In-house SOCs – hidden costs and considerations

Johannesburg, 31 Jul 2020
Read time 3min 40sec

Security operations centres (SOCs) have an important role to play in the large enterprise. But for mid-to-large enterprises, an in-house SOC may come with more cons than pros.

“Not all organisations need to build their own SOC, and doing so could incur unexpected costs and risk exposure,” notes Martin Potgieter, co-founder & Technical Director at Nclose.

The SOC, responsible for ongoing threat monitoring and analysis, differs from the IT security team, Potgieter explains. “Most organisations have security engineers, who typically manage security infrastructure like firewalls and AV – but they are not aligned with incident detection and response,” he says.

Potgieter says many organisations assume they can build and manage their own SOCs inexpensively and with ease. But the technology is just a part of the overall picture.

ITWeb Security Summit 2020
Register now for the ITWeb Security Summit 2020 virtual event, and experience four days of international keynotes, sessions and workshops all for one price. The event will feature over 50 speakers, with all content being made available on demand online. To register, and for more information, please click here.

“The time and resources required to build an in-house SOC adds considerable unexpected costs to the project, plus the models used to build an SOC are often based on outdated models and technologies, meaning key building blocks of the SOC may be compromised,” he says.

“One of the biggest risks in building an in-house SOC is a false sense of security," he adds. “In the time it takes to mature the model, organisations will have gaps in security in the time it takes to get it right. It could take at least a year to achieve mature methodologies, and usually, the SOC is never finished as there are continuous improvements that will be needed.”

When considering the viability of an in-house SOC versus a managed detection and response (MDR) service, organisations should consider:

  • The size of the enterprise. “Considering the resources needed, an in-house SOC only becomes viable in an organisation with over 5 000 or 10 000 users, or in a particularly high risk mid-sized enterprise,” Potgieter says.
  • The skills that will be needed to run the SOC. Typically, these will include SOC security analysts, detection engineers and an SOC manager. These skills can be costly, and are scarce in South Africa, says Potgieter.
  • The challenge of retaining highly skilled SOC staff. “Small organisations would struggle to keep security people engaged and challenged, and they would in all likeliness have high staff turnover due to this,” Potgieter says.
  • The challenge of staying up to date. “In an in-house SOC, skilled resources would be limited. Due to the team being small, knowledge sharing and industry exposure would be a challenge. And due to the limited number of investigations that the security team will be exposed to, their experience levels will grow at a slower pace and the development of the SOC would take longer,” he notes.
  • The costs of vendor security information and event management (SIEM) solutions, including hardware, licensing and support, which can amount to hundreds of thousands of rands in a 1 000-plus user environment.
  • An outsourced, MDR service can give organisations access to a world-class, mature SOC even if the organisations have limited skills resources and security budgets. Typically, the costs of an MDR service are 40% lower than the costs of building and running an in-house SOC.

“Upfront cost is not everything when it comes to deploying a SOC,” says Potgieter. “Organisations must carefully assess ongoing running costs, risks and real-world resource challenges to get a realistic understanding of which approach will work for them.”

Nclose Nview is a leading-edge MDR solution combining extensive experience in delivering managed security service with a blend of open source and in-house written applications. Its features include regular, scheduled threat hunting by experienced analysts, monitoring beyond the traditional security software sources to include DNS traffic, application processes and other sources, the use of honeypots to detect intruders or malware attempting to move laterally in the network, advanced threat intelligence and active mitigation against “alert fatigue” and “defence regression". Nview is available as a hybrid cloud/onsite model to allow clients to make use of data analytics onsite for operations and security.

See also