Organizations have a significant cybersecurity problem these days. The traditional methods of incident remediation that most SOC (Security Operations Center) teams follow can be inadequate.
The current state of cybersecurity
Here are some stats to keep in mind:
- The global cybersecurity market is projected to reach $248.3 billion by 2023, growing at a CAGR (Compound Annual Growth Rate) of 10 percent.
- As of 2017, over 1,339 reported breaches had exposed 174.4 million records.
- The AV-TEST Institute registers over 350,000 new malicious programs (malware) and potentially unwanted applications (PUA) every day.
These trends point to a steady demand for cybersecurity talent. Has this demand been balanced by an equivalent supply of talent?
- 44 percent of security operations managers see more than 5000 security alerts per day and can only investigate 56 percent of them.
- Cybersecurity skill gaps leave 1 in 4 organizations exposed to inefficient operations for 6 months or longer.
Timing—and context—are everything
Security breaches and network failures can be a recurring reality for modern cybersecurity ops teams, and a burden on a company’s resources and processes. A lack of actionable intelligence and situational awareness keeps security teams from acting quickly to prevent devastating breaches. As much as CISOs want tools like Splunk, SIEM (Security Information and Event Management), and Behavioral Analytics to be magic bullets, tools alone are not enough.
Many enterprises can benefit from adopting a SOC-as-a-Service approach.
SOC-as-a-Service addresses two major challenges:
#1: SIEMs are not enough
There is no denying that SIEMs are crucial to maintaining overall organizational well-being. However, they require a great deal of administration and management, and they must be fine-tuned to serve your organization properly. Remember that a SIEM will not automatically understand your policies and business context.
Normal day-to-day operations alone will create a flood of alerts: 1,000+ suspicious events per 50M log events per day. The rules and use cases that define the SIEM need to be stated clearly by your security team. Even then, the best-tuned SIEM will still generate 50 suspicious alerts per 50M log events per day.
Yet even a good security analyst can only investigate about 15 suspicious alerts per day, discovering 1-2 actionable alerts per shift. It is safe to say that it takes a dedicated team to monitor your SIEM consistently and draw contextual conclusions from it.
#2: SOC isn’t so easy
Maintaining a dynamic SOC team is hard, and your security team already handles a wide variety of tasks that leave little time for business-critical needs. This long list of tasks includes:
- Maintaining your SIEM.
- Use case analytics.
- Threat Intel research.
- Continually searching for errors on your attack surface.
- Multiple event investigation process workflows.
- Escalation workflow and run book.
- Helpdesk process and workflows.
A good SOC also requires substantial investment in experienced people to take care of administrative and analytic duties:
Administrative roles (1-2 FTE)
- Dedicated SIEM admin.
- Rule authors who define and maintain the SIEM rules.
- Health and performance monitoring and remediation.
SOC Analysts (6-12 FTE)
- Security analysts and engineers.
- Incident response triage manager.
- Threat research analysts.
- 24x7x365 operations help desk.
SOC-as-a-Service Strikes the Right Balance
Keeping a SOC running efficiently 24/7 stands to grow even more challenging for the foreseeable future. Adopting the variation of SOC-as-a-Service that fits your organization addresses some of the greatest challenges facing CISOs and SecOps teams: SIEMs that are not performing at their full potential, rising tool complexity and traffic loads, and perennial skills gaps and shortages.
Netenrich’s SOC-as-a-Service brings extensive resources and expertise across threat hunting, log analysis, and other activities to complement your existing operations. Our team of 80+ analysts and admins has decades of experience working across vertical industries and can efficiently onboard and scale services.
We have successfully evolved our SIEM to solve for a variety of use cases such as securing data in public clouds, applying user behavior analytics, and deflecting malware, APTs, phishing, and brute-force attacks.
Along with a world-class, cross-platform SOC, we have also succeeded in SaaSifying our enterprise, on-prem SIEM tool. Baking in our newly launched Knowledge NOW (KNOW) threat intel platform adds even greater value in solving SecOps challenges and attack surface management (ASM).
See It in Action
To learn how enterprises are gaining greater security efficiencies, hear from leading experts on SOC-as-a-Service in an upcoming SANS webinar entitled “To build or not to build: Can SOC-aaS bridge your security skills gap?” on August 27 at 1 PM EDT.