Five factors to consider when establishing a Security Operations Centre

by James Carder, Chief Information Security Officer at LogRhythm

With the number of serious cyber threats on the rise, many businesses are evaluating the benefits of having a dedicated security operations centre (SOC).

When properly designed and established, a SOC becomes the organisation's central capability for mitigating cyber risk. It supports a range of tasks, from comprehensive monitoring of the IT infrastructure to a rapid, coordinated response when incidents occur.

When an organisation is looking to establish a SOC, there are five key factors that need to be considered. They are:

1. Build vs outsource vs hybrid

There are three approaches that can be taken when establishing a SOC. It can be built internally, it can be outsourced to a third party, or it can be created using a blend of the two.

Building an effective SOC can require a large capital investment, especially if it needs to run on a 24x7 basis, as there are significant costs associated with people, processes and technology. It also needs to be integrated into the wider business, with access to its systems, log sources and decision makers, so it can provide the level of protection required.

A key benefit of the build approach is that the organisation will have dedicated staff focused solely on protecting the organisation and with a deep understanding of the business. They will be well placed to take appropriate action as soon as it is required.

On the other hand, outsourcing a SOC can be very cost-effective. Hardware and software do not have to be purchased and deployed, and staff do not have to be hired and managed. An appropriate Managed Security Services Provider (MSSP) can handle everything, from monitoring the infrastructure to responding to incidents. It should be remembered, however, that a third-party provider has multiple customers, so your organisation will not be its only priority, and it will know far less about your business than an in-house team would.

A third option is to take a hybrid approach. Under this strategy, a company operates its own SOC during business hours but, outside these times, hands responsibility to an outsourced MSSP.

Under this hybrid approach, the MSSP triages and escalates events after hours, while full-time staff investigate and respond to incidents during normal business hours. This model is being adopted more and more, because it balances cost against the coverage needed to keep risk at an acceptable level.

2. Finding qualified staff

A shortage of experienced and qualified people in the IT security space can make staffing a new SOC a challenge. Companies end up competing not just with other companies but also with vendors and service providers. As a result, they may find it necessary to offer higher salaries and other benefits to attract and retain the best people.

It is also important to find the right mix of personnel when building a SOC. The classic tiered model is recommended: junior analysts at the entry level (Tier 1) handle initial triage, mid-level analysts (Tier 2) take on deeper investigation, and a select few experts (Tier 3) deal with the most complex incidents, threat hunting and tooling.

With this model, the available technical personnel budget can be spread out and provide growth and training opportunities up and down the tiers.

3. Attracting a strong security architect

When building a new SOC, it's important to have a strong security architect on staff. They should understand both the needs of the SOC and how it interacts with the various stakeholders in the business.

If it's not possible to find such a person, it's worth bringing in a third-party consultant who can act in an advisory role. Money spent on advisory services at the design stage pays for itself over the long term by avoiding costly rework later.

4. Selecting the right technologies

To establish an effective new SOC, technologies must be identified that align with the program being built, the skills of the staff and the processes being put in place. Often an organisation will purchase technology before the people and processes are in place; however, this usually reduces effectiveness, because tools nobody is ready to operate or tune generate noise rather than detections.

It is also important to take a platform approach. This means selecting best-of-breed technologies and making sure they integrate with each other, so that alerts, context and case data flow between tools rather than sitting in separate consoles.

The bottom line is that it's foolish to simply buy everything that appears in the relevant Gartner Magic Quadrant. Instead, ensure a strategy is developed that matches specific business requirements.

5. Remember governance, risk, and compliance

It is also important to consider the impact a new SOC will have on an organisation's overall governance, risk, and compliance (GRC) program.

In reality, a SOC should be a powerful ally of the GRC program. SOC staff should have visibility of everything in the IT environment and should know the overall business goals, policies and associated risks.

If a SOC is provided with the visibility it needs, GRC can draw on it for answers. For example, if you need to know whether the organisation is complying with a specific regulation, the SOC will already hold the relevant data. It can go further and continuously monitor, in near real time, whether the organisation is staying in or falling out of compliance, and it can identify which people or systems are in violation of particular policies. The caveat is that this only works for systems whose logs and inventory data actually reach the SOC; a system that is not reporting is itself a compliance gap.
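The following is an added example, not code from the article or from LogRhythm, of how continuous compliance checks can be run over the kind of data a SOC collects. The asset inventory and authentication events are constructed sample data, the control names ("patch-age-30d", "log-forwarding", "privileged-mfa") are hypothetical placeholders for whatever a regulation or internal policy actually requires, and the scope label "pci" is an assumed tag from an inventory system.

```python
"""Continuous compliance checks run over SOC telemetry.

Added example: the asset inventory and authentication events below are
constructed sample data, not real systems or logs, and the control names
are hypothetical placeholders for whatever the GRC team maps them to.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed asset inventory, as a SOC might pull it from a CMDB or SIEM.
ASSETS = [
    {"host": "db-01", "scope": "pci", "last_patched": "2024-05-15", "log_forwarding": True},
    {"host": "db-02", "scope": "pci", "last_patched": "2024-02-10", "log_forwarding": True},
    {"host": "web-03", "scope": "pci", "last_patched": "2024-05-20", "log_forwarding": False},
    {"host": "dev-09", "scope": "internal", "last_patched": "2023-12-01", "log_forwarding": False},
]

# Constructed authentication events: who logged in, whether the session was
# privileged, and whether a second factor was presented.
AUTH_EVENTS = [
    {"user": "alice", "privileged": True, "mfa": True},
    {"user": "bob", "privileged": True, "mfa": False},
    {"user": "carol", "privileged": False, "mfa": False},
    {"user": "bob", "privileged": True, "mfa": True},
]

# Fixed evaluation time so the sample gives the same answer on every run.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass
class Violation:
    control: str
    subject: str  # host or user that is out of policy
    detail: str


def check_patch_age(assets, now, max_age_days=30, scope="pci"):
    """In-scope hosts whose last patch is older than the allowed window."""
    out = []
    for a in assets:
        if a["scope"] != scope:
            continue  # out-of-scope systems are not judged by this control
        patched = datetime.strptime(a["last_patched"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        age = (now - patched).days
        if age > max_age_days:
            out.append(Violation("patch-age-30d", a["host"], f"last patched {age} days ago"))
    return out


def check_log_forwarding(assets, scope="pci"):
    """In-scope hosts that are not sending logs to the SOC at all.

    A silent host is a finding in its own right: none of the other controls
    can be evaluated for it, so the SOC cannot vouch for its compliance.
    """
    return [
        Violation("log-forwarding", a["host"], "no logs received")
        for a in assets
        if a["scope"] == scope and not a["log_forwarding"]
    ]


def check_privileged_mfa(events):
    """Users with at least one privileged session that lacked a second factor."""
    seen = set()
    out = []
    for e in events:
        if e["privileged"] and not e["mfa"] and e["user"] not in seen:
            seen.add(e["user"])
            out.append(Violation("privileged-mfa", e["user"], "privileged login without MFA"))
    return out


def evaluate(assets, events, now):
    """Run every control; a control maps to an empty list when it is met."""
    return {
        "patch-age-30d": check_patch_age(assets, now),
        "log-forwarding": check_log_forwarding(assets),
        "privileged-mfa": check_privileged_mfa(events),
    }


def summary(results):
    """Collapse per-violation detail into the pass/fail view GRC asks for."""
    return {c: ("compliant" if not v else "non-compliant") for c, v in results.items()}


def run_sample():
    """Evaluate the constructed data at the fixed sample time."""
    return evaluate(ASSETS, AUTH_EVENTS, SAMPLE_NOW)


if __name__ == "__main__":
    res = run_sample()
    for control, status in summary(res).items():
        print(f"{control}: {status}")
        for v in res[control]:
            print(f"  {v.subject}: {v.detail}")
```

Run against the constructed data, the checks flag db-02 for patch age, web-03 for not forwarding logs and bob for a privileged login without MFA, while dev-09 is left alone because it is outside the assumed PCI scope. In a real SOC the same functions would be fed from the SIEM and inventory on a schedule, and `summary()` is the view the GRC team would consume while the SOC works the individual violations.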

Paying attention to each of these factors will help ensure that a new SOC delivers the required protection without causing unnecessary disruption or cost blowouts. The result will be a better protected and better functioning business.