Cyber attacks have become ever more frequent, targeted and sophisticated. Millions of warnings are produced by platforms, applications and numerous point solutions like antivirus (AV), intrusion detection systems (IDS)/intrusion prevention systems (IPS) and firewalls. The quality and speed of the response are essential to limit the impact on your organization. Unfortunately, the trend is going in the opposite direction: due to the increased complexity of the attacks, companies are forced to employ more and more resources to detect and eliminate a threat. A professionally designed Security Operations Center (SOC) can be a vital line of defense against unauthorized, malicious activity in real time. This requires employing the right people, technology and processes. But what other aspects have to be taken into account when investing in your SOC?
The SOC, in essence a team of well-equipped security analysts, is organized to prevent and report on cybersecurity risks but even more to detect, analyze and respond to incidents. It is a vital node in charge of a company’s issues related to cybersecurity. However, the decision of whether to build, share or use a SOC as-a-Service (aaS) needs to be taken carefully. This article will outline different characteristics of these solutions.
Build a SOC
One of the biggest advantages of building your own SOC is the dedication and expertise of your staff who probably know your organization and its environment better than anyone else. They are familiar with the interdependencies between different departments and can interact locally with their assigned contact points. In addition to that, solutions are in general easier to customize and highly specific requirements can be addressed most efficiently.
However, the up-front investment is considerably higher compared to a shared or aaS SOC. In addition to that, you should be aware that a SOC needs about 18 months to be built, and experienced SOC analysts or managers are hard to find. Do you have the expertise to assess whether the analysts who operate the SOC, as well as the staff who build and manage it, have the appropriate skills and knowledge?
Share a SOC
A shared SOC is a hybrid solution between an in-house SOC and a SOC aaS. Synergies in terms of staff, processes, technology and facilities can be leveraged between participating companies and result in cost savings. However, these savings will likely not be as large in scale as for an aaS SOC.
While your built SOC allows exclusive control over your project, in a shared SOC you have to implement processes and technology to ensure confidentiality and accountability towards your partners. You will have to be in agreement with them for all decisions relating to your shared SOC. Depending on the individual goals and relationships, this can be a difficult task.
Therefore, it is important to find the right, trusted associate business that shares the same objectives and motivation. In order to reduce the risk of industrial espionage, consider choosing a partner which is not in the same industry but shares most of your requirements. Apart from internal policies there might be regulatory compliance requirements to cope with, like the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), … The highest level of trust and congruence between you and your partners should be achieved.
Use a SOC as-a-Service
If you choose to operate a SOC as-a-Service, it is essential to choose the right service provider. Questions you might want to consider are: What is its reputation, and who are its reference customers? How is the data being protected, and what is the level of security at their SOC? Is the staff experienced, and are background checks performed on a regular basis?
The main advantages of a SOC aaS are cost savings and a highly professional SOC team. The SOC provider can leverage staff, processes, technology and facilities across multiple clients. An experienced partner has efficient SOC management, skilled analysts and all other required staff, at the right time in the right place for you. As a result, the costs should be lower than for the built or shared solution, while the level of professionalism might be the highest.
Another advantage is the shorter time to get the SOC operational. The provider of a SOC aaS is experienced in onboarding new clients and can tailor current solution offerings quickly and reliably to new needs.
Nevertheless, a potential disadvantage could be that log data is accessed or stored outside your company. In addition to that, you allow a third party to be aware of your cyber vulnerabilities and attacks. However, this is only a potential disadvantage. The selection of a trusted service provider, non-disclosure agreements (NDAs) and well-defined Service Level Agreements (SLAs) can remedy the issue.
Once the right solution has been identified, there should be very limited need to take care of the SOC operations and management. A good service partner provides a SOC at known costs and enables your company to focus on its core business.
The decision to build your own, share or use a SOC aaS is a critical step that ought to be evaluated very carefully in order to reflect the many internal and external factors involved. If there is no appropriate expertise in-house, consider consulting an external partner who can assess the requirements and provide the necessary support during the decision-making process. Preferably, this should be a trusted partner with experience in other related services such as Security Information and Event Management (SIEM) or Risk Management. If the option of additionally outsourcing other security services is being considered, your partner should be a well-established provider of Managed Security Services (MSS). Choosing a SOC is not only about the implementation of a single solution. It is about the implementation of the right services for your individual requirements and business objectives that fit into the overall business and IT strategy.