Forget Protection: Is Your SOC Ready to Defend?

The economics of today’s Security Operations Center (SOC) no longer work: rebuilding the SOC so it is efficient and effective means rethinking the roles of people who work in them.

Our research shows that most organizations consider their investments in SOCs to be expensive while yielding mediocre results, but despite the high costs and the lack of satisfaction, most companies view their SOCs as a crucial element of their cybersecurity strategies.

Any SOC is intensely people dependent, but the substantial impact and cost of personnel for SOCs is ultimately not sustainable in the long term. The modern SOC must be more agile and better leverage the substantial investment in personnel. It’s no longer about bums in chairs staring at consoles all day. If you’re to defend, not just protect, your organization, your SOC team needs the bandwidth to be curious, creative and collaborative.

It’s too expensive to get to effective

Running an SOC isn’t cheap, and unlike IT functions, research shows outsourcing it to a Managed Security Services Provider (MSSP) doesn’t save money. Worse still, most organizations are underwhelmed by the effectiveness of their MSSP.

Respond Software’s survey in collaboration with Ponemon Institute of 637 IT and IT security practitioners in organizations with an SOC found they spend an average of $2.86 million annually on their in-house SOC.

Surprisingly, outsourcing to an MSSP increases costs significantly, to an average of $4.44 million annually. Either way, barely half of the organizations surveyed are satisfied with the effectiveness of their SOC in detecting attacks, even though nearly all of them see their SOC as an essential tool for minimizing false positives and reporting threat intelligence information.

That’s a lot of money to spend for underwhelming results, so where is it going? An effective SOC depends on the expertise of individuals to prevent, detect, analyze and respond to cybersecurity incidents. This expertise doesn’t come cheap, and the costs are always ticking upward—the budget to hire, train and retain employees is high and increasing, and turnover is rampant.

The best performing SOCs have more employees and slightly less turnover but cost significantly more. Most organizations can’t invest in the people and infrastructure to hit a satisfactory performance, so they outsource to an MSSP with less than favorable results—only 17 percent of respondents find their MSSPs to be highly effective.

Even if you can throw more money and people at your SOC, success will be short-lived. You still won’t be able to keep pace with the evolution of threats if you stick with the current model.

Defense is a different game than protection

Rebuilding and rethinking the SOC requires a mental switch. While it may seem like an inconsequential delineation to most, we are not protecting ourselves online—we are defending ourselves.

We can’t run security operations like we run IT because there’s a significant difference between the two. IT today is about maturity, availability, performance and scalability, but the SOC must play a completely different game. It’s a chess match with someone across the board from us who’s trying to steal something we have.

Today’s SOC is defending against attackers with strong economic incentives that are never going away. These attackers will find a way around any defense because they will continuously adapt. If one tactic fails, they will try another. We need to be able to proactively find these enemies, and that’s not something you do with the production infrastructure and processes of traditional IT.

If we are to defend rather than protect, then we need to change our approach to building and running the SOC.

You need hunters, not console watchers

If the SOC has to be dependent on people, then we need to make sure we’re putting them where they need to be and that they are doing the right things.

The reason our survey respondents are less than enthusiastic about the effectiveness of their SOC is that most of them focus on putting people in front of consoles full of data from sensors fed into a variety of technology platforms. Adding more streams of information and putting more people in front of consoles doesn’t work.

Humans are best at managing the bad, and at working together to do so, but they need the agility to be curious, creative and collaborative. The modern SOC must be structured like a situation center where people are working together and collaborating to manage the bad out of the environment. This collaboration requires creativity and curiosity rather than a dependence on static processes and procedures, because the bad guys aren’t bogged down by traditional production IT mindsets.

The modern SOC needs to be set up to take the fastest path from initial sensor input to systemic immunity. The most important thing to track is the attack method, so it can be remediated once and never pose a threat to the enterprise anywhere again. This requires organizational flexibility, much less formal processes and procedures, and new roles and skills for your team members. Rather than have level one console analysts, you’re going to have hunters and sensor grid engineers. They’re going to be much more engaged with the defense of the organization, and because it’s going to be a better job for them, your turnover is going to be lower.

This is all well and good, you say, but how does it provide me with more resources for security? By freeing up people from the traditional operations model and imposing less structure to defend against an agile enemy, the same people gain the flexibility and agility to fill roles that are more interesting and more effective.

They're going to be focused on hunting, data science, security automation, and threat intelligence. They’re going to be managing the incidents and getting all the way to systemic remediation. The SOC becomes situation focused rather than operations focused.

The technology platforms are still there, but we’re centered on the bad guys and leveraging skills. It allows for creativity to solve problems, curiosity to seek out the real threats rather than respond to alerts on consoles, and collaboration as co-workers rather than just people using tools.

Machines are still necessary to solve many problems, and we should let them, but machines can't do the three most important things. They can't be curious. They can't be creative, and they can't collaborate. Humans need to be pulling threads, finding novel ways to detect the bad guys, and looking for hyper-current attack methods so the SOC is proactively defending, not protecting. Rethinking the roles of the people in the SOC will make the economics work.
