SECNOLOGY: ROI of SOC operations – From noise to signal

What is the SECNOLOGY vision on Data Mining (60)

The question of how to evaluate the ROI of a SOC comes up regularly. Defining the ROI of a SOC is more difficult and more complex than evaluating the ROI of an antivirus solution.

A SOC is surely a cost center, but what it actually delivers is loss prevention.

In this context, we need to look at it from a different perspective.

A SIEM helps you analyze and identify gaps in your IT security implementation. Combined with aligned processes, well-established workflows, and automation and orchestration (SOAR), it can boost your IT security posture in a number of ways:

  • Enhance IT security capabilities
  • Refine events with contextual information
  • Upgrade reporting for threat and risk assessment
  • Correlate numerous types of events across multiple vendors
  • Strengthen threat defense and response
  • Improve threat detection and close gaps in existing solutions

From this point of view, you could fold the gains your SOC delivers into the ROI calculation of the solutions you already operate. The outcome should then be higher than the figure computed without the SOC, and that difference is the ROI of your SOC.

Not very satisfying? You are absolutely right.

Apply Security Principles

Your organization’s governance must answer the question, “How much security is required?” Security principles must support the organization’s mission and therefore be judged in terms of efficient security: technology, processes and people, each weighed by its costs and benefits.

As a SOC manager, you must ask yourself the following questions:

– Is my company spending too much for its SOC?
– Is the SOC cost effective?

Answering them means calculating all the costs of the SOC and showing where money can be saved, by comparing your budget for personnel, processes and technology against the capacity and maturity of your SOC.

Common costs

Environment and Infrastructure costs:

  • SIEM / data lake platform
  • Ticketing system and Knowledge base
  • Collaboration and Communication tools
  • Network connectivity and infrastructure
  • Software licenses

Employee costs for:

  • Environmental operations
  • Analysis and Monitoring
  • Engineering and architecture

Not to mention further costs for portfolio management, services, processes and personnel.

OK – and then what?

From noise to signal

Without events and information, a SOC service cannot be maintained. In other words, without them your SOC cannot survive.

So, let’s begin with the event flow. You need to:
– Evaluate the cost of the events ingested into your current solution (SIEM or data lake).
– Check what each event means for your use cases.
– Determine the quality of each event for the use case that consumes it.
– Consider the false positive rate of each use case, as verified by your analysts with the customer.
– Measure the time your analysts spend on the initial classification of incidents, by work order and use case.

In the next step, identify areas for improvement:

– Find a way to discard events that none of your use cases or investigations need.
– Compare the cost of retaining events in a SIEM versus a data lake for threat intelligence and hunting (sized to your SOC capacity).
– Determine the reasons behind the false positive ratio of your use cases.
– Assess the event triage process and whether automation would pay off.
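The five measurements and four improvement checks above combine into one small cost model: attribute ingest cost to the use cases that consume each source, add the analyst time spent on initial triage, and derive a cost per true positive and a false positive rate per use case. The Python below is an added example, not SECNOLOGY code or a calculator from the article; the unit prices, source volumes, alert counts, false positive counts and triage times are constructed sample data and the attribution rule (shared sources split evenly between consuming use cases) is an assumption.

```python
"""Noise-to-signal cost model for a SOC event flow (constructed example)."""
from collections import Counter
from dataclasses import dataclass

# Assumed unit prices (hypothetical, not figures from the article).
INGEST_COST_PER_GB = 3.0       # SIEM ingest, per GB per month
DATA_LAKE_COST_PER_GB = 0.25   # cold retention for hunting, per GB per month
ANALYST_COST_PER_HOUR = 65.0   # fully loaded analyst cost


@dataclass
class Source:
    name: str
    gb_per_month: float
    events_per_month: int


@dataclass
class UseCase:
    name: str
    sources: list            # names of the sources the detection needs
    alerts_per_month: int
    false_positives: int     # verified by analysts with the customer
    triage_minutes: float    # analyst time for initial classification of one alert


# Constructed sample data.
SOURCES = [
    Source("firewall", 400.0, 2_000_000_000),
    Source("windows-security", 150.0, 300_000_000),
    Source("edr", 60.0, 50_000_000),
    Source("proxy", 200.0, 900_000_000),
    Source("debug-app-logs", 300.0, 1_500_000_000),   # ingested, used by nothing
]
USE_CASES = [
    UseCase("brute-force-login", ["windows-security"], 120, 90, 12),
    UseCase("malware-execution", ["edr", "windows-security"], 40, 4, 25),
    UseCase("c2-beaconing", ["proxy", "firewall"], 60, 48, 30),
]


def orphan_sources(sources, use_cases):
    """Sources no use case consumes: candidates to drop or move to cheaper storage."""
    used = {n for uc in use_cases for n in uc.sources}
    return [s.name for s in sources if s.name not in used]


def retention_savings(orphans, sources, siem=INGEST_COST_PER_GB, lake=DATA_LAKE_COST_PER_GB):
    """Monthly saving if orphan sources are kept in a data lake instead of the SIEM."""
    return sum(s.gb_per_month * (siem - lake) for s in sources if s.name in orphans)


def use_case_metrics(use_cases, sources, price_per_gb=INGEST_COST_PER_GB,
                     analyst_rate=ANALYST_COST_PER_HOUR):
    """Per use case: false positive rate, triage hours and cost per true positive."""
    by_name = {s.name: s for s in sources}
    consumers = Counter(n for uc in use_cases for n in uc.sources)
    out = {}
    for uc in use_cases:
        tp = uc.alerts_per_month - uc.false_positives
        fp_rate = uc.false_positives / uc.alerts_per_month if uc.alerts_per_month else 0.0
        triage_hours = uc.alerts_per_month * uc.triage_minutes / 60.0
        triage_cost = triage_hours * analyst_rate
        # Assumption: a source shared by several use cases is split evenly between them.
        ingest_share = sum(by_name[n].gb_per_month * price_per_gb / consumers[n]
                           for n in uc.sources)
        total = ingest_share + triage_cost
        out[uc.name] = {
            "true_positives": tp,
            "fp_rate": fp_rate,
            "triage_hours": triage_hours,
            "ingest_share": ingest_share,
            "monthly_cost": total,
            "cost_per_true_positive": total / tp if tp else float("inf"),
        }
    return out


def noisy_use_cases(metrics, threshold=0.5):
    """Use cases whose false positive rate exceeds the threshold (tuning candidates)."""
    return [name for name, m in metrics.items() if m["fp_rate"] > threshold]


def ranked_by_cost(metrics):
    """Use case names, most expensive true positive first."""
    return sorted(metrics, key=lambda n: metrics[n]["cost_per_true_positive"], reverse=True)


if __name__ == "__main__":
    orphans = orphan_sources(SOURCES, USE_CASES)
    print("orphan sources:", orphans, "monthly saving if moved to data lake:",
          retention_savings(orphans, SOURCES))
    metrics = use_case_metrics(USE_CASES, SOURCES)
    for name in ranked_by_cost(metrics):
        m = metrics[name]
        print(f"{name:20s} fp_rate={m['fp_rate']:.2f} triage_h={m['triage_hours']:.1f} "
              f"cost/TP={m['cost_per_true_positive']:.2f}")
    print("noisy use cases:", noisy_use_cases(metrics))
```

With the sample data the model points at the same actions the list above asks for: the debug application logs are ingested but feed no use case, so they can be discarded or retained in the data lake; the beaconing and brute-force use cases run at 80 % and 75 % false positives, so their logic and their triage step are where automation or tuning will pay back first.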

How to build a SOC with limited resources with SECNOLOGY

Building a security operations center (SOC) is a daunting task, and faced with the cost of implementation, managers often hesitate. The best way to make the SOC a profitable investment is to work with a solution that is easy to use: one that does not require weeks of training before analysts are productive, nor skilled and experienced developers to write advanced scripts that are hard to maintain. SECNOLOGY is designed around exactly these requirements.

In conclusion

More topics remain to be explored, such as the IT resources needed for incident management, the off-line storage required for backup and disaster recovery, and business continuity management with systems and services for instant recovery. These are beyond the scope of this article, which is meant to give you some ideas to get started.

For more information about SECNOLOGY, please visit this link:

What is the SECNOLOGY vision on Data Mining (60)