Plenty of organizations are considering setting up their own security operations center (SOC). The prospect of having the entire infrastructure under the stringent scrutiny of information security monitoring is appealing – it is a strong line of defense against potential threats. However, the question of who will actually construct this SOC and how they will do it often arises during implementation. To help with this, companies frequently call upon service providers and/or integrators who can serve as consultants or outsourcers.

In this article, I will explore how to select a trustworthy provider for your cybersecurity infrastructure, what you should focus on during a pilot phase and whether it might be simpler to develop the SOC entirely in-house. Let’s dive in and find out.

Who Needs an In-House SOC?

Let’s start by deciding on the appropriate model: A fully developed in-house SOC or an outsourced one.

Of course, the main factor that determines the future of SOC in an organization is management policy. There are many instances when a company may reject the idea of outsourcing IT and information security processes.

Various reasons motivate this inclination, including concerns about privacy, protecting the brand’s reputation, strategic planning and so on. This viewpoint makes sense, especially given the rise in cyberattacks through third-party contractors. While creating an in-house SOC may be a good option for some companies, it may not be feasible for all.

Before embarking on the journey to build your own security operations center, it is essential to objectively assess the critical components involved in this complex process. It is important to note here that we are considering a scenario where the company already has a basic information security system in place. Without this foundational system, creating a SOC would be an insurmountable task.

1. Budget
Setting up and operating a security operations center can be a significant financial undertaking. The costs can encompass various aspects such as design, network and endpoint security tools, staffing (with a minimum of ten team members), internal integration development, incident identification routines, response mechanisms and more. Even if your company opts to outsource just the design and technical implementation, handling the remainder in-house often leads to unforeseen challenges with internal processes. This scenario is similar to a home renovation project; you might start with a specific budget in mind only to find that the actual expenses end up being much higher.
2. People
It is banal to repeat the words of almost every SOC owner that people are the most important thing. Let’s look at it from the point of view of building the process of hiring and training new employees. To begin with, it is worth studying the region’s universities with specialized departments of information security. The presence of such an educational institution will significantly facilitate the search for employees for the SOC duty shift. There is also a chance that there are ready-made SOC analysts and architects in your region.
3. Time
Time, while incredibly valuable, is often the most restricted resource. Budget holders within a company often underestimate the amount of time required to establish a Security Operations Center. A common directive from management might sound like, “Dear head of the information security department, you have six months to establish a monitoring center in the company.” Of course, this is almost an unattainable task as introducing the technical infrastructure alone could take half a year, let alone establishing workflows and hiring staff. Under the best conditions, it can take up to two years to build a fully functional and highly efficient SOC.

If you have carefully evaluated and accounted for the three critical factors time, human resources and budget – and believe you are in a favorable position, then moving forward with constructing an in-house SOC may be a viable option. If there is any uncertainty or lack in even one of the above factors, outsourcing could be a more prudent choice. But the journey does not end there; the next step involves selecting the right service provider. This is where conducting a pilot project becomes invaluable.

How to Start a Pilot Project

Before you launch a pilot project, it is crucial to gather as many proposals as possible and define your fundamental requirements:

• Why do I need a SOC?
• Who am I trying to defend my company against, and who would have an interest in targeting us?
• What is my vision for how the SOC will evolve over the next two to three years?

Once you have analyzed all proposals and compared them with your own needs, you can create a list of companies to consider for the pilot project. At the outset, it is vital to establish clear and attainable objectives. For instance, it would not be reasonable to set a goal for the pilot project to detect advanced persistent threats (APTs) within your infrastructure, as there is no guarantee such an attack will occur within that time. A more achievable goal might be: “To demonstrate the efficacy of the proposed incident detection and response scenarios, successfully pass a penetration test and get the required service level agreement (SLA).”

The limitations set by the service provider, both in general and for the pilot project in particular, are also noteworthy. For instance, some providers have various restrictions for pilot projects, such as the number of connected sites, the total volume of event data and the number of scripts that can be implemented. For a comprehensive demonstration of the service, one site should suffice. The restriction on the number of scripts is not necessarily due to the provider’s intention to display a standard demo functionality but rather reflects real-world SOC operations, where it is essential to start with basic risks rather than diving straight into detecting APT groups.

Lastly, it is important to decide on the format of the pilot project: Whether to test all potential contractors simultaneously or one after another. Each approach comes with its own advantages and disadvantages.

Piloting Multiple Service Providers Simultaneously

Pros:

• Enables a direct comparison of incident detection scenarios using the same data set.
• Allows for a comparison of the quality of incident response and investigations.
• Reduces overall time spent piloting various service providers.

Cons:

• Challenges in configuring information security event sources according to the requirements of different service providers.
• Limited time for thorough engagement with all service providers.
• The need to simultaneously understand each service provider’s logic of incident identification.

Verdict:

While this approach enables you to compare several SOCs simultaneously without time delays, the objectivity of the comparison could be questionable. Any service provider in such conditions can provide reasons as to why they were unable to identify a specific incident or why there was no response. Also, keep in mind the substantial amount of work that will need to be done.

Sequentially Piloting Different Service Providers

Pros:

• Each service provider can demonstrate their capabilities without conflicts regarding the configuration of information security event sources.
• The opportunity to delve fully into all the specifics of each service provider.
• Less demand for resources from related departments.

Cons:

• The need to develop a unified test scenario for different service providers to ensure an objective evaluation.
• Extended total testing time.
• Timing differences in testing can skew a service provider’s final score, for example, if a more serious information security incident occurs while piloting one of the SOCs.

Verdict:

The primary advantage of this method is the objectivity of the evaluation process and the ability to devote substantial time to each provider. However, the extended duration could negatively impact budgeting/purchasing procedures or the perception of projects by management.

Running the Pilot Project

The primary portion of the pilot, as a rule, does not differ from what happens during the commercial provision of the service. There are two stages here:

1) Installation (preparatory)
2) Main

I will not delve into all the actions taken by both the client and the service provider but focus on what could help make an informed decision.

• The Team of the Service Provider
It is important to know who is managing your pilot project. How many individuals are involved, and what are their roles? For instance, some providers may assign a service manager and a SOC analyst to the client for any service project. However, there could be a different team dedicated to pilot projects, handling all the work, and acting both as service managers and analysts without being sidetracked by daily tasks. This approach ensures that specialists dealing with existing clients are not distracted from their responsibilities.

• Assistance in Setting up Sources
Sometimes, the guidelines provided by the service provider for configuring information security event sources may not be compatible with the client’s sources due to differences in software types or technologies used. However, a proficient service provider will always accommodate the client’s needs and modify the rules as needed. If this is not feasible, they will propose compromise solutions, such as jointly examining the console of the information security system that needs configuration and suggesting suitable setup options.

• Detailed Investigation Reports and SLA
Most service providers are willing to commit to a stringent service level agreement (SLA) and may even adhere to it for a certain duration, like during a pilot project. However, it is hard to verify whether the provider will continue to meet this commitment in the long run, so it is important to focus on the quality of their incident investigation reports. The quality of the work done on a specific incident can be gauged by how much detail the service provider puts into the investigation report. Indeed, a provider could meet the SLA entirely by automatic incident detection using SIEM and generating alerts only based on correlation triggers. However, it might turn out that, even with the same SLA parameters, the quality of investigation varies significantly.

Conclusion

The success of a security operations center is not just about the numbers. By knowing exactly what you need and closely evaluating potential service providers during a trial run, you can get a good sense of how an outsourced SOC might perform. This evaluation will allow you to predict how effective the SOC will be throughout the duration of your contract and how well it can handle the specific threats facing your organization. In case you choose to build your own SOC, the pilot project will allow you to evaluate various service providers and determine which one can be engaged as a consultant and helper.