In the ever-changing threat landscape, information security has never been more important. Threat groups are hunting for targets twenty-four hours a day, seven days a week, and are always finding new tactics for making their attacks more destructive. The security operations center (SOC) is the hub that keeps up with and protects your organization from the relentless pace of cyberattacks.
An effective SOC is crucial for organizations of all sizes. But how much does a SOC cost to build and operate? What are the key features of a SOC and how can you achieve them? In this blog, we cover how to calculate the cost of a SOC and discuss current options for the 24/7 security your clients, customers, and partners expect.
What Are the Needs of a State-of-the-Art, Modern SOC?
Before you can break down the cost of a SOC, you’ll need to consider what goes into building and operating one. Every SOC is different, but all SOCs can benefit from identifying their current level of maturity, and finding out how they can increase that maturity to provide for the security needs of the companies they protect. There are five levels of SOC maturity:
- Basic detection and prevention: This is the bread and butter of the SOC, being able to take in logs, make sense of them, and detect problems and attacks. Increasingly, even basic detection requires being equipped to monitor cloud services, as businesses continue to transition more operations to the cloud.
- Context, Control, and Coverage: At this point, you are taking in more telemetry, getting more context around alerts, and broadening what you can comprehend in your environment. It requires both increased expertise on staff and increased technical capabilities.
- Basic Hunting and APT: Your SOC begins to bring threat hunters into the SOC, strengthening its abilities to correlate and detect more sophisticated attacks against your business.
- Remediation: At this level, you have the expertise on hand to not only identify threats and work to prevent them but perform more sophisticated incident responses.
- Deep Hunting: At this level, your SOC has expanded its capabilities to perform even deeper threat hunting. You have extensive technical capabilities to collect and correlate data, as well as expert-level threat researchers and hunters to proactively identify issues.
Given the scale of modern security operations and the amount of telemetry that modern devices create, a modern SOC needs to take advantage of automation and data science to detect threats and make sense of data. According to a Forrester study, only 13% of current organizations are taking advantage of automation and machine learning along the full lifecycle of an alert, and 17% are not using automation or machine learning at all.
Bringing on security and even data analysis features is only part of the picture, however. A SOC must verify that its controls are working in a way trusted by the industry. This requires certification, and the industry standard for that is SOC 2 Type II certification. This is a recognized and trusted set of standards that lets you show prospective customers, clients, and customers that your SOC is equipped to keep data secure.
Options for a SOC Structure
Your business has as recently defined by Gartner, three major SOC models to consider: fully insourced, fully outsourced, and hybrid. A fully insourced SOC can be tailored to your business from the ground up, but it requires taking on all of the costs and tackling all of the challenges of building a SOC from the beginning. Even a hybrid SOC requires some of the time, expense, and expertise of building a SOC in-house: acquiring (and upgrading) technology, hiring (and training) staff, or both. For many businesses, an outsourced SOC can help build up security capabilities while overcoming the challenges of insourcing SOC capabilities.
Challenges of building an insourced SOC
Building a SOC requires people of varying levels of expertise: front-line analysts, analysts to take escalations, and as the SOC gets more sophisticated, data scientists, threat researchers, and threat hunters. On average, businesses have between 11 and 20 security analysts on staff. This means not only paying their salaries but also time and expense recruiting and hiring them in the first place. And, this is a challenge: only 38% of businesses think they will be able to hire the right talent, and security analyst positions tend to be high-turnover jobs.
Insourcing SOC capabilities also requires technology investments. Bringing in up-to-date SOC technology is expensive, and even before the purchase, it can also cost a lot of time and money to assess those technology options. Another part of the challenge of bringing a modern SOC in-house is that even when you do assess and choose technology solutions, there is pressure to change them. Modernization requires not only technology that is well equipped to handle a changing threat landscape, but also the expertise to decide when you can tailor or tune existing technology to handle it, and when you need to purchase new technology.
On the other hand, adopting SOC-as-a-Service means working with a partner that has already worked out how to face these challenges. A SOC-as-a-Service partner has already faced the challenges of building a mature SOC, including creating a technological backbone, building a staff, and implementing a certification program. And, they can bring this maturity to your business at a cost well below building an insourced SOC.
What Does Building a SOC Cost?
Insourcing the key capabilities of an in-house SOC is a serious capital expenditure. Even basic SOC capabilities require purchasing technologies to store log data, as well as equipment for correlating and analyzing that data. More extensive SOC maturity requires further technology including ticketing systems, threat intelligence platforms, threat detection capabilities, investigation and response capabilities, data analysis platforms, and behavioral analysis. In addition to technologies, it requires hiring staff to operate and tune technology, analyze data, and respond. That includes analysts, security engineers, SOC managers, threat hunters and researchers, and data scientists. This may cost $1-$3 million in salary and training.
On the other hand, SOC-as-a-Service gets you on board with industry-leading SOC capabilities and staff without having to spend the time or money building it internally. You gain access to those capabilities for a predictable monthly rate and can grow them with your business, without worrying about buying technology or hiring or retaining SOC staff. It is billed monthly, based on your usage, as an operating expense. And, instead of having to plan, approve, and fund new capital improvements for your SOC as your business grows, you can scale your usage of SOC-as-a-Service along with your business.
In addition to building and staffing the SOC, certification is another key expense. Partners, clients, and customers demand certification such as SOC II Type 2 as an assurance that a SOC is implementing key controls and following best practices. Depending on the size of your company and the in-house capabilities of your SOC, startup costs for SOC 2 Type II can run between $200,000 and $400,000. Yearly costs to maintain it can range between $100,000 and $200,000 a year. On the other hand, when working with a leading SOC-as-a-Service provider, certification is included in the monthly rate.
Moving Forward with a 24/7 SOC
Facing today’s security landscape requires a 24/7 SOC. SOC-as-a-Service brings the capabilities and the trust that customers, clients, and partners expect from your business, both more cost-effectively and more quickly than trying to bring those capabilities in-house.
To learn more about making the business case for SOC-as-a-Service, and calculate your costs for SOC-as-a-Service versus an insourced SOC, read our detailed white paper.