10:27 PM
Connect Directly

Tech Insight: Building A SOC, From Outsourcing To DIY

Building blocks for developing the most effective security operations center

Today's security professionals need to have accurate information accessible to them at a moment's notice. That accessibility is critical in order for them to respond to security incidents efficiently and effectively. Pulling all of that information together can be difficult since it has to be collected from all corners of the enterprise. Yet, difficult or not, it's necessary so that triage can be performed quickly.

Unfortunately, we see research like Verizon's Data Breach Investigation Report that shows us this isn't happening in a large percentage of cases. Instead, it's months, even years, before a breach gets noticed. There are a handful of key issues that make this difficult. They revolve around a lack of trained and skilled personnel, the tools to provide them with accurate, actionable information, and the processes to enable them to do their jobs effectively.

To combat these issues, some organizations have built a security operations center (SOC) to become the hub of all security operations, streamline the incident-handling process, and enable ease of collaboration among security personnel. It sounds great, right? The reality is that assembling a SOC is no easy task, and it can be expensive, which is one of the primary reasons companies decide to outsource security operations.

To make the decision about whether to build a SOC, outsource it, or take a hybrid approach by mixing on-site security personnel with managed security services, let's look at some of the key features and decisions in the making of a successful SOC.

First and foremost, a SOC requires highly skilled security professionals to investigate security incidents, perform incident response and forensics, and help keep an organization afloat amid a data breach. These security pros are responsible for providing accurate information to management so the business can make sound decisions, such as whether critical systems need to be shut down for analysis or to stop data exfiltration.

An enterprise looking to build a SOC needs to evaluate whether it has the expertise in-house, what types of training might be necessary to get current staff to the level they need to be, and whether it needs to recruit additional personnel. Recruiting internally can be a good choice since the candidates will know the business and systems well. Also, current systems and network administrators are best because they have hands-on experience with the systems they will be investigating and are already likely to have good troubleshooting skills.

Where to house the SOC is another decision that can help or hinder the success of the team. Large enterprises can choose a standalone facility separate from the primary corporate buildings, but that won't work for budget-strapped organizations. Choosing to house the SOC within an existing network operations center (NOC) or the datacenter can help cut costs. It's important that SOC staff is kept together to help promote collaboration, cross-training, and general morale.

There's more than just people and location, though. To have a successful SOC, there needs to be processes to follow and a supporting budget to keep it running. The processes will be based in policies, as expected, but the budget needs to be allocated from management. Without a large enough budget, it will be difficult to keep talented staff, purchase the necessary tools, and meet the needs of the business. And that's a tough issue that needs to be worked out prior to building a SOC internally.

The SOC will need access to logs from intrusion-detection systems, firewalls, servers, network devices, and just about anything else that generates logs. To analyze the breadth and volume of logs from all of those systems effectively, a security information and event management (SIEM) solution makes the most sense, but it doesn't come cheap when considering related hardware/software purchases, implementation, and training. Companies strapped for budget may have to live with homegrown tools for a while, or may consider outsourcing some analysis to a managed security service provider (MSSP).

Does outsourcing make sense? It does when expertise is not available in-house, or when budget does not allow for the large capital expenditures needed to staff, house, and train, or purchase the tools necessary to support SOC operations. Thanks to the many different offerings from MSSPs like Dell SecureWorks, Trustwave, and Accuvant, companies can choose to outsource just the log analysis activities to supplement existing security personnel or outsource all security-related activities.

Outsourcing can also make sense if there's a need for round-the-clock monitoring. It's possible to build a SOC and house it in a different time zone, possibly overseas, but choosing to have 24x7x365 MSSP analysts available could be more economical.

The decision to build a SOC shouldn't be taken lightly. Building a self-contained, well-staffed center can be cost-prohibitive for many. A compromise might be to start small by bringing together all of the security personnel in one location, supplementing them with services from a MSSP, and growing the team and their responsibilities over time. Or the costs of outsourcing all aspects of security may work best for your company. Either way, having a well-designed SOC can mean the difference between a small security incident and a data breach that makes the headlines; however, the costs and benefits need to be weighed carefully to figure out which design best meets your company's needs.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Email This  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/23/2012 | 4:21:07 PM
re: Tech Insight: Building A SOC, From Outsourcing To DIY
Very timely & interesting article. I'm currently restructuring my computer lab to better simulate the components that exist in the cash-strapped SMB world, with the purpose of architecting a more secure, more monitorable, and more defendable LAN/WAN deployment. The heart of this re-architecture is going to be a hybrid smbSOC that features a customized security appliance-in-house that forwards critical alerts to a remote MSSP for further analysis and remediation. Few SMB's have any real meaningful visibility into their network traffic, and you can't defend against an enemy you can't even see. This market needs affordable solutions that probably utilize Open Source because commercial offerings are simply too expensive and only care about profiteering. The reality is that all of our businesses, large & small, are under persistent attack by highly skilled professional infiltrators, and it should be every concerned citizen's focus to assist with widespread defensive measures. Yeah, make money off the big guys, but do what you can to help the little guy too.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
All Videos
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.