With cybercrime on the rise, many companies are looking to build internal SOC teams, or are outsourcing to SOC-as-a-service providers, to keep their organisations secure. But what is the true cost of building a SOC team internally, and is it worth it compared with paying a managed service provider (MSP)? In today’s Hakubi blog, we’re going to delve into all things cost and value when building a SOC.
Understanding Security Operations Centers (SOCs)
A Security Operations Center is a key team within many large organisations, whose sole objective is to keep the organization secure. Typically reporting to a CISO, CSO, or another C-level executive, the SOC should be an all-in-one security powerhouse within the organization.
Ideally, a SOC should have access to all the relevant tools and staff, and should understand the network and infrastructure better than anyone. It should also have the authority to maintain and uphold security to the best of its abilities.
A SOC typically consists of the following roles, although the exact make-up varies from business to business:
- A SOC Team Leader (SOC Manager) – To lead and manage the team.
- 2-4 Senior SOC Analysts – Who act as the point of contact and escalation for standard SOC analysts.
- 1-2 SOC Engineers – To ensure the tooling is working as intended around the clock.
- 4-6 SOC Analysts – Who do most of the triage and analysis.
Typically, a SOC also has various tools and systems to improve its detection capability and let automation take a lot of the pressure off the analysts. These include:
- A SIEM tool (such as QRadar, Microsoft Sentinel, or Splunk).
- A SOAR tool (such as CP4S, Azure Automation, or Rapid7).
- NGAV (Next-Gen Anti-Virus, such as Microsoft Defender or Sophos Intercept X).
- Advanced Firewalls (to capture packets and network events).
The above would help a SOC be completely self-sufficient, running a 24×7 shift to protect the business. Depending on the size of the team and organization, this may also extend further into intelligence leads, compliance leads, and developers.
Why Should Your Business Consider Building a SOC?
SOCs are a major step towards bettering your cybersecurity. A SOC is not only a place for your staff to ask questions and report incidents or suspicious activity, but it also allows analysts to pick up on the most suspicious or unknown threats that could be occurring within your organization right now.
A SOC isn’t only a reactive measure to security threats; it can also be proactive, allowing you to remediate or mitigate attacks well before they happen, or could happen. The value of a well-designed SOC can spare your business both damage and financial loss.
Although the cost of building a SOC is often a heart-wrenching number for most organizations, keep in mind that even if an attack never occurs, your SOC is your means to detect, stop, and prevent an attack of any level that could be detrimental to your organization.
Key Components of a Successful Security Operations Center
Building a successful SOC is determined by several elements, namely those that you’re putting money into. Below are just some of the key components that you need to get right to have a successful SOC.
- Your staff must be capable and knowledgeable. Having SOC analysts and team members who can be accurate and relied upon to detect, analyse, and remediate/resolve your security woes is paramount to having a successful SOC.
- If your tooling isn’t right, your staff won’t be able to do their jobs properly, and that could leave you exposed to risk. This doesn’t mean you need to go out and buy the most expensive SIEM tools, but do some research and gather feedback before making a purchase.
- Training and Education: ensuring that both your internal SOC staff and the wider organization are taught about common security threats and are kept up to date with emerging cyber threats (via threat intelligence) is another key component that all SOCs should be delivering.
- A SOC needs to be completely self-sufficient. This means full access to everything it may need. Not only this, but the SOC should also have the authority to block connections to or from devices, files, and so on, without being overruled.
Factors Affecting the Cost of Building a SOC
Several factors affect the cost of building your SOC. We list the main ones below, although other factors may apply.
After the pandemic, many people started working from home, and tech-based jobs were among the most common WFH jobs around. Cybersecurity analysts were no exception: if you can work from home, why wouldn’t you?
When we speak about location as a cost factor, we mean that maintaining an office costs money, and having staff commute to the office may cost you more. We also mean the location of your tools, i.e. in the cloud or on-premises. All of these factor into your final figure for building a SOC.
Arguably the biggest cost of a SOC team is staffing. The average salary for someone working in a cybersecurity career is just under $120,000 (£100,000), but this depends greatly on location and, of course, the organization. If we take into account what we could consider the “bare minimum” of staff – a SOC manager, a single senior analyst and three base analysts – this number could reach $350,000 – $500,000 a year.
This is usually the reason many organizations, even large ones, outsource to a third party that can provide a SOC service for much less than this staffing figure alone.
Another item that may not be as costly as staff, but still takes a big portion of the budget, is tooling. SIEM tools, SOAR tools, and other security products used by a SOC team can range from $10,000 up to $250,000 for the top-range, all-feature tools. This is often a yearly cost too, and depending on where the tools are hosted and used, it could increase further.
Size of your Organization
Although this may not matter too much, a larger organization may mean you need to spend a little more to get a capable SOC. This includes log ingestion, scaling (i.e. storage and redundancy for the tools), and analyst workload. The bigger your organization (by users, endpoints, and network devices), the higher your final cost.
Estimating the Cost to Build a Security Operations Center
To estimate the cost of your security operations centre, there are a few calculators available, but below is a formula you can use to get a very rough figure for building your SOC. Please keep in mind that this is an average and will depend greatly on your requirements.
Tips for Building a Cost-Effective Security Operations Center
Building a cost-effective SOC may be the difference between standing up your own SOC and outsourcing it to a third party. Although there really should be no shortcuts with security, there are some cost-effective strategies that will help you build a cost-efficient SOC.
Although I am a strong believer in giving people a good work-life balance, having your analysts carry one or two extra responsibilities won’t be too bad and will help them long-term in their careers. This may mean that your senior analysts double up as CSIRT members when needed, or have the knowledge to onboard new devices and assets.
It may also be that your senior analysts do the triage and analysis on alerts themselves. This has been seen before and is becoming more common, as it can halve your staffing. The downside is that your staff might become overworked, in which case you need to hire more people.
Professional Services/Contractor Setups
Something I’ve experienced before is that setting up SIEM tools, SOAR tools, or other security tools can be time-consuming and will ultimately cost a business owner money. Whilst it might seem counter-productive, hiring a contractor or professional services to create and stand up your tools can be a great cost saver if you don’t have the resources for it internally.
A lot of the security tools I’ve used in the past come as part of a wider suite. Take Microsoft, for example: they have Office, Azure/Microsoft Sentinel, and Defender, and licensing all of these together does have cost perks. The same is true for IBM with QRadar and Cloud Pak for Security, which can come with licensing discounts. If you already use one technology stack primarily, building on it will typically give you a more cost-effective SOC.
SOAR (Security Orchestration, Automation and Response) tools, when set up correctly, can be a massive weight off your shoulders both financially and staffing-wise. Although the upfront cost is big, implementing SOAR successfully brings an incredible number of benefits, including faster response, automated response, and possibly a considerable reduction in your staffing needs. It can also help you run a 24×7 SOC without having eyes on screens 24 hours a day.
Is Building a Security Operations Center Worth the Cost for Your Business?
In all honesty, and knowing this first-hand: unless your company has enough revenue to support what would be around 6-8 new employees at fairly average salaries, an internal SOC may be out of the question for you. Whilst there are MSPs (managed service providers) who can do all of this for you for a fraction of the cost, many small to medium-sized organizations fail to use a SOC at all.
So, all in all, unless your organization has the funding to stand up a SOC team with all the required tooling, there is a slim chance that it’s worth it for your business. Remember though: no matter what, security should be a top priority for your organization, and it can be achieved without a SOC.