Buy, Rent, or Uber Your Security Operations Center

Monday, November 05, 2018

A. N. Ananth

A4c42684a8889958a83ecca5d2fe59e5

We all know that data breaches cost a lot—an average of $3.6M per organization.

For cyber criminals, everyone’s a target—and perfect prevention isn’t practical. We must assume that, at some point, every organization’s IT infrastructure will be breached. That’s why we need to continuously monitor, investigate and respond to cyber threats 24/365 if we are to avoid costly breaches and the potential impact to reputation, revenue and customer confidence.

What better way to provide continuous monitoring and analysis than through a security operations center (SOC)? With the people, processes and platform to continuously look across the entire organization’s networks, servers, endpoints, applications and databases, a SOC applies expert knowledge to detect and dig into potential threats. One of the key benefits of a SOC is preventing the devastating impact of a breach by reducing the dwell time (the time between when an attacker compromises a network—minutes—and when the organization discovers the threat—typically months!)

Cost and complexity are roadblocks

Any way you look at it, a SOC is complex and expensive. It requires a lot of specialized hardware and software to generate events and alerts, which must be examined by highly skilled security analysts who can determine which ones represent real threats.

The platform is costly.

You need a well-tuned SIEM (security information and event management) to provide the visibility foundation, along with firewalls, IPS/IDS, vulnerability assessment tools, endpoint monitoring solutions and more. All of this must be fed by threat intelligence that is specific to your organization’s goals and risk tolerance, and the results need to be augmented by machine learning and fine-tuned by human experts.

Processes are costly as well.

Detailed organization-specific playbooks need to be written, spelling out what should happen when ransomware, malware infections, distributed denial of service attacks or other threats are seen. They specify how to investigate, what evidence to gather and when and how to escalate.

Perhaps the most expensive component is people.

It’s difficult enough to hire a team of highly skilled security analysts with the bandwidth and expertise to perform continuous monitoring, while we are experiencing a worldwide shortage. It’s even harder to retain them in the face of stiff competition for scarce talent.

The Complete SOC: Platform. People. Process.

/uploads/remoteimg/c01aefaee2df8a03a902e5bd99a156ab.jpg

Finding the best route

Reaching the goal of continuous coverage is not a simple make/buy decision: it’s more of a buy/rent/co-manage decision: should you build your own SOC, outsource your SIEM (or SOC) platform, or leverage a co-managed SOC solution.

1. Building your own SOC is akin to buying a car to get from Point A to Point B.

You incur all the platform, process and people costs – but you are in total control over where you are going and how to get there (i.e. what your organization sees as risks, threats, and responses). Of course, the cost and complexity could be prohibitive.

2. Outsourcing your SIEM or SOC platform is like renting a car.

You don’t have to make the capital outlay for hardware, but you still need to carry out all the processes—and you must hire, train and retain your own SOC team. It’s less expensive than building your own SOC, but still quite pricy.

3. Leveraging a co-managed SOC solution is like using Uber to get to your destination.

You augment your own internal team with seasoned security experts with mature processes driving a powerful SIEM platform, yet you remain in control of the ultimate destination. A co-managed SOC ensures that the collective team is operating in concert to reach your organization-specific goals.

Uber your way to a SOC

The goal is to get from Point A (your organization’s current security and compliance posture) to Point B (stronger security posture, compliance confidence and incident readiness). Clearly, the most cost-effective way to reach that goal is via a co-managed SOC – the Uber approach. You get the best of both worlds: the best people, processes and platform, at the lowest cost. Not only do you avoid the people and process costs, you retain control over the aspects that are specific to your organization: your risk tolerance, your market realities and your definition of what’s most important to you.

About the author: A. N. Ananth is a co-founder and CEO of EventTracker, Ananth was one of the architects of the EventTracker SIEM solution. With an extensive background in product development and operations for telecom network management, he has consulted for many companies on their compliance strategy, audit policy and automated reporting processes.

Possibly Related Articles:
11754
Infosec Island Enterprise Security Security Awareness
SIEM SOC Prevention security operations center security information and event management
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.