A Security Operations Centre (SOC) is a centralised unit that deals specifically with security issues on behalf of companies, at both an organisational and a technical level. Most SOCs comprise three building blocks: people, processes, and technology, designed to manage and enhance an organisation’s security posture.
A SOC’s primary goal is to detect and respond to security alerts and, by doing so, ensure an organisation is resilient to emerging threats. The SOC is also responsible for stopping internal security-related negligence or compliance failures and gathering information about user behaviour to help the business identify any potential security issues. While those responsibilities used to be shared between multiple departments, nowadays enterprises over a certain size have a dedicated cyber security division or Security Operations Centre.
In-house SOC limitations
Some organisations question whether outsourcing the SOC to a dedicated, externally managed security services provider trumps having an in-house SOC. In practice, internal SOCs are more liable to become overwhelmed by the sheer volume of security issues that businesses of all sizes need to consider and protect against. A 2018 survey found that 27% of IT professionals receive more than one million security alerts every single day. That is a dizzying amount, and it is probably not going to get any better, or smaller. Between 2015 and 2020, over 70% of organisations reported that the number of daily security alerts had doubled. 24% of businesses said that their daily security alerts had increased by as much as ten times, and over 25% of those security alerts are usually false positives.
Our own SOC is seeing clients with many disparate security systems receiving hundreds of thousands of alerts, which their internal teams cannot manage. Those hundreds of thousands of alerts include too many minor alerts that often require no immediate action but still need to be examined. As the threats grow more severe and critical year on year, in-house SOCs are facing even more obstacles to providing the best and most effective security response.
Improving a SOC’s ability to pick out, and respond to, the important issues rather than minor ones would require specialist training and tools, both of which may not be cost-effective for the company – especially if it is already spending a sizeable chunk of its budget on SOC operations.
There is also a cyber security skills gap within SOCs, as 40% of organisations still lack, and struggle to find, frontline workers. This could be why less than half (42%) of enterprises believe in the effectiveness of their internal SOCs, citing their inability to trace the source of threats as a prime frustration. But the reasons for that perceived inability may lie in the enterprise’s own structure – where its SOC focuses on intrusion detection, while vulnerability patching and damage prevention are handled separately by the IT department.
A truly effective response requires the team that detects a threat to have the authority and ability to respond to that threat immediately themselves. Splitting detection from remediation creates a bottleneck that only inhibits effective threat response. But responsibility cannot be placed solely on the SOC team. To truly empower a SOC, the organisation’s leadership must support the entire team, and here there is a question of who the SOC should report to – the CISO or the CTO?
Creating a new executive position just for the SOC is inefficient both structurally and economically, and whether the SOC reports to the CISO or the CTO, both executives will have other divisions and issues to manage, so they will not be able to offer the SOC their full attention.
Outsourcing the SOC
SOCs need to detect, triage and eliminate new and emerging threats, so the SOC’s team has to be on the cutting edge of the very latest security research, and ideally performing threat research of its own. Although in-house integrated SOCs are undeniably more effective than allowing a business’ security needs to be spread between non-specialised departments, in-house teams are usually limited to detection and, at most, response. Enterprise security requirements are growing and intensifying so quickly, though, that most in-house SOCs cannot keep up the pace required to stay ahead of them.
Outsourcing the SOC to a managed service provider is one answer to this problem. While it may seem counter-intuitive to some executives, outsourcing the SOC can overcome the limitations of an in-house SOC. It can also prove to be the more cost-effective and cost-efficient option overall, as an outsourced SOC is a specialised business, where the provider can put its entire organisation’s resources into staying on the cutting edge of research, detection and response. The only caveat is that some security service providers do not offer all three of these to their customers.
Most security businesses focus on detection solutions and then hand the data to the customer’s own internal IT teams to isolate and remediate. We offer a comprehensive end-to-end solution rather than just detection services, as those are no longer sufficient. Ransomware can propagate in minutes, so detection alone is not enough – response is key.
Managed security services are full of potential, bringing together all that an outsourced SOC can provide. Drawing from both our own research and a multitude of sources across the wider cyber security industry, we have determined that outsourced SOCs are able to stay ahead of the latest threat intelligence. This allows for a level of proactivity when responding to security threats that in-house SOCs just can’t match. When this benefit is combined with comprehensive detection, response and remediation, it becomes clear just how effective an external, managed SOC can be.
And, as security threats do not present on a 9-to-5 basis, outsourced SOCs can offer 24/7 response, while in-house SOCs are limited by the operating hours of their business. With threats coming from all over the world and from different time zones, the most effective security is one that is rapid-response, at all times.
Perhaps most significantly of all, an outsourced SOC unifies defence against cyber threats across a diverse range of enterprises, so there is a good chance that any threat that arises has already been encountered in the wild, with an effective counter-strategy in place. Finally, when a new threat emerges that targets one business, all of the SOC provider’s client businesses benefit from the response used.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.