before you decide to invest in it
We want to build our own SOC! This is usually the first sentence I hear from customers when I ask them about the purpose of the meeting. The more I speak to them, the more I get the feeling that they want a SOC in one click, fully capable from tomorrow, and that they believe their employees can do the job alongside their current roles. Honor to the exceptions, but as I see it, SOC has become a trendy buzzword, and a lot of companies feel that they need to be part of it, no matter what it means and what it costs.
I could be more than happy with this trend and approach. Being a SOC consultant these days is pretty comfortable, but there is always a dark side of the moon. Customers have unrealistic expectations; we try to speed up the delivery as much as possible, spending days and nights on the customer's side, and the result is that at the end we are super tired, the SOC staff is angry about spending so much overtime with us, and they are usually unable to adopt the new methodology in such a short time. In the end the customer spends a lot of money and the outcome is some kind of mutated combination of our methodology and the habits and beliefs of the customer's SOC staff. This is usually far from what we had presented before and from what the customer expected.
So, if you are considering building your own SOC or bringing some new capabilities into your current one, let me share a few words and answer some questions that will help you better understand the effort needed and align expectations with reality.
What is a SOC? You can find general definitions like: “SOC detects, prevents and responds to cybersecurity threats that matter. SOC has the technology, processes, organization and governance needed to detect, prevent and respond to a wide range of cybersecurity threats.” But for me the SOC is the last piece that helps us to “close the security circle”. You can continuously control organizational policies and processes that are otherwise checked only during audits. You can detect and respond early to insider threats, effectively monitor your administrators, and much more. In one sentence, a SOC is a way to make security better and smarter, to detect faster and to respond accurately.
Below you can find answers to the questions I usually receive when I talk with executives.
How long does it take to build basic capabilities?
Well, it differs from organization to organization and from industry to industry, but usually it takes from 6 to 12 months. We should mention what we consider basic capabilities. In terms of job roles, it is L1, L2 and L3 analysts (sometimes L1 and L2+), security intelligence and governance. In terms of technology, we count a SIEM, a ticketing system and some kind of use case library (usually an Excel sheet at the beginning). And then use case development and incident response processes. One can argue that 12 months seems pretty long, because a ticketing system is usually already in place within the company and you can deploy a SIEM within a day. But the most important part is the people. Even if you have them, they still need to adopt and adapt to the new processes: not only learn them but also gain experience. Analysts need to go through a few offenses/incidents to understand what is expected of them. The security intelligence people have to develop quite a lot of use cases for different technologies and applications so that they can assign the right urgency and priority and develop really valuable organization-specific use cases.
If you want to know more about the roles in a mature SOC, please see the article here: Does it make sense to build my own SOC
How much does it cost?
A lot. But if you are not able to detect incidents, it will cost you even more. To answer how much it costs, you need to know your environment. If we start with the bare minimum mentioned above, we have 6-10 people (not 24/7 operations) and a SIEM. Let's not count the cost of the ticketing system, to achieve better results :-). Calculate the monthly cost of a security professional in your country and the cost of a SIEM. For the SIEM you need to know the expected number of EPS (events per second), FPM (flows per minute) or the amount of indexed data to estimate the cost. If you don't want to stop at the basic capabilities, you should count in some more security professionals and tools like an incident response platform, a big data platform, automation tools, cognitive analytics, etc. In that case it is better to ask somebody who has made the calculation before.
Is it worth it?
You have to decide whether you accept the risk or try the SOC journey. But once you start, things will begin to make sense and the “security circle closes”. All your policies and settings can be monitored permanently and online, not once a year during an audit. You will unveil “suspicious admin behavior”, configuration mistakes and much more. Overall it will help you come up with better solutions, understand your complex environment thoroughly and create policies and security settings that make sense and are applicable and enforceable.
My own, outsourced or hybrid?
There is no silver bullet or universal answer to this question. It depends on whether you are able to find the right people, how fast you need to start, and which roles you want to keep in house and which you can outsource, but I quite like the hybrid solution. If you are able to define your use cases and describe the incident response steps that should be performed, you can outsource the L1 analysts. If you are struggling with use case development, bring in some professionals from outside and help your people grow. If you have no experience and no idea where to start, begin with a fully outsourced SOC, observe what you don't like, and then bring the key roles and responsibilities in house. But to answer this question it is always better to ask somebody with experience to help with the strategy and roadmap.
When can I have a mature and fully capable SOC?
I don't want to scare you too much, but in a standard organization it is not sooner than 3 years. To consider a SOC mature, you should be using information about vulnerabilities and risks, network forensics, big data analytics and processing of unstructured data, fraud management, predictive threat management and much more. In fact, a SOC is a never-ending story. If you have an optimizing SOC, you are continuously looking for improvements in processes and for new metrics and dashboards that will help you decide, manage and respond to a threat. Also, the threat landscape is evolving and will keep evolving, so once you start you will never be done. But it is an amazing and exciting journey.