Introduction
This article is the second part of our series “Unlocking your true Security Potential by deploying a Security Operations Center (SOC)”. In the first part we examined how a SOC enhances an organization's security posture. In this second part we explore the various deployment options for a SOC and discuss their advantages and disadvantages. In the last part of the series we will focus exclusively on Senthorus’ capabilities and on what establishes it as a next generation SOC amongst its competitors.
In case you missed the first part, we highly recommend you read it, as there we explain in detail why deploying a SOC not only supports the cyber risk management process but also improves an organization’s overall security posture (you can find the article, titled ‘How to improve Risk Management by deploying a SOC’, here).
Recap: Why a SOC helps in the Cyber Risk Management Process
Before we look at the different SOC types, a short recap: deploying and operating a SOC substantially improves the security posture of an organization by ensuring the continuity of the risk management process. In addition, a SOC offers the following benefits:
- Proactive Threat Detection
- Rapid Incident Response
- Enhanced Visibility
- Compliance and Regulatory Alignments
- Stakeholder Confidence
These key points underscore the crucial role a SOC plays in fortifying organizational defenses. From proactive threat detection to ensuring compliance and bolstering stakeholder confidence, a SOC is a cornerstone of the defense against evolving cyber threats, enabling businesses to operate with resilience and assurance.
Which different SOC types exist
1. In-house SOC:
An in-house SOC is operated internally, on the organization’s own premises, using the organization’s own resources, staff and infrastructure.
Advantages: Control over SOC operations remains completely within the organization. Through continuous improvement, the SOC becomes increasingly tailored to the organization’s specific requirements and compliance standards. An internal SOC also allows for maximum visibility and full alignment with internal security objectives.
Disadvantages: Establishing and operating an internal SOC demands significant resources and a proficient workforce, posing both financial hurdles and challenges in recruiting skilled security personnel. Workload is another concern: in smaller organizations in particular, the workload may drop sharply once the SOC is set up, leaving staff underutilized. Conversely, scalability concerns arise when the SOC faces peak workloads.
2. Managed Security Services Provider (MSSP) or Managed SOC:
MSSPs like Senthorus are third-party providers that offer outsourced security monitoring, threat detection and incident response, among other capabilities, on a 24x7 basis.
Advantages: MSSPs provide specialized cybersecurity expertise and up-to-date technology in a subscription model, without an upfront investment. The extensive experience of MSSPs ensures a smooth onboarding process without the need to recruit or train staff beforehand. The subscription model gives smaller organizations a cost-effective way to strengthen their resilience, avoiding the staffing and investment concerns of an internal SOC. A further advantage of contracting an MSSP is the high scalability and flexibility they offer, ensuring ongoing protection even as business requirements change over time.
Disadvantages: Organizations may become overly reliant on the MSSP, eroding internal expertise and control. Outsourcing security operations can also create coordination and communication challenges that delay incident response, since the provider needs context about the client’s environment and the client has to act on the provider’s escalations. Compliance concerns can arise regarding the sovereignty of the client’s data, for instance where the provider stores and processes the client’s logs and telemetry.
3. Co-Managed SOC:
The organization collaborates with the MSSP to augment its internal security capabilities. The MSSP provides additional resources, expertise, or technology to complement the organization’s internal SOC team.
Advantages: This approach combines the capabilities of an internal SOC team with the benefits an MSSP provides. The organization can draw on external support when it needs more scalability and flexibility, without being solely dependent on the MSSP. The in-house team benefits from the MSSP’s expertise, which also opens the door to a later transition to a fully in-house SOC.
Disadvantages: Coordination and communication between the internal security team and the MSSP require special attention to ensure that security incidents are escalated seamlessly, and integrating internal and external security capabilities takes additional effort. Because two security operations teams effectively work side by side, conflicts can arise; a clear definition of the MSSP’s tasks and responsibilities in the Service Level Agreement (SLA) is therefore recommended.
Factors to consider when choosing a SOC type
Not every one of the SOC types presented above is suitable for every organization; many factors play a decisive role. In this section we discuss the most important ones.
Security needs and requirements
· Scale of operations
An important first step is to define the scope of the SOC operations. The following aspects play an important role: the number of endpoints and their geographical distribution, the estimated volume of data to be processed, the complexity of the organization’s network architecture, the existing environment, and finally data storage and backup.
· Compliance requirements
Another important concern is compliance. Regulatory frameworks such as HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard) or the GDPR (General Data Protection Regulation), among others, may apply to organizations worldwide. When choosing a SOC type it is crucial to check for any conflict with these standards.
Let’s examine an example to deepen our understanding: PCI DSS requires any organization storing, processing or transmitting cardholder data to log security events and activities continuously so that potential security incidents can be detected and responded to. Choosing a SOC type that fails to capture critical security events in real time prevents an organization from being PCI DSS compliant. Non-compliance may lead to fines ranging from $5,000 up to $100,000 per month, legal action against the company and/or lasting reputational damage.
While internal SOC teams face the challenge of designing a compliant SOC solution tailored to their needs, Managed Security Service Providers (MSSPs) can draw on their extensive experience to help these organizations quickly find a suitable SOC solution that meets regulatory requirements. In a co-managed SOC, the MSSP works closely with the organization’s security team to find an optimal solution based on the existing infrastructure.
Budget and cost considerations
· Initial investment and Operational costs
Choosing the right SOC type depends heavily on the costs involved in the initial stages of the deployment as well as on recurring costs.
Internal SOC: Deploying an internal SOC goes hand in hand with a high allocation of resources at the initial stages. The large initial investment is a hurdle, especially for smaller organizations, and the return on investment is not immediate, as the SOC has to mature over time before it really meets the organization’s needs. Initial costs for an internal SOC typically include personnel, infrastructure and consulting costs as well as the acquisition of the desired software, hardware and tools. Note that hidden costs may arise during the deployment, depending on the complexity of the existing infrastructure and the experience of the team, and these can easily push the project over budget.
Ongoing operation of an internal SOC is dominated by salaries, followed by licenses, subscriptions, maintenance and training for the SOC analysts. If the organization wants its infrastructure monitored continuously, there is no way around a 24x7 shift schedule, which further increases monthly payroll through weekend surcharges, night shifts and holiday bonuses.
MSSP: Should an organization choose to outsource its security operations by contracting an MSSP, the initial costs depend heavily on the MSSP’s pricing model. In general, however, initial costs are low, as MSSP pricing is usually subscription based. This removes the major hurdle an organization faces at the initial stages of an internal SOC and makes security operations readily accessible to mid-sized and smaller companies.
Ongoing operation of a managed SOC consists of the subscription fee. Additional costs can arise when the company uses special services offered by the MSSP, such as a forensic investigation or malware analysis.
Co-Managed SOC: The initial costs of a co-managed SOC do not differ much from those of a managed SOC. However, the onboarding process may take extra time because responsibilities have to be agreed between the internal and external security teams and potential conflicts of interest resolved.
The operational costs of a co-managed SOC are similar to those of the managed SOC approach; in addition, there are the salaries of the in-house security team and its ongoing training costs.
Scalability and flexibility
· Elasticity for seasonal or event-driven demands
A crucial concern for any Security Operations Center is the ability to react and adapt quickly to higher workloads and evolving security demands.
Internal SOC: An in-house SOC cannot respond swiftly to changing workloads. If the infrastructure is not in the cloud, a changing workload may mean that the infrastructure as it stands cannot handle the increased volume of alerts. Upgrading the infrastructure costs money and takes time, and may affect operations through downtime.
Further concerns arise regarding staff, as skilled security personnel are hard to find on the job market. All of the above make the internal SOC slow to react overall. Slower reaction times not only jeopardize the security posture but also impede day-to-day SOC operations: delays in incident detection, analysis and response increase risk exposure and the potential damage to the organization.
MSSP: MSSPs have multiple clients, so their staff and underlying infrastructure are prepared for higher workloads. Generally speaking, if only one client has a temporarily increased workload, e.g. due to an ongoing penetration test, the total workload the MSSP’s SOC analysts have to handle is not much affected. The more clients the MSSP has, the better an increased volume of alerts from one client is balanced out by the others. This allows the
Co-Managed SOC: In contrast to a fully managed SOC, in a co-managed SOC the internal security team handles the alerts, supported by the MSSP’s SOC analysts. Depending on the contract, the MSSP usually triages the alerts and, in case of a true positive, escalates the incident to the internal SOC team. This way the internal SOC team can focus on other tasks (such as endpoint hardening or infrastructure maintenance) and only investigates when an incident is escalated.
It is important to define clear procedures and hierarchies between the internal and external SOC teams in order to avoid conflicts of interest as time progresses.
Generally speaking, it is recommended to move the existing infrastructure to the cloud. The natural benefits of a cloud-based environment greatly improve the responsiveness, scalability and flexibility of a SOC, regardless of its type.
Distribution of competences
To avoid dependencies, addressing the distribution of competences is highly important when planning the deployment of a Security Operations Center (SOC).
Internal SOC: With an internal SOC, no concerns arise regarding the distribution of competences, as complete control over security operations stays within the organization. The downside is that the organization cannot benefit from the extensive experience an MSSP has to offer.
MSSP: When considering contracting an MSSP, it is important not to outsource the IT (security) department completely. Even though the client benefits greatly from the MSSP’s expertise, situations in which the client depends entirely on the contracted security service provider should be avoided, as this means a massive loss of control over security operations.
Co-Managed SOC: With a co-managed SOC, no such dependency arises. The client keeps its IT (security) department and actively invests in ongoing training, while at the same time benefiting from the MSSP’s expertise. This represents the ideal balance between benefit and control.
Conclusion
The decision of which SOC type to choose is of crucial importance as it greatly impacts the direction in which the security posture of an organization is headed. Each of the presented SOC types offers distinct advantages and disadvantages, so before choosing a SOC type, a careful consideration of the organization’s needs, existing infrastructure, budget, and compliance requirements is indispensable.
Firstly, organizations must assess their security needs and compliance requirements to determine the most suitable SOC type. It is recommended to bring in an external consultant for this step. Addressing factors such as the scale of operations, industry-specific regulations and data storage considerations plays a vital role in this evaluation. Failure to align with regulatory standards can result in severe consequences, including fines, legal action and reputational damage.
Secondly, budget and cost considerations are paramount when choosing a SOC type. In-house SOCs require substantial investments in infrastructure, personnel and technology, along with ongoing operational costs. Managed Security Services Providers (MSSPs) like Senthorus offer a subscription-based model, a cost-effective alternative for organizations on a smaller budget.
Thirdly, scalability and flexibility are essential in the fast-evolving world of cybersecurity. Cloud-based solutions offer inherent scalability advantages, allowing organizations to rapidly adjust resources to demand. Both internal SOCs and MSSPs face challenges in this regard: internal SOCs often struggle to keep pace with temporary workload changes, while MSSPs may lack the agility to tailor their services to the individual needs of each client.
Finally, the distribution of competences must be considered in order to avoid dependencies while maintaining control over security operations. Internal SOCs offer full control but may lack the expertise and resources of MSSPs, especially given how scarce well-trained security personnel are on the job market. The co-managed SOC once again offers a good balance between benefiting from the expertise of an MSSP and maintaining control over security operations.
After all, the right solution depends highly on each organization, its needs, existing infrastructure, budget, risk tolerance and compliance requirements. By considering these factors, and seeking expert guidance where necessary, an organization can effectively strengthen its security posture against ever-evolving cyber threats.