Security Operations Centres (SOCs) have an important role to play in the large enterprise. But for mid-to-large enterprises, an in-house SOC may come with more cons than pros.
“Not all organisations need to build their own SOC, and doing so could incur unexpected costs and risk exposure,” notes Martin Potgieter, co-founder & Technical Director at Nclose.
The SOC, responsible for ongoing threat monitoring and analysis, differs from the IT security team, Potgieter explains. “Most organisations have security engineers, who typically manage security infrastructure like firewalls and AV – but they are not aligned with incident detection and response,” he says.
Potgieter says that many organisations assume that they can build and manage their own SOCs inexpensively and with ease. But the technology is just a part of the overall picture.
“The time and resources required to build an in-house SOC adds considerable unexpected costs to the project, plus the models used to build a SOC are often based on outdated models and technologies, meaning key building blocks of the SOC may be compromised,” he says.
“One of the biggest risks in building an in-house SOC is a false sense of security, he adds. “In the time it takes to mature the model, organisations will have gaps in security in the time it takes to get it right. It could take at least a year to achieve mature methodologies, and usually, the SOC is never finished as there are continuous improvements that will be needed.”
When determining the viability of an in-house SOC versus a Managed Detection and Response (MDR) service, organisations should consider:
- The size of the enterprise. “Considering the resources needed, an in-house SOC only becomes viable in an organisation with over 5000 or 10000 users, or in a particularly high risk mid-sized enterprise” Potgieter says.
- The skills that will be needed to run the SOC. Typically, these will include SOC security analysts, detection engineers and a SOC manager. These skills can be costly, and are scarce in South Africa, says Potgieter.
- The challenge of retaining highly skilled SOC staff. “Small organisations would struggle to keep security people engaged and challenged, and they would in all likeliness have high staff turnover due to this,” Potgieter says.
- The challenge of staying up to date. “In an in-house SOC, skilled resources would be limited. Due to the team being small, knowledge sharing and industry exposure would be a challenge. And due to the limited number of investigations that the security team will be exposed to, their experience levels will grow at a slower pace and the development of the SOC would take longer,” he notes.
- The costs of vendor Security Information and Event Management (SIEM) solutions, including hardware, licensing and support, which can amount to hundreds of thousands of rands in a 1000-plus user environment.
- An outsourced, MDR service can give organisations access to a world-class, mature SOC even if the organisations have limited skills resources and security budgets. Typically, the costs of an MDR service are 40% lower than the costs of building and running an in-house SOC.
“Upfront cost is not everything when it comes to deploying a SOC,” says Potgieter. “Organisations must carefully assess ongoing running costs, risks and real-world resource challenges to get a realistic understanding of which approach will work for them.”