In today’s blog, we’ll explain what a Security Operations Center (SOC) is, and help you determine if a SOC-as-a-Service (SOCaaS) solution is right for your organization.
Just because you're tasked with managing cyber security for your company doesn't mean your company is in business to do cyber security. Unless you are a cyber security provider, your core business could be practically anything else. But sound cyber security is critical to allowing that business to grow. You know that having the right cyber security skills available at the right time is critical to your success, but you cannot predict when that time will come.
Choosing the right technology, people, and processes to build a modern security operations function is one of the biggest challenges for today’s Chief Information Officer (CIO) and Chief Information Security Officer (CISO).
Approaches to Consider with SOCaaS
- Leverage a SOCaaS provider (or traditional managed security service provider)
- Use a hybrid model with some of the advantages and capabilities of each
- Build, manage, and staff your own SOC
What is a SOC and What Can it Do for You?
A SOC performs the following functions for you:
- Plan, Configure, and Maintain Security Infrastructure – Configure the technology stack (endpoints, SaaS applications, cloud infrastructure, network) so it captures the activity that matters and tunes out noise. Monitor every log source so that a feed that goes quiet is noticed and fixed rather than silently becoming a blind spot.
- Detect and Respond – Monitor incoming alerts. Investigate each one to determine whether it is a true security incident or a false positive. If it is a legitimate security concern, assess the scope of the compromise, perform response actions (such as isolating affected hosts), and document the incident for communication.
- Hunt for Threats – Review event history for signs of compromise that evaded automated controls. The most common scenario is a retroactive search: once an IP address, domain, or file hash is confirmed malicious, the team searches stored logs for any earlier contact with it and identifies the hosts and users involved.
- Log Storage for Forensics – Collect and securely store logs, typically for a year and up to seven years where compliance requires it. When an incident is discovered, this archive is the forensic record the team uses to establish what happened and when.
- Track KPIs for Execs and Boards – Measure and report key performance indicators (KPIs) that demonstrate to the executive team how well the SOC is performing.
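The retroactive hunt and forensic-archive use described in the list above, as an added example (not Delta Risk's code or tooling): a set of indicators is confirmed malicious, archived events are swept for any earlier contact, results are summarised per host, and the exposure window back to the earliest sighting is measured. All log lines, indicators, hostnames and timestamps are constructed for the demonstration; one log line is deliberately malformed to show that bad records are counted rather than crashing the sweep.

```python
"""Retroactive IOC sweep over archived logs.

Added example (not Delta Risk's code or tooling). Given indicators that
have just been confirmed malicious, search stored events for earlier
contact, summarise per host, and measure how long the exposure went
unnoticed. All log lines, indicators and timestamps are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed sample: proxy, firewall and EDR events as JSON lines, the way
# a SIEM or log archive might return them. The last line is deliberately
# malformed.
SAMPLE_LOGS = """\
{"ts": "2024-03-01T08:12:03Z", "src": "proxy", "host": "ws-017", "user": "jdoe", "dst_ip": "203.0.113.45", "domain": "cdn-update.example", "action": "allow"}
{"ts": "2024-03-01T09:40:11Z", "src": "edr", "host": "ws-017", "user": "jdoe", "sha256": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08", "path": "/home/jdoe/Downloads/invoice.exe"}
{"ts": "2024-03-02T14:05:49Z", "src": "firewall", "host": "ws-042", "user": "svc-backup", "dst_ip": "198.51.100.7", "action": "allow"}
{"ts": "2024-03-03T22:17:30Z", "src": "proxy", "host": "ws-042", "user": "mlee", "dst_ip": "203.0.113.45", "domain": "cdn-update.example", "action": "block"}
{"ts": "2024-03-04T03:00:00Z", "src": "edr", "host": "srv-db-01", "user": "SYSTEM", "sha256": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae", "path": "/opt/backup/agent"}
this line is not valid json and must not crash the sweep
"""

# Indicators confirmed malicious (constructed). Stored lowercase so that
# matching is case-insensitive for hashes and domains.
IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"cdn-update.example"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# When the indicators were confirmed malicious (constructed); exposure is
# measured back from this point to the earliest sighting on each host.
CONFIRMED_AT = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)

# Event fields in which each indicator type can appear.
IOC_FIELDS = {
    "ip": ("dst_ip", "src_ip"),
    "domain": ("domain",),
    "sha256": ("sha256",),
}


def parse_lines(text):
    """Parse JSON lines into events with a tz-aware '_ts'; return (events, bad_count)."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["_ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            bad += 1  # counted, not silently dropped
    return events, bad


def match_iocs(ev, iocs):
    """Return the (kind, value) indicators present in one event."""
    hits = []
    for kind, fields in IOC_FIELDS.items():
        for field in fields:
            value = ev.get(field)
            if isinstance(value, str) and value.lower() in iocs.get(kind, set()):
                hits.append((kind, value.lower()))
    return hits


def sweep(text, iocs):
    """Scan all events in time order; return ({host: summary}, bad_line_count)."""
    events, bad = parse_lines(text)
    per_host = {}
    for ev in sorted(events, key=lambda e: e["_ts"]):
        hits = match_iocs(ev, iocs)
        if not hits:
            continue
        s = per_host.setdefault(ev.get("host", "?"), {
            "first_seen": ev["_ts"], "last_seen": ev["_ts"],
            "users": set(), "iocs": set(), "events": 0, "blocked": 0,
        })
        s["last_seen"] = ev["_ts"]  # events are time-sorted, so this only grows
        s["users"].add(ev.get("user", "?"))
        s["iocs"].update(hits)
        s["events"] += 1
        if ev.get("action") == "block":  # a blocked contact still means the host tried
            s["blocked"] += 1
    return per_host, bad


def exposure_hours(summary, confirmed_at):
    """Hours between the earliest sighting on a host and IOC confirmation."""
    return (confirmed_at - summary["first_seen"]).total_seconds() / 3600


def main():
    per_host, bad = sweep(SAMPLE_LOGS, IOCS)
    print(f"{bad} unparseable line(s) skipped")
    for host, s in sorted(per_host.items(), key=lambda kv: kv[1]["first_seen"]):
        kinds = ", ".join(sorted(k for k, _ in s["iocs"]))
        print(f"{host}: {s['events']} event(s), {s['blocked']} blocked, "
              f"users={sorted(s['users'])}, iocs=[{kinds}], "
              f"first={s['first_seen']:%Y-%m-%d %H:%M}Z, "
              f"exposure={exposure_hours(s, CONFIRMED_AT):.1f}h")


if __name__ == "__main__":
    main()
```

Two design points matter in practice: the hash in the EDR event is uppercase while the indicator is lowercase, so every comparison normalises case, and the proxy block on ws-042 is still reported, because a blocked connection attempt tells the hunter that something on that host wanted to reach the indicator. The exposure figure (about 100 hours for ws-017 here) is the sort of number that feeds the KPIs described in the next item.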
Why is Building a SOC so Challenging?
- Finding, training, and retaining cyber security talent is expensive.
The talent you need to handle cyber security tasks is in high demand. Unfortunately, the shortage is going to get worse before it gets better. According to (ISC)² (the International Information System Security Certification Consortium), the number of unfilled cyber security positions worldwide is now more than 4 million, up from nearly 3 million a year earlier.
Training staff with a broader IT background in cyber security skills is an option, but retaining these people is expensive. Replacing them when they are recruited away starts the cycle all over. It usually ends up being more expensive than planned.
Additionally, the individuals who do well in this area usually want to explore new topics and take on new challenges. You will need to find other, related projects or roles to rotate SOC staff through to keep them engaged. This also helps build their skills, so they are ready to respond and act when needed.
- Cyber security is a team sport. It’s important to have a diverse set of skills and a team that works well together.
Security threats evolve quickly, and proper investigation and response requires people who understand endpoints, networks, cloud applications, and more. You’re often a SOC manager, a system administrator, and a threat hunter, depending on what day it is and what’s happening in your environment. This means you need a team that is always learning so they have the right skills when you need them. People who do well in this area thrive in a team setting where they can learn from and challenge each other. To do this, you need scale that brings several SOC analysts together regularly.
Think of it this way. You wouldn’t put a football team on the field that hasn’t practiced together. Your SOC team is going up against an adversary that plays together every day. To be successful, you need a SOC that has lots of game-time experience to build their skills in their position and as a team. A SOC function that does not see regular practice is not going to be ready when hit with the full force of a well-practiced adversary. It’s difficult to get this experience in a small organization.
- 24×7 coverage is no longer optional. It’s a necessity.
Leaving an adversary free to operate for hours, days, or weeks makes containment and eradication far harder. The adversary knows the window before detection is limited and uses it either to do as much damage as possible, as with ransomware, or to establish back doors for longer-term access and data exfiltration. You have the best chance of recovery if you can investigate and respond within minutes, so a solution that provides 24×7 coverage is crucial.
- Managing vendors and integrating tools is expensive.
Cyber security is complex and the technology evolves quickly. There will always be multiple technologies that need to work together. This requires maintaining skills to implement, update, and configure each component and training your staff on new versions and features. If you run your own SOC, you need to manage these vendor relationships, licensing, and training activity.
The bottom line here is that creating the capability you need is going to require a lot of low-level tasks and extensive day-to-day work. For those organizations that can support it, the effort makes sense. For most organizations, the task is better left to a partner that can provide this as a service, enabling you to get all the benefits of a top-notch SOC without the expense and distraction of building yourself.
Key Takeaways: SOCaaS vs. Build Your Own
If budget isn’t an issue and you have the cycles to properly focus on building out a 24×7 SOC, then it may make sense to go that route. If you are constrained on either of those fronts, then SOCaaS will be a better approach.
In summary, SOCaaS will allow you to:
- Spend time managing security, not technology and vendors
- Have predictable spending – no need for surprise budget requests
- Get security insights from other organizations
- Handle alerts more efficiently and with more predictable results
- Have the agility to keep pace with your organization's ever-changing IT demands
- Stay on top of innovations in today's security tools
If you’d like to learn more about Delta Risk’s SOCaaS solutions, get in touch with us for a free, no-obligation consultation or demo.