24/7 threat protection – running a Security Operations Centre
Written by Joseph Poppy & Andy Smith on 28/02/2020
What is a managed SOC?
A managed SOC is an external Security Operations Centre that monitors environments on behalf of other businesses. Often referred to as an outsourced SOC service, it lets a business pay a simple, affordable monthly retainer fee rather than build its own SOC. It is sometimes referred to as SOC as a service (SOCaaS).
Managed SOC versus Dedicated SOC
A managed SOC is an outsourced SOC option that gives you access to 24/7 security monitoring along with a whole security team. These are best suited for businesses that don’t yet have a monitoring strategy. A managed SOC is often quick to set up and is usually sold as a software as a service (SaaS) model, meaning it can expand with your business.
A dedicated SOC provides organisations with dedicated teams made up of experienced analysts to complement existing security strategies. These are best suited for businesses that have their own security technology but are struggling to find the staff to cover 24/7 monitoring.
What tools are used in a Security Operations Centre?
The hardware involved will vary, but a SOC will be using a complex SIEM system to correlate and analyse logs before flagging security events to analysts for investigation.
SIEM stands for Security Incident and Event Management and encompasses the technology aspect of a SOC. What goes into a SIEM can differ depending on the product but will often include cyber defences such as:
- Intrusion detection systems (IDS)
- Intrusion protection systems (IPS)
- File integrity monitoring (FIM)
- Web application firewalls (WAF)
- Data loss prevention
- Vulnerability scanning
A log collector will pass the log data on to the SIEM, which will correlate it into meaningful groups. There will often be some behavioural analysis involved, and activity will be compared to a set of rules unique to each environment.
Outsourcing your SOC
Increasingly, organisations are following the trend of outsourcing SOC obligations. There are many benefits to this model, with cost being the biggest one. Paying a monthly fee to a reputable vendor will give you access to the latest tech along with the skilled staff needed to monitor and investigate alerts. The difficulty here is that there is a huge shortage of qualified cyber-security experts. There are around 2.93 million unfilled cyber-security positions, and the average salary for a full-time SOC analyst (junior) is around £27,000.
With outsourcing you can relax knowing your business is covered by qualified experts 24/7 at a fraction of the cost of hiring in house.
The benefits of outsourcing are:
- Significantly reduced cost
- Access to qualified and experienced staff
- Wider range of threat data
- Any upgrades will usually be applied to your service automatically
CSIRT versus SOC
CSIRT and SOC often come up within similar contexts, but they are in fact different teams. A SOC, as we have established, is the Security Operations Centre. The go-to analogy is to think of the SOC as the brain of a cyber security team. A CSIRT (Computer Security Incident Response Team) is a department that may work with a SOC, but which is responsible for responding to security events, coordinating strategies and forensic investigations.
Both teams seek to detect and respond to security events, but a SOC tends to focus more on the ongoing monitoring of staff, systems and applications, whereas the CSIRT tends to take prompt action to minimise damage in the event of a security incident.
The SOC Lifecycle
The threat landscape is always changing, so SOCs need to be too. A good SOC will constantly undergo reconfiguration to better suit a business’s activity and reduce false positives. Up-to-date threat information should be fed into a SOC to catch the latest evolving attacks. This is known as the SOC lifecycle. SOCs should always be adapting and evolving. Again, unless you’ve chosen the outsourced or managed option, this can incur significant cost in time and resources.
If outsourcing, it’s also essential that any relevant procedures are established, such as initiating change requests and maintenance alerts. Failing to do this could lead to alerts being raised unnecessarily.
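As an added illustration of two points on this page, the log-collector-to-SIEM flow (logs normalised, grouped by source and compared against environment-specific rules) and the change-request point just above (an agreed maintenance window should not produce unnecessary alerts), here is a small Python correlation rule run over constructed sshd-style log lines. This is example code, not from the page or from Bulletproof; the log lines, hosts, IP addresses and maintenance window are all made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sample lines, not taken from any real system.
SAMPLE_LOGS = """\
2020-02-28T09:00:01 web01 sshd: Failed password for admin from 203.0.113.7
2020-02-28T09:00:03 web01 sshd: Failed password for admin from 203.0.113.7
2020-02-28T09:00:05 web01 sshd: Failed password for root from 203.0.113.7
2020-02-28T09:00:09 web01 sshd: Accepted password for admin from 203.0.113.7
2020-02-28T22:00:01 db01 sshd: Failed password for deploy from 192.0.2.9
2020-02-28T22:00:02 db01 sshd: Failed password for deploy from 192.0.2.9
2020-02-28T22:00:03 db01 sshd: Failed password for deploy from 192.0.2.9
2020-02-28T22:00:04 db01 sshd: Accepted password for deploy from 192.0.2.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<src>\S+)$")
# Environment-specific tuning: a maintenance window agreed via a (hypothetical) change request.
MAINTENANCE_WINDOWS = [(datetime(2020, 2, 28, 21, 30), datetime(2020, 2, 28, 22, 30))]

def parse(text):
    """Collector step: normalise raw lines into event dicts; unparseable lines are dropped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def in_maintenance(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: >= threshold failures from one source followed by a success inside the
    window. Returns (alerts, suppressed); suppressed = fired during maintenance."""
    failures = defaultdict(deque)          # src ip -> timestamps of recent failures
    alerts, suppressed = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()               # expire failures that fell outside the window
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            continue
        if len(recent) >= threshold:
            alert = {"src": ev["src"], "host": ev["host"], "user": ev["user"],
                     "failures": len(recent), "ts": ev["ts"]}
            (suppressed if in_maintenance(ev["ts"]) else alerts).append(alert)
        recent.clear()                     # a success closes the group for this source
    return alerts, suppressed
```

Running `correlate(parse(SAMPLE_LOGS))` raises one alert for 203.0.113.7 and holds the 192.0.2.9 match as suppressed, because it fell inside the agreed maintenance window.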
It’s important for businesses to understand:
- Outsourced SOC teams will (usually) not be able to make changes on your environment
- Precisely what’s on offer, especially if the vendor provides tiered services
- Whether the vendor is reliant on other third parties
Other elements, such as KPIs, SLAs and escalation processes, will need to be established at the start of any working relationship and tweaked where necessary.
| | Self-Managed SIEM | Open source log management platform (without scanning, FIM, HIDS, IDS) | Bulletproof Proactive Monitoring |
|---|---|---|---|
| SIEM appliance (minimal spend) | £200,000 | £34,000 | Complete service cost |
| End-user training (5 days minimum training, 4 days minimum deployment) | £9,450 | £9,450 | |
| Intelligence feed minimum costs | £9,450 | £9,450 | |
| Intelligence engineering time | £3,500 | £3,500 | |
| Machine learning (3 node/year) | n/a | £18,000 | |
| Vendor health checks and maintenance | £2,100 | n/a ** | |
| Maintenance and support contract | £6,000 | £6,000 | |
| Device support assistance | £5,250 | n/a ** | |
| Minimal employee costs, junior only (24/7/365) | £210,000 | £210,000 | |
| Training (7 days) per head | £6,000 | £6,000 | |
| Total cost Year 1 | £466,300 | £310,950 | £50,000 |

** Requires self-training and fault finding.
Best Practices for running a SOC
Running a SOC is complicated and relies on having a strong and knowledgeable team. However, a few key best practices are:
- Conduct an asset audit beforehand
- If you have exposed services that shouldn’t be, make them private
- Create and test an escalation procedure
- Start defining rules to establish normal behaviour
- Define normal user behaviour
- Ensure 24/7 coverage – hackers can strike at any time
Monitor, investigate and protect
A Security Operations Centre is a vital part of any successful security strategy. Unfortunately, building an in-house, dedicated SOC is beyond the means of most businesses. But on the bright side, outsourced services are extremely effective whilst also being affordable. Monitoring your business environment, investigating threats and conducting ongoing threat hunting will help keep your information safe from cyber criminals.