A typical security operations centre (SOC) has three core costs: people, data and tools.
The total cost of these will vary dramatically based on factors like how many endpoints and users are in your environment and the number of SOC team members you need. Various SOC cost calculators available online put the cost of building a SOC for a 1000-user environment at upwards of £2 million per annum.
Whatever your total cost of deploying and running a SOC is, you can reduce it by a) automating responses, b) streamlining your data flow, and c) consolidating your tool stack.
Perhaps most importantly, you can make these cost reductions without negatively impacting your security posture. In fact, you can actually improve your SOC’s mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR) to cyber threats while reducing costs.
The reason is that most SOCs have a data problem. SOCs spend more money on data ingestion than they need to, use various disparate data sources and don’t give their analysts the tools to act on data fast enough.
Solve these cybersecurity challenges, and you can dramatically increase incident response efficiency, cut costs, and improve security analysts’ job quality.
At the heart of your SOC’s threat detection and remediation efforts will be some sort of security information and event management (SIEM) system. This SIEM will ingest event logs from various endpoints across your environment. The process of ingesting these logs costs money. But did you know you could be spending thousands of pounds per month more than you need to on log ingestion?
You can reduce the cost of data ingestion by filtering which of the raw logs collected from device activity go on to be normalised. Normalised logs are much larger than raw logs and cost more to process.
We cover this relationship in detail in another blog. In summary, however, depending on your security service provider, you are probably spending around 61% more than you need to on log ingestion costs due to the amount of redundant data your SIEM ingests.
A SIEM augmentation solution like SenseOn can decide, on a real-time basis, which logs are valuable and worth normalising. Then unnecessary logs can be filtered out and not ingested. SOC operations are unimpacted.
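As an added example (not SenseOn’s code, and not a description of how its product decides what to keep), a small Python filter that applies the idea above: raw lines are parsed, a keep decision is made on the cheap raw form, and only kept events are expanded into the larger normalised record a SIEM indexes and bills for. The sample log lines and the keep policy are constructed assumptions for illustration.

```python
import json
import re

# Constructed sample of raw syslog-style lines from an endpoint and a firewall.
RAW_EVENTS = [
    "host1 sshd[101]: Failed password for root from 203.0.113.5 port 4022 ssh2",
    "host1 systemd[1]: Started Daily apt download activities.",
    "host1 CRON[220]: (root) CMD (run-parts /etc/cron.hourly)",
    "fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=445",
    "host1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/cat /etc/shadow",
    "fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.8 DST=10.0.0.9 PROTO=TCP DPT=443",
]

# Assumed keep policy (the page does not define one): authentication and
# privilege events always pass, plus any message matching a high-signal pattern.
# Routine chatter (cron, systemd, permitted firewall flows) falls through and is dropped.
KEEP_PROGRAMS = {"sshd", "sudo"}
KEEP_PATTERNS = [re.compile(p) for p in (r"\bDROP\b", r"Failed password", r"/etc/shadow")]
LINE_RE = re.compile(r"^(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def parse(raw):
    """Split a raw line into host, program, pid and message; unknown shapes stay as-is."""
    m = LINE_RE.match(raw)
    return m.groupdict() if m else {"host": None, "prog": None, "pid": None, "msg": raw}

def worth_normalising(raw):
    """Decide on the raw line, before normalisation, whether this event is ingested."""
    ev = parse(raw)
    return ev["prog"] in KEEP_PROGRAMS or any(p.search(ev["msg"]) for p in KEEP_PATTERNS)

def normalise(raw):
    """Expand a raw line into a structured JSON record with a common field schema.
    This is the larger object a SIEM stores, so filtering must happen before it."""
    ev = parse(raw)
    ip = re.search(r"(?:from |SRC=)(\d+\.\d+\.\d+\.\d+)", ev["msg"])
    return json.dumps({
        "host.name": ev["host"], "process.name": ev["prog"],
        "process.pid": int(ev["pid"]) if ev["pid"] else None,
        "source.ip": ip.group(1) if ip else None,
        "message": ev["msg"], "event.original": raw,
    })

def ingestion_report(raw_events):
    """Compare normalised bytes with and without the pre-normalisation filter."""
    kept = [r for r in raw_events if worth_normalising(r)]
    return {"total": len(raw_events), "kept": len(kept),
            "bytes_without_filter": sum(len(normalise(r)) for r in raw_events),
            "bytes_with_filter": sum(len(normalise(r)) for r in kept)}
```

Call `ingestion_report(RAW_EVENTS)` to see the kept count and the byte totals on each side of the filter; the keep policy is the part that needs tuning per environment. Events the filter drops should still land in cheap raw storage so they remain available for a later investigation.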
Learn how a SenseOn customer saved over £10k a month by augmenting their SOC’s SIEM to filter logs and reduce ingestion costs in this on-demand webinar.
The most significant ongoing cost in your internal SOC is the security teams who staff it.
It’s never a good idea to reduce existing staffing expenditure, especially at a time when security professionals are in extremely short supply. Losing a SOC analyst could cost you as much as 30% of their salary. This cost comes from losses incurred in training and onboarding new hires.
SOC staff costs also rise when an overwhelming volume of SIEM, network detection and response (NDR), and endpoint detection and response (EDR) alerts necessitates hiring new security engineering talent to configure security systems, or simply means more time wasted closing tickets: unplanned work that kills morale, leads to burnout, and eats up human resources that could be spent on vulnerability management or understanding the threat landscape.
Sorting out routine false positive alerts from genuine threats can be automated with technologies like artificial intelligence (AI) triangulation, and the business of threat investigation can be made much more efficient through unified data.
SenseOn’s customers have used our security automation capabilities to reduce security risk and dramatically reduce the burden that managing routine alerts puts on their SOCs.
The information about real and false-positive cyber attacks and security threats that end up in your SOC and on your analysts’ screens comes from various sources. Your analysts might be looking at NDR systems, EDR tools, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS).
But is implementing more tools helping your SOC with its threat intelligence and threat-hunting efforts?
Probably not. According to an IBM report, having too many security tools gets in the way of cyber resilience. Organisations surveyed by IBM with more than 50 tools in the environment had higher MTTRs than companies with fewer tools. The reason is disparate data from different security technologies.
A dozen or more information security controls might exist across your network, endpoints, and cloud and microservices infrastructure. They’re all sending data to your SOC in different formats and through different UIs. When one or more sound the alarm during a data breach, it becomes a race for analysts trying to join the dots.
SenseOn improves your SOC’s capabilities by solving this problem through unified data. Our sensor collects data from across your environment, including endpoints, servers and the cloud, in a single format. Analysts can get 100% context into device, user and network behaviour immediately when something suspicious happens.
It also removes the need for multiple security solutions – SenseOn combines NDR, EDR, UEBA and SOAR functionality into a single platform.
With many of the costs your SOC creates reducible by solving for data, there is a strong argument for deploying a solution like SenseOn.
Whether used to augment a SOC’s SIEM solution or to supplant the need for multiple point solutions, our customers find SenseOn an extremely cost-effective solution within their SOCs.
Contact us to learn more.