Sep 09, 2019 Seeking a SOC: What to Look for In Security Operations Centers
Should you outsource your SOC? As in so many things, the answer depends.
In our most recent Cloud and Cybersecurity research study, we looked at which factors correlated with a cybersecurity organization’s success, as measured by Mean Total Time to Contain (MTTC) security incidents. We divided participants into two groups: a “success group” with an MTTC of 20 minutes or less, and “all others”, with an MTTC of more than 20 minutes. (Median MTTC for all participants was 180 minutes.) Then we looked at which factors correlated more strongly with the success group.
Unsurprisingly, we found that successful cybersecurity organizations were more likely to have a SOC (52% more likely, to be precise). But when we looked at success correlations for outsourcing the SOC versus staffing it internally, things got weird. We found that successful cybersecurity organizations were 25% more likely to staff their SOCs internally, and 58% less likely to outsource. In other words, the data suggested that it’s best to have a SOC, but to staff it internally.
We thought that was strange, considering that most companies struggle with having enough cybersecurity professionals to manage day-to-day security tasks, let alone support the 24X7 operations of a SOC. We hypothesized that larger, more sophisticated companies would find running their own SOCs more effective, but smaller ones would benefit from outsourcing. So we ran the numbers for companies with 2500 employees or fewer, and those with more than 2500 employees.
The result? Exactly as we expected: Larger companies saw a 300 percent improvement in their MTTCs (dropping from 270 to 90 minutes) when managing SOCs internally versus externally.
And smaller companies saw exactly the inverse: their MTTCs dropped from 285 minutes when the SOC was managed internally to 90 minutes when it was outsourced.
Our takeaway: All companies should have SOCs. Smaller companies should outsource; larger companies should keep the operations in house.
So far, so good. But if you are seeking to outsource your SOC, what capabilities should you look for in a provider? And what clauses should your contract include? The most critical is to clarify what you want the provider to do when an incident is detected: simply hand off to you, or take action? If the latter, which actions, and how should they involve you? Which technologies do they provide, and to what degree will they interoperate with your existing solutions? What do their onboarding and offboarding processes look like?
There’s a lot more, more than I can cover in a blog post. So please register for our upcoming Webinar, Seeking a SOC: