Sean Tickle, pictured, Head of CyberGuard Technologies and its SOC in Kidderminster, explains why outsourcing security operations may be more effective, and a better return on investment, than an in-house Security Operations Centre (SOC).
While the Security Operations Centre – or SOC – may have only recently become a recognised service for professional security, it has become responsible for monitoring and analysing an organisation’s security position on an ongoing basis, to identify and protect against any potential threats or issues.
An executive’s first instinct will often be to try to do as much as possible in-house to minimise operating expenses and keep internal accountability strong. However, with the cyber landscape changing rapidly, security requirements are expanding too, to the point where they are difficult to manage over multiple departments.
Many medium to large enterprises now have a dedicated cyber security division or Security Operations Centre to detect and respond to security alerts, make the enterprise more resilient to emerging threats, stop internal security-related negligence or compliance failures, and gather information about user behaviour to help identify potential security issues for the business. The question for every business is whether an in-house SOC is really the most effective way to achieve security prevention and resolution goals.
The challenges and limitations faced by in-house SOCs
According to an analyst report by Enterprise Management Associates (EMA), “79 per cent of security teams” feel “overwhelmed by the volume of threat alerts” they receive on a daily basis. Our own Security Operations Centre is seeing clients with lots of disparate security systems receiving thousands of alerts which their internal teams simply cannot handle alone. These include minor alerts that often require no immediate action but which still need to be examined to ensure they are nothing more serious – and those minor alerts are still on the rise.
In-house SOCs face growing obstacles to providing an effective security response: threats are becoming more severe and critical year on year, yet serious security threats are easy to lose in this flood of mostly minor issues. In practice, internal SOCs are becoming increasingly overwhelmed by rising security issues, so improving the SOC’s ability to quickly identify and respond to the most important alerts is critical to success. But this involves specialist training and tools, which may not be cost-effective for some enterprises.
An in-house SOC’s ability to protect against cyber security threats may also be compromised by the enterprise’s infrastructure, which tends to have the SOC focusing on intrusion detection, while vulnerability patching and damage prevention are handed to a separate department, like IT, to handle.
This just creates a bottleneck that inhibits competent threat response. A more effective approach would be to give the SOC team the authority and ability to respond to threats themselves, immediately, but this requires buy-in from senior management. Where SOC reporting responsibility is concerned, there is sometimes an issue of whether the SOC should report to the CISO or CTO. In either case, the executive will have other divisions and issues to manage, so cannot always afford the SOC as much of their attention as cyber security requires.
Outsourced SOCs versus in-house
Outsourcing the SOC to a managed service provider could be the most effective and cost-efficient way to overcome the limitations of in-house SOCs. In-house integrated SOCs may be more effective than allowing a business’s security needs to be spread between non-specialised departments, but the flood of security alerts SOCs handle is being driven by new and emerging threats, which are not as easy to detect, sort through and eliminate.
Enterprise security requirements are also growing and intensifying to the point where in-house teams are limited to detection and, at most, response. However, a truly productive SOC needs to not only detect and accurately triage between major and minor alerts, but also always be on top of the latest security research. Ideally, the SOC should be performing threat research of its own. Security research, though, is generally a burdensome expense that falls completely outside the business’s scope of operations.
Outsourcing to a specialised and dedicated SOC provider can move your entire business to a stronger position in terms of research, detection and response, but only if your security service provider offers all three. Most security businesses focus on detection solutions and provide data to the customer’s internal IT teams, for them to isolate and remediate. Truly effective SOC providers offer customers a comprehensive end-to-end solution going beyond just detection services, which are no longer sufficient, to include rapid response too.
Ransomware can propagate in minutes, so detection alone is not enough. Rapid response is essential, so at CyberGuard, for example, we have been pushing the full potential of managed security services to provide a level of proactivity when responding to security threats, to stay ahead of the latest threat intelligence. This is something that in-house teams cannot match and, by combining this with comprehensive detection, response and remediation, an external, managed SOC proves to be cost-efficient.
An outsourced SOC unifies defence against cyber threats across a diversity of enterprises. When a new threat emerges that targets one business, the SOC provider’s entire client business base benefits from the ensuing response. So, if any enterprise is targeted by an emerging threat, the chances are good that the threat has been encountered before and a counterstrategy has already been developed.
Perhaps most beneficial is that external SOCs are also not limited by the operating hours of their clients’ businesses like in-house SOCs are. Security threats do not work on a 9-to-5 basis, with threats coming from different time zones all over the world, so neither should your security team. The most successful security needs to be 24/7 and this is something that our own SOC team knows too well, having experienced a critical security issue on Boxing Day evening. So the question is, if your business had to deal with a security issue during a seasonal holiday or the weekend, would your existing SOC be around to provide the rapid response required?