Over the past few months, I have had a few conversations with different cybersecurity leaders who are thinking of, or are in the process of, building out their own security operations team to deal with threats.
The first thing that always comes to mind is why a company would build its own security operations center. It may sound nice, but do you fully understand what that entails? In these discussions, what usually motivated the decision was a lack of insight into the risks involved and how to mitigate them.
To run a good security operations center, not only do you need a team of about 8-12 people, but you also need a team that continuously creates detection content and stays up to date on the ever-changing tactics, techniques, and procedures. You would effectively need to re-create coverage of the MITRE ATT&CK framework using your own custom toolset.
Let’s jump in.
Reason #1 – You need a staff of about 8 to 12 people for 24×7 shift coverage, so that’s quite a bit of investment on your organization’s part, in human capital as much as in financial capital. When someone leaves the organization, do you have the resources to rehire and get somebody else onto the team? What is the impact of rehiring? SOC burnout is real.
Reason #2 – As your organization changes and you adopt new products or solutions, do you have the expertise to integrate them? Do you have the skill capacity to build out custom rulesets across all of those integrations, and are you doing it correctly?
Reason #3 – Will you be able to keep up with the ever-growing list of cyber threats and behaviors? Will you be able to backport existing TTPs into your SOC? It takes a lot of time and skill to develop detections for the latest TTPs, IOCs, and new behaviors and to stay up to date with them. Building this out yourself can be a significant risk to the organization.
In my view, partnering with a great SOC provider can be a much better experience: it reduces risk and ensures that asset telemetry is enriched with other intelligence information into a decision point you can act on. You will always need to build out some custom rules and watchlists, but let that be the smaller set rather than the larger one. You should include periodic/continuous security validation as part of your strategy as well.
What is your experience? Let me know in the comments below.
- What do you think?
- Have you had good experiences building out your own SOC, or did you end up partnering with specialist organizations?
- If you could do it again, would you?
Notice: This post was not sponsored by any organization.