External, hybrid or in-house: choosing a SOC by its ingredients

K2 Cybersecurity.

Recently we interviewed 100+ IT and information security directors of medium and large businesses and found that a third of companies had faced several types of threat at once over the past year: DDoS attacks, bot traffic, malware and so on. Simply deploying protection tools is no longer enough: attacks keep growing in number and in complexity. The market has long been looking towards a more comprehensive approach to monitoring and securing assets. Almost half (43%) of the surveyed organizations said they already use, or plan to implement, their own or a commercial SOC. At the same time, each Incident Monitoring Center has its own characteristics, and a lack of understanding of them complicates the choice of a model for your tasks and capabilities.

Below I have collected all the necessary information in one place: what a SOC is, what it consists of, what types exist, and how to choose the most relevant model.

Three pillars of SOC

The most common mistake I encounter in my practice is equating SIEM with SOC. Many are sure that once they have installed a "boxed" SIEM solution they have a working Monitoring Center and everything is fine. However, a SOC is not just technology; it is a full-fledged system consisting of three equally important components.

SOC is based on three components: people, technology and processes.

Technological solutions must be competently implemented by someone, then managed, configured, audited, and their weak points found. Even the best specialists with powerful equipment need sound rules and well-established interaction processes. Capacity is required both for production work and for testing. And processes cannot be configured once and for all: they must be continuously improved.

Our three foundations — people, technologies, and processes — in turn consist of a certain set of elements (solutions, specialists, etc.). There is no universal option for each company. Everything depends on the size and goals of the organization, the model of the selected SOC (I will talk about this later in the text) and many other factors. In the picture below, I made a diagram of one of the possible compositions of an effective Incident Monitoring Center.

Let's take a closer look at the functions and composition of each of the three SOC elements.

People

In a SOC, a team of specialists monitors the flow of events and alerts coming from information security monitoring systems. Experts distinguish false positives from real attacks, connect disparate events, and decide when to start a response.

The different stages of this process involve:

  • Analysts and experts of various levels. They develop and optimize correlation and normalization rules, and process events and incidents.

  • Architects and engineers. They configure systems, connect event sources, and monitor their operation.

  • Service managers. They supervise the project and ensure that the contractual requirements agreed with the customer are met.

  • Forensic experts. They examine artifacts left over from incidents and attribute malware.

Technologies

When working with cyber incidents, specialists rely on data collection and analysis systems. Most often, the following:

  • SIEM (Security Information and Event Management): systems that automatically collect events from connected sources and identify information security incidents, typically by normalizing events into a common schema and applying correlation rules to them.

  • IRP (Incident Response Platform): platforms for managing the response to information security incidents.

  • SOAR (Security Orchestration, Automation and Response): systems for managing, automating and responding to information security incidents.

  • Vulnerability scanner: a class of solutions for automatically detecting known vulnerabilities in the infrastructure.

  • EDR/XDR (Endpoint Detection and Response / Extended Detection and Response): detection and response solutions for endpoints and for the infrastructure as a whole. They identify abnormal activity, report it, and respond manually and/or automatically according to a chosen scenario.

  • NTA (Network Traffic Analysis): systems for analyzing network traffic and identifying anomalies and traces of intruder or malware activity.

It is worth noting that SIEM is the single pane of glass and the technical base of a SOC, but its effectiveness depends on the quality of the data received from connected sources: an event source that omits a field (the client address, the account name) cannot feed a correlation rule that keys on it. Such sources can be compatible NTA, EDR and sandbox solutions, as well as asset management (AM) and vulnerability management (VM) systems.
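To make the "normalization plus correlation" work of a SIEM concrete, here is an added example that is not from the original article or from K2 Cybersecurity. It normalizes constructed log lines from three sources (a simplified sshd format, a simplified Windows logon-audit format using the real event IDs 4625/4624, and a hypothetical application log that omits the client address) into one schema, then runs a single correlation rule: three or more login failures from one source IP within five minutes followed by a success from the same IP. The source that does not report an IP is exactly the data-quality problem described above, and the rule cannot use it; the example counts those events instead of silently dropping them. All log lines, hostnames and addresses are constructed.

```python
"""Added example: SIEM-style normalization and correlation in a few dozen lines.
Not the article's or any vendor's code; log formats are simplified approximations."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Constructed sample input. host3's "app" source never logs the client IP,
# which is the kind of low-quality feed that starves IP-keyed correlation rules.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "2024-05-01T10:00:03Z host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2",
    "2024-05-01T10:00:04Z host1 sshd[1201]: Failed password for root from 203.0.113.7 port 50124 ssh2",
    "2024-05-01T10:00:09Z host1 sshd[1201]: Accepted password for root from 203.0.113.7 port 50130 ssh2",
    "2024-05-01T10:00:12Z host2 winlog EventID=4625 TargetUserName=svc_backup IpAddress=198.51.100.9",
    "2024-05-01T10:00:14Z host2 winlog EventID=4625 TargetUserName=svc_backup IpAddress=198.51.100.9",
    "2024-05-01T10:00:15Z host2 winlog EventID=4625 TargetUserName=svc_backup IpAddress=198.51.100.9",
    "2024-05-01T10:00:20Z host2 winlog EventID=4624 TargetUserName=svc_backup IpAddress=198.51.100.9",
    "2024-05-01T10:00:30Z host3 app: login failed user=alice",
    "2024-05-01T10:00:31Z host3 app: login failed user=alice",
    "2024-05-01T10:00:32Z host3 app: login failed user=alice",
    "2024-05-01T10:00:33Z host3 app: login ok user=alice",
    "2024-05-01T10:00:40Z host1 sshd[1300]: Failed password for bob from 192.0.2.5 port 40000 ssh2",
    "2024-05-01T10:00:41Z host1 sshd[1300]: Accepted password for bob from 192.0.2.5 port 40001 ssh2",
    "2024-05-01T10:00:50Z host4 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",  # no parser for this
]


@dataclass(frozen=True)
class Event:
    """Common schema every source is mapped onto (the 'normalization' step)."""
    ts: datetime
    host: str
    action: str          # "login_failure" or "login_success"
    user: str | None
    src_ip: str | None   # None when the source does not report it


SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) winlog EventID=(?P<eid>4624|4625) "
                    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)")
APP_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) app: login (?P<outcome>failed|ok) user=(?P<user>\S+)")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line: str) -> Event | None:
    """Parse one raw line into an Event; None means no parser matched (counted, not ignored)."""
    if m := SSH_RE.match(line):
        return Event(_ts(m["ts"]), m["host"],
                     "login_failure" if m["outcome"] == "Failed" else "login_success", m["user"], m["ip"])
    if m := WIN_RE.match(line):
        return Event(_ts(m["ts"]), m["host"],
                     "login_failure" if m["eid"] == "4625" else "login_success", m["user"], m["ip"])
    if m := APP_RE.match(line):
        return Event(_ts(m["ts"]), m["host"],
                     "login_failure" if m["outcome"] == "failed" else "login_success", m["user"], None)
    return None


@dataclass(frozen=True)
class Alert:
    rule: str
    src_ip: str
    user: str | None
    failures: int
    first_seen: datetime
    last_seen: datetime


def correlate(events: Iterable[Event], threshold: int = 3,
              window: timedelta = timedelta(minutes=5)) -> tuple[list[Alert], int]:
    """Rule: >= threshold failures from one IP inside `window`, then a success from that IP.
    Returns (alerts, skipped); `skipped` counts events with no source IP, which the rule cannot use."""
    recent: dict[str, deque[datetime]] = defaultdict(deque)  # per-IP sliding window of failure times
    alerts: list[Alert] = []
    skipped = 0
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src_ip is None:
            skipped += 1
            continue
        q = recent[ev.src_ip]
        while q and ev.ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev.action == "login_failure":
            q.append(ev.ts)
        elif ev.action == "login_success" and len(q) >= threshold:
            alerts.append(Alert("brute_force_then_success", ev.src_ip, ev.user, len(q), q[0], ev.ts))
            q.clear()                          # one alert per burst
    return alerts, skipped


def run(lines: Iterable[str]) -> tuple[list[Alert], int, int]:
    """Normalize, correlate, and report (alerts, events without IP, unparsed lines)."""
    parsed = [normalize(l) for l in lines]
    events = [e for e in parsed if e is not None]
    alerts, skipped = correlate(events)
    return alerts, skipped, parsed.count(None)


if __name__ == "__main__":
    found, no_ip, unparsed = run(SAMPLE_LOGS)
    for a in found:
        print(f"ALERT {a.rule}: {a.src_ip} user={a.user} failures={a.failures} "
              f"{a.first_seen:%H:%M:%S}-{a.last_seen:%H:%M:%S}")
    print(f"{no_ip} events carried no source IP and were not correlated; {unparsed} lines unparsed")
```

Run against the constructed input, the rule fires twice (the sshd burst from 203.0.113.7 and the Windows burst from 198.51.100.9), stays silent for the single failure from 192.0.2.5, and reports that the four "app" events and the cron line contributed nothing. In a real SIEM the same gaps surface as "source connected, rule never fires"; measuring skipped and unparsed counts per source is the check that tells you the feed, not the rule, is the problem.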

Processes

This is a set of organizational and technical procedures for maintaining effective SOC operation: infrastructure support, monitoring information security events, handling incidents and team development, and many others.

Documented and regulated processes also help to choose the right course of action when communicating with customers or interacting with IT and information security teams, and, for example, they define the order of actions during a response. To remain useful, these rules have to be continuously updated and improved.

Our survey showed that only 20% of companies have all three components of a SOC in place. Most often, problems arise with processes (management of security, assets, resources and incidents) and with personnel (a lack of qualified employees). This again shows that most organizations rely on technology alone, which is a serious mistake.

SOC instead of fines

Among the recent pleasant discoveries: 91% of Russian companies consider real protection from cyber threats a priority and only 7% implement SOC for formal compliance with regulator requirements.

At the same time, we certainly cannot ignore the regular changes and tightening of cybersecurity legislation. With a systematic approach, a SOC, as a comprehensive tool, reduces the likelihood of sanctions because it significantly improves the management of information security events and incidents. In particular, it raises the level of personal data protection and implements the requirements for responding to information security events and incidents that apply to subjects of critical information infrastructure and state information systems (GIS).

SOC types

Another misconception is that all SOCs are the same: they provide the same services, use the same technologies and processes. In fact, there are several approaches to typification. Some of them are shown in the picture below.

We will consider the types of SOC from the point of view of how responsibility for the main components (technology, people and processes) is distributed. This approach makes it possible to assess clearly which model will suit you, as it takes into account the things that matter most: how quickly the service can be obtained, the budget, the human resources needed to implement and maintain the technology stack and IT infrastructure, and the labor costs of finding and upskilling employees.

SOC Models: Who and What Suits You

Own SOC

The in-house format is primarily suitable for large companies with an extensive network of departments. An in-house SOC is an expensive solution that requires constant attention and development. It cannot be built by simply implementing technological solutions, such as SIEM and IRP, once.

Generally, only large companies have sufficient technological and human resources to support sufficient capacity and a variety of processes required for a fully functioning internal SOC. This path requires significant and regular investments not only in technology, but also in people.

The benefits of an in-house SOC include full control over processes and data, the ability to fine-tune to the specific needs of the company, and a high degree of integration with the existing infrastructure. However, these benefits come with significant costs for hardware, software, and highly qualified personnel.

Before launching a SOC, it is necessary to find and train personnel, build work processes and implement information systems. Particular attention should be paid to the SIEM system, which requires powerful computing resources and large volumes of data storage.

The task of creating a SOC can be delegated to an integrator, but even after the successful implementation of the designed systems, companies often face problems:

  • Personnel shortage. To operate effectively, a SOC requires a permanent team of at least seven people. However, specialists often do not stay in an in-house SOC due to the lack of professional challenges and monotony of tasks.

  • Processes require continuous improvement. Changes in the team, technology, organizational structure and infrastructure require regular adaptation of processes, including updating dashboards and work approaches.

  • Technological base. The correlation and normalization rules in the SIEM require constant development. Vulnerability scanners are added next, and over time the need for SOAR and threat intelligence (TI) platforms arises.

An unexpected challenge may be resistance from IT administrators and architects in the initial stages of SOC implementation. This is due to the additional control and burden that the new system brings.

External SOC as a Service (MSSP)

SOC based on the Managed Security Service Provider (MSSP) model is suitable for companies seeking a ready-made solution with a predictable budget. These can be both large organizations wishing to receive a turnkey service, and small enterprises that do not have their own team or sufficient resources.

Over the past year, there has been a 20% increase in demand for MSSP services. The key factor in choosing this type of service is the ability to delegate software and hardware support. Companies are also attracted by the reduced capital costs and ease of scaling external monitoring and response centers.

This model has significant advantages:

  • the client receives a guaranteed service level (SLA);

  • the risks associated with managing the equipment are delegated to the provider;

  • the customer is freed from the need to manage a team of specialists;

  • costs take the form of predictable operating expenses (OPEX) rather than capital expenditure.

The disadvantages of SOC as a service include the fact that information security incident management extends beyond the organization's perimeter. Choosing the wrong provider risks ending up with one that never becomes sufficiently immersed in your company's processes.

That's why choosing the right contractor comes to the fore here. Reliable SOC providers usually help clients create a suitable service package based on business needs. They explain how each function solves specific problems. In addition to standard packages, many of them offer a selection of services depending on specific parameters or create individual solutions.

When choosing an external SOC, it is worth paying attention to the volume of resources and the SIEM system used by the provider. A significant factor is the provider's willingness to help the customer build internal processes, as well as the availability of certificates of compliance with the requirements of GOST R 27001, GOST R 20000, GOST R 9001, confirming the quality of the information security and IT service management systems operating in the SOC.

Hybrid SOC model

This is a format that is becoming increasingly popular, in which the customer and the provider share areas of responsibility between themselves. This approach is often chosen in situations where the company's internal resources are insufficient for the full functioning of the SOC, but there is a desire to maintain a certain level of control.

In addition, this format is relevant when an already implemented SIEM system does not cope with the company's tasks. An “out-of-the-box” solution may require fine-tuning in accordance with specific processes and business tasks. In such cases, the expertise of an external provider can help improve the efficiency of SIEM.

The main advantages of a hybrid SOC include a guaranteed service level (SLA), the ability to delegate management to a team of information security specialists, and relative speed of implementation. In this case, SIEM usually becomes the customer's concern, and the provider is responsible for IRP and most of the expertise.

However, it is important to consider that in this model, the management of information security capacities and incidents, as well as the purchase of licenses, go beyond the organization's perimeter. These aspects are divided between the customer and the provider. SIEM remains with the customer, IRP – with the provider. The company must be prepared to invest in infrastructure, which can be significant. As a result, such a SOC may even be more expensive than an internal one.

Given these factors, choosing a hybrid model requires a conscious and considered approach from the business. The company needs to carefully assess its needs, resources and risks. It is essential to establish an open dialogue with the service provider. This will help to clearly define the boundaries of responsibility, agree on interaction processes and ensure transparency in security management.

Conclusion

In today's environment, characterized by the growth in the number and complexity of cyberattacks, we see a trend towards increased awareness of information security issues. Companies are increasingly striving to comply not only with formal “paper” requirements, but are paying attention to the real state of information security and practical security. According to the results of our survey, 43% of small and medium-sized businesses have already switched to comprehensive cybersecurity monitoring by implementing their own or commercial SOCs. However, creating your own SOC is a lengthy process. 71% of respondents estimated the time frame for its creation at 2-4 years.

While the number of incidents is growing and legal requirements are becoming more stringent, this is too long. Therefore, 58% of respondents either already use or plan to choose an external SOC based on the MSSP model, which can be deployed in a period of one month. However, when choosing an external information security monitoring center, it is important to consider the key components: technology, processes and people.

Ultimately, choosing a SOC model, selecting a team, and launching a monitoring center are strategic decisions that should take into account not only current security needs but also business development prospects. It is important to remember that effective protection against cyber threats is not a one-time event, but an ongoing process that requires constant attention and adaptation to changing conditions.
