A security operations center (SOC) is becoming an absolute necessity when defending your organization from damaging cyber-attacks. A SOC is the centerpiece of a company’s security operations, as it serves as a critical IT center in which to mitigate cyber risk. In this post, I’ll discuss what you should consider when looking to establish a SOC and the impact it will have on your organization.
Build Versus Buy
Building a SOC can be a large investment, especially if you’re going to run or need a 24×7 operation. When building your own SOC, there can be significant costs associated with people, process, and technology. From a people perspective, there is a skills shortage in our industry that makes it extremely challenging to find qualified and talented professionals. From a process perspective, you need to build and integrate the SOC into the main business. You can buy playbooks and other materials to drive your SOC but there will always be some level of customization needed, which takes resources. From a technology perspective, the right technology partners and platform can help you by automating or at least optimizing your detection and response capabilities. But understand, implementing a SOC goes well beyond buying technology and putting it in place.
Building your own SOC
From my perspective, the No. 1 benefit of building your own SOC is having dedicated staff that are solely focused on your company and achieving your mission. This team will have a deep understanding of your business. They are going to better understand the overall context around events and will have more knowledge about how you operate than a third-party provider. This knowledge will give your staff the background to determine if an event in your environment is merely suspicious or actually malicious. From there, they’ll be able to take corresponding actions to appropriately remediate. This is extremely valuable and can’t be overlooked as a differentiator.
Buying a SOC
On the other hand, outsourcing a SOC can be very cost-effective. You might not have to directly buy software or hardware, and you won’t have to hire or manage full-time staff. As we mentioned earlier, finding knowledgeable resources can be difficult and you essentially offload that responsibility to the outsourcing partner. Operationally, a Managed Security Provider (MSP) will handle everything for you—from the health of your infrastructure to triaging and responding to incidents. Because you don’t have the technology and personnel costs, the total cost of ownership could end up being lower.
Despite the lower costs, I do have my doubts. The reality is that a third-party provider has multiple customers, and you may not be their only priority. As mentioned earlier, outsourcing security operations introduces some level of risk as the group responsible for your security may not be as knowledgeable on the intricate details of how your business operates and won’t be able to apply business context to alarms and incidents. This could impact their ability to detect and respond in an appropriate and timely manner.
Furthermore, there are a number of outsourced providers that are focused on scaling their operation. One way to achieve this scale is to implement a one-size-fits-all-type of model. They’ll be more focused on generalized security threats and not on the security threats and risks that are specific to your business. This model, while cost effective, can leave an organization with technologies and strategies that don’t fit their needs.
The Hybrid Option
A third option that I’ve seen a lot of is a hybrid approach. Companies will actually staff their own security operations during normal daytime business hours. Then, from when they leave their office until the next morning, they will hand the responsibilities over to an outsourced MSP. With this hybrid approach, the MSP will focus on triaging events after hours, but the full-time staff will respond to the actual incident or investigate incidents during normal business hours. While in some cases, the MSP can also offer a second set of eyes during normal business hours, in essence, doubling your SOC staff during that time frame. I see this hybrid model being used more and more, because it balances out cost while providing the necessary coverage at the right levels of risk.
The Final Word
I know a lot of hard core security practitioners might disagree with me but, ultimately, leadership must look at how critical security is for the business. They need to understand that more control is often accompanied by an increased total cost of ownership. When considering which model is right, ask yourself the following questions:
- How does security and the SOC align with the strategy and mission of the business?
- Do you want to manage a 24×7 operation in house?
- Can the company justify the expense?
- Does your business need increased control that comes with running your own SOC?
- What would happen to the business if it suffered a security breach?
When considering the last question, if the impact is minimal, then I might suggest leaning toward outsourcing. If the impact is significant, then I would lean toward running the SOC in house myself. A SOC is an investment in time, energy, and money. A CISO has to understand how much they and the business are willing to invest and weigh that against the business mission and strategy.
Finding Qualified Staff to Run a SOC
Building a SOC can be pricey if not done correctly. A few mistakes here and there can really cost you, ultimately hurting your ability to meet business objectives.
Constant Competition for Quality Personnel
The lack of experienced talent in the field definitely makes running a SOC in house a bit more challenging. As with any market, there’s a supply and demand. In our current market, we have a shortage of quality experienced security personnel, the supply. The demand is huge as your partners, competitors, and even your friends in the industry are all fighting for the same resources that you are.
Unfortunately, supply and demand now puts employers into a situation where the highest bidder wins—and it’s not just a one-time win and it’s not just about money. You must constantly be the highest bidder as it relates to money, the work, the training, the mission, the company buy in to security, the complete package. As a result, it can be pretty challenging to acquire quality talent and expensive to hire and maintain your own staff.
On another note, when the industry has a personnel problem like this, the people that are considered experts in the field get inflated, and not just in salary. People can get a big head when they are considered to be part of a select few. Having a staff with inflated egos isn’t ideal. Your SOC most likely won’t be as productive as a result. This can derail both your budget from a personnel perspective and the productivity and fit of how your SOC operates.
Finding the Right Mix for Your SOC
You really need the right mix of personnel when building a SOC. The classic tiered model for a SOC is what I have used in the past and always recommend. You have more junior staff at the entry level or Tier 1, mid-tier staff at a Tier 2, and a select few experts in Tier 3. You should strive for the right balance between the tiers. For example, if your Tier 3 makes up more than around 25% of your overall SOC staff, then you’ve probably got the wrong mix.
With this model, you can spread your technical personnel budget out, as well as provide growth and training opportunities up and down the tiers. Someone can be a trainee while someone else can serve as a mentor. I think it’s very rare to have a powerfully functioning SOC when you have nothing but experts on your team, so I’ve always loved the tiered approach for staffing a SOC.
A Strong Security Architect Is a Must When Building Your First SOC
More specifically, when building your first SOC I always recommend having a strong security architect on staff. You should have someone that can come in, understand the needs of a SOC, and how it interacts with all the various stakeholders. A good security architect can gather and develop all your business requirements around the SOC. Then, he or she will also look at the various solutions and associated costs.
If you don’t have a strong architect, bring in a third-party consultant. This consultant can fill an advisory role, but it is important that you trust and feel they understand you and the business. The money you invest in those advisory consulting services, or that you spend to hire someone full-time on staff, will save you in the long run. It is important that you have all your ducks in a row when you build out your SOC.
Selecting the Right Technologies for Your Business and Team
You must identify technologies that align with the program you are trying to build, the skills of your staff, and the processes that you’re putting in place. Often, people will purchase technology before they have the people and process in place. I’ve never been a big fan of that approach, and I have seen it negatively impact the success of a security program and a SOC.
I would also recommend to really look at a platform approach. Buy only what’s necessary, look at best of breed technologies, and make sure it all seamlessly integrates together in a single SOC platform. You want that single pane of glass and the ability to perform all SOC operations out of one platform. The more screens your team has to look through, the more technologies your team has to login to directly, and the more risk scores and algorithms they have to corroborate will ultimately make a more complicated and less successful operation.
My last bit of advice on technology is, to please not just buy everything in the Gartner Magic Quadrant—no matter how much budget you have. Make sure you develop a strategy and an architecture specific to your business and stick with it.
The Impact of a SOC on Your Governance, Risk, and Compliance Program
The impact your SOC will have on your governance, risk, and compliance (GRC) program depends on several questions:
- What industry are you in, are you regulated?
- What line of business are you in?
- Do you have compliance regulations with which you or your customers must comply?
When I look at the GRC program and a SOC, they are best friends. The SOC should be the most powerful ally of the GRC. The SOC is supposed to have visibility to all things on an IT environment: users, the network, systems, applications—all of it. The SOC should also know the overall business goals and needs, policies, and the associated risks. All of that contextual data is necessary to better the SOC’s detection and response capabilities, as well as prioritize their response activities.
If you provide the SOC with everything that it needs, GRC can get every answer from the SOC. For example, suppose you want to know if you’re in compliance with a specific regulation. If your SOC already has visibility to that data and has that context, it can even help you continuously monitor, in real time, whether you are staying in or falling out of compliance. The SOC can even tell you which people or systems are in violation of certain governance and policies.
Looking more broadly, the SOC can even automatically tell you if there’s been an increase in risk or a lowering of risk based on a multitude of factors then alert you of changes in real time.
Ultimately, the GRC group develops and implements controls while the SOC can inform if those controls are being followed. These two organizational functions work side by side.
A SOC’s Role in Meeting Organizational Compliance Requirements
I don’t know very many compliance or regulatory requirements that don’t include some level of audit monitoring and incident response. An in-house SOC will do both of those functions and help you satisfy those requirements. If you work in a regulated industry, a SOC can help you monitor, detect, respond, and meet the governance requirements associated with that industry.
If you outsource your SOC, your MSP should be able to meet your requirements as well. But before you sign the contract with your outsourcing partner, there are several things you need to do. First, make sure that the compliance regulations that you have to comply with are known to your third-party partner. Second, if these compliance regulations require you to perform periodic assessments and generate reports that demonstrate you’re meeting your requirements, make sure that your partner is willing and able to perform the audit and output the necessary reports. Most importantly, once you’ve done all that, make sure all requirements are included in the terms and agreements of the original contract. You need to ensure that your regulatory obligations are transferred to the partner. The transfer isn’t binding unless you have it written down in a contract and have ensured the partner can fulfill those obligations. Ultimately, all of this requires you to do a little bit of legwork upfront.