Security is quite a complex and important topic. The complexity is in the technology and organisation of security. Security is complex as it requires your organisation to have a skilled set of people, decent processes and good technology in place. The importance of cyber security has its origin in the increasing amount of cyber security attacks that are executed and the increasing amount of vulnerabilities that are found.
The following graph shows the amount of CVEs per day that have been reported to the NVD (https://nvd.nist.gov/). The graph is generated by using the following Jupyter runbook: https://github.com/jgamblin/CVEStats
As the above graph showed, the number of reported CVEs per day has been increased drastically since the year 2016. The is one of the reasons why security is so important at this moment. Every company needs to have a running security operation; by themselves or by a partner.
Is it hard to run security operations in-house?
As stated earlier, security is complex as it requires your organisation to have a skilled team, decent processes and good technology. Let’s discuss the people component of security operations in this blogpost.
A good skilled set of people drives a Security Operations Center (SOC). Having a non-skilled team, means you cannot respond (well) on security incidents. This could result for example in attackers that are still persistent in your organisations IT environment, which is a big risk. The following skills are required in a Security Operations Center:
1. Security Analyst (junior) — This role is responsible for determine if an alert/incident is true positive or a false positive. People that fulfil this role should have basic knowledge of IT administration as they need to dive into logs, settings etc. 2. Security Analyst (Senior) — This role is responsible for determining the scope of attack, and the mitigation of the attack. As this role is mitigating on the attack, he/she need to have advanced knowledge of IT administration and advanced skills of cyber security (knowing how to mitigate on certain types of attacks).3. Forensic Researcher — This role is responsible for the forensic research that needs to get executed after an incident has been reported. As part of the forensic research, this role needs to find answers on questions like:
- Is the attacker persistent? (are there any backdoors?)
- Has the attacker exfiltrated data?
This skill requires wide and advanced skills of IT administration and cyber security (knowing how to research attacks). 4. Threat Hunter - This role is responsible in searching for threats. Based on a hypothesis, this role searches for threats in the cyber environment. There are a couple of ways how to drive these activities:
- Analytics Driven: Machine-learning and UEBA, used to develop aggregated risk scores that can also serve as hunting hypotheses
- Situation Awareness Driven: Crown Jewel analysis, enterprise risk assessments, company- or employee-level trends
- Intelligence Driven: Threat intelligence reports, threat intelligence feeds, malware analysis, vulnerability scans.
This role requires advanced IT administrations skills and also requires advanced cyber security skills (knowing how to threat hunt).5. Security Developer - This role will build and automate the organisations security operations. In order to automated incident response, classification etc. this role requires advanced skills of IT administration, cyber security, IT automation and software development. Aside from these technical skills, this role also requires to know the security processes in and out.6. Security Operations Manager - This role is responsible for auditing, security roadmapping and escalations. There will be one day that an advanced cyber security attack hits the organisation. During that day, this role is responsible for all communications and activities that the security team is executing.
Attackers are active 24–7. Unless an organisation shuts down the whole IT environment by night and in weekends, the organisation needs to have a 24–7 availability of at least the Security Analyst (Junior) and Security Analyst (Senior) roles. The other roles (except from the Security Developer role) need to be stand by so they can become active when a cyber attack is happening.
If you do a quick calculation, a minimum of around 10–12 people is required to run a security operations center 24–7. If you calculate in the fact that people also go on vacation, even more people are required. For small and medium sized businesses it is most likely that they don’t have the budgets to hire such a team. Aside from the number of people that is required, skilled people aren’t cheap.
How about organisations that have the budget to hire a security team? Well, finding people with the right security minded skills is hard. This even becomes harder if your organisation is not an organisation that has security as its core business or has something really valuable that needs to be protected (e.g. a bank).
Setting up a security operations center is requires a skilled team. As security consists of various roles that need to be available 24–7, a minimum of around 10–12 people in the security operations team is required.
For most small to medium sized companies, it becomes quite expensive to run their own security operations center. These companies most like use a partner to help them with security operations.
For enterprise businesses, the story depends. If an enterprise has security as one of its key values, they most likely run the security operations by themselves. Most of these enterprises that run their own security operations are companies that have something valuable that needs to be protected and already have a decent IT environment. (e.g. a bank).
If security is not a key value of an enterprise, they most likely will let a partner run their security operations so they can focus on their key values.