Why Use a Managed SOC?
The IT infrastructure of a growing business also becomes larger, more complex, and more difficult to secure. Each device produces many different activity and security logs which can provide critical security information, but need to be reviewed by specialists.
Security Operations Centers (SOCs) play a critical role in protecting organizations from cybersecurity attacks by centralizing expertise to service the entire organization.
While there are several implementation models, organizations can often benefit the most from a fully outsourced and managed SOC. To fully understand the benefits of a managed SOC, we must first understand the role of the SOC in managing cybersecurity detection and response.
What is a SOC?
A Security Operations Center (SOC) provides a single point of coordination for security experts to analyze, prioritize, and further investigate security alerts and signs of malicious behavior. The SOC can also provide a single point of coordination and management of other security initiatives.
SOCs can be implemented as a physical location, a virtual team, or acquired as an outsourced resource. SOCs require specialized security tools and highly trained IT security professionals to be effective.
What Does a SOC do?
Sometimes called an Information Security Operations Center, a SOC monitors the entire IT infrastructure of the organization full time – 24 hours a day, 7 days a week, and for all 365 days of the year. SOC teams use tools, processes and their experience to:
- Prioritize security alerts and anomalous behavior
- Analyze alerts as potentially malicious (or false alarms)
- Investigate malicious activity
- Respond to cyberattacks directly or alert managed detection and response (MDR) teams
SOCs collect data and event logs from across the entire IT environment, and can play a pivotal role in identifying, protecting against, and responding to attacks against the organization. Typical threats can include, but certainly will not be limited to phishing, malware, distributed denial of service (DDoS) attacks, ransomware, and unauthorized data exfiltration.
A SOC’s primary purpose is to maintain, monitor, and constantly improve an organization’s cybersecurity technologies and capabilities. Depending upon the needs of the organization, the SOC may also play a role in:
- Anticipating threats (gathering cyber threat intelligence, etc.)
- Managing the centralized log repository (security information and event management (SIEM) tools, security data lake, etc.)
- Managing risk and compliance requirements
- Patches and updates
- Proactive threat hunting and monitoring for attacks that did not trigger alerts
- Recovering lost or stolen data and determining compromised assets
- Security strategy (architecture design, incident response strategy, etc.)
- Tool and alert tuning (reduce false alarms, improve log value, etc.)
- Vulnerability detection, assessment, and mitigation
The exact role of the SOC and where they might receive or handoff alerts for threat investigation depends upon the type of SOC deployed and other security and incident response infrastructure.
Types of SOCs
SOCs tend to mimic Network Operations Centers (NOCs) in structure, but instead of operational efficiency the SOC will focus on security alerts and will also incorporate alerts from servers, endpoints, applications, and cloud resources. We go into more detail in Types of Security Operations Centers, but as a quick summary most organizations will implement one of five general types of SOCs:
- Multifunction SOC / NOC
- Dedicated SOC
- Command SOC
- Co-Managed SOC
- SOC-as-a-Service (SOCaaS)
Multifunction SOC / NOC
Multifunctions SOC / NOC centers combine NOC and SOC functions to monitor network operations and security. These centers can be less expensive to maintain because they share expertise, tools, and alert monitoring.
However, networking concerns often take priority, especially since network improvements are easier to quantify for return on investment (ROI), and security concerns can be easily marginalized. This option is best for small enterprises and often does not survive the growth of the organization without a strong balance.
Dedicated SOCs create a team of internal security experts working as one group either in a single location or virtually. A Dedicated SOC creates great security visibility and centralized expertise for the organization.
However, Dedicated SOCs require at least 5 full time experts to achieve 24/7/365 coverage and expensive tools to manage high volumes of alerts with a smaller staff. This SOC model is best for larger enterprises with few offices.
Command SOCs use a dedicated group of IT experts working as one group to oversee a network of smaller SOCs monitoring specific infrastructure or locations. Centralized command and management of distributed expertise provides the most comprehensive option for in-house SOCs.
However, Command SOCs are incredibly resource intensive. Ironically, Command SOCs can also lead to gaps in responsibility between branch SOCs and the Command SOC unless they are designed and coordinated very carefully.
Only the largest organizations can afford in-house Command SOCs so they don’t tend to exist outside of governments, banks, cloud providers, and other huge enterprises.
Co-Managed SOCs use a combination of local on-site monitoring solutions and staff in addition to external resources. This model provides enormous flexibility for tools and staffing and enables options to outsource either low-end tasks to low-cost resources (overseas offices or vendors) or high-end threat hunting to more experienced staff (consultants, MDR vendors, etc.).
As with Command SOCs, poor implementation can lead to responsibility gaps and missed alerts so this method requires careful coordination and assignment of responsibility (and liability). This option is best for enterprises dedicated to retaining on-site security talent or that wants to supplement existing resources as they grow.
This model fully outsources the SOC to a cloud-based portal managed by an off-site monitoring and event response team. This option is the fastest to implement and typically the least expensive option.
SOCaaS avoids purchasing or implementing expensive security tools or hiring expert IT security engineers. Organizations obtain expertise at a fractional cost, but still need to be careful because different vendors will provide different levels of service.
Organizations without any in-house security expertise may have difficulty identifying quality providers, yet this hurdle can be overcome through testing and interviewing references. This model remains ideal for organizations of all sizes that need low-cost, but highly effective security.
In-House or External SOC
For most organizations, IT security does not directly contribute to the core business mission of the company. Since security is a requirement, but not essential to corporate goals it can be outsourced partially or completely.
Most organizations that hesitate to outsource SOC functions worry about reduced visibility into security processes, loss of control over company data, lack of flexibility for storage or tools, and a vendor’s lack of expertise in industry-specific threats. However, each of these outsource issues apply equally to in-house security teams as well!
To overcome these issues requires coordination, communication, and careful planning. High quality outsourced SOC providers with strong customer service can provide these skills and address an organization’s concerns with adjustments to processes, additional reporting, or other considerations.
For a more thorough exploration of internal or external SOC models consider reading Security Operation Centers: Outsourced or Internal?
SOC Security Infrastructure Integration
A SOC fits into a security architecture and layered security stack that will include other important functions and resources such as:
- Endpoint security (such as Antivirus or Endpoint Detection and Response tools)
- Firewalls (internally or externally managed)
- Network intrusion detection systems and intrusion prevention systems (often managed directly by a SOC)
- Security Incident and Event Management (SIEM) tools
- Managed Detection and Response (MDR) services
How an organization decides to implement a SOC often depends upon how the SOC will fit in with existing security investments, processes, and security talent. Outsourced or managed SOCs have the expertise to bring additional flexibility and options for their clients.
Benefits of a Managed SOC
Well implemented SOCs provide invaluable security insight, but take a lot of time and money to implement. While organizations might be willing to make the investment, another key barrier is the availability of sufficient talent to staff a SOC.
A Managed SOC avoids provides three enormous benefits to the customer:
- On-Demand Expertise
- Saved Time
- Saved Money
A shortage of experienced IT security professionals increases the costs and the difficulty to acquire talent. For any talent that can be hired, an organization then faces the burden of training that talent, keeping them busy with interesting tasks, and finding ways to retain the talent with new opportunities arising constantly.
Opting for a managed SOC allows an organization to access the exact level of security expertise they need, when they need it. There is no hiring pain, no training burden, and no ongoing retention costs – only a simple monthly fee from the Managed SOC vendor.
An organization contracting with a managed SOC avoids the wasted resources of hiring expensive incident response experts only to bore them to death with alert analysis and watch them quit. They also escape the risk of hiring less experienced talent only to find themselves facing an expert adversary before the inexperienced talent can be trained.
A modern SOC may not require a facility, but it still requires time to evaluate and hire staff as well as evaluate, purchase and deploy tools. If the staff does not already have experience with those tools, then training time will be needed before the SOC can even connect those tools with alert feeds and begin protecting the organization.
A managed SOC already has infrastructure in place, tools ready to deploy, and staff already available. The team already has deployment experience that will shorten the time to install any tools, connect those tools with alert feeds, and tune the tools to reduce false positive alerts.
Additionally, the experience and broad customer base of the SOC shortens the time to process alerts and identify attacks because of experience with similar systems. In-house teams may wait weeks or even months between significant attacks, but by managing many different customers, Managed SOC teams see attacks regularly.
Regular attacks mean that managed SOC experts gain more experience in a shorter period of time. After all, the experience of responding to attacks on any one customer immediately becomes experience applied to all customers.
When an organization selects a managed SOC, they save money in two key ways that are distinct and important for any CFO. Saved expenses and saved cash.
A managed SOC reduces the expenses compared to an in-house SOC because the expensive tools and talent is split over multiple customers. In many cases, the monthly cost for a Managed SOC can be even less than the in-house hiring costs for IT security talent alone!
Even better, managed SOC experts use their experience to reduce the number of hours (and hourly expenses) needed to perform most services. This includes time to catch adversaries which can also reduce the potential damages and subsequent costs of remediation related to an attack.
Selecting a managed SOC also saves cash by avoiding Capital Expenditure (CapEX). When purchasing the tools, buying equipment, hiring the staff, and building out SOC capabilities, the company must invest far more money up front which often must be depreciated over several years.
This CapEx expense ties up cash flow and creates much higher on-going expenses to maintain and retain the tools, equipment, and staff. A managed SOC incurs a simple operating expense (OpEx) that can be expensed monthly.
Picking a Managed SOC Solution
A Managed SOC makes security affordable for enterprises of all levels and offers clear cost advantages over in-house SOCs. However, the quality and specifics of the tools and talent will vary from vendor to vendor and from offering to offering.
To evaluate a managed SOC solution, an organization should evaluate the following:
- How much customization is necessary for the organization’s IT?
- How much needed customization can be provided by the vendor?
- Does the vendor send data overseas for evaluation by low-cost security talent?
- Can the vendor use tools that apply artificial intelligence or machine learning?
- How long has the vendor been delivering security services?
- Can the vendor supply references?
- Are there any vendor references available from the same or a comparable industry?
- What other security services or tools can the vendor provide?
Security operations centers provide definite benefits to any organization seeking to improve their security. However, a managed SOC from a quality vendor can improve security faster, with more expertise, and with less costs when compared with an expensive in-house SOC.
Still, organizations need to evaluate their potential security partner carefully. A cut-rate managed SOC solution staffed by overseas talent might be cheaper, but it also introduces additional risks and may not be able to deliver customization or high-end threat hunting expertise.
Organizations need to find vendors with decades of experience, satisfied customers, and a broad security service portfolio. The broad and deep experience ensures that the vendor can recognize issues over a broader range of resources and provide additional support for incident response, resource recovery, compliance, and other related issues.
For more guides to Managed SOCs or other security solutions please see:
- Why Managed SOC is Essential for SMB (whitepaper)
- Key Reasons You Need a Security Operations Center (whitepaper)
- The CFOs Guide to Managed Security (whitepaper)
- Managed Detection and Response (MDR) Evaluator’s Guide (eBook)
- ClearNetwork SOCaaS (product page)
- ClearNetwork Security Services (product page)