Does your SOC Measure Up?

Today’s organization is critically dependent on high speed, always-on external connectivity. It is how we interact with buyers, suppliers, partners, and remote employees. This always-on connectivity demands always-on security monitoring. A Security Operations Center (SOC) with 24/7 visibility and monitoring can offer cybersecurity protection for organizations of any size if equipped and managed correctly. The SOC provides centralized security event monitoring and threat detection along with rapid response capabilities. Perhaps you have security staff and security tools. But do you really have a SOC?

Author: A.N. Ananth, chief strategy officer (CSO), Netsurion.

Historically, SOCs have been internal to only large MSSPs and enterprise organizations, providing consolidated security operations focused on security event monitoring and threat detection/response, usually delivered 24/7. Cyber threats, however, continue to expand and attack organizations of all sizes and security maturity levels. More SOC options are now available to MSSPs and MSPs, detailed in Netsurion’s Managed SIEM and SOC Buyer’s Guide, with effective coverage that is both practical and affordable.

What is a SOC?

Broadly, a SOC is a cybersecurity command center that provides:

  • A strategic focus on threat detection and response.
  • A facility dedicated to the SOC, either physical or virtual.
  • A team operating around-the-clock to provide 24/7 monitoring.
  • A set of processes and workflows that support the SOC’s functions.
  • A suite of tools to help predict, prevent, detect, assess, and respond to security threats and incidents.

A SOC combines people, processes, and technology to detect and respond to advanced threats.

What does a SOC do?

A SOC enhances MSSP capabilities by performing the heavy lifting of cybersecurity coverage with deeper investigation and remediation actions such as:

  1. Security event monitoring, detection, investigation, and alert triaging
  2. Incident response management, including malware analysis and forensic analysis
  3. Threat intelligence ingestion, production, curation, and dissemination
  4. Threat hunting to gain proactive risk visibility and insight
  5. Risk-based vulnerability management such as patching prioritization
  6. Data and metrics development for compliance reporting and executive leadership

Current threat mitigation is all about comprehensive visibility and the analytics needed for rapid detection and response to stop cyber criminals.

How many people does a 24/7 SOC need?

Operating a 24/7/365 SOC requires eight to twelve full-time employees across three shifts. This number may even be low, as it does not fully account for management, specialized skills such as malware analysis, training, time off, or staff turnover. Retaining cybersecurity professionals is also difficult given the intense competition for these scarce skills.

Common roles within the SOC include:

  • Tier 1 and 2 SOC Analysts monitoring events, delivering critical observations reports, and responding to early warning health alarms
  • Tier 3 SOC Analysts performing threat hunting and more advanced incident analysis and response
  • Threat Research Lab Analysts focused on collating indicators of compromise (IOCs) from multiple sources
  • Platform Specialists who routinely administer, tune, and optimize the security platform, including SIEM (security information and event management) and EDR (endpoint detection and response)

How can we possibly afford a 24/7 SOC?

For MSSPs without a SOC, there are two main paths to standing up a SOC: building a do-it-yourself SOC or taking a managed approach such as SOC-as-a-Service (SOCaaS) from a master MSSP. Some MSSPs start with a DIY approach, only to find that there are too many complex tasks and hidden expenses. SOCaaS lets you build on your strong client relationships while it handles the heavy lifting of continual monitoring and of tuning machine learning-based correlation. SOCaaS avoids reinventing the wheel, takes advantage of economies of scale, and, when delivered as a co-managed service, offers all the advantages of an in-house SOC.

What are top SOC-as-a-Service benefits to MSSPs?

Operating a 24/7 SOC is necessary given the current threat landscape and the potential for crippling organizational damage. MSSPs are able to augment their security staff and focus their attention on more pressing issues. Key benefits of SOCaaS:

  • Detect and mitigate threats faster
  • Increase operational efficiency
  • Simplify security and compliance
  • Reduce cybersecurity costs
  • Provide a scalable multi-tenant solution

However, it can be extremely challenging to evaluate which SOC-as-a-Service best addresses your unique organizational goals, budget needs, and resource requirements.

How can you make the best choice for your organization?

Many organizations are finding cybersecurity success with a co-managed SOCaaS approach. Large businesses with an existing SOC, as well as IT service providers, should consider co-sourcing select functions such as tuning and operating a Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) platform. Netsurion delivers a highly impactful and cost-efficient SOCaaS built on our own unified security platform, which converges SIEM, EDR, intrusion detection, and additional security controls, all driven by our SOC in a co-managed service. Netsurion provides continuous monitoring for advanced threats without the sizable expense and time necessary to do it yourself. Learn more about SOC options for MSSPs in the Netsurion Buyer’s Guide.

Author A.N. Ananth is chief strategy officer at Netsurion, which offers the EventTracker security platform.