In-house SOCs hidden costs and considerations

Security Operations Centres (SOCs) have an important role to play in the large enterprise. But for mid-to-large enterprises, an in-house SOC may come with more cons than pros. “Not all organisations need to build their own SOC, and doing so could incur unexpected costs and risk exposure,” notes Martin Potgieter, co-founder and Technical Director at Nclose.

The SOC, responsible for ongoing threat monitoring and analysis, differs from the IT security team, Potgieter explains. “Most organisations have security engineers, who typically manage security infrastructure like firewalls and AV, but they are not aligned with incident detection and response,” he says.

Potgieter says that many organisations assume that they can build and manage their own SOCs inexpensively and with ease. But the technology is just one part of the overall picture.

“The time and resources required to build an in-house SOC add considerable unexpected costs to the project, plus the models used to build a SOC are often based on outdated models and technologies, meaning key building blocks of the SOC may be compromised,” he says.

“One of the biggest risks in building an in-house SOC is a false sense of security,” he adds. “In the time it takes to mature the model, organisations will have gaps in security in the time it takes to get it right. It could take at least a year to achieve mature methodologies, and usually, the SOC is never finished as there are continuous improvements that will be needed.”

When considering the viability of an in-house SOC versus a Managed Detection and Response (MDR) service, organisations should consider:

– The size of the enterprise. “Considering the resources needed, an in-house SOC only becomes viable in an organisation with over 5000 or 10000 users, or in a particularly high-risk mid-sized enterprise,” Potgieter says.

– The skills that will be needed to run the SOC. Typically, these will include SOC security analysts, detection engineers and a SOC manager. These skills can be costly, and are scarce in South Africa, says Potgieter.

– The challenge of retaining highly skilled SOC staff. “Small organisations would struggle to keep security people engaged and challenged, and they would in all likelihood have high staff turnover due to this,” Potgieter says.

– The challenge of staying up to date. “In an in-house SOC, skilled resources would be limited. Due to the team being small, knowledge sharing and industry exposure would be a challenge. And due to the limited number of investigations that the security team will be exposed to, their experience levels will grow at a slower pace and the development of the SOC would take longer,” he notes.

– The costs of vendor Security Information and Event Management (SIEM) solutions, including hardware, licensing and support, which can amount to hundreds of thousands of rands in a 1000-plus user environment.

An outsourced MDR service can give organisations access to a world-class, mature SOC even if the organisations have limited skills resources and security budgets. Typically, the costs of an MDR service are 40% lower than the costs of building and running an in-house SOC.

“Upfront cost is not everything when it comes to deploying a SOC,” says Potgieter. “Organisations must carefully assess ongoing running costs, risks and real-world resource challenges to get a realistic understanding of which approach will work for them.”

Nclose Nview is a leading-edge MDR solution combining extensive experience in delivering managed security services with a blend of open-source and in-house written applications. Its features include regular, scheduled threat hunting by experienced analysts; monitoring beyond the traditional security software sources to include DNS traffic, application processes and other sources; the use of honeypots to detect intruders or malware attempting to move laterally in the network; advanced threat intelligence; and active mitigation against “alert fatigue” and “defense regression”. Nview is available as a hybrid cloud/onsite model to allow clients to make use of data analytics onsite for operations and security.
