You bought a SIEM and are sure the SOC is in your pocket, aren't you?
A month ago I was invited over by an old acquaintance of mine, the information security director of a fairly large company, with the goal, in his words, of "surprising me". I should note that earlier we had discussed the challenges many companies face in the field of cyberthreats and the problems of building a SOC (Security Operations Center).
So begins my story about building a SOC in a company.
With his usual ceremony, the IS director took me to the storeroom of their IT department. There I was shown a pile of boxes of expensive "iron", as well as a printout of the specification. It showed a purchase of licenses from one of the well-known vendors included in the Quadrant for SIEM. The genuine joy on his face said that the problems voiced in our previous conversation had been solved overnight. He later told me that, in addition to this "treasure", money had been agreed for implementing the system, and that three specialists were planned to be hired for this activity. He put particular emphasis on the "three specialists", as if to make clear that he had thoroughly worked the question through and figured everything out. The calculation was in fact relatively sound, but unfortunately not tested empirically.
We sat down and discussed both the structure of the SOC project and the proposed economic model. We tried to evaluate the allocated headcount, the roles and the competencies required to reach the required level of service.
Initially, the idea was to delegate keeping the "iron" running to the IT department, sending its engineers to specialized vendor courses. The first position was then to go to a SIEM application engineer. It was expected that, after training, this person would be able to connect event sources and also "preferably write connectors, if necessary" (direct quotation), and take part in the analysis of simple incidents the rest of the time. The second and third positions were planned for experts who would dissect incidents, write new correlation rules and develop the direction as a whole. This also took into account that there could be many incidents, and that at any moment one of the experts might fall ill or go on vacation.
To the question "What was the forecast: by the number of sources, incidents, the complexity of events and the expected reaction times?", I received a very chaotic answer, then silence and, in conclusion, with sadness in his voice: "Then we'll think of something!"
This case can be called quite typical for companies that have, for one reason or another, realized the need to implement a SOC, but could not comprehensively assess the "magnitude of the disaster".
We are "ripe", we need a SOC
One of the prerequisites for introducing a SOC is that the company has reached a certain level of maturity. That level has already allowed it to close, following the pyramid of needs, the basic things, and to realize that one important component is still missing from the complete picture. Indeed, once the company has put its infrastructure in order (network architecture, segmentation, domains, update procedures and other useful things) and has implemented a necessary and sufficient set of information security tools (security layers, endpoint protection, etc.), the question inevitably arises: "How can I see my whole estate, and how do I evaluate what I see?"
By that time the company presumably already has established processes, many of them built in the best traditions of ITIL. The IT support division (in some cases, IS) is divided into support lines, and there may even be shifts working 24*7. It is worth noting, however, that such companies are rare: in my memory only 3 out of 1? with more than ?000 workstations can boast this whole list of achievements.
Nevertheless, if we take these 30% of lucky ones as an example, they face the challenge of implementing an integration project that must grow into a very important and critical service. Within the project, painting in broad strokes, it is necessary to:
Implement and configure a SIEM system (integration with a service desk or equivalent, setting up and connecting event sources, customizing and applying basic correlation rules, etc.).
Hire and train staff (specialized vendor courses on the SIEM system, conducting investigations, etc.).
Document and implement regulations and response instructions (including incident albums, criticality and complexity ranking criteria and a huge set of further documents, comparable in printed form with the deliverables of government contracts).
Define areas of responsibility between departments, prescribe a clear SLA and launch the service.
Uncork and taste a bottle of bubbly when the first incidents occur and are clearly processed. This item is optional and depends solely on the company's internal culture. It is sufficient to verify that the service operates according to the specified SLA.
It would seem that everything is simple: detail every point, draw up a plan and execute it by the scheduled date. But the devil is in the details.
A SOC is the technologies used, the experts and the processes built.
Now in order.
SOC technology is the set of tools the service uses to automate information collection, correlation and primary analytics. Naturally, the toolkit is determined by the available capabilities and functionality.
SOC experts are team members with competencies in the following areas:
administration of OS, DBMS, AD and network components;
administration of IS application systems;
administration of applied IT systems;
analyst (monitoring and 2nd line for the SOC);
an analyst with relevant experience and expertise (3rd line for the SOC: from 3 years of work in specialist companies, as well as participation in incident investigations).
SOC processes are a set of organizational and technical procedures covering 4 areas:
support for the infrastructure (infrastructure support);
monitoring of security events (monitoring);
investigation of incidents (incident investigation/response);
development (service development).
All components are aimed at detecting and preventing cyberthreats.
At the same time, the most important requirement for these processes is that they must be seamlessly embedded in the organization's current business processes. In other words, SOC processes cannot stand apart as a "mansion": they must, first, be built with filigree precision and, second, effectively do their job of delivering the expected value. Note also that "filigree" for a critical service means absolute clarity and consistency in the actions of employees of adjacent units, where downtime and violation of the specified SLA parameters are not allowed even in case of force majeure, not to mention the popular "the employee was at lunch" or "couldn't get through". The result should be clear and on time. For this reason the SOC working model resembles military service, and its adopted regulations and instructions resemble an unconditionally executed charter.
Paradoxically, many are confident that the main component of a SOC is the toolkit. Here an example is appropriate. Imagine that you are, God forbid, going in for an operation. The news is not happy, and the clinic starts cheering you up with the words that the operation will be done by some surgeon, but that he has a tremendous scalpel from one of the most expensive manufacturers. They mention the "miracle scalpel" a few times, and may even show a certificate confirming its sharpness and the purity of its metal. I assume this argument will not be very reassuring, and you will want to make inquiries about the doctor and his experience with similar operations.
Of course, the choice of SIEM system is extremely important, and its functionality should clearly reflect the buyer's requirements. However, one should always remember that a SIEM is only automation, and configuring it requires deep competencies and very clear logic of operation.
Experts and processes are the cornerstone of the SOC
From the above list of necessary competencies it is clear that SOC specialists are universal and highly qualified employees who must sit at the junction of deep technical knowledge and an analyst's experience. In addition, the SOC direction is quite young for the Russian Federation and the CIS, which means there are few experts in this subject area. Finding competent and "free" professionals on the market is extremely difficult. First of all, such specialists are interested in working on new and interesting cases that let them develop; they need a flow of them. For this reason, they often "settle" in large service providers and rotate only between similar structures.
The salary level of these specialists is also worth noting. Colleagues have previously cited the analytics on this more than once. The information is still relevant today, except for the salary level, which has risen, along with the market, by an average of 15-20%. This means that a company that wants to hire experts must put up quite serious money. How does this money relate to the benefits it brings, given that very few companies (the exception being a service provider) can utilize such an expert's time by even 70%? Even if such an expert has a high salary, there is a high probability that he will find a more interesting job. In addition, statistics show that the team members of this kind of project-service are completely renewed every 3-7 years. This is a reality and it must be reckoned with.
So, the company has bought a wonderful toolkit, a functional and efficient SIEM system, and taken on a talented and experienced SOC expert who has managed to create a friendly and coordinated team of responsible specialists. Next, this team has to take the system into support, develop the necessary procedures and regulations, implement them and start working by them. It should be noted that even after good consulting from an integrator who helped to build the SOC (implemented the system, audited the processes, created basic rules and wrote the necessary instructions), a huge layer of optimization work remains for the SOC team to adapt the response center to the company's reality. The fine-tuning of processes and work patterns proceeds case by case.
If there was no consulting and the team must build the SOC on its own, the story becomes even more interesting and costly. It is like putting a graduate (even one with honors) on the most responsible site in his first days at a production plant and hoping that he "somehow finds his way".
It follows that, to entrust building the SOC to a newly created team, you need to be prepared for two scenarios:
Recruit a team of specialists who have already created a similar service (either as this very team, or each participant individually according to his role).
Gather experts from adjacent fields with relevant knowledge and "flood" the way out of erroneous decisions, shortcomings and uncoordinated actions with money.
Of the two scenarios, the first option is more likely to be the more economical, because of the guaranteed result and the time frame for reaching the target level of service. Moreover, in the first variant the sponsor of the project-service already understands the number of employees needed and the composition of the required roles (the number of support lines, including a 24*7 or 8*5 mode of operation, the number of analysts and their functions, support for the SIEM and its components, and so forth). In the second, the sponsor usually argues in categories like: "We have 5 universal units of work, each expert can take 2 units of work at a time, so we take two experts and one student." However funny this may seem, practice shows that in the hectic flow of tasks some managers make such decisions automatically, and are sure of the result, under the motto: "If only there were good employees; how to use and load them we'll come up with later."
Or maybe SOC as a Service is better?
The Internet is now full of the latest trends: digital transformation, companies moving completely to the "cloud", non-core processes being outsourced. Large companies are beginning to offer platforms from which you can pick the necessary set of services to support and develop a business of any size. Outsourcing of accounting, legal services, call centers, turnkey IT: this is only the beginning of global changes. The types of services can be absolutely anything. Those that yesterday seemed incredible and odd, such as "print outsourcing", are now in great demand. Moreover, we can see the development trend of the service-oriented model in the Western market, which traditionally runs ahead of Russia and the CIS: it is huge and covers all industries.
SOC as a Service (SOCaaS) is no exception. There are enough players on the market, providers of information security services (MSSPs), offering customers not to "reinvent the wheel" but simply to take advantage of expertise and experience in this area. Experts here, working "on the flow", keep their hands in and gain vast experience, which lets them draw up clear and efficient processes. They have stepped on every rake, analyzed all possible scenarios and offer options relevant to customers' needs. The client does not need to invent anything; he simply tries on the proposed options and chooses the ones he needs.
The most "delicious" part of this story is that:
for quite acceptable money, the client receives the entire list of expensive experts in the required quantity;
the service has been properly designed, trained and tested on other companies;
the service company bears financial responsibility for meeting the SLA and for the "human factor";
the client receives a turnkey service. This means the client does not need to generate proposals for developing the service; the service provider will come with them himself. And of course there are no concerns about the motivation of the SOC team or the "turnover" of specialists: the chosen partner will take care of this.
And what in the end?
For my friend there are two options for a successful exit from this situation:
Get an additional budget for competent experts who have previously built a SOC and expand the staff by at least 4 more people (in the case of 24*7, by 7 specialists), then carry out an ambitious internal project.
Get an even bigger budget for building a SOC "on a turnkey basis", with a qualified and experienced service provider as the executor. This is a whole saga worth tens of millions of rubles (capex), but with a guaranteed result. Opex will also be comparable with point ?, but the required level of service will be obtained much faster.
In any scenario, both options are comparable with the funds spent on SIEM licenses and come out several times more expensive than a managed service with similar parameters. It is a fact! That is why this direction is now developing so actively and is in great demand among interested companies.
However, we must admit that even the best service is not a universal means of solving all the client's problems and pains. Everything, as usual, depends on the specific task, the size of the wallet and the pedantry of the SOC customer.
Denis Gushchin, Deputy General Director of Infosecurity.