Ahead of the Gartner Security and Risk Management Summit in Dubai, Siddharth Deshpande, principal research analyst at Gartner, answered questions on trends for security operations centers and recommendations for security service providers.
Q: What is a security operations center (SOC)?
A: A security operations center (SOC) can be defined both as a team, often operating in shifts around the clock, and a facility dedicated to and organized to prevent, detect, assess and respond to cybersecurity threats and incidents, and to fulfill and assess regulatory compliance.
Q: Is having an in-house SOC the only viable way for companies to create a security monitoring capability?
A: Building a SOC — or generally creating some form of internal security operations capabilities — is a costly and time-consuming effort that requires ongoing attention in order to be effective. Indeed, a great number of organizations (including some large organizations) choose not to have a SOC. Instead, they choose other security monitoring options, such as engaging a managed security service provider (MSSP).
CISOs and technology leaders contemplating building their own SOC should be very cognizant of the cost and staffing implications involved in this approach. There are plenty of alternatives to building and staffing an in-house SOC, and companies should explore them in addition to the various types of SOC models.
Q: What are the different types of SOC models?
- No dedicated facility
- Part-time team members
- Reactive, activated when a critical alert or incident occurs

- Dedicated facility
- Dedicated team
- Fully in-house

- Dedicated and semi-dedicated team members
- Typically 5x8 operations
- When used with an MSSP, it is co-managed

- Coordinates other SOCs
- Provides threat intelligence, situational awareness and additional expertise
- Rarely directly involved in day-to-day operations

Multifunction SOC / network operations center (NOC)
- Dedicated facility with a dedicated team performing not just security, but other critical 24/7 IT operations from the same facility to reduce costs

- Traditional SOC functions and new ones, such as threat intelligence, computer incident response team (CIRT) and operational technology (OT) functions, are integrated into one SOC facility
In addition to the six models above, where the customer's internal security teams are involved in varying degrees, there is another "fully outsourced" model. In fully outsourced models, a service provider builds and operates the SOC with minimal (or at best, supervisory) involvement from the customer organization.
Q: Why are organizations opting for SOCs?
A: Organizations are building internal security operations capabilities (even if in a limited sense) because they desire more control over their security monitoring and response process. They also want to have more informed conversations with regulators.
The strategic business impact of a SOC build project makes it a critical initiative for organizations. Organizations that decide to move ahead with an in-house SOC allocate both initial and ongoing funds in a structured manner, and expect the project to move with a sense of urgency once approved.
Q: What are your key recommendations for security service providers (i.e. vendors) that are considering offering services that enable customers to build and operate SOCs?
- Focus sales enablement programs on the business value delivered to customers through progressively greater degrees of control. Help customers choose between the available options while reinforcing the message that taking a full, do-it-yourself approach is practically impossible for most organizations.
- Enable buyers to plan budgets for SOC projects by aligning pricing and service catalogs to buyer maturity with the ultimate objective of growing SOC maturity for the buyer in a structured manner.
- Gain a competitive edge by focusing on industry-specific use cases for SOCs and helping customers evolve SOC metrics that are unique to their organization.
Q: What are your key recommendations for CISOs planning to build a SOC capability?
- Perform a realistic cost-benefit analysis of various security operations models before committing to a completely insourced SOC.
- Focus on aligning SOC deliverables with business objectives by developing tightly defined goals and metrics that the SOC needs to deliver against.
- Identify high business value and critical security functions and keep them in-house.
- Consider use of MSSP services to offset the cost of 24/7 SOC operations and to fill coverage gaps.
- Develop a SOC staff retention strategy from the outset.
Gartner Security and Risk Management Summits
Gartner analysts will provide additional analysis on IT security trends at the Gartner Security & Risk Management Summits 2017 taking place in Dubai. Follow news and updates from the events on Twitter at #GartnerSEC.