#HowTo: Find the Right SOC Provider

The security operations center (SOC) has evolved through the years in line with the threat landscape. Once the preserve of government and military organizations, it is increasingly recommended for enterprises of all sizes, even SMBs. However, building a dedicated team and facility to monitor threats 24/7/365 is not easy. Skills and funds are in short supply. That’s why many companies are handing these responsibilities over to a trusted third party. However, deciding to outsource is just the first step. Next comes the hard part – choosing the right provider.

The truth is that not all managed SOC offerings are created equal. Finding the right partner is a higher stakes game than many realize. Get it wrong, and cyber risk and costs could quickly spiral out of control.

Firms Under Fire

The main drivers for investing in a SOC are fairly predictable. Over recent years, the volume and sophistication of cyber-threats have soared. Nowhere is this more visible than in the ransomware space, where cybercrime innovation has led to the use of ‘as-a-service’ offerings, democratizing attack capabilities to a wide range of affiliate groups. So much so that ransomware was labeled as the biggest online threat to people in the UK last year.

Despite major investments in security, which by some estimates surged 60% in the past year, breaches continue to cause significant financial and reputational damage. According to government data, two-fifths (39%) of UK organizations suffered a breach or cyber-attack last year, rising to 59% for medium firms and 72% for large businesses.

With a large pool of breached credentials circulating on the dark web – an estimated 27 billion – threat actors have a fairly straightforward way to access targeted networks without setting off any alarms. Failing that, they could exploit one of the 20,000+ vulnerabilities published last year, or one of the many that remain unpatched from previous years. Alternatively, they could pay an initial access broker to do the hard work for them.

Not all Plain Sailing

This complex threat landscape means prevention-based security has its limits. Facing a determined adversary and tasked with a large corporate attack surface to defend, no organization can be 100% breach-proof. This puts more focus on detection and response: finding and resolving breaches before they become serious incidents. That’s the job of security operations (SecOps) and the SOC.

However, there are persistent challenges. Finding enough talent to operate a SOC is the first. The industry as a whole is short of 2.7 million workers, and SOC analysts are arguably among the hardest to come by. It doesn’t help that many are planning to quit due to the stress and burnout associated with alert overload. This usually comes down to poor tooling that spits out raw data and false positives with no way to prioritize signals.

This leads to another challenge: the cost of technology investments. Organizations must find the right blend of tools to provide the insight their analysts need. That’s not always easy in a crowded market where vendor hype is sometimes difficult to see through. SIEMs can be useful but often require constant tuning to be effective, tuning that many SOC teams don’t have the time or resources for. The financial burden on organizations that choose to do SecOps in-house is growing. According to one study, perceived ROI is dropping in over half of organizations due to management complexity. The same report claims security engineering costs are creeping towards $3m annually, but only 51% rate these efforts as effective.

Why Outsourcing a SOC Makes Sense

Therefore, an increasing number of firms are deciding to outsource their SOC function completely. This enables them to offload the skills problem to a dedicated organization, which has more resources to find the brightest and best talent. It also eliminates the need for expensive up-front investments in equipment and ongoing maintenance, and supports greater operational agility if, for example, the organization decides it needs new detection and response capabilities.

According to one estimate, the market for managed SOCs is set to grow at nearly 11% over the coming five years to reach $10bn by 2027. But in a fast-growing market, there are an increasing number of options, not all of which will be the right fit. It’s important to find a provider that not only has the resources to support its customers as they scale, but also has the right set of multi-layered tools to do the job properly.

These should include detection and response tooling like SIEM, EDR, log management, file integrity monitoring and threat hunting. Combined, such tools can weed out even covert threats. Malicious actors often use legitimate tools to stay hidden inside networks. By shining a light on these behaviors, SecOps teams can determine with greater clarity when a breach occurred. Additionally, dark web monitoring can provide a useful early warning system for a breach if data has been stolen and posted there, while vulnerability monitoring can help to block a potent attack vector.

Most importantly, organizations need to find a partner who goes beyond the typical managed SOC commercial relationship, to act more like an extension of the in-house security team. They should offer 24/7/365 protection, dedicated customer service and continuous feedback and reporting. This will not only give customers peace of mind that their operations are secure, but also crucial intelligence that can be used to enhance cyber-resilience for the future.