16
Tried SOC-as-a-service vs keeping everything in-house for 6 months
We had a small team of 3 handling our SIEM alerts and it was burning everyone out, so I pushed for a managed SOC trial. Within 2 weeks they found a beaconing IP that our own team had missed for 8 months because we were too swamped. Anyone else switched to a MSSP and seen a big jump in detection speed?
2 comments
Log in to join the discussion
Log In2 Comments
the_nathan4d ago
...and here I was thinking our SIEM was just being 'mature' by not catching things. Turns out it was just catching dust while we were catching up on tickets. My team of 3 was basically playing whack-a-mole with alerts, and I'm pretty sure one of our analysts was just flagging 'suspicious' anything that pinged after 3 PM. The beaconing thing hits close to home, we had a similar one that was apparently pinging home for like 10 months before we noticed. Makes you wonder what else we're missing when you're too busy being on fire to look at the actual fire.
0
foster.ruby3d ago
10 months is brutal but honestly not surprising when you're drowning in alerts like that. We had a box that was beaconing out to some sketchy IP for over a year and nobody caught it because our SIEM was just so noisy with false positives that everyone learned to ignore it. The whole "whack a mole" thing is so real, its like you're just trying to survive the day and anything that doesnt scream loud enough gets lost in the noise. I swear our analysts had a rule that anything after 4 PM was probably fine because nobody wanted to stay late digging into it. Makes me wonder how many other things are sitting quiet in our logs right now that we just haven't had time to look at.
7