There are many challenges that come with building a SOC in-house, including finding and retaining IT talent. Modern MDR providers can help fill in the gaps by allowing organizations to offload many of these complex components to experts who focus solely on building out exceptional security platforms that scale.
I often put myself in my customers' shoes and think, "What if I was a CISO/security manager and my supervisor asked me to build out a SOC? What would I do? Where would I start?" I imagine this happens all the time. As organizations grow, they realize having a central operation with a pulse on all things security is crucial as threat exposure and security posture can change quickly. What was safe yesterday is no longer secured today because of software updates, misconfigurations, and architectural changes. Having an ongoing evaluation of the security exposure and attacks at any given moment of any given day is essential, and companies see the value of this.
Several major components are the working parts of any SOC:
- The people who run the operation 24X7X365
- The software and systems to make sense of the events and enforce/remediate
- The policies that ensure smooth execution and prioritize and manage incidents
The human element is by far the most critical component of any SOC. Security analysts choose the software and systems to use based on experience and evaluation. They set the policies to ensure things don't fall through the cracks and the operation runs smoothly. Unfortunately, this is also the most challenging component to get right. Security professionals are always some of the highest-paid in technology, and for good reason. Their depth of knowledge across all IT is a must (networking, software development, databases, server administration, cloud, etc.) They then have to understand how to protect those assets since any device on the network or in the cloud is a security device. This breadth of responsibility often leads to two critical challenges for most organizations:
- Finding talented individuals with this skillset
- Retaining the talent they have
I have seen firsthand rock-star security professionals and managers who built out most of the monitoring and enforcement systems/policies get offered a 50% raise to go to another organization. This turnover leads to disruptions to the efficacy of any SOC when it occurs.
Software and Systems
Another essential component of any SOC is the security analysts' software and tools—things like a SIEM, endpoint monitoring and protection agents running on the endpoint, firewalls and network security devices, cloud monitoring SAAS services, ticketing systems, ideally a SOAR solution, etc. Choosing the right combination of tools that work cohesively together or trying to delve your way through making them work together is a challenge in and of itself. Having someone who knows how to use the tools to find threats and administer those systems is another factor to consider. Selecting the right software, configuring it, and ensuring it's working is no small feat. Take SIEM, for instance; the level of effort to stand up a SIEM from getting the agents on all devices that need to pull logging to normalizing the data inflow to building out the correlation rules can take years. This process requires ongoing changes and tuning as software updates occur to logging sources. The terrifying part of this is that if done incorrectly, right then, the deluge of white noise and false positives that analysts will have to filter through will cripple their ability to find the threats that matter. However, it's a game-changer to understand what is happening to an organization's security posture if done correctly.
Policies dictate how we handle incidents (whom we contact, what tickets we open, what protections we put in place, etc.) Policies are living, breathing documents and must be evaluated and updated on an ongoing basis—technology changes and what needs to be secured changes. Having an incident handling policy is a must for any SOC. When an incident occurs, you don't want that to be the first time you test a policy, especially if it's 3 a.m. on a Saturday. This component of a SOC is most often created and ignored until the next audit.
Given the challenges that CISOs and security managers face, they often take another path on their journey to building out a world-class SOC by partnering with a modern MDR provider. This partnership allows them to offload many of these complex components to experts who focus solely on building out exceptional security platforms that scale. Starting a SOC from scratch or building out a partially completed SOC is complicated. Partnering with the right MDR provider will ensure you have access to expert staff, tools, and policies that are tried and true, ultimately giving you peace of mind to approach your supervisor with a well-executed plan for your organization.