Years ago the Network Operations Center (NOC) was well known, but few had heard of a Security Operations Center (SOC). This is no longer the case. I recently chatted with Joe Schreiber, Director of Solutions Architecture at AlienVault, on this topic and captured his thoughts in the following blog. Automation Nation is June 20-22 in Orlando Florida. If you will be there, stop by and see us in booth #704 and we can talk further about turning a NOC into a SOC.
While traditional managed service provider (MSP) offerings, like system monitoring and management, are subject to price pressures and commoditization, the rapidly changing landscape of security threats make information security a high-value business. The existing infrastructure of NOCs make them uniquely suited to transition to SOCs, moving from offering increasingly lower-margin IT services to high-value information security monitoring and management.
- Ever-changing security threats present an evolutionary business opportunity for MSPs. Businesses may have their own security tools—such as a firewall, antivirus, and integrated threat management—but are unlikely to have in-house specialized information security professionals.
- MSPs can begin with managed services and transition to higher profit monitored services. Transitioning MSPs might start the move to security solutions with managed services before transitioning to higher-profit monitored services. A SOC can offer one or both of these services to customers. The key distinction between managed and monitored services is that SOC security professionals are involved in reviewing and resolving issues for customers, whereas managed services push the issues back to the client for resolution.
In addition, a SOC may provide revenue-generating secondary offerings to clients, including security training, pen testing, forensics, virtual chief information security officer (CISO), and more.
- NOCs have already spent the money and done the work necessary for a smooth conversion to a SOC. Businesses starting new projects want to understand how capital intensive the project is. For established NOCs, many of the big ticket items required to create a SOC are already in place, including the building and much of the equipment.
Implementing procedures can be time consuming for a new operations center, but an established NOC already has created and optimized key processes, including issue ticketing systems and workflow, and how and when to interact with and contact customers. To fully deploy an incident management system can take a business anywhere from 18 months to three years; NOCs already have these systems in place as part of their daily operations.
- Additional staffing and tools are necessary to complete the NOC to SOC conversion. Tier 2 staff—information security experts—are a required investment for any SOC. A large staff of these higher-salaried Tier 2 employees isn’t necessary; a single Tier 2 can work with multiple Tier 1 staff members, who will multiply that Tier 2’s labor efforts, research, and skills. As the process is refined, efficiencies allow even more Tier 1 employees to work with the Tier 2 specialist, and even train to move into a Tier 2 position in the future.
Tools are another important part of completing the NOC to SOC transition. A security information and event management (SIEM) platform allows the SOC to take a significant amount of information from a variety of sources—e.g., 30 million events in a day—and distill the data down to 10 or 15 alarms to be triaged for action. A threat intelligence tool that sits on top of the security platform brings extra value to customers by allowing the SOC to overlay threat intelligence and determine actions quickly and efficiently.
- AlienVault provides a unique solution to the security problems that organizations face. AlienVault delivers everything you need to detect, prioritize and respond to today’s threats in minutes. The AlienVault Unified Security Management™ (USM) platform provides five essential security capabilities managed from a single console, combined with regularly updated threat intelligence that ensures you have everything you need to rapidly detect threats and satisfy compliance requirements. The solution offers a variety of security-focused solutions, including the SIEM, threat intelligence, intrusion detection, behavioral monitoring, asset discovery, and vulnerability assessment.