
The other day I was talking with a service provider (MSSP) who has experience with operating SOC (security operations centre) 24x7. Their price was rather steep (in the millions range). I don't understand why it would be so steep. My impression of a SOC is:

  1. getting a log collector such as HP ArcSight
  2. implement IDS at different locations, e.g. Snort, which is low cost.
  3. forward the logs from these IDS (and other devices) to ArcSight
  4. Let ArcSight do the magic of correlating events.
  5. 2-3 analysts on the ArcSight console monitoring 24x7 (on shifts) and doing incident response. This I could probably do in-sourcing as I don't have the staff to do this. The console could use VMware or some other virtual technology, thus I save on the hardware cost?

With the above, I don't think my SOC would cost in the millions. Or is setting up a SOC really not that simple?

Disadvantages I can think of when using MSSP:

  1. Lack of resources to monitor full time as MSSP may use shared resources for different clients
  2. Slow response to incidents?
  3. Could not customize the way I want to run the show

What are your thoughts on engaging an MSSP? What other things do I need to consider if I wish to set up my own low-cost SOC?

schroeder
dorothy
  • Your list of activities for a SOC isn't really a SOC: you've only described log analysis. Have you read something like this: https://www.defcon.org/images/defcon-18/dc-18-presentations/Pyorre/DEFCON-18-Pyorre-Building-Security-Operations-Center.pdf – schroeder Feb 05 '15 at 18:17
  • Hi schroeder, yes I have gone through the slides you referred to. I have even seen the video presentation on YouTube. And the title is "for little or no money". The IDS are low cost if we use Snort. The events, reporting and correlation can be done using things like ArcSight, which is expensive but won't be in the millions. The rest is to engage staff for incident response and analysis on 24x7. I think such a setup should not be that exorbitant. – dorothy Feb 06 '15 at 01:38
  • Incident response, in my opinion as a SOC architect, is where the cost resides. If all you are looking for is 24x7 log analysts who send alerts when anomalies are found, then yes, you can do that for lower cost, but once you need experts handling Incidents 24x7, then your costs skyrocket. Add in the 3rd party's certification (SOC, ISO, FEDRAMP, etc.) and "millions" is not out of the question. – schroeder Feb 06 '15 at 01:52

2 Answers


A tool like HP ArcSight can be customized very deeply, and just writing the right use cases and rules to correlate relevant events and alert on meaningful incidents is super hard. Many organizations fail miserably implementing ArcSight.

Just getting raw logs through connectors to logger and then to ESM, and then writing use cases is a project that depending on the size and bandwidth of your network can cost from $100K to $3M.

But once it is up and running, part of the SOC daily routine is to look into the alerts and tune the tool to avoid too many false positives; it involves revising the rules and use cases. For the first six months, if you do not have the right resources, you may only see a red dashboard full of alerts and not know which ones to pay attention to.

When an incident happens, a world-class SOC has a well-defined triage, investigation, and escalation process to handle it, with at least 2 tiers of analysts. A 24x7 SOC should respond in near real time and take appropriate actions against the attacks that were detected.

Usually, these tiers are security experts, which are expensive, and rotating in shifts makes it even more expensive. The service must be reliable, which requires lots of redundancy. They also should do the threat intelligence gathering and research on new trends in cyber attacks for you. This expertise is rare and expensive.

But just $1M per year for SOC is not reasonable. If you go to big players, because they use the economy of scale, they may offer a better deal.

Goli E

I wish setting up a SOC was that simple. I have experience setting up an MSSP where we provided SOC as a Service to numerous clients and helped some of the clients to set up their own SOC.

The questions you are asking look great but they are mostly covering just the technical part of the SOC setup. Secondly, it is going to take lots of patience and time to build something mature. I understand your concern about setting up a low-cost SOC but the quality will suffer. I mean you can go with OSSIM or ELK for free resources but this will require lots of effort from your team.

Let me share a small list of things I'd be worried about:

Technology:

  1. Deployment itself is a big project.
  2. Integrating log sources with your SIEM (dealing with the infrastructure team is a pain).
  3. Are you getting the right set of logs? Are they of any value?
  4. Are logs properly parsed and digested into the right functions of the SIEM?
  5. Are use cases properly fine-tuned and being triggered?

People:

  1. Do I have the right resources? L1, L2, L3, SIEM Engineer, Content Creator.
  2. Can I retain the resources for the long term?
  3. Can I provide the right training for the resources?
  4. How can I run shifts 24x7 with limited resources? Do I have the right number of resources? They have to go on leaves and who is going to cover them?
  5. SOC Analyst might not be the right person for IR.

Process:

  1. Alert Triage process?
  2. Communication with clients (even inter-company departments)?
  3. Incident Declaration and Response

I don't want to scare you; nothing is impossible, but the right research and questions asked beforehand will save you a lot of trouble.

schroeder
Bilal Ahmad
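Both answers come back to the same three pieces of SIEM work: parsing raw logs into a common schema (Bilal Ahmad's "are logs properly parsed" point), writing a correlation use case that turns events into an incident, and tuning it so the dashboard is not a wall of false positives (Goli E's answer). The Python below is an added illustration of those three steps in miniature; it is not ArcSight's rule language and not code from either answer. The Snort fast-alert lines, the sshd auth.log lines, the local rule SID 1000001, the host-to-IP map and the allowlisted scanner address are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not real logs). Snort "fast" alert format with a
# local rule SID, and OpenSSH auth.log lines; neither format carries a year,
# so the example assumes 2015 (see EVENT_YEAR).
SNORT_ALERTS = """\
02/06-01:10:01.000000  [**] [1:1000001:1] LOCAL SCAN Repeated SSH connection attempts [**] [Priority: 2] {TCP} 10.0.0.5:51000 -> 192.168.1.20:22
02/06-01:10:03.000000  [**] [1:1000001:1] LOCAL SCAN Repeated SSH connection attempts [**] [Priority: 2] {TCP} 10.0.0.5:51001 -> 192.168.1.20:22
02/06-01:10:05.000000  [**] [1:1000001:1] LOCAL SCAN Repeated SSH connection attempts [**] [Priority: 2] {TCP} 10.0.0.5:51002 -> 192.168.1.20:22
02/06-01:11:00.000000  [**] [1:1000001:1] LOCAL SCAN Repeated SSH connection attempts [**] [Priority: 2] {TCP} 10.0.0.9:40000 -> 192.168.1.20:22
02/06-01:11:01.000000  [**] [1:1000001:1] LOCAL SCAN Repeated SSH connection attempts [**] [Priority: 2] {TCP} 10.0.0.9:40001 -> 192.168.1.20:22
02/06-01:11:02.000000  [**] [1:1000001:1] LOCAL SCAN Repeated SSH connection attempts [**] [Priority: 2] {TCP} 10.0.0.9:40002 -> 192.168.1.20:22
"""
AUTH_LOG = """\
Feb  6 01:10:30 web01 sshd[2211]: Accepted password for deploy from 10.0.0.5 port 51010 ssh2
this line is deliberately malformed to show the unparsed counter
Feb  6 01:11:30 web01 sshd[2212]: Accepted publickey for scanner from 10.0.0.9 port 40010 ssh2
"""
EVENT_YEAR = 2015
# Constructed asset inventory: auth.log names the host, the IDS names the IP.
HOSTS = {"web01": "192.168.1.20"}

SNORT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification: [^\]]*\]\s+)?\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)
AUTH_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"sshd\[\d+\]:\s+Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_snort(line):
    """Normalise one Snort fast-alert line; None if it does not parse."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{EVENT_YEAR} {m['date']} {m['time']}", "%Y %m/%d %H:%M:%S")
    return {"ts": ts, "kind": "ids_alert", "src": m["src"], "dst": m["dst"],
            "detail": f"sid {m['sid']}: {m['msg']}"}


def parse_auth(line):
    """Normalise one successful-login auth.log line; None if it does not parse."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{EVENT_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "kind": "auth_success", "src": m["src"],
            "dst": HOSTS.get(m["host"], m["host"]), "detail": f"{m['user']} via {m['method']}"}


def parse_all(snort_text, auth_text):
    """Return (events, unparsed_count); the count is the 'are logs parsed?' check."""
    events, unparsed = [], 0
    for parser, text in ((parse_snort, snort_text), (parse_auth, auth_text)):
        for line in text.splitlines():
            if not line.strip():
                continue
            ev = parser(line)
            if ev is None:
                unparsed += 1
            else:
                events.append(ev)
    return events, unparsed


def correlate(events, window=timedelta(seconds=300), threshold=3, allowlist=frozenset()):
    """Use case: >= threshold IDS alerts from one source against one host,
    followed within `window` by a successful login from that source to that
    host. `allowlist` is the tuning knob: sources (e.g. the authorised
    vulnerability scanner) that would otherwise fire this rule every night."""
    events = sorted(events, key=lambda e: e["ts"])
    incidents = []
    for ev in events:
        if ev["kind"] != "auth_success" or ev["src"] in allowlist:
            continue
        prior = [e for e in events
                 if e["kind"] == "ids_alert" and e["src"] == ev["src"] and e["dst"] == ev["dst"]
                 and ev["ts"] - window <= e["ts"] <= ev["ts"]]
        if len(prior) >= threshold:
            incidents.append({"ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                              "alerts_before_login": len(prior), "login": ev["detail"]})
    return incidents


if __name__ == "__main__":
    evs, bad = parse_all(SNORT_ALERTS, AUTH_LOG)
    print(f"parsed {len(evs)} events, {bad} unparsed line(s)")
    print("untuned:", correlate(evs))
    print("tuned:  ", correlate(evs, allowlist=frozenset({"10.0.0.9"})))
```

Run as-is, the untuned rule raises two incidents, one of which is the scheduled scanner logging in after its own probe traffic; adding that one address to the allowlist leaves the single incident worth an analyst's time. The unparsed counter is the cheap version of the "are the logs actually being digested" question: a parser that silently drops lines is the usual reason a use case that looks fine on paper never triggers.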