Monday, 16 March 2020

5 things you should know about SOC before you decide to invest in it

We want to build our own SOC! This is usually the first sentence I hear from customers when I ask them about the purpose of the meeting. The more I speak to them, the more I have the feeling that they want a SOC in one click, fully capable from tomorrow, believing that their employees can do the job alongside their current roles. Honour to the exceptions, but as I see it, SOC has become a trendy buzzword, and a lot of companies feel they need to be part of it, no matter what it means and what it costs.

I could be more than happy with this trend and approach. Being a SOC consultant these days is pretty comfortable, but there is always a dark side of the moon. Customers have unrealistic expectations; we try to speed up the delivery as much as possible, spending days and nights on the customer's side, and the result is that at the end we are exhausted, the SOC staff are angry about spending so much overtime with us, and they are usually unable to adopt a new methodology in such a short time. In the end the customer spends a lot of money and the outcome is some kind of mutated combination of our methodology and the habits and beliefs of the customer's SOC staff. This is usually far from what we had presented before and from what the customer expected.

So, if you are considering building your own SOC or bringing new capabilities into your current one, let me share a few words and answer some questions that will help you better understand the effort needed and align expectations with reality.

What is a SOC? You can find general definitions like: “SOC detects, prevents and responds to cybersecurity threats that matter. SOC has the technology, processes, organization and governance needed to detect, prevent and respond to a wide range of cybersecurity threats.” But for me a SOC is the last piece that helps us “close the security circle”. You can continuously control organizational policies and processes that are otherwise checked only during audits. You can detect and respond early to insider threats, effectively monitor your administrators and much more. In one sentence, a SOC is a way to make security better and smarter, to detect faster and to respond accurately.

Below you can find answers to the questions I usually receive when I talk with executives.

How long does it take to build basic capabilities? Well, it differs from organization to organization and from industry to industry, but usually it takes 6 to 12 months. We should define what we consider basic capabilities. In terms of job roles it is L1, L2 and L3 analysts (sometimes L1 and L2+), security intelligence and governance. In terms of technology we count a SIEM, a ticketing system and some kind of use case library (usually an Excel sheet at the beginning). And then use case development and incident response processes. One can argue that 12 months seems pretty long, because a ticketing system is usually already in the company and you can deploy a SIEM within a day. But the most important part is people. Even if you have them, they still need to adopt and adapt to new processes: not only learn them but also gain experience. Analysts need to go through a few offenses/incidents to understand what is expected of them. The security intelligence people have to develop quite a lot of use cases for different technologies and applications so they can assign the right urgency and priority and develop really valuable, organization-specific use cases.
If you want to know more about the roles in a mature SOC, please see the article here: Does it make sense to build my own SOC

How much does it cost? A lot. But if you are not able to detect incidents, it will cost you even more. To answer how much it costs you need to know your environment. If we start with the bare minimum mentioned above, we have 6-10 people (not 24/7 operations) and a SIEM. Let's not count the cost of the ticketing system, to achieve better results :-). Calculate the monthly cost of a security professional in your country and the cost of a SIEM. For the SIEM you need to know the expected number of EPS (events per second), FPM (flows per minute) or the volume of indexed data to estimate the cost. If you don't want to stop at the basic capabilities, you should count some more security professionals and tools such as an incident response and big data platform, automation tools, cognitive analytics, etc. In that case it is better to ask somebody who has made the calculation before.
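The cost question above hinges on the SIEM sizing inputs: sustained EPS drives daily ingest and storage, while peak EPS drives the licence tier. The following script is an added example (not the author's calculation and not any vendor's pricing model) that turns per-source event rates into daily ingest, retention storage and a rough monthly figure. All log sources, rates, event sizes, compression ratios, salaries and prices in it are constructed placeholders; replace them with your own measurements and quotes.

```python
"""SIEM sizing estimate: per-source event rates -> daily ingest, retention
storage and a rough monthly cost.  Added example; every number below is a
constructed placeholder, not a real price list."""

from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
BYTES_PER_GB = 1_000_000_000


@dataclass
class LogSource:
    name: str
    avg_eps: float        # sustained events per second (measure it, don't guess)
    peak_eps: float       # burst rate seen during busy hours or an incident
    avg_event_bytes: int  # typical raw event size for this source


# Constructed sample inventory (assumption, not measured data).
SAMPLE_SOURCES = [
    LogSource("perimeter firewall", avg_eps=800, peak_eps=2000, avg_event_bytes=300),
    LogSource("domain controllers", avg_eps=500, peak_eps=1500, avg_event_bytes=800),
    LogSource("web proxy", avg_eps=300, peak_eps=900, avg_event_bytes=500),
]


def daily_ingest_gb(sources):
    """Raw bytes per day = sum(avg_eps * avg_event_bytes) * seconds per day."""
    raw_bytes = sum(s.avg_eps * s.avg_event_bytes for s in sources) * SECONDS_PER_DAY
    return raw_bytes / BYTES_PER_GB


def licence_eps(sources, headroom=1.25):
    """Licence on the sum of peak rates plus growth headroom: when a SIEM is
    pushed above its licensed EPS it usually queues or drops events, and a
    dropped event is a detection gap exactly when you need it least."""
    return sum(s.peak_eps for s in sources) * headroom


def retention_storage_gb(sources, hot_days, cold_days,
                         index_overhead=0.3, compression=0.2):
    """Hot tier holds searchable data (raw plus index overhead); cold tier
    holds compressed raw events kept for compliance.  Ratios are assumptions."""
    per_day = daily_ingest_gb(sources)
    hot = per_day * (1 + index_overhead) * hot_days
    cold = per_day * compression * cold_days
    return hot + cold


def monthly_cost(sources, analysts, analyst_monthly_cost,
                 price_per_gb_day, storage_price_per_gb_month,
                 hot_days=30, cold_days=335):
    """Staff plus ingest-based licence plus storage.  Returns a breakdown so
    the executive conversation can see that people dominate the bill."""
    ingest = daily_ingest_gb(sources)
    storage = retention_storage_gb(sources, hot_days, cold_days)
    staff = analysts * analyst_monthly_cost
    licence = ingest * price_per_gb_day
    storage_cost = storage * storage_price_per_gb_month
    return {
        "daily_ingest_gb": round(ingest, 2),
        "licence_eps": licence_eps(sources),
        "retention_gb": round(storage, 1),
        "staff": staff,
        "licence": round(licence, 2),
        "storage": round(storage_cost, 2),
        "total": round(staff + licence + storage_cost, 2),
    }


if __name__ == "__main__":
    # Placeholder prices: 8 people, 4000/month each, 10 per GB/day of licence,
    # 0.05 per GB-month of storage (all constructed).
    for key, value in monthly_cost(SAMPLE_SOURCES, 8, 4000, 10, 0.05).items():
        print(f"{key:>16}: {value}")
```

The split into sustained versus peak rate is the point worth keeping even if you swap every number: the licence must survive the noisiest hour, the storage budget follows the average, and the staff line will still be the largest item in a 6-10 person SOC.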

Is it worth it? You have to decide whether you accept the risk or try the SOC journey. But once you start, things will start to make sense and the “security circle closes”. All your policies and settings can be monitored permanently and online, not once a year during an audit. You will unveil “suspicious admin behavior”, configuration mistakes and much more. Overall it will help you come up with better solutions, understand your complex environment thoroughly and create policies and security settings that make sense and are applicable and enforceable.

My own, outsourced or hybrid? There is no silver bullet or universal answer to this question. It depends on whether you are able to find the right people, how fast you need to start, and which roles you want to keep in house and which you can outsource; but I quite like the hybrid solution. If you are able to define your use cases and describe the incident response steps that should be performed, you can outsource the L1 analysts. If you are struggling with use case development, bring in some professionals from outside and help your people grow. If you have no experience and no idea where to start, begin with a fully outsourced SOC, observe what you don't like and then bring the key roles and responsibilities in house. But to answer this question it is always better to ask somebody with experience to help with the strategy and roadmap.

When can I have a mature and fully capable SOC? I don't want to scare you too much, but in a standard organization it is not sooner than 3 years. To consider a SOC mature you should be using information about vulnerabilities and risks, network forensics, big data analytics and processing of unstructured data, fraud management, predictive threat management and much more. In fact, a SOC is a never-ending story. If you have an optimizing SOC, you are continuously looking for improvements in processes, new metrics and dashboards that will help you decide, manage and respond to a threat. Also, the threat landscape is and will be evolving, so once you start you will never be done. But it is an amazing and exciting journey.
