Build or Buy SOC
In today’s digital landscape, the significance of robust cybersecurity measures cannot be overstated. Among the critical components of cybersecurity infrastructure, Security Operations Centres (SOCs) play a pivotal role. However, the concept of a SOC can vary widely across organisations. For some, it might simply be a Security Information and Event Management (SIEM) system that collects logs. For others, it extends to the monitoring of these logs, alerting another IT team, and even further, to a team that not only monitors logs for suspicious events but also actively hunts for malware and implements cyber protections. In this discussion, we’ll focus primarily on the aspects of log collection in a SIEM and the monitoring of these logs within the SOC framework.
Before delving into whether to build or purchase a SOC, it’s crucial to understand what it entails and the demands it places on an organisation.
Defining a SOC
A Security Operations Centre (SOC) is an organised and highly skilled team or service whose primary function is to continuously monitor an organisation's environment in order to prevent, detect, analyse, and respond to cybersecurity incidents. A SOC typically involves a sophisticated setup that includes a SIEM for log collection, tools for monitoring these logs, and a team of cybersecurity experts who can interpret the data, identify threats, and take appropriate action.
Building Your Own SOC: Pros and Cons
Pros:
- Customisation: Building your own SOC allows for customisation that aligns with specific organisational needs and threat landscapes.
- Control: It offers complete control over the security operations, including prioritisation of alerts and direct oversight of security policies.
Cons:
- Resource Intensive: Establishing a 24/7 SOC operation requires a significant investment in human resources. More than five full-time employees on rotating shifts are essential to ensure continuous monitoring.
- Expertise Shortage: At least one team member with extensive SOC experience is essential, and in the current market such expertise is not only scarce but also expensive.
- High Turnover Rate: The cybersecurity field is experiencing a trend where experts stay in their roles for an average of only about a year, leading to continuous recruitment challenges.
- Specialised Skills: Without a team of experts possessing years of experience, the likelihood of missing cyber attacks increases, undermining the investment in the SOC.
Purchasing SOC Services: Pros and Cons
Pros:
- Expertise on Demand: Outsourcing to a SOC provider gives access to a team of experts with specialised skills and experience.
- Cost Efficiency: External SOC providers can offer economies of scale by serving multiple clients, making it a cost-effective solution, especially for small to medium-sized enterprises.
- Focus on Core Business: Outsourcing allows organisations to focus on their core operations without the distraction of managing a complex cybersecurity infrastructure.
Cons:
- Less Control: Relying on an external service provider may result in less control over specific security operations and responses.
- Potential for Generic Solutions: There’s a risk that the outsourced SOC may offer a one-size-fits-all approach that might not be entirely tailored to an organisation’s unique needs.
Ideal Approach: A Blend of Internal and External SOCs
In an ideal world, an organisation would benefit from having both an internally managed SOC and an externally monitored one. This dual approach ensures an independent and specialist check from the outside while allowing for internal verifications as a double layer of security. However, due to the substantial financial commitment, this model is typically feasible only for large enterprises.
Recommendation: Starting with an Outsourced SOC
Given the complexities and challenges associated with building and maintaining an in-house SOC, coupled with the current market conditions, starting with an outsourced SOC is advisable. This approach not only mitigates the initial hurdles of setting up a SOC but also leverages the expertise and efficiencies offered by specialised cybersecurity firms. It represents a strategic step towards strengthening an organisation’s cybersecurity posture while allowing for scalability and adaptability as needs evolve.
In summary, while the allure of having complete control over a dedicated SOC is understandable, the practicalities of achieving and maintaining such a setup effectively are fraught with challenges. Outsourcing emerges as a pragmatic initial step, offering a blend of expertise, efficiency, and flexibility, crucial for navigating the complex cybersecurity landscape of today.
Even though we provide SOC as a service (outsourced SOC), this post is based on our experience with some of the largest organisations and their internal SOCs, our own SOC, and the many businesses we help. As an example, we haven't even included a comparison of licensing costs for most SIEMs (FYI, our SIEM is internally built, so there is no extra licensing fee). If you want to discuss further, feel free to contact Vertex about our SOC options.