#HowTo Cut Costs in the SOC

If the last month has taught us anything, it’s that we must be able to adapt to change. Many of the changes that will be long-lasting are economic in nature, and those are likely to impact security in every organization. Once we’ve addressed more urgent public health issues and returned to “business as usual,” how can we prepare for the budget tightening that will inevitably follow?

People are the most important element of any security team, so we want to avoid losing our hard-earned and hard-working staff. What can you do in the near-term to reduce costs, minimize impact to your team, and maybe even improve the lives of your analysts in the process?

Review your data strategy and licensing
Most SOCs have two main drivers for data retention: compliance and investigation support. If you’re using your SIEM product to try and meet both requirements, you may be over-spending. Most of the searching, reporting, and visualization features of your security information and event management (SIEM) are designed to support tactical functions like event correlation and investigation.

Consider a two-part strategy that includes an open-source log management or data lake solution for compliance, and more tactical (read: short term) use cases for your SIEM. Understanding the common sources of investigations and the data that supports them is the first step in such a strategy – identify “stale” data sources to make sure you aren’t paying for licenses, integrations, or storage you no longer need. Finally, if your SIEM supports it, periodically check your license usage by index and source data type.
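The stale-source check above is easy to script once you have two inputs: an ingest ledger (volume per index and source type per day, which most SIEMs can export) and the date each source type was last referenced by a detection rule or an investigation search. The following is an added example, not code from the article; the ledger, the last-used dates and the 90-day idle threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample ingest ledger: GB ingested per (index, sourcetype) per day.
INGEST = [
    {"day": "2020-04-01", "index": "security", "sourcetype": "windows:security", "gb": 40.0},
    {"day": "2020-04-02", "index": "security", "sourcetype": "windows:security", "gb": 44.0},
    {"day": "2020-04-01", "index": "network", "sourcetype": "firewall", "gb": 80.0},
    {"day": "2020-04-02", "index": "network", "sourcetype": "firewall", "gb": 76.0},
    {"day": "2020-04-01", "index": "legacy", "sourcetype": "old_proxy", "gb": 25.0},
    {"day": "2020-04-02", "index": "legacy", "sourcetype": "old_proxy", "gb": 27.0},
    {"day": "2020-04-01", "index": "apps", "sourcetype": "erp_audit", "gb": 5.0},
    {"day": "2020-04-02", "index": "apps", "sourcetype": "erp_audit", "gb": 5.0},
]

# Constructed: last date each sourcetype was referenced by a detection rule or an
# investigation search. A sourcetype missing here has never been queried.
LAST_USED = {
    "windows:security": date(2020, 4, 1),
    "firewall": date(2020, 3, 28),
    "erp_audit": date(2019, 11, 2),
}

# Constructed "today" so the example is reproducible.
TODAY = date(2020, 4, 3)


def usage_by_source(ingest):
    """Total GB and average GB/day for every (index, sourcetype) in the ledger."""
    totals = defaultdict(float)
    days = defaultdict(set)
    for row in ingest:
        key = (row["index"], row["sourcetype"])
        totals[key] += row["gb"]
        days[key].add(row["day"])
    return {
        key: {"total_gb": round(totals[key], 2),
              "gb_per_day": round(totals[key] / len(days[key]), 2)}
        for key in totals
    }


def stale_sources(ingest, last_used, today=TODAY, max_idle_days=90):
    """Sources you pay to ingest that nothing has queried within max_idle_days (or ever).

    Returned in descending volume order, so the most expensive stale source is first.
    """
    cutoff = today - timedelta(days=max_idle_days)
    stale = []
    for (index, sourcetype), stats in usage_by_source(ingest).items():
        used = last_used.get(sourcetype)
        if used is None or used < cutoff:
            stale.append({
                "index": index,
                "sourcetype": sourcetype,
                "gb_per_day": stats["gb_per_day"],
                "last_used": used.isoformat() if used else None,
            })
    return sorted(stale, key=lambda s: s["gb_per_day"], reverse=True)


if __name__ == "__main__":
    for key, stats in usage_by_source(INGEST).items():
        print(f"{key[0]}/{key[1]}: {stats['gb_per_day']} GB/day")
    for s in stale_sources(INGEST, LAST_USED):
        print(f"STALE {s['index']}/{s['sourcetype']} "
              f"({s['gb_per_day']} GB/day, last used {s['last_used']})")
```

Before dropping a source flagged as stale, confirm it is not retained purely for a compliance obligation; that is exactly the data the article suggests moving to cheaper log management or data lake storage rather than deleting.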

This is also a good opportunity to revisit your packet capture solution, where your spending should be focused on hardware and storage. If you’re paying for expensive software licenses as well, check out open source alternatives like Moloch.

Evaluate your third-party service providers
Are you outsourcing security operations functions to an MSSP or an MDR? Security teams often cite lack of transparency as the main issue they have with their Managed Security Services Provider (MSSP) or Managed Detection and Response (MDR) vendor. Consider the division of labor between your team and the vendor, and make sure the value you’re getting is reasonable for the cost.

Do look for tasks performed by the vendor that do not ultimately save you time, resources, or effort, and ask the following questions:

  • How well does the vendor demonstrate understanding of your industry and business in their work products?
  • How well do they know and integrate with your team and toolset? Do they demonstrate knowledge that would be difficult for you to build within your own team?
  • What Key Performance Indicators (KPIs) do you use to measure their performance and course-correct when needed?
  • Is the vendor improving your security posture over time, or merely triaging events and creating investigative backlog?
  • Is your vendor “sticky” because they do a great job meeting your objectives, or because they own parts of your detection infrastructure?
  • What is the total cost of the service, including vendor management, duplication of effort, and communication/coordination effort?

This periodic re-evaluation also applies to software-as-a-service (SaaS) and other cloud-based solutions. If your team has changed size and composition in the recent past, be sure to re-evaluate cloud solutions to ensure they’re the right fit versus dedicated, on-premises tools (or vice-versa).

Revisit your paid subscriptions
Subscription services rarely live up to their hype (or their cost). This is particularly true of “intelligence” feeds – lists of indicators published with the intention of keeping you safe from all the known bad out there.

At best, these feeds contain attacker infrastructure which has already been used in past campaigns whose operators have since moved on. At worst, they are full of false positives and lack even basic context.

If you’re paying for one or more of these feeds, pull some metrics on the number and criticality of detections you’ve had based on the data they contain. If you’re using indicators for data enrichment, try to see how many pivots and investigations they’ve enabled.

In our experience, there is a TON of waste here and you’ll have much better luck focusing on intelligence gained from internal analysis and investigations. If you’re tracking projected loss per incident, grab the incidents discovered via threat feed and see how much you would have been impacted without the feed, and/or whether you would have discovered the same incidents via an alternate method.
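The two measurements suggested in this section (detection precision and pivots per feed, and the projected loss from incidents that only the feed caught) can be pulled from the alert queue and the incident register. The script below is an added example written for this article, not the author's code; the alert log, the incident register, the feed names and the loss figures are constructed sample data.

```python
from collections import defaultdict

# Constructed sample alert log. "feed" is the subscription that supplied the matching
# indicator (None for alerts raised by other logic), "disposition" is the analyst verdict,
# and "pivots" counts further evidence the indicator's context let the analyst reach.
ALERTS = [
    {"id": 1, "feed": "feedA", "severity": "high",   "disposition": "true_positive",  "pivots": 2},
    {"id": 2, "feed": "feedA", "severity": "low",    "disposition": "false_positive", "pivots": 0},
    {"id": 3, "feed": "feedA", "severity": "low",    "disposition": "false_positive", "pivots": 0},
    {"id": 4, "feed": "feedB", "severity": "medium", "disposition": "false_positive", "pivots": 0},
    {"id": 5, "feed": "feedB", "severity": "low",    "disposition": "false_positive", "pivots": 0},
    {"id": 6, "feed": "feedB", "severity": "low",    "disposition": "false_positive", "pivots": 1},
    {"id": 7, "feed": None,    "severity": "high",   "disposition": "true_positive",  "pivots": 3},
]

# Constructed incident register: every source that independently detected the incident,
# and the projected loss had it gone undetected.
INCIDENTS = [
    {"id": "INC-1", "detected_by": ["feedA", "edr"],             "projected_loss": 50000},
    {"id": "INC-2", "detected_by": ["feedA"],                    "projected_loss": 20000},
    {"id": "INC-3", "detected_by": ["edr"],                      "projected_loss": 80000},
    {"id": "INC-4", "detected_by": ["feedB", "proxy_analytics"], "projected_loss": 10000},
]


def feed_metrics(alerts):
    """Per feed: alert count, confirmed true positives, precision, and pivots enabled."""
    out = defaultdict(lambda: {"alerts": 0, "true_positives": 0, "pivots": 0})
    for a in alerts:
        if a["feed"] is None:
            continue
        m = out[a["feed"]]
        m["alerts"] += 1
        m["true_positives"] += int(a["disposition"] == "true_positive")
        m["pivots"] += a["pivots"]
    for m in out.values():
        m["precision"] = round(m["true_positives"] / m["alerts"], 2)
    return dict(out)


def unique_feed_value(incidents, feed):
    """Incidents that only this feed caught, and the projected loss you would have carried
    without it. Incidents another control also caught are deliberately excluded."""
    only = [i for i in incidents if set(i["detected_by"]) == {feed}]
    return {
        "incident_ids": [i["id"] for i in only],
        "loss_avoided": sum(i["projected_loss"] for i in only),
    }


if __name__ == "__main__":
    for feed, m in feed_metrics(ALERTS).items():
        print(feed, m, unique_feed_value(INCIDENTS, feed))
```

Comparing `loss_avoided` against the feed's annual cost gives the renewal conversation a number; a feed whose precision is near zero and whose unique incident list is empty is a strong candidate to drop.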

Look for open source alternatives
Whether it’s replacing a point security tool or simply augmenting what you have, try to periodically justify the cost of your commercial tools. Open source projects for blue team have come a LONG way in the last few years, and many of them now rival (or, in our opinion, exceed) the capabilities of expensive commercial tools.

Conduct an analysis of alternatives for your big-ticket items on an annual or semi-annual basis. That way, you’ll always have a recent justification for the money you’re spending, and you’ll stay aware of potential challengers. Mitre has posted some guidance on Analyses of Alternatives (AoAs) here. Just keep in mind the total cost – do you have, or can you create, the engineering talent to manage new or open source tools?

Streamline your workflow
Is your expert security team doing expert work? Or are they more of a clearing house for high-level user support, crisis management, spam monitoring, and ticket processing? These kinds of tasks will absolutely result in higher turnover, which means spending more money on recruiting and onboarding.

Do look for tasks within the team that are repetitive or prohibit creativity, like investigating the same alerts over and over or replying to customers with form e-mails. These are great use cases for automation. If they are lower-priority but still important tasks, consider consolidating them and modeling a new workflow – for example, collecting all low priority alerts in a single digest that can be reviewed once a day or once a week versus competing for space in a queue with more important alerts.

Likewise, review high volume alerts in aggregate as candidates for tuning or to address the underlying triggers.

Finally, evaluate the skills of your team. Every group will have individuals operating at different levels, and it’s important to have clear and shared perspective on where everyone is in order to assign tasks and roles effectively.
