SOC on a budget
The Primary Models:
Building an internal in-house SOC is recommended for large-sized organizations who are mature from an IT and IT security perspective. Organizations who tend to build internal SOCs have the budget to support an investment that includes 24×7 around-the-clock effort and tends to deal with lots of moving parts in and around their network infrastructure.One of the more essential advantages that building an internal SOC has includes having the most visibility across the network (internally). The team is dedicated internally and will have the capability to monitor the environment and all of its log sources, providing a complete picture of where the organization stands from a threat landscape perspective. Some significant disadvantages include: possible misses in detection, a struggle to recruit and retain talent, and high upfront investment costs. In addition, this model typically takes a considerable amount of time to build at an effective and efficient level.
An advanced version of this model is referred to as a “fusion center”, which incorporates detection, response, threat hunting, intel sharing, and data science together to support a center’s mission in protecting the organization.
Selecting a virtual SOC is recommended for the majority of organizations who seek assistance from an outside firm to perform highly-skilled monitoring and detection duties. Some organizations may be mature in nature from an IT and IT security perspective, however budget constraints and limited expertise may hinder the ability to build a fully functional internal 24 x 7 SOC. Conversely, some organizations may fall under the very immature stages of protecting the organization and require expertise to step-in quickly to handle monitoring and detection efforts.Advantages of this model include: quickest, simplest, most scalable, and cost-effective to implement. In this model, since there are a wide variety of clients and industries that MSS (managed security services) typically support on a daily-basis, the expertise and wealth of additional intel can be invaluable for an organization. While this seems to be an attractive model for most, some disadvantages to consider include: the organization having reduced visibility of where they stand from a threat landscape perspective (at a granular level), some data is handled by a third party, and longer escalation times since the MSS wouldn’t nearly be as familiar with the organization as compared to dedicated internal employees.
Hybrid – Small Internal & Virtual SOC
A hybrid model brings out the best of both worlds; in-house staff complemented with third-party experts, offering the most secure approach from a monitoring and detection standpoint as there are supplementary pairs of eyes and double checking (of alerts) that takes place. Most organizations at this level are large enough to build a small team of their own, however lack the capability to build a fully functional internal 24 x 7 SOC because of budget constraints, expertise, lack of resources, and so on.Advantages include: most secure from a monitoring and detection perspective, quick detection & response time, low backlog as there are additional analysts (internally & externally) working through low, medium, and high priority findings. Additionally, this model offers the best learning combination for an organization and its employees in gathering and cross-training knowledge from the experts of an MSS. Significant disadvantages include: setting up additional hardware, data handled through a third party, and can be costly to sustain long-term.
There are multiple ways of envisioning the best approach in selecting a SOC model. The choice will highly depend on how the organization can handle existing threats.
For instance, you may want to ask, does your organization have the bandwidth and skill set to support monitoring and detection efforts after business hours? If the team cannot support this effort on a 24 x 7 basis, a hybrid solution may be considered in one instance where an MSS can examine lower priority finds (typically low-level alerts), and the internal team can handle higher priority concerns. There are many other instances where a hybrid solution can be effective depending on the needs of the organization, and better yet, any of these models can be effective as long as they are implemented to accommodate future growth of the organization and anticipate the next challenges the industry as a whole faces in combating cyber threats.