Bringing the SoC concept closer to SMEs – options and challenges

Security Operations Center and the Small and Medium Enterprises

The adoption of Security Operations Center (SoC) is considered a key sign that a company has reached a certain level of maturity from a cyber security perspective. It is therefore not surprising that this concept is gaining popularity amongst large enterprises. Meanwhile, more and more SMEs (small and medium-sized enterprises) are being forced to consider SoC for their security strategy in order to meet the ever increasing regulatory and legal requirements. Yet unlike enterprises, few of the SMEs have the capacity to implement a Security Operations Center in their organizations. Let’s try to shed light on the challenges they face and suggest some practical ideas how to overcome them.

1. The concept

The first difficulty is the concept itself. Or better – the people’s perception of how this concept can be implemented in practice. The planning and design phase of a SoC suggests a huge amount of customization to match each customer’s specifics, making it inapplicable for smaller implementations.

Even though the SoC concept has evolved over the years, it is still focused on big corporations and enterprises. So, in order to enable the SMEs to benefit from implementing a SoC, a different approach is required – one that aims to simplify, standardize and make this concept accessible for smaller companies.

2. The technology

Building an effective SoC requires implementing a number of technologies. Enterprises typically have some already in place, but SMEs often lack most of them. There is no recipe for success or a list of mandatory technologies, but a good SoC should at least be built on:

  • Endpoint visibility – what is happening in managed endpoints,
  • Network visibility – what is happening in the corporate network,
  • Data visibility – what is happening with the different classes of data,
  • Web visibility – what is happening on the public web infrastructure,

Depending on the company’s business model, specific structure and processes, the list can actually consist of other areas.

Undoubtedly, one of the biggest challenges for SMEs is managing this large set of technology – its implementation, use, operation and support.

3. The complexity

When we speak of complexity, the first thing that typically comes to mind is technological complexity. This is understandable, since the SoC topic is mainly discussed by technology companies. But the truth is that the most complicated part is not the technological aspect – it is the organizational one. What makes setting up an effective SoC a real challenge is defining the proper rules, processes, procedures, policies, playbooks, scenarios, data categories, alert categories, response mechanisms, and many more. This is hard enough for enterprises, but even more so for SMEs, as they typically lack the deep commitment and focus in defining and sustaining the above listed.

4. The effort

At this point you already get an idea of the effort required to implement a SoC. One vital point to remember though, is that the effort doesn’t stop with the implementation. What many companies don’t realize is that after set-up, they need to establish a continuous process for operating and keeping all of the above up-to-date. It’s like gardening – you need to spend quite some effort on preparing and planting a beautiful garden, but if you neglect the follow-up steps, such as watering, cropping, pruning, improving, lining, etc., the beautiful garden will be gone in a few weeks.

It’s the same with SoC – if you don’t monitor constantly, be pro-active, improve continuously, update and evolve, in just a few weeks, your SoC will not be working properly and all your initial efforts would have been in vain. The workload for operating and updating a SoC is one of the most underestimated factors when companies consider SoC for their cybersecurity strategy. Not only by SMEs, but also by enterprises.

5. The cost

When a problem can be solved by spending money, it’s not called a problem – it’s called an expense. Ultimately, all of the above can be solved with the proper investment. But is it worth it? If investments are focused there, would it not jeopardize other business aspects like stability, growth, improvement, cash-flow, etc. After all, the goal of cyber security is to minimize and mitigate business risks, but is it not a risk to divert resources from other critical business areas?

Even if the decision-makers in SMEs would not describe it exactly like that, their decision against a SoC clearly shows that they see much higher costs in it than potential benefits.

6. What can be done

Let’s briefly recap the main reasons why SMEs shy away from implementing SoC:

  • It’s not designed to address their needs
  • It’s too complicated to implement
  • It requires a lot of technologies, that most SMEs typically don’t have
  • It requires significant effort to operate and maintain
  • The cost outweighs the benefits for SMEs

There is no magic formula to deal with all the obstacles and challenges, but there is something that can be done. There is one approach that addresses all these points, but like everything in life, it requires a trade-off. This approach is actually not new– it’s something we are already very familiar with in our lives and business. What do you do, when you need something you cannot buy or when you need a ride, but cannot drive or when you need legal help, but cannot have a whole team of legal advisors? You consume it as a service –a taxi service, professional legal services, etc.

That is the easiest way for SMEs to adopt a SoC– consume it as a service. This will allow them to take advantage of the benefits while avoiding many of the complications they would face with an in-house SoC. The service should include all necessary technologies and is standardized, much quicker to implement, simplified, operated by the provider, cost-effective and accessible.

It is as simple as a taxi service:

  1. Quick to implement – call now and use it in 15 minutes,
  2. Standardized – you know what to expect from the ride,
  3. Simplified – you don’t need to learn to drive, change a tire, do repairs, etc.,
  4. All-inclusive – includes tires, gas, oil, insurance, taxes, everything,
  5. Operated by the provider – everything is handled by the taxi driver,
  6. Cost effective – you pay way less than when buying a car.

But if taxis solved all problems, people wouldn’t be buying cars. Of course, a taxi ride is not the same as a ride in your own car. This also applies to the Security Operations Center as-a-service. And here comes the trade-off mentioned above. There are several things to keep in mind, which, if not recognized early enough, will lead to false expectations, project failures and in general – resistance against SoC as a Service.

7. Limitations of SoC as-a-service

1.       Standardization means losing flexibility.

To be more precise – the service you get is fixed and there is typically very little room for customization to your own specific requests. In a taxi you can ask for a specific radio station, or a certain route, but that is more or less it.

Since each company is unique, a standard approach would most likely not be an instant fit for everyone. As you cannot change the service, the only option is to change yourself. Are you ready to do that?

2.       You might need to give up on some of the investments you’ve made.

The taxi driver doesn’t care if you have a fuel can in your basement – you cannot utilize that investment. Let’s take endpoint protection, for the SoC example. A lot of SMEs are using technologies that do not support a SoC mode (meaning you cannot collect audit and event information centrally). And they will have to adopt technologies that do. Moreover, since a SoC-as-a-Service provider can’t manage a large diversified technological stack, it will require the company to use only the technology it supports.

3.       You don’t receive individual treatment.

When you are buying a car, you can pick your own configuration, you can fill up at your favorite gas station or use the oil you like best. When you are getting a taxi, you don’t get to choose any of these. Same with SoC aaS – you get the same or similar technology stack, same processes, same SLA, same everything as every other customer of this service.

4.       You have to trust the provider (probably the hardest thing).

In general, the Cyber Security business is all about trust. When you give someone that level of access into what is happening in your organization, you actually entrust your business to them. It is very hard for an organization to put so much trust in external entities and it requires time to build it.

Until recently (and even continuing) providers told companies to take measures to detect insider threats. And now they are telling customers to trust them with all their data. Well, it might take a while to convince them.

5.       Few companies are providing a real end-to-end SoC aaS.

Because of all of the above, the demand is gaining momentum only slowly. Nevertheless, researchers expect this market to grow by 300% in the next 5 years. And it is already showing – customers are starting to ask, vendors are preparing their technologies to match that model, service providers are building their concepts and business cases.

What can we conclude from all this?

Well, it is clear that not every SME can afford an in-house SoC due to factors such as high complexity, required technology, implementation and maintenance efforts as well as costs. Nevertheless, they still have the option to benefit from SoC by adopting it as-a-service. This of course comes with some limitations, so here comes the most important moment for SMEs – to analyze these limitations thoroughly and make a decision whether they are ready to make these compromises and adapt their organization to the requirements of SoC as-a-service. No taking the limitations into consideration may create false expectations and render the service unusable for the SME.

If you are a SME and want to make a well-informed choice if SoC as-a-service is right for you, we will be happy to advise you and show you the best options for your company. Don’t hesitate and contact our experts at cybersecurity@bulpros.com.

About the author

Pavel Yosifov

Business Development Manager

Pavel is a Business Development Manager for the Cyber Security portfolio of BULPROS Group. For the previous 10 years, he has been acting as a CTO of a leading  Bulgarian implementor for information security solutions.

Pavel has vast experience in selling, implementing and supporting various Cyber Security solutions in organizations from various industries and of all sizes. With over 13 years of experience in IT, over eight of which working in the field of Cyber Security, he has solid technical expertise, rich history of good partner relationships, and successful years in management and business development roles.