
Why 24/7 Security is critical and more affordable than you think

Written by Rob Tregaskes | Sep 16, 2025 7:30:00 AM

A severe cybersecurity incident is the most dangerous risk most companies face. It is the greatest threat to a company’s ability to deliver for its customers, and so to its value. This is the sixth in a series of posts about cybersecurity risk, and how you can reduce it to give customers and investors confidence.

Not just providing reassurance, but driving security improvement

Cyber attacks happen at all times of the day and night, so a 24/7 SOC (Security Operations Centre) is a necessary investment as soon as budgets allow. Not only does a SOC give you peace of mind, because your security alerts are being reviewed by skilled professionals, but a properly set up SOC is also a goldmine of data about the real-world threats facing your organisation. This helps you prioritise security hardening investments and compounds the value of your SOC investment.

A 24/7 SOC can be a huge investment, or a lower cost than many of your existing systems, depending on the operating model you choose. It is critically important to think through how you want it to operate before investing, to make sure you optimise for the specific needs of your organisation.

So how does a SOC work?

Before going any further, let's explain how a SOC works. Essentially, a SIEM (Security Information and Event Management) tool is connected to your systems and ingests all of the logs that are generated by user and machine activity. Analytic rules are then used to spot anything suspicious or risky and create an incident for a security analyst to investigate. Most of these rules are pre-defined out of the box by the SIEM tool vendors, but custom rules can usually be added if you are looking for specific behaviours. Once an incident is created it will often be augmented by AI (depending on your tools and licences) with a human reviewer in the loop to take action, which can be anything from locking out users or devices to isolating servers and/or calling key stakeholders. That last 'take action' step is a critical factor in which SOC operating model you choose.

Operating model decisions

The first thing to think through when deciding on how to put in place a SOC is what is the business risk you are worried about, and what is it you need to protect the most? Do you just need to protect users and corporate devices and data? Or do you have a product or service infrastructure that needs protecting too? When there is an incident who is going to respond and how? What access do those responders need?

The answers to these questions, and the scale of your organisation, will drive you towards one of three models:

  • Fully In-House SOC: You hire, train, and staff your own team, managing all shifts. Maximum control but also maximum headache (think of recruitment, retention, and burnout).

  • Hybrid Model: Your internal team covers core hours, and a third-party provider monitors after hours, weekends, and holidays. This can balance control and coverage but needs strong handover processes and trust.

  • Fully Managed Service: An external vendor manages everything, ideally integrating seamlessly with your processes and tools. Simple, but with some important caveats.

Unless there is significant infrastructure to monitor, it will often not be cost effective for organisations below about 300 - 400 FTE to even consider the first two options, so this post will focus on the fully managed service model, which can work well from around 30 FTE upwards. Many of the considerations are, however, universal.

Considerations when selecting a fully managed SOC

Where possible it is advisable to procure a fully managed SOC in such a way that it can later be transitioned into a hybrid SOC, and then an in-house SOC, with minimal disruption as your organisation grows. This is going to influence a number of considerations.

  • Cost driver management. The fundamental cost drivers of a SOC are people, technology (tooling licensing and log ingestion costs) and SOC efficiency. Whichever solution you choose you need to be able to tightly manage those cost drivers, which will only be possible with full transparency.

  • Transparency. Beware the 'managed security' offerings with a shiny dashboard and an API connection, but little visibility into what is actually causing incidents and what you need to do to respond to them. These services often show you just enough information to inspire confidence, but not enough to diagnose or remediate root cause issues. An easy way to avoid these vendors is to only look at vendors who use established market tooling and will grant you access to what they can see.

  • Tooling. Many vendors will use an established third party SIEM tool such as Splunk so they can standardise their operations. Whilst you should still be able to get suitable transparency into incidents by being granted access, you may still have issues later due to analytics rules and other config which would need migrating should you move to your own tool. The ideal scenario is to control the SIEM tool yourself so that it ends up configured best for your organisation and you have control of all the log data. Although there are a number of third party SIEM tools on the market, it is always recommended that you start with your native options (Microsoft Sentinel or Google SecOps) before exploring too far, as these will often be the most cost effective and broadly supported options.

  • Taking action. The most critical aspect of managing a security incident is the immediate actions taken. How is the SOC team going to be able to shut down the attack? In practice this is where SOCs based on native tools (particularly MS Sentinel) have a head start as it is often easier to grant them privileges to take more extensive actions immediately. When the SOC analyst, who is responding to the incident in under 10 minutes despite it being midnight, also has the ability to disable user accounts and revoke authentication methods, forcing the real user to reestablish access, your defences are that much more robust!
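To make the ingest, analytic rule, incident and 'take action' steps from the "So how does a SOC work?" section and the "Taking action" point above concrete, here is an added Python example (not code from the original post or from any SIEM vendor) that runs one analytic rule over constructed sign-in log lines and queues an incident with the containment steps the on-call analyst would need rights to perform. The log format, rule name, threshold, window and action names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in logs (not real data): "<ISO timestamp> <user> <source IP> <result>"
SAMPLE_LOGS = """\
2025-09-16T00:03:10 alice 203.0.113.7 FAIL
2025-09-16T00:03:14 alice 203.0.113.7 FAIL
2025-09-16T00:03:19 alice 203.0.113.7 FAIL
2025-09-16T00:03:25 alice 203.0.113.7 FAIL
2025-09-16T00:03:31 alice 203.0.113.7 FAIL
2025-09-16T00:03:40 alice 203.0.113.7 SUCCESS
2025-09-16T00:10:02 bob 198.51.100.9 FAIL
2025-09-16T00:10:30 bob 198.51.100.9 SUCCESS
garbage line the parser must ignore
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse_logs(text):
    """Ingest step: turn raw lines into structured events, dropping anything that does not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "result": result})
    return sorted(events, key=lambda e: e["ts"])

def rule_failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Analytic rule (assumed): >= threshold failed sign-ins for one (user, IP), then a success inside the window."""
    incidents = []
    recent_fails = defaultdict(list)  # (user, ip) -> failure timestamps still inside the window
    for e in events:
        key = (e["user"], e["ip"])
        recent_fails[key] = [t for t in recent_fails[key] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            recent_fails[key].append(e["ts"])
        elif len(recent_fails[key]) >= threshold:
            incidents.append({
                "rule": "failures_then_success", "severity": "high", "user": e["user"], "ip": e["ip"],
                "first_failure": recent_fails[key][0].isoformat(), "success_at": e["ts"].isoformat(),
                # containment the responding analyst needs privileges for (hypothetical action names)
                "recommended_actions": ["disable_user_account", "revoke_auth_methods_and_sessions"],
            })
            recent_fails[key] = []  # one incident per burst, not one per later success
    return incidents

def run_soc_pipeline(raw_logs):
    """Ingest -> analytic rules -> incident queue: the part the SIEM does before a human picks it up."""
    return rule_failures_then_success(parse_logs(raw_logs))
```

Only alice's burst of five failures followed by a success from the same IP produces an incident; bob's single failure and the unparseable line do not, which is the kind of tuning (threshold, window, which actions are pre-authorised) you want visibility of when a vendor runs the SIEM for you.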

Bottom line

A 24/7 SOC can seem like an indulgent expense, but it can be set up much more cost effectively than you might expect if you hunt around for the right partner, use the right tooling and actively manage your cost drivers. The reality is that in today's contested environment they are a necessity and should be implemented as soon as possible. The benefits they bring in terms of helping you identify and drive security improvements are also worth their weight in gold!

If you are navigating some of these challenges at the moment we can help. Our mission is to help you reduce your cyber risk, and so our help can be in whatever form is most helpful to you, from conducting an assessment of your current setup, to advising on system architecture and config, introducing trusted partners, training up staff or helping with op model development or hiring. Please reach out below 👇