The cloud-native platform for centralized log management
Analytics, visualizations, and workflows purpose built for practitioners
Leading firms gaining more value from their machine data
Any source, any velocity – centralize logs, metrics, and traces for full visibility.
Close the gap between detection and response with an analyst-focused, cloud-native approach.
Understand complex environments with visual analysis and KPIs that matter most.
The most recent articles & research from Devo
Building an in-house SOC represents a significant commitment, both financially and strategically, to securing your enterprise. In a report from the Ponemon Institute—based on a survey sponsored by Devo of more than 500 IT and security practitioners—67 percent of respondents said their SOC was “very important” or “essential” to their organization’s overall cybersecurity strategy. Developing a complete and clear understanding of the key security operations center roles, responsibilities and disciplines is an essential foundation for building an effective SOC that will be an asset to the security of your business.
Let’s start by answering the question “what is a SOC?” According to the Ponemon report, a SOC is “a team of expert individuals and the facility in which they work to prevent, detect, analyze and respond to cybersecurity incidents.” For a SOC to be successful requires “support from the organization’s senior leaders, investment in the right technologies, and the ability to hire and retain a highly skilled and motivated team.”
Most survey respondents said their CISO or CIO typically leads SOC operations. However, 19 percent say no single function has clear authority and accountability for the SOC. In these organizations, it can be much more difficult to make important decisions about SOC operations and how to improve performance.
When determining the reporting structure for your SOC, it is critical to select a leader who can:
What are the primary tasks performed by SOC team members? The top three activities, according to the survey results, are implementing technologies, patching vulnerabilities, and investigating threats. SOC team members are typically less involved in setting priorities or determining strategy. The following table shows nine of the most common SOC tasks.
Most respondents say their SOCs (52 percent) provide 24/7/365 monitoring and management support, despite the stress this workload places on employees. Only 23 percent of respondents take a more flexible approach with their SOCs.
Take the time to clearly lay out roles and responsibilities for the SOC team. Working in a SOC is a tough job, especially for the analysts who do the heavy lifting of identifying, hunting and investigating threats. Be sure team members know who is responsible for key activities and establish an open communication channel for feedback, questions and suggestions for improvements.
There is no shortage of technologies, tools, and services at the disposal of the modern SOC. Selecting the ones that are the best fit for your maturity and objectives are critical. Using the insights provided by respondents to the Ponemon survey, below are the key recommendations to consider when your organization is ready to establish a SOC:
The average annual cybersecurity budget for organizations surveyed is $26 million. As shown in the following chart, only four percent of respondents say more than 50 percent of the cybersecurity budget will be allocated to their SOC. The average allocation is 30 percent of the total cybersecurity budget.
It’s not realistic to spend most of your cybersecurity budget on establishing and operating a SOC, but it’s not the place to pinch pennies, either. To be effective, SOCs require people, technology and other assets, all of which cost money. Building a SOC is a major commitment—financially and in terms of time and effort—for any business. That’s why business alignment on SOC objectives, budget usage, and performance measurement are so critical for ensuring strong business alignment moving forward. Make a plan and get buy-in from all involved groups and executive leaders. The goal is to achieve overall cybersecurity effectiveness. Make sure the SOC has the resources it needs to do its part.
For additional resources on developing an effective security operations center, read our post on SOC best practices and the full research report from The Ponemon Institute.
The next post in this series will examine options for outsourcing SOC operations for organizations considering that approach.
Sign up to stay informed with the latest updates from Devo.