This is a continuation of my last article, in which I explain the main considerations for an Internal SOC delivery method…
To detect and respond to security incidents, a SOC needs to be able to identify and ingest an immense volume of data, contextualise it and proactively identify security risks. Careful consideration of the organisational context, resourcing implications and operational requirements will help organisations decide whether to build an internal SOC dedicated to performing these duties or to fully outsource the delivery of SOC services to an external party, such as an MSSP or MDR provider. Alternatively, organisations may choose to adopt a hybrid model that complements the capabilities of an in-house SOC team with the expertise and tools of a third party.
Selection of a delivery method should be informed by a cost-benefit analysis of the relevant options, considering the services to be performed by the SOC and the risks to the organisation. The money that an organisation is willing to spend will be determined in part by the organisation’s risk appetite.
The SOC delivery methods that surveyed LMNTRIX clients opted for are shown in Figure 1.
The differences between these three methods of delivery are explained in the following three articles with reference to the benefits and limitations of each. This discussion reflects an aggregation of my personal experience, client opinion from workshops and an online survey.
There are several positives to an internal SOC. A key advantage is that it is staffed by employees, who are familiar with the organisation’s infrastructure, understand its security posture and can develop intimate business knowledge through direct engagement and collaboration with other teams. This deep business knowledge provides security analysts with the requisite context to evaluate the alerts generated and identify potential security incidents quickly and accurately.
“An internal SOC is more motivated – incidents are given the required priority and contained fast.” – Large LMNTRIX client
Building an internal SOC comes at a significant cost and is a complex, long-term undertaking that demands time, effort, expertise, specialist technology and continuous improvement to deliver value to the business.
A decision to build internally therefore needs to be substantiated by a willingness to invest upfront and on an ongoing basis with longevity in mind.
There are various types of internal SOCs:
- Virtual SOC, comprised of employees distributed across different teams who perform SOC-related tasks on an ad hoc or permanent basis.
- Centralised SOC with a dedicated team located in its own segregated area.
- Centralised SOC with distributed element, such as a central team supported by staff located at remote sites.
- Centralised SOC comprised of multiple operating facilities located in different time zones (typically three), each with a dedicated team, who synchronise tasks via shift handovers to provide ‘follow the sun’ services.
- Coordinating or command SOC that facilitates activities performed by subordinate SOCs, which operate as distinct entities (prevalent among organisations that operate as corporate groups or conglomerates).
- SNOC, which combines the functions of a SOC and Network Operations Centre (NOC).
- Fusion Centre that integrates a SOC into a single facility along with several other teams (e.g. the CSIRT, NOC and other functions, such as threat intelligence, fraud, data analytics or operational technology). A Fusion Centre is sometimes known as a Joint Operations Centre (JOC).
An internal SOC is particularly suited to large enterprises that have a mature approach to risk management and information security. Typically, building a SOC in-house appeals to organisations that handle vast volumes of sensitive data, are subject to rigorous compliance requirements or are frequently targeted by sophisticated threats with the potential to cause a high business impact (e.g. nation state threats). The benefits and limitations of this model are summarised on the following page.
For large enterprises, it is recommended to prioritise internal development of cyber defence capabilities, provided it is economically viable. Alternatively, seeking guidance from an experienced organisation specialising in cyber defence, such as LMNTRIX, can be beneficial. By augmenting your Security Operations Centre (SOC) with a Managed Detection and Response (MDR) capability such as LMNTRIX, you can derive significant advantages from a “watch the watcher” model, in which the external provider independently monitors the same environment and can catch threats the internal team misses. This approach helps ensure that your internal SOC consistently operates at peak performance, proactively detecting and mitigating potential threats to your organisation.