This is the third and final blog in my series on the 3C’s (Coverage, Context, and Cost) required for creating and maintaining a sustainable security infrastructure. In the first part, I reviewed the steps you need to take in order to ensure adequate visibility into your IT environment—determining how much basic sensor coverage is necessary, and how many additional data sources you’ll want to monitor to maximize your chances of detecting attackers. In part 2, I took a deep dive into alert context, discussing the types of additional information analysts must consider when making decisions about whether or not to act upon any particular alert.
Today’s topic is cost. How can resource-constrained security teams see to it that their analysts’ limited time and attention are spent in the ways that are most likely to generate value and results?
No enterprise-scale security program can operate without human monitoring. Simply put, your organization’s security team members—along with the highly specialized knowledge and experience they have—are your most valuable resource. But hiring and retaining top talent isn’t cheap. Nor is building the physical infrastructure to house them.
How can you limit your business’s exposure to IT security risks cost-effectively? Would it make sense to establish a dedicated Security Operations Center (SOC) in-house? Can these capabilities be outsourced successfully? Is there an automated solution teams can use without adding headcount? Let’s take a look at the options.
The Internal SOC Model
Large organizations with highly complex infrastructures requiring continuous, centralized monitoring—especially of highly customized technologies—often feel they have no other option. They must build and run their own dedicated SOC. The costs of creating and maintaining such a facility vary wildly, depending on the coverage, detection and triage capabilities, software and hardware, and physical or virtual facilities you choose.
At a bare minimum, you’d need a team of 12 analysts to maintain 24/7 coverage. On average, a full-time information security analyst earns an annual salary of $95,510, according to the US Bureau of Labor Statistics. And many SOC analysts don’t stay in their jobs for long. The average retention period for a junior analyst is a mere 12 to 18 months. This means that you’ll need to budget for recurring recruitment and training costs—no small expense in a field known for a growing skills gap and near-zero unemployment.
To learn more about how to retain SOC analysts—and keep them motivated to perform at their best, read our Voice of the Analyst Study.
Naturally, the cost of owning a dedicated in-house SOC extends beyond salaries, benefits and other personnel expenses, and beyond the initial infrastructure build and purchase costs. Monitoring software is either delivered as a service or must be regularly upgraded, threat intelligence feeds are subscription-based, and a SIEM requires ongoing maintenance, content updates and rule tuning to keep the alert volume manageable.
Estimates of the total recurring cost of maintaining an in-house SOC range from $1.42 million to $6.25 million.
In an attempt to obtain some of the benefits of a dedicated SOC without incurring costs that are within reach only for the largest enterprises—or those with the deepest pockets—numerous businesses today are turning to hybrid or shared SOC operational models. With this setup, your SOC is monitored by dedicated or semi-dedicated employees on a part-time basis. It’s common for internal staff to oversee SOC operations 8 hours a day, 5 days per week, with responsibilities offloaded to an external provider at other times.
Of course, cybercrime doesn’t sleep, and attackers aren’t bound by time zones, nations or continents. If anything, they’re more likely to attempt noisy activity such as brute-force attacks outside of business hours, when any alerts generated are less likely to attract notice. Handoff time—when monitoring responsibility shifts from internal staff to the outside provider—is one of your network’s most vulnerable moments: an alert that fires during the transition can go unowned unless the handoff procedure explicitly passes open cases and in-progress investigations to the incoming team.
Another option is to have the external service provider assume a subset of responsibilities at all times, while others are handled in-house. When the provider’s monitoring relies on generic detection content that has not been tuned to your environment, however, the false-positive rate is likely to be higher. Triaging alerts generated by multiple sources with different decision-making criteria can become complicated and confusing, too, since an alert the provider rates as low severity may be high severity in the context of your own asset inventory.
Although the costs associated with the hybrid operational model are lower than those of a dedicated in-house SOC, they remain considerable. Cost estimates vary, but long-term investments in hardware, infrastructure, and talent are still significant.
You can find more information about the costs and benefits associated with different SOC operational models in the recent Gartner report, “Selecting the Right SOC for Your Organization.”
The MSSP Outsourced Model
Increasingly, Managed Security Service Providers (MSSPs) are offering fully outsourced security monitoring as an alternative. In this resource-sharing approach, small to mid-sized companies are promised access to enterprise-grade SOC capabilities because the MSSP’s human analysts and its infrastructure and maintenance costs are spread across the provider’s entire customer base.
This service model has inherent limitations. Many MSSPs struggle with the same challenges faced by large enterprises that have decided to build an internal SOC. Highly skilled analysts are hard to find, salaries can be prohibitively high, and once on the job, they must monitor more tickets and events than they have time for. This problem is particularly acute for MSSPs, whose employees must split their attention between multiple client companies’ systems.
MSSPs cannot serve every type of business. If yours needs a significant amount of customization or control over your security monitoring processes, perhaps due to regulatory compliance requirements, an MSSP may not be able to provide this.
MSSPs usually follow standardized workflows and deploy the same platforms and solutions for multiple customers. Because the MSSP decides which software and hardware they support, it’s possible that their selections will be incompatible with your current systems, requiring you to take a “rip and replace” approach to tools for which you’ve already paid.
Giving an outside provider access to your most sensitive data and systems requires a great deal of trust. No matter how strong your relationship with your MSSP, their employees will never understand your business culture or industry as deeply as your own staff. And they won’t be able to amass as much contextual information about each alert generated by your system as an in-house expert could, either.
Ultimately, MSSPs struggle to live up to their promise of providing robust security services at an affordable price. Costs are traditionally tied to the number of devices in a specific service offering (endpoints for anti-malware or network IDS sensors for network security monitoring). The costs of full security monitoring capabilities can quickly add up. Clients often end up feeling “nickel and dimed” when they need additional incremental services or customization.
Now, there’s another alternative.
Enter Decision Automation Software
Gaining in popularity among security teams is “decision automation” software–software that automates the monitoring and triage process with astonishing accuracy. Decision automation software can monitor 100% of your sensor data for about a third of the cost of outsourcing to an MSSP.
With human analysts in short supply, and their salaries remaining the number one driver of IT security costs, you can rely on a more cost-effective automated solution to perform continuous network monitoring and alert analysis tasks. Decision automation software is able to attend to all your sensor data—for 100% coverage—without needing to take breaks and without bias.
Decision automation can readily cover a broad array of network and endpoint sensors, along with augmented data sources. It can collect rich and relevant contextual information for each alert generated by the system, ensuring that analysis is thorough as well as consistent. And it can do so for a small fraction of the cost of even a junior-level SOC analyst. By utilizing decision automation software, you free up your most valuable resource—humans—to use their intelligence and insights creatively.
Adding decision automation to your security operations team will enable human analysts to play the role of full-fledged detectives, rather than small-time “mall cops.” It lets them keep their focus where it belongs—on the bigger picture—and train their attention on high-value tasks, instead of monitoring a screen all day.
If you’d like to see for yourself how low-cost, high-value decision automation software can help protect your organization against cyber attacks, request a demo of the Respond Analyst today.
Tim Wenzlau is a Product Manager at Respond Software. He is focused on adding skills to the Respond Analyst, continuously improving the Respond Analyst’s intelligence, visibility, awareness, and user experience. Prior to Respond Software, Tim managed and launched a user behavior product and held various roles in corporate development, strategy, and business operations. Tim holds a degree in Operations Research and Financial Engineering from Princeton University.