From security warnings to actual alerts

This is how risks are detected in a Security Operations Centre (SOC), also known as a Cyber Defence Centre: first, automated risk detection produces a large number of alerts about potential security risks. The challenge is then to condense information from several sources and to filter the truly critical events out of the large volume of data. Finally, the experts have to respond properly: they must process the available information, inform or alert the right persons and make sure that the measures taken have actually averted the threat.

Hardware, software, security experts and emergency processes that work: all these components are pooled in a SOC. Depending on the company size, it must be available 24/7.

These are the most important tools:

  • Continuous vulnerability analysis
  • Network risk detection based on signatures and behaviour-based analysis
  • Log data analysis (security information and event management, SIEM)
  • Sandboxing (advanced persistent threat detection)
  • Threat intelligence
  • Knowledge database (risks and solutions)
  • Workflow management system

What experts do:

  • Evaluate risk warnings from automated risk detection
  • Continuously adjust risk detection tools to the current situation
  • Contextualise security events to create actual incidents
  • Develop, implement and optimise risk detection use cases
  • Integrate already existing risk detection solutions
  • Manage IT risk management processes and workflows
  • Identify, collect and collate threat intelligence data
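A risk detection use case of the kind the list above refers to, written out as an added example (not code from the page or from any product): a SIEM-style rule that watches firewall log lines and raises an alert when one host produces an unusual number of outbound deny messages within a short window. The log format, the sample lines, the threshold and the window length are all constructed assumptions; the threshold and window are exactly the knobs an analyst turns when "continuously adjusting risk detection tools to the current situation".

```python
"""Sliding-window detection rule for bursts of outbound firewall denies.

Added example. The key=value log layout is a constructed, generic format (no
real firewall product writes exactly this); threshold and window are tuning
parameters to be adjusted to the environment's normal baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) dir=(?P<dir>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_deny_bursts(lines, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per source host whose outbound denies reach `threshold`
    within any `window`. The alert records how many distinct destinations were
    hit, which helps the analyst tell scanning apart from a single broken app."""
    recent = defaultdict(deque)      # src -> deny events inside the current window
    alerts, alerted = [], set()
    events = [e for e in map(parse_line, lines) if e]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "deny" or ev["dir"] != "outbound":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # expire events older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])               # one alert per host, not one per event
            alerts.append({
                "module": "SIEM",
                "rule": "outbound-deny-burst",
                "host": ev["src"],
                "count": len(q),
                "distinct_dst": len({e["dst"] for e in q}),
                "window_start": q[0]["ts"].isoformat(),
                "window_end": ev["ts"].isoformat(),
            })
    return alerts


def build_sample_log():
    """Constructed sample: host .33 is denied to twelve different hosts on port
    445 within three minutes (scan-like); host .50 has four scattered denies
    over an hour (normal noise); some allowed traffic and a junk line are mixed in."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{ts} fw01 action=deny src=10.1.2.33 dst=203.0.113.{10 + i} dport=445 dir=outbound")
    for i in range(4):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} fw01 action=deny src=10.1.2.50 dst=198.51.100.7 dport=8443 dir=outbound")
    for i in range(5):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} fw01 action=allow src=10.1.2.33 dst=198.51.100.20 dport=443 dir=outbound")
    lines.append("this line is not a firewall event and is skipped")
    return lines


if __name__ == "__main__":
    for alert in detect_deny_bursts(build_sample_log()):
        print(alert)
```

Run as a script, the rule fires once, for 10.1.2.33, with ten denies to ten distinct destinations inside the window; the four scattered denies of 10.1.2.50 never reach the threshold. Raising the threshold to 13 silences the rule entirely, which is what tuning against a noisy baseline looks like in practice.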

The experts' focus

The experts focus on one thing: drawing the right conclusions. These are reached by combining different sources of information.

How to establish your own SOC

Establishing a SOC requires precise planning, as this involves the complex interplay of various individual components.

  1. The first step is an initial evaluation of needs and the selection of the necessary products and solutions. Which components are already available in the company? What needs to be monitored and which technologies are to be used? What compliance requirements must be observed and what data volumes are involved?
  2. Once detailed planning and the subsequent negotiation of the agreements have been completed, implementation can start. The purchased hardware and software is installed. The SOC staff undergo initial training. The processes for remedying risks are defined. A risk workflow/ticket system is implemented. Trial operation is initiated and the first results are analysed.
  3. Subsequently, regular operation starts. The automatically generated results are analysed by experts, who condense the important items of information into actual alerts, cooperate with other departments to remedy risks and are responsible for the final check of the measures taken. The experts' know-how must be up to date at all times: ongoing further training on the cyber threat landscape, new methods of attack, and new product features and releases is indispensable.

Operate your own SOC or use “SOC as a Service”

Establishing an in-house SOC is especially recommended for very large companies and public institutions. An alternative is “SOC as a Service”, i.e. commissioning an external service provider who delivers the complete system and ensures fast results. In addition to strategic considerations, it is mostly the costs that decide between the two ways of establishing a SOC.

Two examples

Starting point

The “NIDS” risk detection module reports web page access attempts that are suspected of being initiated by malware.

Condensing of information

The access operation (network traffic, PCAP) is analysed in detail, along with the web page criticality. The firewall and proxy log data of the relevant IT system are taken into account.

Starting point

The “SIEM” risk detection module reports an unusually high number of firewall deny messages generated by outbound Internet connections.

Condensing of information

The affected IT system is analysed with regard to its data traffic and behaviour. Its download behaviour and antivirus messages are examined. The result of the most recent vulnerability analysis is considered. Further analysis of the end device (terminal) is initiated in conjunction with Operational IT.
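The "condensing of information" step in both examples above, as an added example that is not part of the original page: a small enrichment routine that takes an alert from a detection module (NIDS or SIEM), pulls context for the affected host from a threat intelligence feed, the proxy log, the firewall log, antivirus messages and the last vulnerability scan, and turns the combined evidence into a scored incident record. Every data source below is a constructed in-memory sample, and the scoring weights and decision thresholds are illustrative assumptions, not a product's rules.

```python
"""Contextualise detection-module alerts into incidents (added example).

All context sources are constructed samples keyed by host IP; the weights in
contextualise() and the cut-offs in classify() are assumptions for illustration.
"""
from urllib.parse import urlparse

# --- Constructed context sources (not real data) ---------------------------
THREAT_INTEL = {                       # domain -> reputation from a TI feed
    "malware-c2.invalid": "malicious",
    "cdn.example.com": "benign",
}
PROXY_LOG = {                          # host -> requests recorded by the web proxy
    "10.1.2.33": [{"url": "http://malware-c2.invalid/gate.php", "status": 200}],
    "10.1.2.50": [{"url": "http://files.example.org/tool.exe", "status": 200}],
    "10.1.2.77": [{"url": "https://cdn.example.com/app.js", "status": 200}],
}
FIREWALL_DENIES = {"10.1.2.33": 3, "10.1.2.50": 40}        # outbound denies, last 24h
AV_EVENTS = {"10.1.2.33": ["Trojan.GenericKD detected in C:\\Users\\Public\\x.dll"]}
VULN_SCAN = {"10.1.2.33": {"critical": 2}, "10.1.2.50": {"critical": 0},
             "10.1.2.77": {"critical": 0}}                  # most recent scan result
KNOWN_SOFTWARE_SOURCES = {"updates.example.net"}            # allowlisted download domains

# Constructed alerts as the detection modules would hand them over
SAMPLE_ALERTS = [
    {"module": "NIDS", "host": "10.1.2.33", "url": "http://malware-c2.invalid/gate.php"},
    {"module": "SIEM", "host": "10.1.2.50"},                # unusually many firewall denies
    {"module": "NIDS", "host": "10.1.2.77", "url": "https://cdn.example.com/app.js"},
]


def domain_of(url):
    return urlparse(url).hostname or ""


def classify(score):
    """Map the evidence score to the SOC's decision (thresholds are assumptions)."""
    if score >= 5:
        return "incident"          # alert the responsible persons now
    if score >= 3:
        return "analyst review"    # hand over to a human for deeper analysis
    return "informational"         # record in the knowledge base, no escalation


def contextualise(alert):
    """Combine one alert with every available source and return an incident record."""
    host = alert["host"]
    score, evidence = 0, []

    # 1. Threat intelligence on the web page the module flagged (web page criticality)
    flagged = domain_of(alert.get("url", ""))
    if THREAT_INTEL.get(flagged) == "malicious":
        score += 3
        evidence.append(f"threat intelligence rates {flagged} as malicious")

    # 2. Proxy log: did the access succeed, and were executables downloaded?
    for req in PROXY_LOG.get(host, []):
        dom = domain_of(req["url"])
        if THREAT_INTEL.get(dom) == "malicious" and req["status"] == 200:
            score += 2
            evidence.append(f"proxy confirms a successful request to {dom}")
        if req["url"].lower().endswith(".exe") and dom not in KNOWN_SOFTWARE_SOURCES:
            score += 1
            evidence.append(f"executable downloaded from non-allowlisted {dom}")

    # 3. Firewall log: repeated outbound denies suggest beaconing or scanning
    denies = FIREWALL_DENIES.get(host, 0)
    if denies >= 10:
        score += 2
        evidence.append(f"{denies} outbound denies in the last 24h")
    elif denies > 0:
        score += 1
        evidence.append(f"{denies} outbound denies in the last 24h")

    # 4. Antivirus messages on the same host corroborate the network signal
    if AV_EVENTS.get(host):
        score += 2
        evidence.append("antivirus detection: " + AV_EVENTS[host][0])

    # 5. Most recent vulnerability analysis: open critical findings raise the stakes
    crit = VULN_SCAN.get(host, {}).get("critical", 0)
    if crit:
        score += 1
        evidence.append(f"{crit} critical vulnerabilities still open")

    return {"host": host, "module": alert["module"], "score": score,
            "decision": classify(score), "evidence": evidence}


def triage(alerts):
    return [contextualise(a) for a in alerts]


if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        print(f"{inc['module']:4} {inc['host']:10} score={inc['score']:2} -> {inc['decision']}")
        for line in inc["evidence"]:
            print("    -", line)
```

With the constructed data, the first NIDS alert becomes an incident (malicious destination confirmed by the proxy, antivirus hit and open critical vulnerabilities on the same host), the SIEM alert is handed to an analyst (many denies plus an executable download from an unknown source, matching "further analysis of the end device is initiated"), and the third alert is filtered out as informational because no source corroborates it. That is the condensing step in miniature: the decision is reached from the combination of sources, never from the single warning alone.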

A cost calculation example

A company has 5,000 employees; in terms of the factors relevant for a SOC, this means roughly 5,000 IP addresses and 5,000 events per second (EPS).

Building your own SOC

Based on our experience, establishing an in-house SOC in this context takes 9 to 12 months. During this phase, it is mainly internal human resources, the technology to be purchased, external consulting services and the training of SOC staff that need to be budgeted. From the second year on, costs consist mainly of licence fees for using the technology and of the SOC staff.

Description | Purchasing costs | Annual costs
Technology – RadarServices Cyber Security Detection Platform | EUR 300,000 | EUR 60,000
Threat intelligence | – | EUR 10,000
Consulting (external) | – | EUR 20,000
Personnel (internally operated SOC / minimum scenario 5*12; 4 employees) | – | EUR 320,000
TOTAL – In-house SOC operated based on the RadarServices Cyber Security Detection Platform | EUR 300,000 | EUR 410,000

In this scenario, the financial outlay would be EUR 710,000 for the first year and EUR 410,000 for the second.

Besides the costs: you need time!

“A fool with a tool is still a fool” is a saying particularly worth bearing in mind when thinking about security, so as not to create a false sense of security. The key factors for success include time (as a resource) and a proper focus on SOC set-up and operation. In the end, everything must work like clockwork when the worst comes to the worst.

Compared to SOC as a Service

External service providers usually bring along all the necessary tools and experts as well as established processes, which together cover SOC operation completely. Customers choose the required risk detection modules and the intervals at which experts become active; in this example, we assume that analyses are performed daily.

As a rule, there are no purchasing costs, but a “set-up fee” that covers all initial expenses. The work of the external SOC is demonstrated in a trial phase (Proof of Concept, POC).

Description | Purchasing costs | Annual costs
POC (Proof of Concept, 3 months) | EUR 30,000 | –
Set-up fee | EUR 70,000 | –
Annual service fee | – | EUR 190,000
TOTAL – SOC as a Service | EUR 100,000 | EUR 190,000

In this scenario, the financial outlay for the first year would be EUR 290,000 if a daily interval is selected for the experts' analysis work, and the anticipated costs for the second year would be EUR 190,000 at the same interval. The prices include the costs of experts, maintenance and threat intelligence but do not include any potential consulting expenses.