4 Options for Security Operations Detection and Response

The use of rapid detection and response is now recognized as a method to meaningfully reduce security risk. Organizations are moving beyond simply lowering the probability of a breach to limiting the impact if a breach occurs.

Rapid detection and response are a clear focus, and organizations are spending time and money to manage growing security responsibilities, including operating a monitoring infrastructure, investigating alerts, and responding to incidents. Without this investment, organizations risk missing requirements necessary for regulatory compliance and missing the warning signs of incidents while they are in progress. Critical Insight has identified four options to manage detection and response:

• Do nothing and accept the risk of breach
• Assign security event review, investigation, and response tasks to existing IT staff
• Build and staff an in-house security operations center (SOC) to manage the day-to-day elements of detection and response
• Hire a trusted third party to provide the detection and response capabilities of a mature SOC

In this paper, we compare these four options and consider benefits and costs. We cover the necessary elements of a functional SOC, including human resource and capital investments and the operational expenses that go with it. We use data from our direct experience building a SOC, along with expectations for a representative organization. The pros and cons of building a SOC or contracting for SOC capabilities from a trusted 3rd party provider.

In conclusion, we illustrate how outsourcing SOC operations to a trusted third-party provider can save an organization 80% relative to building an in-house SOC.