At Cisco, we are often asked to take a vendor-agnostic approach when developing a Security Operations Center (SOC) strategy, and as such we must distinguish clearly between the various SOC models available to meet today’s demanding security needs. Before explaining the models that exist for monitoring and detecting the latest cyber threats, however, we must first answer a more basic question: “What is the purpose of a SOC, and what organizational goals would implementing a SOC achieve for the greater good of the organization?”
The purpose of a SOC is two-fold. First, it provides central monitoring capabilities to detect, identify, and respond to security incidents that may impact the organization’s infrastructure, services, and customers. Second, it aims to detect and contain attacks and intrusions in the shortest possible timeframe, limiting the potential impact and/or damage of an incident through real-time monitoring and analysis of suspicious events. If a SOC can halt an attack in progress, it has already saved the organization time and money, and possibly the data exfiltration and brand reputational damage it would otherwise have endured, depending on the extent of the attack.
There are multiple SOC models, and understanding their key differences is invaluable when choosing the path an organization takes to secure its daily operations from a monitoring and detection perspective. It is important to note that no two organizations are alike, and the model chosen will depend heavily on criteria including, but not limited to: the size of the organization, the IT security budget, the skill set of IT personnel, incidents the organization has encountered in the past, the industry the organization operates in, and the data the organization handles day in and day out. All of these have a strategic impact on the way you will shape, design, and architect your SOC.
The Primary Models:
Internal SOC
Building an internal, in-house SOC is recommended for large organizations that are mature from an IT and IT security perspective. Organizations that build internal SOCs tend to have the budget to support an investment that includes a 24x7, around-the-clock effort, and they tend to deal with many moving parts in and around their network infrastructure. One of the most essential advantages of building an internal SOC is having the greatest (internal) visibility across the network. The team is dedicated and internal, and has the capability to monitor the environment and all of its log sources, providing a complete picture of where the organization stands from a threat landscape perspective. Some significant disadvantages include: possible misses in detection, a struggle to recruit and retain talent, and high upfront investment costs. In addition, this model typically takes a considerable amount of time to build to an effective and efficient level.
An advanced version of this model is referred to as a “fusion center”, which incorporates detection, response, threat hunting, intel sharing, and data science together to support a center’s mission in protecting the organization.
Virtual SOC
Selecting a virtual SOC is recommended for the majority of organizations that seek assistance from an outside firm to perform highly skilled monitoring and detection duties. Some organizations may be mature from an IT and IT security perspective, but budget constraints and limited expertise hinder their ability to build a fully functional internal 24x7 SOC. Conversely, some organizations may be at a very immature stage of protecting themselves and require expertise to step in quickly to handle monitoring and detection efforts. The advantages of this model: it is the quickest, simplest, most scalable, and most cost-effective to implement. Because a managed security services (MSS) provider typically supports a wide variety of clients and industries on a daily basis, its expertise and the wealth of additional intel it brings can be invaluable for an organization. While this seems an attractive model for most, some disadvantages to consider include: the organization has reduced (granular) visibility of where it stands from a threat landscape perspective, some data is handled by a third party, and escalation times are longer, since the MSS will never be as familiar with the organization as dedicated internal employees are.
Hybrid – Small Internal & Virtual SOC
A hybrid model brings out the best of both worlds: in-house staff complemented with third-party experts, offering the most secure approach from a monitoring and detection standpoint, as there are supplementary pairs of eyes and double-checking of alerts takes place. Most organizations at this level are large enough to build a small team of their own, but lack the capability to build a fully functional internal 24x7 SOC because of budget constraints, limited expertise, lack of resources, and so on. Advantages include: the most secure posture from a monitoring and detection perspective, quick detection and response times, and a low backlog, as there are additional analysts (internal and external) working through low-, medium-, and high-priority findings. Additionally, this model offers the best learning combination for an organization and its employees, who gather knowledge and cross-train with the experts of an MSS. Significant disadvantages include: setting up additional hardware, data handled by a third party, and a cost that can be hard to sustain long-term.
There are multiple ways of envisioning the best approach in selecting a SOC model. The choice will highly depend on how the organization can handle existing threats.
For instance, you may want to ask: does your organization have the bandwidth and skill set to support monitoring and detection efforts after business hours? If the team cannot support this effort on a 24x7 basis, one hybrid arrangement worth considering has the MSS examine lower-priority findings (typically low-level alerts) while the internal team handles higher-priority concerns. There are many other instances where a hybrid solution can be effective, depending on the needs of the organization. Better yet, any of these models can be effective as long as it is implemented to accommodate the future growth of the organization and to anticipate the next challenges the industry as a whole faces in combating cyber threats.
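To make the hybrid arrangement above concrete, here is an added example (not code from the article or from Cisco) of a simple alert-routing policy: findings raised while the small internal team is on duty go to that team only if they are high priority, everything else goes to the MSS first, and high-priority findings that arrive out of hours are flagged for escalation to the internal on-call. The coverage window (weekdays 08:00 to 18:00), the severity labels, the `Alert` class and the sample alerts are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Assumed coverage window for the small internal team: weekdays 08:00-18:00
# local time. The MSS is assumed to cover 24x7. Both are constructed values.
INTERNAL_DAYS = {0, 1, 2, 3, 4}          # Monday=0 ... Friday=4
INTERNAL_START = time(8, 0)
INTERNAL_END = time(18, 0)

# Severity scale and the threshold above which the internal team takes first look.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
INTERNAL_MIN_SEVERITY = "high"


@dataclass(frozen=True)
class Alert:
    alert_id: str
    severity: str
    raised_at: datetime


def internal_team_on_duty(at: datetime) -> bool:
    """True when the internal team is staffed at the given local time."""
    return at.weekday() in INTERNAL_DAYS and INTERNAL_START <= at.time() < INTERNAL_END


def route_alert(alert: Alert) -> dict:
    """Decide who takes the first look at an alert and whether to page internal on-call."""
    if alert.severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {alert.severity!r}")
    high_priority = SEVERITY_RANK[alert.severity] >= SEVERITY_RANK[INTERNAL_MIN_SEVERITY]

    if high_priority and internal_team_on_duty(alert.raised_at):
        return {"alert_id": alert.alert_id, "first_look": "internal",
                "escalate_to_internal": False}

    # Low/medium findings, and anything raised out of hours, go to the MSS first.
    # High-priority findings out of hours are additionally flagged so the
    # internal on-call is paged rather than waiting for the next business day.
    return {"alert_id": alert.alert_id, "first_look": "mss",
            "escalate_to_internal": high_priority}


def route_batch(alerts) -> list:
    return [route_alert(a) for a in alerts]


def backlog_by_queue(routes) -> dict:
    """Count how many alerts landed in each first-look queue."""
    counts = {"internal": 0, "mss": 0}
    for r in routes:
        counts[r["first_look"]] += 1
    return counts


# Constructed sample alerts (2017-02-21 is a Tuesday, 2017-02-25 a Saturday).
SAMPLE_ALERTS = [
    Alert("A-1", "high", datetime(2017, 2, 21, 10, 30)),      # in hours, high
    Alert("A-2", "low", datetime(2017, 2, 21, 10, 30)),       # in hours, low
    Alert("A-3", "critical", datetime(2017, 2, 21, 23, 0)),   # out of hours, critical
    Alert("A-4", "medium", datetime(2017, 2, 25, 12, 0)),     # weekend, medium
]

if __name__ == "__main__":
    routes = route_batch(SAMPLE_ALERTS)
    for r in routes:
        print(r)
    print(backlog_by_queue(routes))
```

The threshold and the coverage window are the two knobs an organization would tune as it grows; raising `INTERNAL_MIN_SEVERITY` or widening the coverage window moves work between the two queues without changing the routing logic.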
Have questions about your specific situation? Leave a comment for me here or visit our Security Advisory Services for Threat Management page to learn about our services.
If you’re attending Cisco Live Berlin this week, stop by World of Solution Hall 3.2 where we’ll have experts on hand in the Security and Security Services Zones to discuss best practices for building and running a SOC.
Having studied low-level security, I would appreciate your thoughts on the proposition that a SOC should consist of multi-industry security hardware to provide better protection. Naturally enough, here on a Cisco site there would only be Cisco security solutions.
Hi Peter,
Thanks for your question. You may be interested in reading our 2017 Annual Cybersecurity Report (http://b2me.cisco.com/en-us-annual-cybersecurity-report-2017), which covers your question in more depth. In our report, the majority of organizations surveyed had more than five security vendors and products in their environment, with 55% of security professionals using at least six vendors. To your point, organizations are looking at ways to make themselves more secure, but in a way that covers a multitude of avenues, which may require relying on a wide variety of solutions from a number of vendors. Adding too many vendors adds complexity and confusion in securing networks as the Internet continues to grow in terms of connected devices, traffic, and speed. Depending on the organization’s needs, simplicity and integration are key to an effective Security Operations Center. Over 4 out of 10 security alerts are never investigated, and this very well could be one of the more prevalent reasons why, as the lack of integration can allow gaps of time and space, obfuscating the assembly of a seamless defense.