Opinion: Five things to ask before building a SOC
Mahmoud Mounir, regional director, Secureworks META, on why in-house SOCs can be an effective choice for organisations
Building a security operations centre (SOC) demands a huge amount of time and resources. You need to staff an operations centre from Monday to Friday, from 9-5 or better, 24x7, 365 days a year; and that is just front-line analysis. An effective SOC must also be able to generate and/or consume intelligence about an ever-changing threat landscape, and must have forensic and incident response capabilities that can act in a time of crisis without creating more impact to the business than the bad actors did.
However, building a SOC does not have to be all or nothing, and there may come a time when you have reached a level of internal maturity and business demand at which building an internal SOC capability makes sense. Despite the challenges, in-house SOCs can be an effective choice for an organisation. Before deciding whether to bring things in-house, security leaders should consider five key areas.
Where am I in my security maturity journey?
The first thing to assess is how your current security stack measures up to the risk you are trying to mitigate. That involves understanding your core competencies and weaknesses, as well as the kind of risk that concerns you. If you have audit control requirements, your path forward will be different than if you were facing true security concerns. From there, it's important to deeply understand your security architecture and how it relates to achieving the desired outcomes. You should not only consider what you believe to be your cyber key terrain – “your keys to the kingdom” if you will – but also what a potential adversary sees as valuable as a target of opportunity. Is your IP or financial data the target, or are you a potential vector into your own customers or business partners? Are you a gateway through your connections to much larger payoff for the adversary, or are you merely collateral damage?
Do I have the basics down?
In the vast majority of our incident response engagements last year, the primary attack vector was via an exploit where a patch was readily available. It's really a matter of lack of due diligence, lack of security fundamentals, and a lack of understanding of where you are in your architecture.
There are many reasons why this is the case. Mergers and acquisitions often mean you inherit the poor cyber hygiene of another company, and as a CISO or CIO, you must bring some semblance of order from the chaos.
In a complex organisation, patch management is also very difficult. Companies still seek our help in prioritising what they should fix and when, because patching everything all the time is difficult to maintain and can introduce risk if not done methodically.
There are a lot of reasons why the fundamentals aren't being captured, but the reality is you don't have to worry about an adversary's A-game if commodity threats work all the time. You've got to cover the basics before you get to the advanced techniques a SOC requires.
But getting the fundamentals right goes far beyond patching. It means having a firm and real-time understanding of your internal architecture at the physical and logical layers, a firm understanding of the vendor software and architecture within your own, and visibility and understanding of the systems and services you share with partners. Know thyself! Don't delude yourself!
What skillsets do I need?
A neurologist and a proctologist are both doctors, but you certainly don't want them doing a tag-team swap in the middle of each other's surgeries. It's the same with security: a person hired to do firewall management is not the same person who can do endpoint forensics. It's important to understand the skillsets you actually need and identify where you want to leverage partnerships or take on the burden yourself.
Even understanding what skillsets you need can be a challenge. It means an organisation already staffs security leaders who understand the nuances and complexities of building a cohesive security team and how current staff fit into that picture. SOCs include many different roles across many different tiers of operation. You may need a tier 3 incident responder, or a tier 1 analyst to look at your SIEM and conduct threat aggregation. If there is confusion regarding those differences, then building an effective SOC will be harder.
Do I have the resources to hire?
Once you've identified the skills you need, you need a pragmatic way to assess the skills of potential employees. I suggest assessing a person's technical skills first, then using a situational-based assessment to check context knowledge and reasoning.
For example, if we were hiring a frontline analyst who's going to do intrusion analyses of frontline network devices, then we would give them some packet captures and ask them to tell us what they're seeing. Even if they don't identify exactly what's going on, they may show sound working logic that could be an asset.
You should also consider each person's personal goals and career path. Frontline analysts typically leave after about 24 months because of the repetitive nature of the job. You need to be ready to accept this level of attrition and find ways to move employees into other positions to retain as much talent as possible. Just as your tech stack is constantly refreshing, so too will your SOC employees.
Could I use a partner?
It's tempting to view an in-house SOC as a way of streamlining your security operation by cutting ties with security services vendors. But these companies can also be SOC enablers by helping you plug the skills gaps that you don't have the time or inclination to try and fill. Maybe you have world-class incident responders on your team but lack the staff to really drill down on cyber hygiene. Or perhaps you don't need a 24x7 SOC analyst but want a security firm to do basic blocking and tackling for you, so that you can free up dollars to hire an incident response team.
Today, automation has all but removed the need for human analysis of packet captures of intrusion detection and protection tools. If you're wondering where you should hire human talent, then endpoint forensics and behavioural analysis of the adversary are worth more attention. Talented professionals in those areas keep you protected from the most damaging forms of intrusion.
The knowledge and skills that partnerships offer can be vital to helping you create a SOC in-house. Expensive data sciences and analytics are a game of scale that most single companies simply don't have the resources to undertake, but many cybersecurity firms are increasingly experts in. Partnerships with vendors that excel in those areas can reduce the number of alerts, the number of false positives and time to detect for your team without requiring massive investments of time and money.