Cyber criminals are evolving into sophisticated organisations with specialised roles working towards one common goal – to attack a business’ IT systems or data, most likely for financial gain.
Over the past year we have witnessed some truly destructive cyber attacks occurring on a global scale. Although cybersecurity teams have tried their best to keep up with the onslaught of activity, threat actors have demonstrated their expertise in how they target and deploy cyber attacks time and time again. From the shift towards using a ransomware-as-a-service model to the use of tactical experts as a result of role differentiation within ransomware groups, cybercrime has evolved significantly.
As a result, many SME owners are already asking themselves whether their cyber security team has the expertise and resources to deal with these highly organised cyber criminals and considering whether they should outsource aspects of their Security Operations Centre (SOC).
There has already been a shift in investment in seeking end-to-end support from Managed Service Providers (MSPs), with a recent study by Analysys Mason revealing that SMB spending through MSPs is expected to grow 11% year-on-year to expand on their existing IT management service with advanced cyber security solutions.
A business should choose to outsource cybersecurity if it determines that it cannot complete certain security tasks because its cybersecurity team lacks the necessary time, experience, bandwidth, or other resources. But how do you do this in the most efficient way possible?
What is a SOC and do you really need one?
A modern Security Operations Center (SOC) is a facility where security analysts utilise forensic tools and threat intelligence to hunt, investigate and respond to cyber threats in real-time. According to Gartner, a modern SOC must have four capabilities: detection engineering, monitoring, incident response, and threat intelligence.
The role of the SOC is to protect an organisation from known and unknown cyber threats that can bypass traditional security technologies. While every organisation should have access to a SOC facility, not many have the resources required to build their own in-house SOC.
So, now you must decide: should you build your own SOC in-house using your own staff, technology, and resources or should you outsource SOC capabilities by enlisting the help of a Managed Detection and Response (MDR) partner?
Are you ready for an in-house SOC?
Building an in-house SOC facility isn’t an overnight decision. In addition to years of commitment into designing the facility, your cybersecurity team must consider the financial investment required to arming it with the best people, processes, and technology.
Considering the up-front and ongoing investment involved with building an internal SOC, a growing number of organisations have turned to a Managed Detection and Response (MDR) provider.
However, if you’re still thinking about building an internal SOC, start by asking these critical questions:
1. What is the annual budget you have allocated toward the SOC?
Is your organisation prepared to spend millions and several years of time investment into building a SOC? The ongoing CapEx and maintenance of an in-house SOC is costly, so you need to have the financial and organisational buy-in for the project.
On the other hand, it is significantly more cost-effective if you use an external SOC provider. So, work with your internal stakeholders to determine budget, responsibilities, and timing prior to making your decision.
2. Can your team of security analysts support 24/7 in-house SOC operations?
Keep in mind that although you need 24/7 coverage, you don’t need 24/7 in-house operations. Depending on your current risk tolerance, staffing a 24/7/365 SOC becomes a costly endeavour.
If you outsource your SOC operations, you have the option of splitting time with your SOC provider (i.e., your security analysts work from 8-5 while the provider covers your team outside of those hours) or simply rely on the provider for full 24/7 operations. The latter option also helps your team get access to expert analysts, so you don’t have to worry about attracting and retaining skilled analysts yourself.
3. Who is going to design the SOC?
Do you have the skilled expertise necessary to design this in-house or the required budget to attract the right person for the role? Considering that building a SOC is a multi-year project, you need to be confident that you can retain the talent needed to see the project through from start to finish.
By leveraging an external SOC provider, your team can access a fully operational 24/7 SOC within weeks of deployment. Plus, you don’t have to plan for attracting and retaining the required expertise – your SOC provider shoulders that responsibility.
4. Who will document SOC processes and procedures?
There are governance, risk, and compliance frameworks you need to consider as you set up your internal SOC. You need to make these considerations prior to scaling your SOC operations, so it’s your responsibility to learn about the regulations facing your business or industry and map out your requirements from the very beginning.
5. How will you interpret and deliver threat intelligence insights?
Detection engineering is a key capability in a modern SOC, which requires that your team is able to innovate at the same pace as cyber attackers. On the other hand, an external SOC provider will afford you the expertise of a Threat Intelligence team to help correlate and enrich intelligence from daily SOC investigations to deliver key insights.
An added benefit of working with an external MDR provider is that you can take advantage of their robust customer base to drive further threat intelligence. Lastly, consider the importance of response times as part of your SOC operations. Without good threat intelligence or reduced SOC operational capacity, it can take several hours (even days) to detect and respond to threats.
Engaging an external MDR provider will drastically impact how fast a potential threat will be detected, investigated, and contained. What’s more is that your team will even get full incident response and remediation support with digital forensics capability.
6. How will you demonstrate value to the executive team and board of directors?
Since setting up a SOC is a multi-year commitment, you need to report on critical KPIs such as the Mean Time to Contain, Mean Time to Detect, number of threats disrupted, and the impact on the overall business is key to justify the investment and demonstrate its value.
On the other hand, if you work with an external SOC and MDR provider, it’s their responsibility to report on the key KPIs and metrics based on your business objectives and priorities so that you can convey the ROI to your executive team and the board of directors.
7. Do you have enough staff to build a SOC team?
Not only must your organisation be able to attract the best security analysts, but it must also be able to retain them year after year and grow the team as your SOC operations scale. Attracting and training this talent may even impact your Time to Value.
However, with an external MDR provider, you have access to elite cybersecurity analysts 24/7. This means SOC deployment will take a few weeks at best compared to a months-long process if you’re building it in-house.
8. How are you going to engineer and deploy the technology required to run and manage the SOC?
Building an internal SOC requires multiple product purchases and vendor contracts. Moreover, your team will also have to integrate all the tools into a single solution. So, assess your tools, people, and skills to determine whether you have the expertise to evaluate and deploy these technologies in-house.
In comparison, an external MDR provider will have all the fully integrated technologies and skilled expertise in place, which can save your team time and resources.
The reality is that regardless of the organisation’s size, the answer to protecting your business 24/7 from cyber threats lies within a SOC. One solution does not fit all. Babble is a security partner that can amplify your in-house IT team, augment your MSSP, or be a full-service security solution. We can support your business’ cyber program with 24/7 Managed Risk Programs, Managed Detection and Response Services, and Incident Response Services – backed up by a complete suite of professional services.
To speak to somebody at Babble about how we can help you with an outsourced SOC strategy, please contact one of our cyber specialists here: Cyber Security Solutions | Services | Babble.
This article has been published in conjunction with cybersecurity partner, eSentire – the Leading Authority in Managed Detection and Response.