Any enterprise of mid-market size or greater needs dedicated cybersecurity professionals on their staff. This truth is simple and yet easily neglected. Furthermore, these professionals can’t be left to their own devices. They must be unified in their purpose, under clear policies and with the resources to investigate digital threats, in order to optimally protect their enterprises. In other words, you need to organize your cybersecurity professionals into a security operations center or SOC.
However, your enterprise shouldn’t rush into building a SOC. Like everything in cybersecurity, moving too quickly without serious thought or investment can lead to even more cyber perils. Your enterprise needs to evaluate its needs and its resources beforehand to determine the best course of action and the best solution.
Here are a few questions to guide your thinking, gleaned from the Frost & Sullivan “Practitioner’s Guide to Building a Security Operations Center (SOC)” provided by SIEM solution provider AlienVault.
What Can a Security Operations Center (SOC) Offer My Enterprise?
The first question when making any cybersecurity decision—whether choosing a SIEM solution or building a SOC—is to ask what you expect to gain by deploying the solution. Do you understand the problem you are looking to solve? And do you know that your selection will solve the problem?
Indeed, cybersecurity is a diverse field, with many moving parts and priorities. Enterprises often find it challenging to assess what an individual solution or capability should affect. In the spirit of clarity, here are a few things a SOC should offer your enterprise:
Improved Network Visibility
Criminals love the dark, whether they are breaking into a house or breaking into a network. Digital darkness, as it turns out, is much harder to illuminate. Detection programs might miss certain endpoints while others are never associated with an enterprise’s infrastructure at all. Having a SOC constantly investigating your network means discovering these missing endpoints and scanning them for potential threats. It all leads to a safer network.
Regardless of your cybersecurity platform and incorporated solutions—SIEM, identity management, or endpoint detection and response—you will receive security event alerts and alarms. However, not all alarms indicate your network is compromised. Some are false positives, conflating an ordinary business process or an approved exception with a threat. In other cases, the alert does not accurately portray the events actually taking place on the network. Furthermore, alerts may be redundancies clogging up the feed. Of course, some of the alarms are in fact quite real. These need to dealt with before they spread and dwell.
Your SOC is built to deal with all these alerts—sorting them, determining the false positive from the legitimate, and taking action when they find a legitimate threat. Such investigations are the most popular reason to build a SOC, and it’s no surprise.
Your enterprise needs a well-known and practiced incident response plan to deal with potential cybersecurity threats the moment they are discovered. Your security operations center should be the heart of your incident response plans. The SOC will serve as the main point of contact for your employees if they suspect a hack, data breach, or another digital security event. In turn, your security operations center team should have the capabilities to start mitigating the threat as well as the communication channels to relevant post-breach departments (legal, public relations, finances, etc.). Your incident response plan can’t begin and end with the SOC, but they should be responsible for, or at least directly involved, in the creation of these plans.
How Much Will Building a SOC Cost Us?
The costs of building a SOC can basically be divided into two separate categories: technology and human analysts. The former concerns both the acquisition and maintenance of hardware and software, while the latter concerns the salary of the dedicated analysts. How much they cost depends largely on the size and scale of your business—how many endpoints need to be monitored, the industry your enterprise works in, your physical location(s), etc.
Frost & Sullivan estimate that the price of a SIEM solution for a midsized enterprise average between $25,000 to $40,000 annually, although many of the costs apply only to the front end of implementation. A non-SIEM-integrated User and Entity Behavioral Analysis (UEBA) solution can cost between $15,000 to $20,000.
Meanwhile, the starting salary for a mid-market enterprise SOC analyst averages at $75,000, not including benefits. A dedicated, experienced SOC professional could cost as much as $135,000 in salary and benefits. Keep in mind, no security operations center can function at the enterprise-level with just one professional on staff—it will require a team of them.
All in all, the first year cost of building a SOC can run as high as $291,000, not including maintenance and technological upkeep. This seems a chilling price on the surface. On the other hand, the costs of a data breach have been calculated to cost well over $3 million. And that doesn’t include the intangible costs of lost customer trust and reduced business in the wake of a breach.
In the short term, building a SOC can seem daunting and expensive. However, the long-term saving cannot be denied: the benefits outweigh the costs nearly 18 times over!
What Else Do I Need to Think About While Building a SOC?
Besides the implementation and maintenance of an optimal SOC, there are other questions you must answer.
- How will you handle the 24/7 demands of network security without stressing your personnel?
- How will you design your SOC to best fit with your own individual needs?
- How will you facilitate threat intelligence and data analytics collection and use?
To get a handle on these questions and more, we recommend downloading the full Frost & Sullivan: Practitioner’s Guide to Building a Security Operations Center report, provided for free courtesy of AlienVault.
Latest posts by Ben Canner (see all)
- Top Ten LinkedIn Groups for SIEM and Security Analytics Professionals - October 18, 2018
- New Deloitte Poll Suggests Incident Response Plan Ignorance - October 16, 2018
- Solutions Review Releases SIEM Vendor Map To Assist Enterprise Decision-Makers - October 15, 2018