The Hedgehog SOC decision has finally landed. We are committing to build it, two analysts come in over the next two months, the office space in Stafford is being kitted out from next week, and the first monitoring engagement starts in August assuming everything else is in place by then. This has been the longest-running deferred decision of the practice and I want to write down what tipped it, what the design constraints are, and what I am explicitly not committing to, because the plan is bounded enough that being honest about its boundaries matters.

The deciding factor was, in the end, the supplier-trust problem I have been writing about since the RSA breach last March. Several of the secondment clients, and most of the Hedgehog clients, outsource their security monitoring either to a managed-services provider or to the in-house IT function, neither of which has the operational depth or the threat-intelligence reach to detect the Aurora-shaped or Duqu-shaped activity the threat landscape has been showing me through 2011 and 2012. The advisory work I do can identify the gap and recommend remediation, but the actual operational work of doing the detection is something the client either has to build themselves or buy from someone who has built it. My clients have, on the whole, been buying it from organisations whose own operational depth I do not entirely trust. The honest answer when a client asks "where would you go for monitoring if you had to recommend a provider" has, until now, been "I do not have a strong recommendation, because I do not believe most of the providers in the UK SME-and-mid-market space are operationally distinct from each other in quality". That answer is unsatisfactory both as advice and as practitioner-positioning.

Building the capability inside Hedgehog solves the problem I cannot solve through advisory alone. It also exposes me to a different problem, which is that operational SOCs are difficult businesses — labour-intensive, twenty-four-hour operations, high staff churn, low margins, easy to do badly and hard to do well. I have spent the past three months reading every public account I can find of how other UK SOC operations are structured and what their failure modes are, and the conclusion is that the cost of getting it wrong is high enough that it has to be built carefully or not at all. The decision to build is therefore a decision to commit to careful execution and to accept that the first eighteen months will be slower and more expensive than the financial model suggests is reasonable.

The shape of what we are building. Three analysts plus me at the operational end, with eight-hour shifts covering 06:00 to 22:00 on weekdays initially and a 24/7 commitment as the analyst headcount grows. The technical stack will be Splunk for the SIEM (the commercial cost is uncomfortable but the operational maturity of Splunk in 2012 is genuinely better than the open-source alternatives I have evaluated), OSSEC for host-based intrusion detection on client estates that permit agent installation, Snort for network-based detection at the boundary, and Bro IDS for the more sophisticated traffic analysis on the larger client networks. The threat-intelligence layer will be Emerging Threats for the open feeds, and a smaller commercial subscription that I am still evaluating. The detection content — the rules, the correlations, the playbooks — is the part that is harder to buy than the tooling, and is the part I will be writing personally for the first six months because there is no way to delegate the writing of detection logic until I have seen the analysts demonstrate they understand the threat model.

The customer model. The first three monitoring engagements will be with existing Hedgehog clients I trust to work through the inevitable rough edges of a new operation. The pricing is set at roughly two-thirds of what the larger MSSPs charge for equivalent service, which is sustainable on the cost model only because we are starting small and not because I think the market clearing price is wrong. The differentiator is not price but operational competence — the analysts will be writing detection content tailored to each client's environment rather than running generic SIEM rules, the playbooks will be tuned to the client's actual incident response capability, and the briefings will be written in the language the client's CISO actually speaks rather than in vendor marketing. This is not hard to do well; it is hard to do at scale, and I am making the deliberate choice to start small precisely so that the operational quality can be high through the first eighteen months.
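What "detection content tailored to the client's environment rather than generic SIEM rules" means in practice, as an added illustration in Python (this is not Hedgehog's detection logic and not Splunk, OSSEC or Snort rule syntax): the same brute-force-then-success correlation is run first as a vendor-style generic rule, then with the client's own context applied to suppress a known-benign pattern and escalate the cases that matter on that estate. The log lines, host names, addresses and the client context are constructed assumptions for the example.

```python
"""Generic versus environment-tailored detection content (added example).

The auth lines below are constructed; the line format, host names, addresses
and CLIENT_CONTEXT are assumptions standing in for a client's real inventory.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth lines: a privileged brute force at 02:00 from an
# unknown address, a helpdesk typo from the admin jump host, and a routine
# key-based backup login.
SAMPLE_LOG = """\
2012-05-29T02:01:10 fileserver sshd: Failed password for root from 10.9.8.7
2012-05-29T02:01:13 fileserver sshd: Failed password for root from 10.9.8.7
2012-05-29T02:01:16 fileserver sshd: Failed password for root from 10.9.8.7
2012-05-29T02:01:19 fileserver sshd: Failed password for root from 10.9.8.7
2012-05-29T02:01:25 fileserver sshd: Accepted password for root from 10.9.8.7
2012-05-29T09:30:00 fileserver sshd: Failed password for alice from 192.168.1.20
2012-05-29T09:30:04 fileserver sshd: Failed password for alice from 192.168.1.20
2012-05-29T09:30:08 fileserver sshd: Failed password for alice from 192.168.1.20
2012-05-29T09:30:12 fileserver sshd: Failed password for alice from 192.168.1.20
2012-05-29T09:30:20 fileserver sshd: Accepted password for alice from 192.168.1.20
2012-05-29T14:10:00 fileserver sshd: Accepted publickey for backup from 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn the raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def generic_bruteforce_then_success(events, threshold=3):
    """Vendor-style rule: N or more failures then a success from the same source.

    This fires on every occurrence, including the ones the client's own admins
    produce daily, which is exactly why generic content drowns an analyst.
    """
    failures = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["host"], e["src"])
        if e["outcome"] == "Failed":
            failures[key] += 1
        else:
            if failures[key] >= threshold:
                alerts.append({"host": e["host"], "src": e["src"],
                               "user": e["user"], "ts": e["ts"]})
            failures[key] = 0
    return alerts


# Assumed client-specific context: the jump host admins work from, the hours
# interactive logins are expected on this estate, and the accounts that matter.
CLIENT_CONTEXT = {
    "admin_sources": {"192.168.1.20"},
    "business_hours": (7, 19),   # 07:00 to 19:00 local
    "privileged_accounts": {"root"},
}


def tailored_rule(events, context, threshold=3):
    """The same correlation, scored against the client's environment: suppress
    the known admin jump host, escalate privileged accounts and out-of-hours
    activity. The generic rule is reused; only the environment knowledge differs."""
    results = []
    for alert in generic_bruteforce_then_success(events, threshold):
        if alert["src"] in context["admin_sources"]:
            continue  # mistyped password from the jump host: known benign here
        severity, reasons = "medium", []
        start, end = context["business_hours"]
        if not start <= alert["ts"].hour < end:
            severity = "high"
            reasons.append("outside business hours")
        if alert["user"] in context["privileged_accounts"]:
            severity = "high"
            reasons.append("privileged account")
        results.append({**alert, "severity": severity, "reasons": reasons})
    return results


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("generic :", [(a["src"], a["user"]) for a in generic_bruteforce_then_success(evs)])
    print("tailored:", [(a["src"], a["severity"], a["reasons"]) for a in tailored_rule(evs, CLIENT_CONTEXT)])
```

The generic rule produces two alerts from these lines, one of them the helpdesk typo from the client's own jump host; the tailored rule produces one, the out-of-hours root login, marked high. The point is that the correlation logic is the cheap part; the admin-source list, the business-hours window and the privileged-account set are what the analyst has to learn per client, and they are what the generic content never has.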

The thing I am explicitly not committing to is being a substantial managed-security-services provider in the standard UK market sense. There is a viable business model in being the next IT-Lab or NetCraft for monitoring services, and I am not pursuing it. The reason is that the standard MSSP model commoditises detection content, runs analysts at low headcount per client, and competes on price; the resulting service is, in my view, mostly worth what it costs and not much more. The Hedgehog SOC is intended to operate at a smaller scale and a higher operational density per client. Whether that is a sustainable business shape is something I will know more about in eighteen months. If it is not, the practice continues without it; if it is, the operational capability extends what the advisory side can deliver.

The next few weeks will be the practical work of getting the office, the kit, and the first analysts in place. The first analyst is in the final stages of joining and the second is in conversation. The Splunk licence is being negotiated with the regional partner. There is more to write about as the operation comes together; I will write the next piece when we are running the first monitoring engagement, probably in late August or September.

The next post is probably either Flame, which CrySyS and Kaspersky published yesterday and looks substantial, or whatever else lands first. The Flame analysis is the highest-priority technical reading on my desk this week regardless.
