Business

What to consider before launching a security operations center

There are different ways to launch a security operations center (SOC) – insourcing, outsourcing or a combination of both. What’s the best approach for your business?

Share article

inhouse vs outsource SOC balls boat

You have some big decisions to make if you’re thinking about launching a security operations center (SOC). Some you can easily scope out in advance, but others need further thought. Let me take you through the process and highlight the potential outcomes.

How does a security operations center differ from a network operations center?

First, you should understand the difference between a SOC and a traditional NOC (network operations center.) NOCs are mostly concerned with keeping the packets flowing through the digital pipes and finding and removing blockages. SOCs extend this basic “plumbing” and ensure that the right packets end up in the right places, and look for inappropriate situations. For example, A NOC would be concerned about abnormal network latency reports, while a SOC might see a rogue endpoint obtain elevated access rights and use lots of network resources that could be causing poor latency. A SOC and a NOC may display a different response to seeing a false positive: Within a NOC, it isn’t usually triggered as an issue as its purpose is to send alerts about whether the network is working or not. With a SOC, it could show your infrastructure has been penetrated.

Decide whether to build or outsource your SOC

The biggest decision in launching a SOC is to decide whether to buy or outsource. Both scenarios have lots of complexities in the decision process and eventual outcome. To build, you can create a physical SOC that sits inside your facilities. For buying, you can use a SOC-as-a-service (SOCaaS) vendor.

Sitting in between these two positions is the option to use a managed security solution provider (MSSP). Some MSSPs provide equipment for you to install on-site, others manage everything from their SOC using cloud services. This middle ground could be a good starting place to evaluate your experience before transitioning entirely into a SOCaaS. This can be a good option as you may not understand the entirety of what you have to outsource. Having an MSSP can give you a “SOC-lite” with some managed services and some feedback on security issues without having to completely outsource everything from the start. If you don’t yet know the right questions to ask, the MSSP route can give you more context.

As you work out what’s right for your business, ask yourself: what security services do we need? What equipment is monitored, and how can staff from our service providers interact with our servers, network infrastructure and staff?

The origins of SoCaaS vendors

Part of the reason for the complex picture: SOCaaS isn’t defined consistently from vendor to vendor. It’s partly because of the different origins of these vendors: some started as MSSPs, others as specialized managed detection and response vendors, or event or endpoint management providers. Some SOC vendors began life as the services group and subsidiary for a major computing firm or telecoms company selling managed NOCs (e.g HP, IBM and Dell) before moving into the SOC world. In other cases, cybersecurity consultants and solutions providers are developing SOC-like services and frameworks.

These origin stories matter because they create an expectation as to the strengths and proprietary technologies that each vendor uses, and also for you to characterize them when you start shopping around. And shop you must – it’s a highly fragmented market. Gartner reports that the top MSSPs are IBM, AT&T/AlienVault, Atos, Dell Secureworks and DXC Technology – yet none of them have greater than five percent market share.

How to evaluate SOC-aaS vendors

The first question you need to define is also the hardest – what are your requirements? From this you can work out your budget and what you will need to purchase first.

It’s hard, partly because the cloud-based providers always have complex usage-based cost calculations (think pricing an AWS server.) And many of them don’t provide any details on their pricing before you engage them for services, or at least sign a non-disclosure agreement. Some of the smaller vendors have fixed monthly fee contracts based on the number of services you consume.

When I reviewed a collection of providers, estimates were all over the place, differing by several orders of magnitude. Vendors should be more transparent on costs up front. If you are considering building your own SOC, first compare what the outsourcers will charge, then see if you can make a business case for using that investment to host your SOC in house.

Part of the pricing problem: you might not know how many servers or endpoints (or whatever you’re protecting) you will initially need with your SOC vendor. You could start small, with a proof-of-concept, and see how the vendor produces reports and interacts with your staff on problems or traffic issues.

Planning what services you need

Once you get beyond the fee calculation, your next issue is understanding your resources, including the people and tools they need to do their jobs to manage your security and the SOC itself. You might not have the skilled staff to handle incident response, threat hunting and operations management. This might tip the scales towards having a SOCaaS rather than building your own.

You’ll also want to understand what kind of coverage you’ll need. If you operate a global online business, you’ll need 24/7 monitoring, and you’ll also have to have your staff available at all hours too. You might want a vendor that has multiple physical SOCs on different continents so you can ensure there will be someone somewhere in the world who will be watching your networks from different parts of the world. This multi-zone approach can also expose difficulties that may be faced with latency or accessing your website.

Part of your resource evaluation is also in understanding who is staffing the outsourced SOC? What kind of training is required to work there? How many people are on duty on the overnight shifts? Do you have a lead analyst at your provider that you can contact in case of an emergency? Is the vendor’s staff managing alerts or are they doing the actual nuts-and-bolts security analysis and providing recommendations on your response and remediation? You’ll also want to consider what you’re trying to accomplish: Do you want timely breach notifications? Are you deciding to forgo any full-time staff hires or trying to save on new capital equipment?

Then comes geography. Where is your equipment, staff, and the actual SOC physically located? If your offices are mainly in a metropolitan area, you may want a SOCaaS vendor who has a secondary office located elsewhere in case of a major disaster (like earthquakes, hurricanes or a tsunami) that could take down your local area’s connectivity.

Finally, you’ll want to define the various component services for your SOC, such as security event management or threat monitoring and detection. Log analysis, vulnerability management and incident response are all necessary and you’ll need them eventually, so plan accordingly to be able to scale.

Look out for these warning signs

It’s a good idea to do a proof-of-concept before a full rollout of your SOC. Before you choose your vendor, be alert to these warning signs from a study about improving the effectiveness of SOCs.

No similar customers

The vendor isn’t aligned with your business or doesn’t have other customers of similar size, market penetration or type of business.

Incompatibility

Your legacy event management and service desk systems are compatible with what your SOC vendor provides, and you have to switch to some other system.

No visibility

You don’t have visibility or control over your essential network functions and conditions.

Staff frustrations

You have high turnover with your security staff and low job satisfaction and high-stress levels.

False positives

Your SOC is chasing too many false positives and not closing these cases.

How to get started

With increasing volume and severity of threats on the doorstep of companies of all sizes, now is the time to start planning if your current NOC is going to be enough or if it’s time to upgrade to a SOC.

According to Artem Karasev from Kaspersky:

Establishing an internal SOC can be a challenge for any company. It requires significant investments in expertise, processes and technologies. It is often difficult for security leaders to justify such initiatives. At the same time outsourcing some SOC capabilities can provide a cost effective solution. The most important thing is to ensure that the provider is able to comply with your existing requirements.

Artem Karasev

Senior Product Manager for Security Operations Center, Kaspersky

Good luck with establishing your SOC!

Launch your Security Operations Center

Find out how to launch a SOC in the Kaspersky for Security Operations Center brochure.

About authors

David Strom is an experienced computer industry journalist with a body of work that includes two computer networking books and running the US editions of Network Computing and Tom’s Hardware magazines. He currently curates the Inside Security newsletter and writes for CSOonline.com