying to you).
