Security Operations Centres (SOCs) have an important role to play in the large enterprise. But for mid-to-large enterprises, an in-house SOC may come with more cons than pros. “Not all organisations need to build their own SOC, and doing so could incur unexpected costs and risk exposure,” notes Martin Potgieter, co-founder & Technical Director at Nclose.
The SOC, responsible for ongoing threat monitoring and analysis, differs from the IT security team, Potgieter explains. “Most organisations have security engineers, who typically manage security infrastructure like firewalls and AV, but they are not aligned with incident detection and response,” he says.
Potgieter says that many organisations assume that they can build and manage their own SOCs inexpensively and with ease. But the technology is just a part of the overall picture.
“The time and resources required to build an in-house SOC add considerable unexpected costs to the project, plus the models used to build a SOC are often based on outdated models and technologies, meaning key building blocks of the SOC may be compromised,” he says.
“One of the biggest risks in building an in-house SOC is a false sense of security,” he adds. “In the time it takes to mature the model, organisations will have gaps in security in the time it takes to get it right. It could take at least a year to achieve mature methodologies, and usually, the SOC is never finished as there are continuous improvements that will be needed.”
When considering the viability of an in-house SOC versus a Managed Detection and Response (MDR) service, organisations should consider:
– The size of the enterprise. “Considering the resources needed, an in-house SOC only becomes viable in an organisation with over 5000 or 10000 users, or in a particularly high-risk mid-sized enterprise,” Potgieter says.
– The skills that will be needed to run the SOC. Typically, these will include SOC security analysts, detection engineers and a SOC manager. These skills can be costly, and are scarce in South Africa, says Potgieter.
– The challenge of retaining highly skilled SOC staff. “Small organisations would struggle to keep security people engaged and challenged, and they would in all likelihood have high staff turnover due to this,” Potgieter says.
– The challenge of staying up to date. “In an in-house SOC, skilled resources would be limited. Due to the team being small, knowledge sharing and industry exposure would be a challenge. And due to the limited number of investigations that the security team will be exposed to, their experience levels will grow at a slower pace and the development of the SOC would take longer,” he notes.
– The costs of vendor Security Information and Event Management (SIEM) solutions, including hardware, licensing and support, which can amount to hundreds of thousands of rands in a 1000-plus user environment.
– An outsourced MDR service can give organisations access to a world-class, mature SOC even when they have limited skilled staff and security budgets. Typically, the costs of an MDR service are 40% lower than the costs of building and running an in-house SOC.
“Upfront cost is not everything when it comes to deploying a SOC,” says Potgieter. “Organisations must carefully assess ongoing running costs, risks and real-world resource challenges to get a realistic understanding of which approach will work for them.”
Nclose Nview is a leading-edge MDR solution that combines extensive experience in delivering managed security services with a blend of open-source and in-house written applications. Its features include regular, scheduled threat hunting by experienced analysts; monitoring beyond the traditional security software sources to include DNS traffic, application processes and other sources; the use of honeypots to detect intruders or malware attempting to move laterally in the network; advanced threat intelligence; and active mitigation against “alert fatigue” and “defense regression”. Nview is available as a hybrid cloud/onsite model to allow clients to make use of data analytics onsite for operations and security.