Tech Insight: Building A SOC, From Outsourcing To DIY

Building blocks for developing the most effective security operations center

Todays security professionals need to have accurate information accessible to them at a moments notice. That accessibility is critical in order for them to respond to security incidents efficiently and effectively. Pulling all of that information together can be difficult since it has to be collected from all corners of the enterprise. Yet, difficult or not, its necessary so that triage can be performed quickly.
Unfortunately, we see research like Verizons Data Breach Investigation Report that shows us this isnt happening in a large percentage of cases. Instead, its months, even years, before a breach gets noticed. There are a handful of key issues that make this difficult. They revolve around a lack of trained and skilled personnel, the tools to provide them with accurate, actionable information, and the processes to enable them to do their jobs effectively.
To combat these issues, some organizations have built a security operations center (SOC) to become the hub of all security operations, streamline the incident-handling process, and enable ease of collaboration among security personnel. It sounds great, right? The reality is that assembling a SOC is no easy task, and it can be expensive, which is one of the primary reasons companies decide to outsource security operations.
To make the decision about whether to build a SOC, outsource it, or take a hybrid approach by mixing on-site security personnel with managed security services, lets look at some of the key features and decisions in the making of a successful SOC.
First and foremost, a SOC requires highly skilled security professionals to investigate security incidents, perform incident response and forensics, and help keep an organization afloat amid a data breach. These security pros are responsible for providing accurate information to management so the business can make sound decisions, such as whether critical systems need to be shut down for analysis or to stop data exfiltration.
An enterprise looking to build a SOC needs to evaluate whether it has the expertise in-house, what types of training might be necessary to get current staff to the level they need to be, and whether it needs to recruit additional personnel. Recruiting internally can be a good choice since the candidates will know the business and systems well. Also, current systems and network administrators are best because they have hands-on experience with the systems they will be investigating and are already likely to have good troubleshooting skills.
Where to house the SOC is another decision that can help or hinder the success of the team. Large enterprises can choose a standalone facility separate from the primary corporate buildings, but that wont work for budget-strapped organizations. Choosing to house the SOC within an existing network operations center (NOC) or the datacenter can help cut costs. Its important that SOC staff is kept together to help promote collaboration, cross-training, and general morale.
Theres more than just people and location, though. To have a successful SOC, there needs to be processes to follow and a supporting budget to keep it running. The processes will be based in policies, as expected, but the budget needs to be allocated from management. Without a large enough budget, it will be difficult to keep talented staff, purchase the necessary tools, and meet the needs of the business. And thats a tough issue that needs to be worked out prior to building a SOC internally.
The SOC will need access to logs from intrusion-detection systems, firewalls, servers, network devices, and just about anything else that generates logs. To analyze the breadth and volume of logs from all of those systems effectively, a security information and event management (SIEM) solution makes the most sense, but it doesnt come cheap when considering related hardware/software purchases, implementation, and training. Companies strapped for budget may have to live with homegrown tools for a while, or may consider outsourcing some analysis to a managed security service provider (MSSP).
Does outsourcing make sense? It does when expertise is not available in-house, or when budget does not allow for the large capital expenditures needed to staff, house, and train, or purchase the tools necessary to support SOC operations. Thanks to the many different offerings from MSSPs like Dell SecureWorks, Trustwave, and Accuvant, companies can choose to outsource just the log analysis activities to supplement existing security personnel or outsource all security-related activities.
Outsourcing can also make sense if theres a need for round-the-clock monitoring. Its possible to build a SOC and house it in a different time zone, possibly overseas, but choosing to have 24x7x365 MSSP analysts available could be more economical.
The decision to build a SOC shouldnt be taken lightly. Building a self-contained, well-staffed center can be cost-prohibitive for many. A compromise might be to start small by bringing together all of the security personnel in one location, supplementing them with services from a MSSP, and growing the team and their responsibilities over time. Or the costs of outsourcing all aspects of security may work best for your company. Either way, having a well-designed SOC can mean the difference between a small security incident and a data breach that makes the headlines; however, the costs and benefits need to be weighed carefully to figure out which design best meets your companys needs.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Tech Insight: Building A SOC, From Outsourcing To DIY