1/22/2012 10:27 PM

Tech Insight: Building A SOC, From Outsourcing To DIY

Building blocks for developing the most effective security operations center

Today's security professionals need to have accurate information accessible to them at a moment's notice. That accessibility is critical in order for them to respond to security incidents efficiently and effectively. Pulling all of that information together can be difficult since it has to be collected from all corners of the enterprise. Yet, difficult or not, it's necessary so that triage can be performed quickly.

Unfortunately, research such as Verizon's Data Breach Investigations Report shows that this isn't happening in a large percentage of cases. Instead, it's months, even years, before a breach gets noticed. A handful of key issues make this difficult. They revolve around a lack of trained and skilled personnel, the tools to provide them with accurate, actionable information, and the processes to enable them to do their jobs effectively.

To combat these issues, some organizations have built a security operations center (SOC) to become the hub of all security operations, streamline the incident-handling process, and enable ease of collaboration among security personnel. It sounds great, right? The reality is that assembling a SOC is no easy task, and it can be expensive, which is one of the primary reasons companies decide to outsource security operations.

To make the decision about whether to build a SOC, outsource it, or take a hybrid approach by mixing on-site security personnel with managed security services, let's look at some of the key features and decisions in the making of a successful SOC.

First and foremost, a SOC requires highly skilled security professionals to investigate security incidents, perform incident response and forensics, and help keep an organization afloat amid a data breach. These security pros are responsible for providing accurate information to management so the business can make sound decisions, such as whether critical systems need to be shut down for analysis or to stop data exfiltration.

An enterprise looking to build a SOC needs to evaluate whether it has the expertise in-house, what types of training might be necessary to get current staff to the level they need to be, and whether it needs to recruit additional personnel. Recruiting internally can be a good choice since the candidates will know the business and systems well. Also, current systems and network administrators are best because they have hands-on experience with the systems they will be investigating and are already likely to have good troubleshooting skills.

Where to house the SOC is another decision that can help or hinder the success of the team. Large enterprises can choose a standalone facility separate from the primary corporate buildings, but that won't work for budget-strapped organizations. Choosing to house the SOC within an existing network operations center (NOC) or the datacenter can help cut costs. It's important that SOC staff are kept together to help promote collaboration, cross-training, and general morale.

There's more than just people and location, though. To have a successful SOC, there need to be processes to follow and a supporting budget to keep it running. The processes will be based on policies, as expected, but the budget needs to be allocated by management. Without a large enough budget, it will be difficult to keep talented staff, purchase the necessary tools, and meet the needs of the business. That's a tough issue that needs to be worked out prior to building a SOC internally.

The SOC will need access to logs from intrusion-detection systems, firewalls, servers, network devices, and just about anything else that generates logs. To analyze the breadth and volume of logs from all of those systems effectively, a security information and event management (SIEM) solution makes the most sense, but it doesn't come cheap when considering related hardware/software purchases, implementation, and training. Companies strapped for budget may have to live with homegrown tools for a while, or may consider outsourcing some analysis to a managed security service provider (MSSP).
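The collection and analysis step described above, reduced to a runnable sketch of the kind of "homegrown tool" a budget-strapped team might start with before a SIEM: logs from a firewall, an IDS, and a server are parsed into one common event shape and then correlated by source address, so an analyst sees one triaged alert instead of three unrelated log lines. This is an added example, not code from the article or from any product it names. The three log formats, hostnames, addresses (RFC 5737 test ranges), the IDS rule id, the ten-minute window and the severity thresholds are all constructed assumptions, not real vendor syntax or tuned values.

```python
"""Normalise three constructed log formats into one event shape and
correlate them by source IP.  Added example (not the article's code);
formats, hosts, addresses, rule ids and thresholds are all constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines.  Formats are simplified, not real vendor syntax.
FIREWALL_LOGS = [
    "2012-01-22T22:01:05 fw01 DENY TCP 203.0.113.7:51234 -> 10.0.0.5:22",
    "2012-01-22T22:01:07 fw01 DENY TCP 203.0.113.7:51235 -> 10.0.0.5:22",
    "2012-01-22T21:15:00 fw01 DENY UDP 198.51.100.9:40000 -> 10.0.0.9:161",  # lone deny
    "2012-01-22T22:01:09 fw01 ALLOW TCP 192.0.2.44:55000 -> 10.0.0.5:443",   # permitted flow
    "fw01 <truncated line that does not match the format>",              # malformed
]
IDS_LOGS = [
    '2012-01-22T22:02:10 ids01 ALERT sid=1000001 msg="SSH brute force attempt" '
    'src=203.0.113.7 dst=10.0.0.5',
]
SERVER_LOGS = [
    "2012-01-22T22:03:30 web01 sshd: Failed password for root from 203.0.113.7 port 51300",
    "2012-01-22T20:00:00 web01 sshd: Failed password for alice from 192.0.2.44 port 50001",
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>DENY|ALLOW) (?P<proto>\S+) "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IDS_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) ALERT sid=(?P<sid>\d+) msg="(?P<msg>[^"]*)" '
                    r'src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$')
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for (?P<user>\S+) "
                    r"from (?P<src>[\d.]+) port \d+$")


def _event(m, source, summary):
    """Common event shape shared by every source."""
    return {"ts": datetime.fromisoformat(m["ts"]), "source": source,
            "src_ip": m["src"], "host": m["host"], "summary": summary}


def normalise(fw_lines, ids_lines, ssh_lines):
    """Return (events, unparsed).  Lines the parsers reject are counted rather
    than silently dropped: a rising count usually means a log format changed."""
    events, unparsed = [], 0
    for line in fw_lines:
        m = FW_RE.match(line)
        if m is None:
            unparsed += 1
        elif m["action"] == "DENY":  # permitted flows are not interesting here
            events.append(_event(m, "firewall", f"denied {m['proto']} to {m['dst']}:{m['dport']}"))
    for line in ids_lines:
        m = IDS_RE.match(line)
        if m is None:
            unparsed += 1
        else:
            events.append(_event(m, "ids", f"sid {m['sid']}: {m['msg']}"))
    for line in ssh_lines:
        m = SSH_RE.match(line)
        if m is None:
            unparsed += 1
        else:
            events.append(_event(m, "server", f"failed login as {m['user']}"))
    return events, unparsed


def _alert_for(ip, burst):
    """One alert per burst, only when at least two independent sources agree."""
    sources = sorted({e["source"] for e in burst})
    if len(sources) < 2:
        return []
    return [{"src_ip": ip, "sources": sources, "events": len(burst),
             "first_seen": burst[0]["ts"], "last_seen": burst[-1]["ts"],
             "severity": "high" if len(sources) >= 3 else "medium"}]


def correlate(events, window_minutes=10):
    """Group each source IP's events into bursts (consecutive events no more
    than window_minutes apart) and alert on bursts seen by two or more sources."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        burst = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - burst[-1]["ts"] <= window:
                burst.append(ev)
            else:
                alerts.extend(_alert_for(ip, burst))
                burst = [ev]
        alerts.extend(_alert_for(ip, burst))
    return alerts


def run_demo():
    events, unparsed = normalise(FIREWALL_LOGS, IDS_LOGS, SERVER_LOGS)
    return correlate(events), unparsed


if __name__ == "__main__":
    alerts, unparsed = run_demo()
    print(f"{unparsed} unparsed line(s)")
    for a in alerts:
        print(f"[{a['severity']}] {a['src_ip']} seen by {', '.join(a['sources'])} "
              f"({a['events']} events, {a['first_seen']:%H:%M}-{a['last_seen']:%H:%M})")
```

On the constructed input, the single deny from 198.51.100.9 and the single failed login from 192.0.2.44 produce no alert, while 203.0.113.7 (two firewall denies, an IDS alert and a failed root login within three minutes) produces one high-severity alert. The unparsed counter is the check a practitioner wants: a parser that silently drops lines it cannot read hides exactly the format drift that makes a homegrown tool go blind.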

Does outsourcing make sense? It does when expertise is not available in-house, or when the budget does not allow for the large capital expenditures needed to staff, house, and train a team, or to purchase the tools necessary to support SOC operations. Thanks to the many different offerings from MSSPs like Dell SecureWorks, Trustwave, and Accuvant, companies can choose to outsource just the log analysis activities to supplement existing security personnel, or outsource all security-related activities.

Outsourcing can also make sense if there's a need for round-the-clock monitoring. It's possible to build a SOC and house it in a different time zone, possibly overseas, but choosing to have 24x7x365 MSSP analysts available could be more economical.

The decision to build a SOC shouldn't be taken lightly. Building a self-contained, well-staffed center can be cost-prohibitive for many. A compromise might be to start small by bringing together all of the security personnel in one location, supplementing them with services from an MSSP, and growing the team and their responsibilities over time. Or outsourcing all aspects of security may work best for your company. Either way, having a well-designed SOC can mean the difference between a small security incident and a data breach that makes the headlines; however, the costs and benefits need to be weighed carefully to figure out which design best meets your company's needs.

Comments
lancop, User Rank: Apprentice
1/23/2012 | 4:21:07 PM
re: Tech Insight: Building A SOC, From Outsourcing To DIY
Very timely & interesting article. I'm currently restructuring my computer lab to better simulate the components that exist in the cash-strapped SMB world, with the purpose of architecting a more secure, more monitorable, and more defendable LAN/WAN deployment. The heart of this re-architecture is going to be a hybrid smbSOC that features a customized security appliance in-house that forwards critical alerts to a remote MSSP for further analysis and remediation. Few SMBs have any real meaningful visibility into their network traffic, and you can't defend against an enemy you can't even see. This market needs affordable solutions that probably utilize Open Source because commercial offerings are simply too expensive and only care about profiteering. The reality is that all of our businesses, large & small, are under persistent attack by highly skilled professional infiltrators, and it should be every concerned citizen's focus to assist with widespread defensive measures. Yeah, make money off the big guys, but do what you can to help the little guy too.