Aware of the dangers and probability of suffering a data breach, organizations are rethinking their security posture. They realize that the traditional prevention-based security model, based on signature-based perimeter tools, is no longer effective against advanced cyber threats. To avoid being the next victim of a high-profile data breach, organizations are seeking advanced and post-breach threat detection and response.

This is where a Security Operations Center (SOC) can help. According to Gartner[1], organizations are embracing the SOC approach, and Gartner predicts that by 2019, 50% of security operations work will be conducted from a SOC.

If your organization is planning to upgrade its traditional SOC or build a new advanced SOC from scratch, you can get an in-depth analysis of the various options available and their relative costs in our new white paper: The Real Costs of Building an Advanced Cyber Security Operations Center.

SOC 101

So what does a SOC look like? A SOC can be defined as an organizational unit that integrates people, processes and technologies to provide situational awareness through prediction, prevention, detection and remediation of cyber threats.

In terms of functionality (i.e., technologies), the SOC monitors networks, endpoints, machine data and traffic to identify a possible cyber attack, confirms whether or not it is a real threat or incident, and analyzes its business impact. In the event of a breach, the SOC manages incident response efforts, ensuring they are properly identified, analyzed, communicated, investigated, reported, contained and remediated.

In terms of staffing, setting up a SOC requires the hiring, training and ongoing development of analysts and managers at differing levels of expertise. The third key ingredient is to implement the processes needed to ensure an effective security operation – from defining standard workflows to conducting audits and integrating existing security and IT tools with the SOC platform.

More Than One Way to Build a SOC

Gartner states that “security operations centers must be architected for intelligence, embracing an adaptive security architecture to become context-aware and intelligence-driven.”[2]

Organizations that want to move from a traditional prevention-based SOC to an advanced intelligence-driven SOC based on detection and response basically have three options:

  • Cherry-picking, siloed approach – adding advanced detection tools on top of the traditional SOC for broader attack-chain coverage
  • Unified, holistic SOC approach – based on a pre-integrated platform designed specifically to mitigate advanced cyber attacks
  • Outsourced SOC approach – subscribing to premium services for advanced detection and response (all operations are managed by an external service provider for a monthly charge)

Bottom Line

Total cost of operation for the above options can be measured using three parameters: operational efficiency (i.e., analyst productivity), staffing costs and security effectiveness (i.e., avoiding the costs and damages associated with a breach).

In a head-to-head comparison, our analysis shows that building a SOC using the unified approach can result in overall savings of up to 60% as compared to the cherry-picking approach. Deploying a unified SOC allows organizations to reduce the number of point tools being purchased, integrated and maintained. Moreover, it provides complete threat visibility across the operation, reduces staffing requirements and accelerates time to response.

To learn more about the real costs you need to consider when building an advanced SOC, read our new white paper: The Real Costs of Building an Advanced Cyber Security Operations Center.

[1] Gartner, How to Plan, Design, Operate and Evolve a SOC, October 2016

[2] Gartner, The Five Characteristics of an Intelligence-Driven Security Operations Center, November 2015