Data strongly suggested that having a security operations center provides a significant boost to an organization's cybersecurity initiatives, which makes a SOC the cornerstone of an effective enterprise cybersecurity initiative. Research showed highly successful cybersecurity organizations, as measured by mean total time to contain, are 52% more likely to have deployed an SOC than their less successful peers.
In fact, merely deploying a SOC can improve an organization's mean time to contain a breach by almost half. The data strongly suggested that having a SOC provides a significant boost to an organization's cybersecurity initiatives.
But, as always, the devil is in the details in terms of assessing security operations center best practices: Should cybersecurity pros outsource the SOC function or develop one in-house? And, if they outsource, what should the selection criteria be?
The answer on outsourcing depends largely on the size of an organization and its approach in managing the SOC. Nemertes Research found larger organizations -- more than 2,500 employees -- with an internally managed SOC saw their mean total time to contain improve by 50%. But those that outsourced their SOCs found their mean total time to contain degrade by 58%. Smaller organizations -- fewer than 2,500 employees -- experienced the exact opposite: a 50% improvement in mean time to contain with an externally managed SOC and a 50% decrease in mean time to contain with a SOC they staff themselves.
Why smaller companies benefit from outsourcing
The results make logical sense. Staffing a SOC 24/7 requires a minimum of four to eight full-time employees -- one for each eight-hour shift, plus a manager and backups. That's a heavy burden for many SMBs. SOC analysts must be trained, and they need a career path and growth. Additionally, SOC analyst burnout is a real issue -- one that smaller companies may lack the resources to deal with.
Still, deciding to outsource is just the first step. Nemertes Research has defined five key selection criteria that companies should use when assessing SOC providers and ensuring security operations center best practices.
First is the operational model: Is the SOC provider primarily focused on event notification, or does it work in a team extension mode and proactively take steps to respond to events? There's no right answer, but the response affects how an enterprise's cybersecurity team should be structured. If the SOC team merely notifies the enterprise of events, then its internal cybersecurity team needs the training, tools and processes necessary to assess the events and take appropriate action, which is typically described in the SOC run book -- a set of defined procedures developed by IT for maintaining everyday routine.
Second is the SOC run book itself. Regardless of who executes it -- the internal team or the SOC provider -- how is the run book developed? Does the SOC provider have a standardized run book that can be customized to each client, or should the client plan to develop it?
The third step to ensure security operations center best practices is to examine the portfolio of services the SOC provider offers. What services does it deliver in terms of first-, second- and third-level support? Does the SOC provider offer proactive, versus reactive, services, such as threat hunting, penetration testing, or red or purple team exercises? Reactive services are table stakes for SOC providers. Proactive services may enable the client to reduce its reliance on other providers or help to enhance its security stance significantly.
Fourth is the set of tools and technologies the SOC provider relies on. Tooling can frequently be a deal breaker, particularly if there's a mismatch between the enterprise's needs and what the SOC provider offers. Be sure to ask the following questions:
- Will the provider work with the client's tools, or does it require its own?
- Who owns licensing of tools and software? Ownership and licensing issues can add cost and complexity to the SOC engagement.
- How does the SOC provider handle integration into a client's tooling environment?
Finally, as counterintuitive as it sounds, there's the question of how the relationship will be terminated. Frequently, clients are locked into relationships because of the complexity and cost of the offboarding process. The best way to avoid that is to understand the process upfront.
Summing up, smaller companies should almost certainly avail themselves of SOC services. They should conduct a thorough evaluation of providers, focusing on understanding the operational model, including run book development; service portfolio; tools and technologies; and offboarding processes. With proper attention to these security operation center best practices criteria, smaller companies can significantly improve their cybersecurity operational metrics.