Tech Insight: Building A SOC, From Outsourcing To DIY

Today's security professionals need to have accurate information accessible to them at a moment's notice. That accessibility is critical in order for them to respond to security incidents efficiently and effectively. Pulling all of that information together can be difficult since it has to be collected from all corners of the enterprise. Yet, difficult or not, it's necessary so that triage can be performed quickly.

Unfortunately, we see research like Verizon's Data Breach Investigation Report that shows us this isn't happening in a large percentage of cases. Instead, it's months, even years, before a breach gets noticed. There are a handful of key issues that make this difficult. They revolve around a lack of trained and skilled personnel, the tools to provide them with accurate, actionable information, and the processes to enable them to do their jobs effectively.

To combat these issues, some organizations have built a security operations center (SOC) to become the hub of all security operations, streamline the incident-handling process, and enable ease of collaboration among security personnel. It sounds great, right? The reality is that assembling a SOC is no easy task, and it can be expensive, which is one of the primary reasons companies decide to outsource security operations.

To make the decision about whether to build a SOC, outsource it, or take a hybrid approach by mixing on-site security personnel with managed security services, let's look at some of the key features and decisions in the making of a successful SOC.

First and foremost, a SOC requires highly skilled security professionals to investigate security incidents, perform incident response and forensics, and help keep an organization afloat amid a data breach. These security pros are responsible for providing accurate information to management so the business can make sound decisions, such as whether critical systems need to be shut down for analysis or to stop data exfiltration.

An enterprise looking to build a SOC needs to evaluate whether it has the expertise in-house, what types of training might be necessary to get current staff to the level they need to be, and whether it needs to recruit additional personnel. Recruiting internally can be a good choice since the candidates will know the business and systems well. Also, current systems and network administrators are best because they have hands-on experience with the systems they will be investigating and are already likely to have good troubleshooting skills.

Where to house the SOC is another decision that can help or hinder the success of the team. Large enterprises can choose a standalone facility separate from the primary corporate buildings, but that won't work for budget-strapped organizations. Choosing to house the SOC within an existing network operations center (NOC) or the datacenter can help cut costs. It's important that SOC staff is kept together to help promote collaboration, cross-training, and general morale.

There's more than just people and location, though. To have a successful SOC, there needs to be processes to follow and a supporting budget to keep it running. The processes will be based in policies, as expected, but the budget needs to be allocated from management. Without a large enough budget, it will be difficult to keep talented staff, purchase the necessary tools, and meet the needs of the business. And that's a tough issue that needs to be worked out prior to building a SOC internally.

The SOC will need access to logs from intrusion-detection systems, firewalls, servers, network devices, and just about anything else that generates logs. To analyze the breadth and volume of logs from all of those systems effectively, a security information and event management (SIEM) solution makes the most sense, but it doesn't come cheap when considering related hardware/software purchases, implementation, and training. Companies strapped for budget may have to live with homegrown tools for a while, or may consider outsourcing some analysis to a managed security service provider (MSSP).

Does outsourcing make sense? It does when expertise is not available in-house, or when budget does not allow for the large capital expenditures needed to staff, house, and train, or purchase the tools necessary to support SOC operations. Thanks to the many different offerings from MSSPs like Dell SecureWorks, Trustwave, and Accuvant, companies can choose to outsource just the log analysis activities to supplement existing security personnel or outsource all security-related activities.

Outsourcing can also make sense if there's a need for round-the-clock monitoring. It's possible to build a SOC and house it in a different time zone, possibly overseas, but choosing to have 24x7x365 MSSP analysts available could be more economical.

The decision to build a SOC shouldn't be taken lightly. Building a self-contained, well-staffed center can be cost-prohibitive for many. A compromise might be to start small by bringing together all of the security personnel in one location, supplementing them with services from a MSSP, and growing the team and their responsibilities over time. Or the costs of outsourcing all aspects of security may work best for your company. Either way, having a well-designed SOC can mean the difference between a small security incident and a data breach that makes the headlines; however, the costs and benefits need to be weighed carefully to figure out which design best meets your company's needs.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.