The Present and Future of the SOC

Where does the Security Operations Centre really belong in business?

The Security Operations Centre

While it has only gained widespread recognition over the last few years, the Security Operations Centre is easy to define. A business’ Security Operations Centre – or SOC – can be formed internally or be handled by an external managed service provider. An executive’s first instinct for good business will often be to try to do as much as possible in-house in order to minimise an organisation’s operating expenses and keep internal accountability strong. But as with many things related to cyber security, more careful consideration is needed to determine what’s really best for the business.

According to the NCSC, the SOC’s primary goals are to detect and respond to security alerts, make the enterprise more resilient to emerging threats, stop internal security-related negligence or compliance failures and gather information about user behaviour in order to help the business identify security issues[1]. With the cyber security landscape as it is going forward into the 2020s, these goals can no longer be shared between multiple departments. Nearly all enterprises over a certain size now have a dedicated cyber security division or Security Operations Centre. The question, however, is whether an in-house SOC is really the most effective way to achieve the goals.

SOC struggles and limitations

In practice, internal SOCs are becoming increasingly overwhelmed by rising security issues. In a 2020 Sumo Logic research survey, over half of large companies reported dealing with more than 1,000 security alerts every single day, with 93% of organisations unable to respond to all alerts on the same day. Some enterprises have to contend with over 10,000 daily alerts[2]. Serious security threats are easy to lose in this flood of mostly minor issues. Improving the SOC’s ability to respond to the important issues would require specialist training and tools, which is not cost-effective for most enterprises.

Between 2015 and 2020, over 70% of organisations reported that the number of daily security alerts had doubled. 24% of businesses said that their daily security alerts had increased by as much as ten times. As Sean Tickle, our Security Operations Centre Manager, recently commented: “Lots of disparate security systems are generating hundreds of thousands of alerts which internal teams cannot manage.” These minor alerts, which often require no immediate action but still need to be examined, are not the only thing on the rise. 2020 had the highest recorded level of cyber-attacks in the UK, a 20% increase in attempted breaches from 2019[3]. While in-house SOCs are facing more obstacles to providing effective security response, the threats are growing more severe and critical year on year.

In the 2019 Ponemon Research survey, Improving the Effectiveness of the SOC, it was found that 53% of respondents did not have confidence in an in-house SOC’s ability to trace the source of threats. Only 42% of enterprises believe in the effectiveness of their SOCs. On analysis, the reasons for the limited effectiveness of in-house SOCs appear to come from enterprise infrastructure itself. The SOC tends to focus on intrusion detection, while vulnerability patching and damage prevention are handled by IT as a separate department. A truly effective response requires the team detecting a threat to have the authority and ability to respond immediately. 

This creates a harsh bottleneck that inhibits effective threat response, and the responsibility for these issues cannot be placed entirely on the SOC team. Many companies cite lack of support from leadership as a significant limitation to the SOC’s effectiveness. There is an intractable logistics issue: should the SOC report to the CISO or CTO, for example? In either case, the executive has other divisions and issues to manage, so it is unreasonable to expect the SOC to receive the executive’s full attention. Meanwhile, creating a new executive position just for the SOC is inefficient both structurally and economically.

Outsourcing the SOC

The immense rise in security alerts that SOCs must handle is being driven primarily by new and emerging threats. This means that in order to be fully effective in detecting, triaging and eliminating security threats, a SOC needs to not only detect and report threats, but also stay on the cutting edge of the latest security research ‒ and would ideally perform threat research of its own.

In-house integrated SOCs are undeniably more effective than allowing a business’ security needs to be spread between non-specialised departments. However, enterprise security requirements are growing and intensifying at a rate that most in-house SOCs cannot match. In-house teams are usually limited to detection and, at most, response ‒ if, that is, they even have the resources to accurately triage between major and minor alerts. Security research is generally a burdensome expense completely outside of the business’ scope of operations. 

Outsourcing the SOC to a managed service provider, while possibly a counter-intuitive option for some executives, can overcome the limitations of an in-house SOC and be more cost-effective and cost-efficient overall.

As a specialised business, a SOC provider can put its entire organisation’s resources into staying on the cutting edge of research, detection and response. The only caveat is that some security service providers do not offer all three of these to their customers. Our SOC Manager explains: “Most security businesses focus on detection solutions and then provide data to the customer’s own internal IT teams to then isolate and remediate, but we offer a comprehensive end-to-end solution rather than just detection services, as those are no longer sufficient. Ransomware can propagate in minutes so detect alone is not enough – response is key.”

CyberGuard has been pushing the full potential of managed security services, bringing together all that an outsourced SOC can provide. Drawing from both its own research and a multitude of sources across the cyber security industry, CyberGuard can stay ahead of the latest threat intelligence. This allows for a level of proactivity when responding to security threats that in-house teams cannot match. Combining this with comprehensive detection, response and remediation shows just how effective an external, managed SOC can be.

In-house SOCs are also limited by the operating hours of their business. Security threats do not work on a 9-to-5 basis. With threats coming from all over the world and different time zones, effective security needs to be ready to respond 24/7. CyberGuard has already demonstrated the importance and effectiveness of this kind of rapid-response relationship – even when a critical security issue began to develop on Boxing Day evening[4].

Perhaps most significantly of all, an outsourced SOC unifies defence against cyber threats across a diversity of enterprises. When a new threat emerges that targets one business, all the SOC provider’s client businesses benefit from the ensuing response. This way, even if an enterprise is targeted by an emerging threat, there is a good chance the threat has already been encountered in the wild and a counterstrategy developed. 

Reference Sources:

[1] https://www.ncsc.gov.uk/guidance/security-operations-centre-soc-buyers-guide
[2] https://bricata.com/blog/how-many-daily-cybersecurity-alerts/
[3] https://www.itpro.co.uk/security/cyber-attacks/358276/2020-the-busiest-year-on-record-for-cyber-attacks-against-uk-firms
[4] https://www.ogl.co.uk/cyber-defence-report-january-2021