24/7 threat protection – running a Security Operations Centre

Written by Joseph Poppy & Andy Smith on 28/02/2020

Why is a Security Operations Centre important?

A modern, dynamic business needs to be proactive about its cyber security. A data breach can be costly, with the latest estimates putting the average at £3.18 million, and reputational damage can be even harder to recover from. Hackers can strike at any time from anywhere in the world, which means businesses have to be on guard 24/7.

This is where the Security Operations Centre (SOC) comes in. A SOC and the trained analysts behind it are integral to maintaining good security and stopping threats before they cause damage to the business they are monitoring.

A Security Operations Centre or SOC is a central unit that oversees a company’s security through the use of people, procedures and technology. The idea is to detect and protect against cyber threats by collecting data in one central location, processing it with the latest technology and having trained security analysts conduct investigations on any alerts and anomalies raised.

Organisations of any size are open to cyber threats, and with cyber criminals using more sophisticated hacking software, protection has become an increasingly challenging task.

As a consequence, businesses are exploring new programmes and services to defend themselves against cyber attacks, and integration with a Security Operations Centre is becoming increasingly popular.


What does a SOC do?

A SOC protects a corporate network by combining technologies and incorporating a variety of internal and external threat intelligence data. The SOC (or rather the SIEM technology used by the SOC - but more on that later) will detect threats via log analysis taken from a variety of endpoints across the business. These threats will be raised according to predefined rules which can be configured to suit any organisation.

These events can then be investigated by a trained security analyst to determine the true cause and extent of the problem.

Our Security Operations Centre protects hundreds of customers per month

What is a managed SOC?

A managed SOC is an external Security Operations Centre that monitors environments on behalf of other businesses. Often referred to as an outsourced SOC service, it lets businesses pay a simple, affordable monthly retainer fee rather than build their own SOC. It is sometimes referred to as SOC as a service (SOCaaS).

SOCs must monitor 24/7 to be effective

Managed SOC versus Dedicated SOC

A managed SOC is an outsourced SOC option that gives you access to 24/7 security monitoring along with a whole security team. These are best suited for businesses that don’t yet have a monitoring strategy. A managed SOC is often quick to set up and is usually sold as a software as a service (SaaS) model, meaning it can expand with your business.

A dedicated SOC provides organisations with dedicated teams made up of experienced analysts to complement existing security strategies. These are best suited for businesses that have their own security technology but are struggling to find the staff to cover 24/7 monitoring.


Why do you need a Security Operations Centre?

A Security Operations Centre is vital to maintaining a strong security posture. Loaded with powerful SIEM software, a SOC will help monitor and protect against threats. Cyber criminals are active at all times everywhere in the world, and a fully staffed SOC will help prevent hackers from compromising your environment.

More and more compliance packages are making some form of log monitoring mandatory. It’s an essential part of PCI DSS for instance. Without a SOC gathering the right information, it will be difficult to tell if you are under attack or worse, have been breached. Dwell time, the time it takes to detect a breach, is a serious issue, and the right monitoring helps keep it to a minimum.

If you are breached, investigating the root cause will be difficult if you haven’t been gathering the right data. A SOC that has archived logs appropriately means all evidence and indicators of compromise will be preserved for digital forensic analysis.

What tools are used in a Security Operations Centre?

The hardware involved will vary, but a SOC will be using a complex SIEM system to correlate and analyse logs before flagging security events to analysts for investigation.

SIEM stands for Security Incident and Event Management and encompasses the technology aspect of a SOC. What goes into a SIEM can differ depending on the product but will often include cyber defences such as:

  • Intrusion detection systems (IDS)
  • Intrusion prevention systems (IPS)
  • File integrity monitoring (FIM)
  • Web application firewalls (WAF)
  • Data loss prevention
  • Vulnerability scanning

A log collector will pass the log data on to the SIEM, which will correlate it into meaningful groups. There will often be some behavioural analysis involved, and activity will be compared to a set of rules unique to each environment.
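To make the collect, correlate and rule-match flow concrete, here is a small added example (not Bulletproof's code or any product's SIEM) that parses constructed login events, groups them per host and user, and applies two environment-specific rules: a burst of failed logins followed by a success, and a login from outside the countries the business expects to see. The log format, the sample events and the expected-country baseline are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in an assumed "time host user country result" form.
SAMPLE_LOGS = """\
2020-02-28T09:00:01 web01 alice GB fail
2020-02-28T09:00:04 web01 alice GB fail
2020-02-28T09:00:07 web01 alice GB fail
2020-02-28T09:00:09 web01 alice GB fail
2020-02-28T09:00:12 web01 alice GB fail
2020-02-28T09:00:15 web01 alice GB success
2020-02-28T09:30:00 db01 bob RU success
2020-02-28T10:00:00 web01 carol GB success
"""

# Environment-specific baseline (assumed): countries logins are expected from.
EXPECTED_COUNTRIES = {"GB", "DE"}

def parse(lines):
    """Log collector stage: turn raw lines into event dicts."""
    events = []
    for line in lines.strip().splitlines():
        ts, host, user, country, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "country": country, "result": result})
    return events

def correlate(events, max_fails=5, window_s=60):
    """SIEM stage: group events per host/user and apply two predefined rules."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["user"])].append(e)
    alerts = []
    for (host, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        fails = []  # timestamps of recent failed logins for this host/user
        for e in evs:
            if e["result"] == "fail":
                fails.append(e["ts"])
                fails = [t for t in fails if (e["ts"] - t).total_seconds() <= window_s]
            elif e["result"] == "success":
                # Rule 1: a success straight after a burst of failures
                if len(fails) >= max_fails:
                    alerts.append(("brute_force_success", host, user))
                fails = []
            # Rule 2: login from outside the baseline of expected countries
            if e["country"] not in EXPECTED_COUNTRIES:
                alerts.append(("unexpected_country", host, user))
    return alerts
```

Tuning `max_fails`, `window_s` and `EXPECTED_COUNTRIES` per environment is the reconfiguration work that reduces false positives, as described later in the article.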


Should I build my own SOC?

Building a SOC is time consuming and expensive. Even when using off-the-shelf software and hardware, the most basic SOC will require a large budget. Plus there are staffing costs to consider. A worthwhile SOC will be staffed 24/7, so you will need to hire enough staff to cover round-the-clock shifts, whilst also taking holiday and sick pay into account.

The difficulty here is that there is a huge shortage in qualified cyber-security experts with nearly 3 million cyber-security roles looking to be filled. Trained analysts with the skills to effectively investigate alerts are expensive assets. This means that in-house SOCs are typically the preserve of large multi-national corporations only.

There are benefits to building your own SOC though, such as:

  • Dedicated to your organisation (analysts will be focussing purely on your environment)
  • Analysts will work for you and be able to take immediate and direct action
  • Software can be designed for your environment (if built yourself)
  • May be an easier process to make configurations directly
  • Not reliant on third parties

Outsourcing your SOC

Increasingly, organisations are following the trend of outsourcing SOC obligations. There are many benefits to this model, with cost being the biggest one. Paying a monthly fee to a reputable vendor will give you access to the latest tech along with the skilled staff needed to monitor and investigate alerts. The difficulty here is that there is a huge shortage in qualified cyber-security experts. There are around 2.93 million unfilled cyber-security positions, and the average salary for a full-time (junior) SOC analyst is around £27,000.

With outsourcing you can relax knowing your business is covered by qualified experts 24/7 at a fraction of the cost of hiring in house.

The benefits of outsourcing are:

  • Significantly reduced cost
  • Access to qualified and experienced staff
  • Wider range of threat data
  • Any upgrades will usually be applied to your service automatically

What is the difference between a NOC and SOC?

A NOC (Network Operations Centre) and a SOC (Security Operations Centre) can be seen as complementary, but they are fundamentally different services. A NOC is concerned with responding to incidents that affect the availability and performance of services, whereas a SOC is concerned with the protection and integrity of information. Put simply, a NOC responds to technical faults and events that risk downtime, and a SOC responds to events regarding security.

Now, for a section that will definitely get lost in the edit, I present the Dr Seuss version:

A NOC keeps sites going around the clock. But if it’s hackers you wish to block, you will definitely need a SOC. If the day presents numerous technical events, take stock! You good sir need a NOC. If day and night, you want oversight of all your digital assets; if you want to see where hackers flock, you want a SOC and all its facets.

A CSIRT responding to a security event... they might not always look this cool

CSIRT versus SOC

CSIRT and SOC often come up in similar contexts, but they are in fact different teams. A SOC, as we have established, is the Security Operations Centre. The go-to analogy is to think of the SOC as the brain of a cyber security team. A CSIRT (Computer Security Incident Response Team) is a department that may work with a SOC, but which is responsible for responding to security events, coordinating strategies and conducting forensic investigations.

Both teams seek to detect and respond to security events, but a SOC tends to focus more on the ongoing monitoring of staff, systems and applications, whereas the CSIRT team tends to take prompt action to minimise damage in the event of a security incident.

The SOC Lifecycle

The threat landscape is always changing, so SOCs need to be too. A good SOC will constantly undergo reconfiguration to better suit a business’s activity and reduce false positives. Up-to-date threat information should be fed into a SOC to catch the latest evolving attacks. This is known as the SOC lifecycle. SOCs should always be adapting and evolving. Again, unless you’ve chosen the outsourced or managed option, this can incur significant cost in time and resources.


Start-up and requirements capture

When setting up a SOC, either in house or outsourced, it’s important that you understand what you are buying and that your provider understands your requirements. In the beginning, it’s essential that your provider/designer knows:

  • Your core business objectives
  • Your infrastructure/environment
  • Expected traffic (e.g. do you communicate regularly overseas?)
  • Data retention requirements.
  • What assets are most important

A good SOC team will work with you to understand your business’s requirements

If outsourcing, it’s also essential that any relevant procedures are established, such as initiating change requests and maintenance alerts. Failing to do this could lead to alerts being raised unnecessarily.

It’s important for businesses to understand:

  • Outsourced SOC teams will (usually) not be able to make changes on your environment
  • Precisely what’s on offer, especially if the vendor provides tiered services
  • Whether the vendor is reliant on other third parties

Other elements, such as KPIs, SLAs and escalation processes will need to be established at the start of any working relationship and tweaked where necessary.

How much does a Security Operations Centre cost?

The cost of a SOC can vary, depending on what you choose to put into it.

Here’s a price comparison of some options you can choose from if you decide to purchase an off-the-shelf SIEM, an open source product or you opt to outsource the SOC entirely to an external supplier.

Security Operations Centre costs (Year 1)

| Cost item | Self-managed SIEM | Open source log management platform (without scanning, FIM, HIDS, IDS) | Bulletproof Proactive Monitoring |
|---|---|---|---|
| SIEM appliance (minimal spend) | £200,000 | £34,000 | |
| End-user training (5 days minimum training, 4 days minimum deployment) | £9,450 | £9,450 | |
| Intelligence feed minimum costs | £9,450 | £9,450 | |
| Intelligence engineering time | £3,500 | £3,500 | |
| Machine learning (3 nodes/year) | n/a | £18,000 | |
| Vendor health checks and maintenance | £2,100 | n/a ** | |
| Maintenance and support contract | £6,000 | £6,000 | |
| Device support assistance | £5,250 | n/a ** | |
| Minimal employee costs, junior only (24/7/365) | £210,000 | £210,000 | |
| Training (7 days) per head | £6,000 | £6,000 | |
| Total cost, Year 1 | £466,300 | £310,950 | £50,000 (complete service cost) |

  • ** requires self training and fault finding

Security best practices are fundamental to a good SOC

Best Practices for running a SOC

Running a SOC is complicated and relies on having a strong and knowledgeable team. However, a few key best practices are:

  • Conduct an asset audit beforehand
    • If you have exposed services that shouldn’t be, make them private
  • Create and test an escalation procedure
  • Start defining rules to establish normal behaviour
  • Define normal user behaviour
  • Ensure 24/7 coverage – hackers can strike at any time

Monitor, investigate and protect

A Security Operations Centre is a vital part of any successful security strategy. Unfortunately, building an in-house, dedicated SOC is beyond the means of most businesses. But on the bright side, outsourced services are extremely effective whilst also being affordable. Monitoring your business environment, investigating threats and conducting ongoing threat hunting will help keep your information safe from cyber criminals.

  • Bulletproof are CREST approved
  • Bulletproof are ISO 27001 and 9001 certified
  • Bulletproof are Tigerscheme qualified testers
  • Bulletproof are a PCI DSS v3.2 Level 1 service provider
  • Bulletproof have a 24/7 on-site Security Operations Centre
