Building Your SOC Need Not Be a Zero-Sum Game

As your organization builds out parts of your security operations, don’t forget that cyber security thrives on collaboration

When it comes to cyber security war stories, file this one under the heading: “Don’t Try This at Home.”

I once worked with a client who was convinced they could save a lot of money by building their own security operations center (SOC) without any more help from us or, for that matter, any other security vendor.

They wound up investing an enormous amount of money to ramp up their security operations capabilities. They purchased intelligence feeds while staffing up and acquired all the latest tools to be sure they could cover every contingency.

On paper, it looked awesome! In practice, it was a disaster. Not only had the system grown too complicated to run, it failed miserably when it came to achieving what they were solving for: protecting the organization’s crown jewels from attack.

But there was a happy ending.

After years of investment and effort with scattershot returns, the client’s leadership realized a change was needed. They asked Symantec to help rationalize their processes and reallocate their people while peeling back the pieces of their environment that didn't deliver the level of cyber security that they expected or needed. In the end, the client saved money and became more secure. This was by no means an easy task and credit goes to those people in charge for having the gravitas to make the tough decisions and course correct.

Forget the Extremes

It’s not a unique story. As you might guess, many organizations want to outsource everything, including risk management and decision making, while others don’t trust anyone but themselves to do everything.

Neither extreme is appealing.

The question is how far to go, and in what direction? Working through this problem is a valuable intellectual exercise that forces leaders to ask the tough security and risk management questions. The process also clarifies the issues to think through in order to allocate and organize resources, defensively and offensively, to secure your organization at the right price. Having faced this problem as a CSO and worked through it with countless security chiefs, I find it best to frame this as a division-of-labor problem.

A top-flight Managed Security Services Provider (MSSP) will always be more capable when it comes to detection and response than almost any DIY organization for at least three reasons: 

  1. Analytics backed by intelligence – At Symantec, we detect over 40% more than “eyes on glass” monitoring alone
  2. No company or industry blinders – An MSSP analyst’s range of daily experience and interaction allows insight into patterns that a more narrowly focused “inside” analyst will miss
  3. Time and talent acquisition are on our side – MSSPs have the capacity to work around the clock cost-effectively and, because their analysts ‘see’ more attacks than any one organization, they naturally attract the best analysts, who share a common trait: the drive to learn. A safe journey requires an experienced guide, whether it’s the basics of monitoring and detection or the most advanced Managed Endpoint Detection and Response and Incident Response solutions.

Avoiding Potential Pitfalls

I often tell my team that when I was a CSO running my company’s SOC, I never, ever had to pay for lunch.

Why, you ask? There was always a sales person from yet another security vendor standing at the front door, waiting to take me out for a meal if only I would listen to their pitch.

Some of the people who walked through my door were indeed very good. Others were only interested in getting my signature on the dotted line.

Here’s where a trusted partner can play a critical role. A common mistake of the “Go it Alone” crowd is the failure to find a partner they can depend on to provide thoughtful, useful perspectives and help them create a well-balanced SOC organization. Good leaders should be ready to vet options and ask searching questions such as, “Is my endpoint protection sufficient?” or “Should I deploy my scarce resources on detection or response and at the first basic tier or most sophisticated levels?”

On top of that, a good partner can address how you shape your process and policies. For instance, what’s required from a compliance perspective? How should your SOC be integrated into the intelligence process of your organization so that you can start to play offense as opposed to remaining on your haunches just playing defense? You’re not going to get that feedback from someone only looking to make a quick buck by convincing you to buy their latest product.

That’s why you’re going to need a partner, perhaps even more than one, to ensure that the different pieces of your operation work together. Now, with no malice toward consultants generally, you should expect a trusted security partner not to bill you “by the answer”, but rather to include their insight as part of the service.

As an example, Symantec MSS’s dedicated onboarding squad will work with customers throughout the life of the relationship, because after the initial onboarding, upgrades, version changes, and acquisitions result in continuous onboarding and tuning. You’re constantly facing new challenges. You’ll need a partner to help you adapt, adjust, and overcome because stuff happens. It’s all part of an ongoing relationship in which your partner is sure to understand what you are solving for. And while the answers vary from company to company, Symantec leverages our global experience to help our clients avoid the familiar and unfamiliar traps. Above all, erase the lines of “us” and “them” to the extent that we’re viewed as an extension of our customer’s team.

Your SOC is going to be different than the one down the street but in the end, it will be all about the fundamentals - being able to prevent, detect and respond. The best way to get there is to make sure that someone’s got your back because when all’s said and done, you can’t avoid the ultimate truth that cyber security remains a team sport.

For the 15th time running, Symantec has been named a Leader in the 2019 Gartner Magic Quadrant for Managed Security Services, Worldwide. Symantec’s MSS can transform an organization’s security program through its integrated services portfolio powered by industry-leading threat intelligence, advanced 24x7 monitoring, incident response and the unequaled human expertise of our global SOC analyst team.

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. The report was renamed to “Magic Quadrant for Managed Security Services, Worldwide” in 2014 from “Magic Quadrant for Global MSSPs”. It was also known as “Magic Quadrant for MSSPs, North America” from 2005-2012.

About the Author

John Lionato

Vice President, Global Operations, Symantec Cyber Security Services

John Lionato runs the global operations and delivery for Cyber Security Services, including six Security Operation Centers around the world as well as Managed Security Services, DeepSight Adversary Intelligence and Incident Response businesses.