The question of how to build and operate a center for monitoring and responding to information security incidents is relevant for many companies. Large organizations, above all operators of critical information infrastructure, have either created their own centers or use the services of specialized providers. Other enterprises are still working out how to properly build their monitoring and incident response processes, what to do in-house, and what to outsource. Let’s look at several approaches to this question. If you want to learn more about security operations centers, as well as SOC 2 Type 2 cost, this article is for you.
What Is SOC?
A SOC is a center for monitoring and responding to information security incidents. The classical SOC is built on the triad of “people, processes, technologies” and is organized into three levels.
Level 1
People: user experience specialist, intrusion detection specialist, hardware maintenance specialist.
Processes: interaction with users, event monitoring, attack and incident detection, blocking attacks and registering incidents, and interaction with other SOCs.
Technologies: endpoint protection, network perimeter protection, and tools for collecting configuration data about information resources.
Level 2
People: security assessor, incident response specialist, incident investigator.
Processes: vulnerability analysis of the information infrastructure, response to computer attacks and incidents, establishing the causes and analyzing the consequences of computer incidents, and interaction with other SOCs.
Technologies: security analysis tools and information security event management tools.
Level 3
People: analyst-methodologist, experts in various fields of activity, lawyer.
Processes: analysis of the information provided by first- and second-level specialists, analysis of security threats, development of threat models, development of recommendations for improving the SOC’s activities, and regulatory support for SOC activities.
Technologies: information security incident response tools, threat detection tools, and computer forensics tools.
Internal And External SOC
It is generally accepted that there are three variants of SOC:
- Internal – all monitoring and incident response processes are carried out by the organization itself (hereinafter referred to as the customer).
- External (outsourcing) – the execution of all processes is transferred to a third-party legal entity, a specialized organization holding the appropriate license (hereinafter referred to as the contractor).
- Hybrid – the customer performs some of the processes on its own and transfers the rest to the contractor.
From the analysis of the SOC structure, it is clear that not all of the processes it implements can be transferred to the contractor. Oversight of the monitoring and response processes should remain with an employee of the customer’s company.
The same applies to interaction with the users of information resources and to legal support of the SOC’s activities. Such functions cannot be fully transferred to a third party.
Thus, outsourcing of all SOC processes does not exist in practice. The customer always chooses between a set of functions performed in-house and a set outsourced to an external organization.
Check out the SOC 2 Type 2 cost for 2023 on the Dworkz website.
Which SOC Processes Should Be Outsourced?
An analysis of the SOC structure shows that the company needs to perform the following functions on its own:
- Management, coordination, and control of the actions of its own employees and the contractor’s employees.
- Interaction with users. No one knows the users better than the company’s own employees, and users trust their own company’s staff far more than outsiders.
- Interaction with other SOCs. It is always better to build relationships with industry peers yourself and to keep track of what information is passed to regulators.
- Regulatory support of activities. Claims handling, as well as support for proceedings arising from the consequences of incidents, can be carried out effectively only by the company’s own lawyers. In addition, most SOC providers do not offer such services.
It is advisable to rely on the contractor for expertise in the various areas related to incident investigation. Such services are better purchased from the SOC provider as needed, since it is not economically viable to keep a staff of highly specialized experts whose expertise is required not daily but only for specific cases.
For example, daily forensic analysis and daily malware analysis are not required under the normal operating conditions of an organization.
As for the remaining SOC processes, the decision to transfer them to the contractor differs from case to case and from customer to customer. In other words, the head of the company’s information security service must weigh the pros and cons of outsourcing each particular function.
Benefits of outsourcing:
- No costs for the ongoing training and professional development of SOC employees, and no staff turnover.
- No need to build processes from scratch. However, the processes will still need to be adapted to the specifics of the customer. In addition, transferring functions inevitably carries the risk of losing them, so the negative aspects of such a decision deserve attention.
Cons of outsourcing:
- Loss of functionality if the contractor’s services are discontinued.
- Difficulty of control. As a rule, the activities of a third-party organization are controlled only to the extent prescribed in the contract. At the same time, it is not always possible to truly track how the contractor actually performs the work. Operational errors, which the customer cannot influence, can lead to adverse consequences.
- It is important to note that the contractor may require technical solutions that collect events from information infrastructure components to be placed on the customer’s premises. The customer will therefore need to make certain investments: either renting a technical solution or implementing its own event monitoring system to which the contractor has access.
Final Thoughts
If you are ready to outsource all SOC operations and focus on business development, we recommend that you find an experienced provider. UnderDefense is a trusted provider of cyber threat prediction and protection services. You can order a managed SOC service, find out the SOC 2 Type 2 cost in 2023, and learn the terms for the other services that matter to you.