Building a SOC is not to be taken lightly, and presents a myriad of challenges.
Why Security Operations Centers Are Important
Building a Security Operations Center or SOC in order to centralize defenses, coordinate and deploy people, processes, and technology is a growing part of the strategy of information security leaders in even small and medium-sized businesses.
It is more important than ever for organizations to escalate their level of protection against cyber-attacks. As we have seen from the Verizon Data Breach Investigations Report and Ponemon’s Cost of a Data Breach Study, not only have the number of attacks increased exponentially over the past years, the cost of these attacks to business has increased as dramatically.
Fortifying your organization’s security posture has become one of the top priorities for businesses across all industries.
What is a Security Operations Center?
A SOC is designed to empower security personnel to deliver continuous prevention, protection, detection and mitigation of threats to company systems. SOC teams also uncover vulnerabilities, respond to threats, and handle incidents that may be in progress on your networks or systems. There are many benefits to having an effective SOC including:
- Speed of response: They can empower analysts to respond swiftly to malware that has the ability to spread quickly, infecting your systems and encrypting, exfiltrating, or otherwise damaging data in mere seconds.
- Recovery: They can help you recover from or stop DDoS attacks, data exfiltration by insiders and other threats in a reasonable amount of time. Distributed Denial of Service (DDoS) attacks have become more prevalent recently; they are executed when attackers send massive amounts of internet traffic to your site, often leveraging botnets, to slow or bring down your site, as with the Dyn attack, which leveraged compromised “smart” devices.
- Monitoring: They can provide real-time monitoring of logs and other system data to quickly formulate a response and mitigate the attack.
- Reporting: They have the ability to keep executives, auditors and security personnel apprised of any security issues or incidents.
- Analysis: They can equip incident responders with the ability to analyze the incident after it has happened to defend against future attacks.
In-house vs. Outsourced
There are essentially two ways to go with a SOC: an in-house SOC or an outsourced MSSP (Managed Security Service Provider); each has its own advantages and disadvantages.
Having an in-house SOC obviously costs more up front because of the employee and technology investment, but dedicated employees who know the environment and systems better than a third party can be more efficient, and solutions are easier to customize to your systems. The challenge is that it may be more difficult for them to uncover threats that would be obvious to a company that specializes in identifying malware behavior, and, more importantly, good SOC analysts are increasingly difficult to find.
An outsourced MSSP initially costs less because you’re using their hardware, software, and experts. They have the advantage of experience, with analysts who have monitored other environments, and they generally follow proven processes. Further, MSSPs provide service level agreements so that the organizations they serve have a clear understanding of what to expect and when to expect it.
Whether in-house or outsourced, it is important to have best-in-class technology, including antivirus, firewalls, SIEMs, threat detection, endpoint security and more. The standard today is a layered security approach, or as it has been called in the past, defense-in-depth, which creates its own complexities.
This complexity is one of the reasons the most recent PwC Global State of Information Security Survey is tracking a record number of CIOs and CISOs who are searching for outsourcing solutions. The number of analysts and experts who understand the exploding universe of cyber technologies and how they integrate and work together is dwindling. Further, being versed in incident response, digital forensics, malware research, signature-based tools, behavior-based tools and more is a lot to ask of a small security operations team. However, it is necessary in order to be protected against the number and sophistication of the attacks we are experiencing.
The most important catalyst for developing SOC capabilities is that over 60% of small businesses that experience a breach are out of business in 6 months or less according to the National Cyber Security Alliance. And as we have seen over the past couple of years, large businesses like Target, Yahoo, Home Depot, PF Chang, and others experience significant customer defections and brand damage. We can all agree that attacks are coming at an increased rate, the malware is more complex, damaging and better distributed, and the technologies built to defend against these attacks are more complex and difficult to integrate. Centralizing people, processes, and technology and improving your security posture is critical whether organizations choose to handle it in-house or partner with an MSSP.
Important Questions to Ask
In deciding between an in-house or outsourced SOC, there are a few questions to be considered.
In-house: how to build a Security Operations Center
- Do you have employees with the skills to manage a SOC?
- Will you document the complete processes?
- Will you develop a training program for your staff?
- Who will design your SOC site?
- Will you be able to retain a good staff?
- Do you have an adequate budget for an internal SOC?
Outsourced: how to choose the right SOC
- What is their reputation?
- How do their current customers feel about them?
- How long have they retained those customers?
- What is their rate of customer cancellation?
- What is their staff experience?
- Do they perform background checks on employees upon hiring them?
- Do they use contractors?
- What is the employee turnover rate?
- How long has the company been in business?
- Will they provide you with documentation of their procedures?
- Will the cost be less than that of an in-house SOC?
The answers to these questions should provide you with the foundational information you and your organization need to make an informed decision. Further, simply going through the process of interviewing MSSPs and thinking through your current capabilities will provide you with the insight you need to scope the challenge.