#HowTo Cut Costs in the SOC

If the last month has taught us anything, it’s that we must be able to adapt to change. Many of the changes that will be long-lasting are economic in nature, and those are likely to impact security in every organization. Once we’ve addressed more urgent public health issues and returned to “business as usual,” how can we prepare for the budget tightening that will inevitably follow?

People are the most important element of any security team, so we want to avoid losing our hard-earned and hard-working staff. What can you do in the near-term to reduce costs, minimize impact to your team, and maybe even improve the lives of your analysts in the process?

Review your data strategy and licensing
Most SOCs have two main drivers for data retention: compliance and investigation support. If you’re using your SIEM product to try to meet both requirements, you may be over-spending. Most of the searching, reporting, and visualization features of your security information and event management (SIEM) platform are designed to support tactical functions like event correlation and investigation.

Consider a two-part strategy that includes an open-source log management or data lake solution for compliance, and more tactical (read: short term) use cases for your SIEM. Understanding common sources of investigations and corollary data is the first step in such a strategy – identify “stale” data sources to make sure you aren’t paying for licenses, integrations, or storage you no longer need. Finally, if your SIEM supports it, periodically check your license usage by index and source data type.
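The license check described above can be done from an ingest export rather than by eyeballing dashboards. The script below is an added example, not code from the original article: it assumes the SIEM can export a per-day ingest summary as (index, sourcetype, day, bytes) records (the sample data is constructed), aggregates volume by index and source type, and flags sources that have gone quiet, which are the first candidates for dropping a license, integration, or retention tier.

```python
"""Summarise SIEM ingest by index and source type, and flag stale sources.

Added example for the article's data-strategy advice. The record shape
(index, sourcetype, day, bytes) is an assumption: most SIEMs can export a
per-day ingest summary that can be mapped onto it.
"""
from datetime import datetime, timedelta

GB = 1_000_000_000

# Constructed sample of daily ingest summaries (not real data).
SAMPLE_INGEST = [
    ("security", "windows:security", "2020-04-01", 42 * GB),
    ("security", "windows:security", "2020-04-02", 44 * GB),
    ("security", "firewall", "2020-04-01", 90 * GB),
    ("security", "firewall", "2020-04-02", 95 * GB),
    ("compliance", "legacy_app", "2019-11-10", 500_000_000),
    ("compliance", "legacy_app", "2019-11-11", 500_000_000),
    ("network", "netflow", "2020-04-02", 120 * GB),
]


def _parse_day(day):
    return datetime.strptime(day, "%Y-%m-%d")


def summarise(records):
    """Aggregate ingest per (index, sourcetype).

    Returns {(index, sourcetype): {"total_gb", "days", "avg_gb_per_day", "last_seen"}}.
    last_seen is kept as a YYYY-MM-DD string; ISO dates compare correctly as text.
    """
    acc = {}
    for index, sourcetype, day, nbytes in records:
        entry = acc.setdefault((index, sourcetype),
                               {"total_bytes": 0, "days": set(), "last_seen": day})
        entry["total_bytes"] += nbytes
        entry["days"].add(day)
        if day > entry["last_seen"]:
            entry["last_seen"] = day

    summary = {}
    for key, e in acc.items():
        days = len(e["days"])
        summary[key] = {
            "total_gb": e["total_bytes"] / GB,
            "days": days,
            "avg_gb_per_day": e["total_bytes"] / GB / days,
            "last_seen": e["last_seen"],
        }
    return summary


def stale_sources(summary, as_of, max_idle_days=30):
    """Sources with no ingest in the last max_idle_days before as_of (YYYY-MM-DD).

    These are the data sources the article calls "stale": still licensed,
    integrated and retained, but no longer feeding investigations.
    """
    cutoff = _parse_day(as_of) - timedelta(days=max_idle_days)
    return sorted(key for key, e in summary.items()
                  if _parse_day(e["last_seen"]) < cutoff)


def top_consumers(summary, n=3):
    """The n largest average daily consumers of licensed ingest volume."""
    return sorted(summary, key=lambda k: summary[k]["avg_gb_per_day"], reverse=True)[:n]


if __name__ == "__main__":
    s = summarise(SAMPLE_INGEST)
    for key in top_consumers(s):
        print(f"{key[0]}/{key[1]}: {s[key]['avg_gb_per_day']:.1f} GB/day, last seen {s[key]['last_seen']}")
    print("stale:", stale_sources(s, as_of="2020-04-03"))
```

Run it against a real export with the date of the export as `as_of`; the top consumers tell you where a license tier is being spent, and the stale list is the agenda for the next licensing conversation.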

This is also a good opportunity to revisit your packet capture solution, where your spending should be focused on hardware and storage. If you’re paying for expensive software licenses as well, check out open source alternatives like Moloch.

Evaluate your third-party service providers
Are you outsourcing security operations functions to an MSSP or an MDR? Security teams often cite lack of transparency as the main issue they have with their Managed Security Services Provider (MSSP) or Managed Detection and Response (MDR) vendor. Consider the division of labor between your team and the vendor, and make sure the value you’re getting is reasonable for the cost.

Look for tasks performed by the vendor that do not ultimately save you time, resources, or effort, and ask the following questions:

  • How well does the vendor demonstrate understanding of your industry and business in their work products?
  • How well do they know and integrate with your team and toolset? Do they demonstrate knowledge that would be difficult for you to build within your own team?
  • What Key Performance Indicators (KPIs) do you use to measure their performance and course-correct when needed?
  • Is the vendor improving your security posture over time, or merely triaging events and creating investigative backlog?
  • Is your vendor “sticky” because they do a great job meeting your objectives, or because they own parts of your detection infrastructure?
  • What is the total cost of the service, including vendor management, duplication of effort, and communication/coordination effort?

This periodic re-evaluation also applies to software-as-a-service (SaaS) and other cloud-based solutions. If your team has changed size and composition in the recent past, be sure to re-evaluate cloud solutions to ensure they’re the right fit versus dedicated, on-premises tools (or vice-versa).

Revisit your paid subscriptions
Subscription services rarely live up to their hype (or their cost). This is particularly true of “intelligence” feeds – lists of indicators published with the intention of keeping you safe from all the known bad out there.

At best, these feeds contain attacker infrastructure which has already been used in past campaigns where the operator(s) has already moved on. At worst, they are full of false positives and lack even basic context.
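Those two complaints, aged indicators and missing context, can be measured before renewal time, and so can a third cost the article raises elsewhere: paying two vendors for the same indicators. The following is an added example, not code from the original article. It assumes each feed has been normalised to a list of dicts with an `indicator` and whatever context fields the vendor supplies (the two feeds and their entries are constructed), then reports context coverage, the share of indicators whose last sighting is older than a cutoff, and the overlap between feeds.

```python
"""Score indicator feeds for context completeness, age, and cross-feed overlap.

Added example for the article's point about paid "intelligence" feeds. The
feed shape (list of dicts keyed by indicator, with optional context fields)
is an assumption; map a real CSV or STIX export onto it before use.
"""
from datetime import datetime

# Context a usable indicator should carry; without it an alert is just a match.
REQUIRED_CONTEXT = ("type", "first_seen", "last_seen", "source_report", "confidence")

# Constructed sample feeds (documentation-range addresses and example.* domains).
FEED_A = [
    {"indicator": "198.51.100.7", "type": "ipv4", "first_seen": "2019-02-01",
     "last_seen": "2019-03-15", "source_report": "campaign-x", "confidence": 80},
    {"indicator": "evil.example", "type": "domain", "first_seen": "2020-03-20",
     "last_seen": "2020-04-01", "source_report": "campaign-y", "confidence": 70},
    {"indicator": "203.0.113.9", "type": "ipv4"},  # no dates, no report: context-free
]
FEED_B = [
    {"indicator": "198.51.100.7", "type": "ipv4", "first_seen": "2019-02-03",
     "last_seen": "2019-03-10", "source_report": "campaign-x", "confidence": 60},
    {"indicator": "203.0.113.9", "type": "ipv4", "first_seen": "2020-04-01",
     "last_seen": "2020-04-02", "source_report": "campaign-z", "confidence": 90},
    {"indicator": "other.example", "type": "domain", "first_seen": "2020-03-01",
     "last_seen": "2020-04-02"},  # missing report and confidence
]


def context_coverage(feed):
    """Fraction of entries carrying every field in REQUIRED_CONTEXT."""
    if not feed:
        return 0.0
    complete = sum(1 for e in feed if all(f in e for f in REQUIRED_CONTEXT))
    return complete / len(feed)


def stale_fraction(feed, as_of, max_age_days=90):
    """Fraction of entries last seen more than max_age_days before as_of.

    An entry with no last_seen at all is counted as stale: its age is unknown,
    so it cannot be defended as current.
    """
    if not feed:
        return 0.0
    now = datetime.strptime(as_of, "%Y-%m-%d")
    stale = 0
    for e in feed:
        last_seen = e.get("last_seen")
        if last_seen is None:
            stale += 1
            continue
        age = (now - datetime.strptime(last_seen, "%Y-%m-%d")).days
        if age > max_age_days:
            stale += 1
    return stale / len(feed)


def overlap(feed_a, feed_b):
    """Indicators present in both feeds and the Jaccard overlap of the two sets.

    Shared indicators are being paid for twice; a high ratio means one of the
    subscriptions adds little over the other.
    """
    a = {e["indicator"] for e in feed_a}
    b = {e["indicator"] for e in feed_b}
    union = a | b
    return sorted(a & b), (len(a & b) / len(union) if union else 0.0)


if __name__ == "__main__":
    for name, feed in (("A", FEED_A), ("B", FEED_B)):
        print(f"feed {name}: context {context_coverage(feed):.0%}, "
              f"stale {stale_fraction(feed, '2020-04-03'):.0%}")
    shared, ratio = overlap(FEED_A, FEED_B)
    print(f"shared indicators: {shared} ({ratio:.0%} of the union)")
```

The three numbers together give the renewal conversation some footing: a feed that is mostly stale, mostly context-free, or mostly a copy of another feed is a subscription the SOC can drop without losing detection capability.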

If you’re paying for…
