Organisation & Compliance
How to establish it and what it will cost you

Your company’s own IT security centre

Security Operations Centre (SOC)
Today, you can no longer effectively protect your IT by building up high walls. Too many gates are available for attackers to intrude. So, if it is impossible to fully exclude risks, what can you do? You can focus on the quick detection of actual, instead of fictitious, risks! Attackers who have entered the network must be stopped before they can cause any damage.

From security warnings to actual alerts

This is how risks are detected in the Security Operations Centre (SOC) (also known as Cyber Defence Centre): in a first step, automated risk detection produces lots of alerts with regard to potential security risks. The challenge then is to condense items of information from several sources and filter truly critical events from the large volume of data. Then the experts have to respond properly: they must process the available information, inform or alert the right persons and finally make sure that the threat could be successfully averted by the measures taken.

Hardware, software, security experts and emergency processes that work. All these components are pooled in a SOC. Depending on the company size, it must be available 24/7.

These are the most important tools:

  • Continuous Vulnerability analysis
  • Network risk detection based on signatures and behaviourbased analysis
  • Log data analysis (security information and event management)
  • Sandboxing (Advanced Persistent Threat Detection)
  • Threat intelligence
  • Knowledge database (risks and solutions)
  • Workflow management system.

What experts do:

  • Evaluate risk warnings from automated risk detection
  • Continuously adjust risk detection tools to the current situation
  • Contextualise security events to create actual incidents
  • Develop, implement and optimise risk detection use cases
  • Integrate already existing risk detection solutions
  • Manage IT risk management processes and workflows
  • Identify, collect and collate threat intelligence data

The experts focus

The experts focus on the following: draw the right conclusions. These can be reached by combining different sources of information.

Combining different sources of information

How to establish your own SOC

Establishing a SOC requires precise planning, as this involves the complex interplay of various individual components.

  1. Which components are already available in the company? The first step includes an initial evaluation of needs and the selection of necessary products and solutions. What needs to be monitored and what technologies are to be used? What compliance requirements must be observed and what data volumes are involved?
  2. Once detailed planning and subsequent negotiations of the agreements have been completed, implementation can start. The purchased hardware and software is installed. The SOC staff undergoes initial training. The processes for remedying risks are defined. A risk workflow/ticket system is implemented. Trial operation is initiated and the first results are analysed.
  3. Subsequently, regular operation starts. The automatically generated results are analysed by experts, who condense important items of information to create actual alerts, cooperate with other departments to remedy risks and are responsible for final control of the measures taken. It is important for the expert know-how to be up-to-date at all times. On-going further training on the cyber threat landscape, new methods of attack, new product features and releases are indispensable

Operate your own SOC or use “SOC as a Service”

Establishing an in-house SOC is especially recommended to very large companies and public institutions. An alternative solution is “SOC as a Service”, i.e. commissioning an external service provider, who will deliver the complete system and ensure fast results. In addition to strategic considerations, it is mostly the costs that are decisive for choosing one or the other method of establishing an SOC.

Two examples

Starting point

The “NIDS” risk detection module reports web page access attempts that are suspected of being initiated by malware.

Condensing of information

The access operation (network traffic, PCAP) is analysed in detail, along with the web page criticality. The firewall and proxy log data of the relevant IT system are taken into account.

Starting point

The “SIEM” risk detection module reports an unusually high number of firewall deny messages generated by outbound Internet connections.

Condensing of information

The affected IT system is analysed with regard to its data traffic and behaviour. The download behaviour and antivirus messages are examined. The result of the most recent vulnerability analysis is considered. Further analysis of the terminal is initiated in conjunction with Operational IT.

A cost calculation example

A company has 5,000 employees; in terms of the factors relevant for an SOC, this means: there are about 5,000 IP addresses and 5,000 events per second (EPS).

Building your own SOC

Based on our experience, establishing an in-house SOC in this context will take 9 to 12 months. During this phase, it is mainly internal human resources, the technology to be purchased, external consulting services and the training of SOC staff that needs to be calculated. As of the second year, costs will mainly include licence fees for using the technology and the SOC staff.

DescriptionPurchasing costsAnnual costs
Technology – RadarServices Cyber Security Detection PlatformEUR 300.000EUR 60.000
Threat IntelligenceEUR 10.000
Consulting (external)EUR 20.000
Personnel (internally operated SOC / minimum scenario 5*12; 4 employees)EUR 320.000
TOTAL – In-house SOC operated based on the RadarServices Cyber Security Detection PlatformEUR 300.000EUR 410.000

In this scenario, the financial outlay would be EUR 710,000 for the first year and EUR 410,000 for the second.

Besides the costs: you need time!

“A fool with a tool is still a fool” is a saying that is particularly worth bearing in mind when thinking about security to avoid creating a false sense of security. The key factors for success include “time” (as a resource) and a proper focus on SOC set-up and operation. In the end, everything must work out to a T, if worst comes to worst.

Compared to SOC as a Service

External service providers usually bring along all necessary tools and experts as well as established processes, which fully covers SOC operation. Customers choose the required risk detection modules and the intervals in which experts become active: in this example, we assume that daily analyses will be performed.

As a rule, there are no purchasing costs, but a “set-up fee” that covers all initial expenses. The work of the external SOC is demonstrated in a trial phase (Proof of Concept, POC).

DescriptionPurchasing costsAnnual costs
POC (Proof of Concept, 3 months)EUR 30.000
Set-up feeEUR 70.000
Annual service feeEUR 190.000
TOTAL – SOC as a ServiceEUR 100.000EUR 190.000

In this scenario, the financial outlay for the first year would be EUR 290,000 if a daily interval was selected for the experts‘ analysis work. The anticipated costs for the second year would be EUR 190,000 in the case of a daily interval. The prices include the costs of experts, maintenance and threat intelligence but do not include any potential consulting expenses.