The cyber war is a total mismatch, but you already knew that. In one corner, attackers steadily develop ever more sophisticated ways to breach security - breaches that often go unnoticed for months. In the other, many organisations continue to stubbornly cling to traditional perimeter security and log collection tools to contain advanced persistent threats (APTs). Add to this brew the alarming shortage of skilled cyber analysts, and it’s no wonder that even though companies plan to invest $90 billion annually in cybersecurity, most organisations are still breached.
The need to build an advanced Security Operations Center (SOC) that integrates new security strategies is obvious. What is not so clear are the short- and long-term cost implications to the organisation.
An intelligence-focused SOC - and why every organisation needs it
If you think the traditional prevention-based model using signature-based perimeter tools is just fine for today’s security needs - and that an intelligence-focused SOC (iSOC) would just be an extra budget-breaking expense - think again. To adequately protect your company against APTs, you need to:
- Centralise disjointed security efforts or geographically distant operations
- Improve security visibility across the organisation
- Organise and boost the effectiveness of threat detection
- Cope with increasing threat levels from business initiatives that increase threat exposure
- Unify disjointed security controls to better defend against targeted threats
- Meet compliance requirements related to centralised monitoring and operations
Only an effective SOC can increase your preparedness and ability to detect and respond faster to today’s cyber threats. Now, the question becomes, “How do I build a SOC?”
Building your SOC
First, define its functions: A SOC is an organisational unit that integrates people, processes and technologies to provide situational awareness through prediction, prevention, detection and remediation of cyber threats. Specifically, it:
- Monitors networks, endpoints, machine data and traffic to identify possible cyber attacks
- Confirms whether these are real threats or incidents
- Analyses their business impact and scope
- Manages incident response efforts - properly identifying, analysing, communicating, investigating, reporting, and remediating them
- Provides continuous security monitoring and management, threat detection, investigations, forensic analysis, incident response, reporting, and security audits
Second, hire, train and develop staff to become experienced analysts and managers at differing levels of expertise:
- Tier 1 operators, who monitor the incident queue, triage security alerts and monitor security sensors and endpoints
- Tier 2 analysts, who perform deep-dive incident analysis and response by investigating data from various sources (forensics); determine whether a critical system or data set has been impacted; advise on remediation; and provide new rules and signatures for detecting threats
- Tier 3 analysts, who proactively hunt for cyber incidents based on in-depth knowledge of networks, endpoints, threat intelligence, forensics and malware reverse engineering
- SOC managers, who supervise personnel, budget, shift scheduling and technology strategy to meet SLAs, and liaise with senior management
Third, create and implement the processes needed to ensure effective security operations: This means everything from defining standard operating procedures and workflows to conducting audits and simulations. Additionally, it is critical to integrate existing security and IT tools within the SOC platform to support ingestion of alerts - pushing actionable intelligence to third-party security tools, leveraging additional threat intelligence sources, reporting and the like.
SOC alternatives and costs: You can “silo,” unify, or outsource it
It is already a given: in today’s complex and sophisticated threat environment, organisations must transition from traditional to intelligence-driven SOCs to acquire the full network and file visibility needed to detect advanced threats across the entire attack chain without relying on signatures.
With that in mind, organisations have three approaches to choose from when building an advanced intelligence-driven SOC - depending on their requirements, resources, and budget. When deciding, consider such key parameters as security effectiveness, operational efficiency, and total cost of ownership.
Unified vs siloed approach: A unified SOC approach enables organisations to significantly increase security monitoring coverage (100 per cent of alerts investigated as opposed to 4 per cent in the cherry-picked siloed approach). Additionally, by accelerating time to detection and time to investigation, organisations can significantly shrink the damage exposure window.
Staying on the conservative side, a unified SOC approach may well provide at least four times better security effectiveness than a siloed SOC. Given the probability and cost of being hit by a cyberattack, this translates into significant savings in terms of damage avoidance. Overall savings in total cost of ownership compared with a traditional SOC approach can reach up to 60 per cent. At the same time, a unified approach minimises the risk of costly data breaches through better threat detection and response.
Unified vs outsourced approach: Security outsourcing (giving a third party access to a company’s sensitive data) obviously increases risk, despite confidentiality agreements. Another drawback is the lack of control and visibility, since the tools and processes used by the service provider are a black box. There is no way to ensure that your provider is using the most effective security tools, and an SLA will not protect your data in the event of a breach.
Therefore, in terms of security effectiveness, operational efficiency and staffing costs, the unified approach is the most cost-effective and thorough way to build a SOC.
Yitzhak Vager, VP Cyber Product Management & Business Development, Verint Systems