Ask any security analyst what would make their life easier and the answer is likely to be “more.” More time, more help, more and better data and analytics, maybe even more tools. And always, more budget.
Right-sizing SOConomics hinges on figuring out what, when, and how much of everything you need, and what to do first. We can think of this in terms of three distinct phases.
Phase I: Baseline / Define Goals
The key to successfully investing in SOC is asking the right questions to understand key measures, outcomes, and budget. In other words, lay a solid foundation of expectations going in.
How much do you need? How do you get there? How much can and should you spend? What should you expect to get for your SOC investment? What does success look like and in what timeframe?
Start with known goals and issues like reducing noise, false positives, critical incidents, and response times. Expand your thinking to include things like addressing digital risk from misconfigurations and domain exposure. To the degree that you can, make a one- to three-year SOC investment plan for steadily enhancing your security posture while normalizing your spend.
Most representations of risk and security readiness in terms of money (i.e., is that a $5 million risk or a $50 million risk?) are not credible and defensible, and even when they are credible, they do not support daily decision making related to priorities and investments in security. ~ Gartner
If you need help defining realistic objectives, planning the SOC is a great time to engage a consultant or friendly security expert to help create a request for proposal (RFP), revise your budget and hiring plans, and negotiate with providers.
Once you capture your goals and available resources, you can transition to Phase II, standing up the SOC, deciding whether to build and run your own facility or engage SOC providers. This critical decision centers around basic SOConomics – costs, impact on resources, and probable outcomes – and culture.
Phase II: Standing up the SOC – “Buy vs. Build”
Based on the findings gleaned during Phase I, is it better to build your own SOC or to consume services, and if so, from whom?
Each organization faces its own unique challenges in evolving its cybersecurity strategy, budget, and expertise. Fortune 100 companies have ample resources and face more stringent compliance needs. These companies may build their own physical or virtual SOC to retain tighter control, clear audit trails, and deep visibility.
That said, recent research sponsored by FireEye shows 77 percent of cyberattacks now target small and mid-size businesses. Here, the “buy” option offers the functionality and flexibility needed without steep upfront expenditures.
Standing up your own SOC means shelling out dollars for office space, utilities, phones, computers, and buying dozens of point products. If you don’t own a Security Information and Event Management (SIEM) system, that alone might mean another $250K or more in capital outlay or a hefty annual subscription.
Whether you engage a provider or not, you’ll need to plan to find, train and maintain an internal team with specific cybersecurity skills and tool expertise. You’ll need considerably more analysts in the do-it-yourself (DIY) model, which may be the biggest deciding factor in “buy vs. build.”
As an alternative to a greenfield deployment, engagements with managed security service providers (MSSPs) or SOC-as-a-Service solutions can get up and running within a few weeks, with no major capital outlay or commitment to own and operate equipment. You don’t need to hire, train and retain as many full-time employees (FTEs) to achieve 24/7 coverage, and if solutions disappoint, you can course-correct quickly by opting out.
Deep cybersecurity skills top most CISOs’ wish lists for 2021. A typical SOC engineer brings proven expertise with tools, incident management, threat intelligence, and other specialized skills. This might include SIEM content development, security engineering, threat research, and round-the-clock shifts of L1, L2, and L3 security analysts.
If you build your own facility, plan on analyst salaries averaging $110K or more per year in 2021. Time to value comes into play here as well, as respondents cite an average of 7 months to recruit and bring analysts up to speed, after which many leave within two years.
If you have enough qualified people now, can you afford to hang onto or replace them as the SOC scales? When someone does leave, how long might it take to replace the tribal knowledge that leaves with them? Last but not least, there’s the time and effort required to operationalize investments in technical controls, processes and people.
MSSPs and SOC-as-a-Service providers are better able to hire, upskill, and retain top talent with ongoing training and a clear career path. That said, the greatest potential upside of engaging a provider or platform approach is not that you’ll need fewer new people, but that you’ll be better able to retain and cultivate the talent you have.
With the right partner in place and top-flight teams on either side, your team’s job satisfaction should rise while stress levels and alert fatigue tamp down. Your best analysts advance more quickly, which does mean you may need to pay them more. Even so, the value inherent in preserving skills and tribal knowledge, and in providing time to continue developing skills within your existing team, more than makes up the difference.
More time gets spent on high-value tasks like threat hunting, improving threat modeling and incident response, conducting red/blue/purple team exercises, automation, and applying advanced reporting and analytics. SecOps and analytics improve as your team spends more time investigating vetted threats and events, with sufficient context to take the right actions quickly.
The cost of hiring, training and retaining staff will only increase as the cybersecurity skills shortage continues to grow. A provider- or platform-based approach insulates you from sharp fluctuations to keep budgets predictable and promote more dynamic, outcomes-based scalability.
Running a 24/7 SOC
Once you get up and running, some security service providers say the three-year cost of ownership for a co-managed SOC is roughly half that of an in-house approach. A Ponemon study found the average annual expenditure for a self-built SOC to be about $2.86 million. The survey also concluded that running a successful SOC costs nearly twice as much as running one that’s not regarded very highly (and why keep doing that?).
Ongoing efforts include maintaining systems, renewing support contracts, and license fees that can represent up to 20 percent of your annual operations costs. Then there’s ongoing development of the procedural playbooks by which to operate the SOC and respond to incidents.
One target outcome for SOC investments has always been speed, which can be seen as both a function and a component of efficiency. The longer an attacker hangs around inside your infrastructure before being detected the more havoc they can wreak, and the greater your risk of suffering devastating breaches. That means the more time you have to spend validating, contextualizing and acting on events, the greater your risk—and cost.
So, we tend to track SOC efficiency in terms of time:
- Reduced response times
- Reduced noise
- Decreasing false positives to speed qualification and prioritization
- Faster time to detect and escalate
- Reduced consumption of SOC analyst time
Netenrich Intelligent SOC speeds response while also improving the qualitative aspects of security resolution over time:
- How accurate are criticality ratings and prioritization?
- Are actionable recommendations for remediation provided?
- What percentage of issues get resolved by machines?
- Is threat intelligence well-contextualized to alerts?
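The two lists above name the measures a SOC tracks but do not show how to derive them from the data a SOC already holds. The script below, added here as an example rather than code from Netenrich or the original post, computes those measures (median time to detect, escalate and respond; false-positive rate; share of alerts closed by automation; analyst minutes per alert) from a handful of constructed alert records, and then compares a baseline period with a later one, which is the Phase I baselining exercise in miniature. The Alert fields, the sample timestamps and the "machine"/"analyst" labels are assumptions made for this example, not a real tool's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional

# Constructed base timestamp; every sample alert below is an offset from it.
T0 = datetime(2021, 3, 1, 0, 0)


def at(hours: float, minutes: float = 0) -> datetime:
    """Build a sample timestamp relative to T0 (constructed data only)."""
    return T0 + timedelta(hours=hours, minutes=minutes)


@dataclass
class Alert:
    alert_id: str
    event_time: datetime                # when the suspicious activity occurred
    detected_time: datetime             # when the detection fired
    escalated_time: Optional[datetime]  # handed to L2/L3 or IR; None if closed at L1
    resolved_time: Optional[datetime]   # ticket closed; None if still open
    disposition: str                    # "true_positive", "false_positive" or "benign"
    resolved_by: str                    # "machine" (playbook/automation) or "analyst"
    analyst_minutes: float              # hands-on human time logged on the alert


def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60.0


def soc_metrics(alerts: List[Alert]) -> Dict[str, Optional[float]]:
    """Compute the time- and quality-based measures for one reporting period.

    Medians are used for the time measures so that a single long-running
    incident does not dominate the figure. Open alerts count toward detection
    time but are excluded from response time and the closure-based rates.
    """
    closed = [a for a in alerts if a.resolved_time is not None]
    ttd = [_minutes(a.event_time, a.detected_time) for a in alerts]
    tte = [_minutes(a.detected_time, a.escalated_time) for a in alerts if a.escalated_time]
    ttr = [_minutes(a.detected_time, a.resolved_time) for a in closed]
    false_pos = sum(1 for a in closed if a.disposition == "false_positive")
    by_machine = sum(1 for a in closed if a.resolved_by == "machine")
    return {
        "alerts": len(alerts),
        "median_minutes_to_detect": median(ttd) if ttd else None,
        "median_minutes_to_escalate": median(tte) if tte else None,
        "median_minutes_to_respond": median(ttr) if ttr else None,
        "false_positive_rate": round(false_pos / len(closed), 3) if closed else None,
        "pct_resolved_by_machine": round(100.0 * by_machine / len(closed), 1) if closed else None,
        "analyst_minutes_per_alert": round(sum(a.analyst_minutes for a in alerts) / len(alerts), 2)
        if alerts else None,
    }


def compare_periods(before: Dict[str, Optional[float]],
                    after: Dict[str, Optional[float]]) -> Dict[str, Dict[str, Optional[float]]]:
    """Pair each baseline measure with its later value and the percent change."""
    out = {}
    for key, b in before.items():
        a = after.get(key)
        pct = None
        if isinstance(b, (int, float)) and isinstance(a, (int, float)) and b:
            pct = round(100.0 * (a - b) / b, 1)
        out[key] = {"before": b, "after": a, "pct_change": pct}
    return out


# Constructed sample data: a baseline week with manual triage only ...
BASELINE = [
    Alert("A1", at(0), at(2), at(2, 30), at(5), "true_positive", "analyst", 90),
    Alert("A2", at(1), at(1, 30), None, at(2), "false_positive", "analyst", 20),
    Alert("A3", at(2), at(4), at(4, 20), at(8), "true_positive", "analyst", 150),
    Alert("A4", at(3), at(3, 10), None, at(3, 40), "false_positive", "analyst", 15),
]

# ... and a later week after tuning and automated closure of low-value alerts.
AFTER = [
    Alert("B1", at(0), at(0, 20), at(0, 30), at(2), "true_positive", "analyst", 60),
    Alert("B2", at(1), at(1, 5), None, at(1, 6), "false_positive", "machine", 0),
    Alert("B3", at(2), at(2, 15), at(2, 20), at(3, 30), "true_positive", "analyst", 45),
    Alert("B4", at(3), at(3, 2), None, at(3, 3), "benign", "machine", 0),
    Alert("B5", at(4), at(4, 10), None, None, "true_positive", "analyst", 30),  # still open
]


if __name__ == "__main__":
    for key, row in compare_periods(soc_metrics(BASELINE), soc_metrics(AFTER)).items():
        print(f"{key:32} {row['before']!s:>8} -> {row['after']!s:>8}  ({row['pct_change']}%)")
```

On the constructed data the baseline shows a 75-minute median time to detect and a 50 percent false-positive rate; the later period brings those to 10 minutes and 25 percent while half of closed alerts are handled by automation. Read the pct_change column with the sign in mind: negative is improvement on the time, false-positive and analyst-minute rows, positive is improvement on the machine-resolved row. Swapping the constructed lists for an export from your ticketing system or SIEM is the only change needed to baseline your own SOC.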
Speed and efficiency go hand-in-hand. In a recent IDC report, respondents cited their top reasons for engaging providers, which include streamlining complexity, utilizing new technologies, and enhancing visibility.
Efficiency includes optimizing workflows and communications between various solution sets, a major reason some organizations engage managed service providers. For example, logging and endpoint solutions may both generate alerts, and may or may not both feed directly into a SIEM, but deep expertise and integration are needed to reconcile alert management. Data may be split across multiple systems, making it more complicated to figure out what actually happened, or even where to look first.
An effective, intelligence-driven SOC improves day-to-day issue resolution by applying richer context and better, faster correlation, two capabilities that prove hard to quantify in and of themselves. But we need to go beyond thinking about resolution and value mainly in terms of transactions (alerts, tickets, escalations, man-hours).
Ultimate resolution should address true and ongoing Ops transformation as well as bottom-line business outcomes. We’ll take a closer look at this in Part III, the last post in this series on right-sizing SOConomics which focuses on demonstrating value.
In the meantime, learn more about Intelligent SOC and how we can help right-size your security spend and operations.