10 min read
Understanding the costs behind setting up and running a Security Operations Center is important to making informed decisions about how much protection you can afford and how you will go about acquiring it. The simple answer to the question “How much does a SOC cost?” is that it depends on many variables. In this article we will break down those variables and provide typical costs that you can use to inform your decision making about how to best protect your organization.
What is a SOC?
A Security Operations Center, or SOC (pronounced “sock”), is a centralized function that incorporates the people, processes, and technology required to monitor an organization’s IT infrastructure, address IT security issues as they occur, and manage and enhance the organization’s security posture.
Through the combination of people, processes, and technology, a modern SOC provides these IT security functions:
What does a SOC cost?
To answer that question, we need to level set with some assumptions. The costs we provide below assume 24x7 operations, which requires at least 12 dedicated employees plus coverage for vacations, sick time and training. The labor cost component is based on U.S. East Coast labor rates, including wages and benefits. And the tooling or technology cost component assumes a network supporting 5,000 people. The estimates include a one-time implementation cost, but do not include overhead costs for a physical location.
Set up of a SOC includes compiling tactical runbooks, which define your team’s response to specific incidents like ransomware attacks or data breaches, and your overarching incident response playbook. It also includes selecting, purchasing and installing security software and the hardware it will run on, plus calibrating this technology for your specific operations.
Setup and operational costs depend on the level of SOC operations you are trying to achieve. Here are cost breakdowns for three levels of SOC operations.
A basic SOC that provides mostly detection with limited investigation and no proactive threat hunting will cost $1.5M per year, comprised of $300K for technology and $1.2M for labor for 12 professionals, including wages and benefits. It will take three months to set up and start operations, and six to nine to achieve steady-state operations.
An intermediate SOC has really good detection because tooling includes a Security Information and Event Management (SIEM) system and User and Entity Behavior Analysis (UEBA), as well as network forensics. It is staffed by analysts working at multiple levels (L1, L2, L3) who attempt to be proactive, but with limited results. This intermediate SOC will cost $2.5M per year, comprised of $400K for technology and $2.1M labor. Labor costs include the basic 12-person staffing plus additional L2 analysts for handling escalations plus partial FTEs for product support and IT support. Anticipate that it will take six months to set up operations and about a year to achieve maturity.
An advanced SOC requires a heavy investment in tooling and threat intelligence feeds. The additional tooling includes investment in advanced automation, such as using AI to parse massive volumes of data and eliminate false positives, and workflow automation to handle opening tickets for detected anomalies and routing them to the correct analyst for investigation. Automation frees up the analysts to be involved in threat hunting, which involves proactively searching networks, endpoints and security data for indicators of cyber threats, including signs of malicious, risky, or suspicious behavior. Operators of advanced SOCs also perform periodic “red team” exercises to uncover gaps or lapses in security posture. This level of SOC will cost $5M per year, comprised of $1.1M for technology and $3.9M for labor. Additional staffing is included for an L2 escalation team, a threat hunting team, multiple FTEs for product and IT support, and additional intelligence feeds to support threat hunting. Assume 12 months to set up and start operations, and 18 to 24 months to achieve maturity.
Does the location of a SOC matter?
Typically, the physical location of the SOC does not matter. After all, the network assets protected by the SOC are typically distributed between on-premises, home, public cloud, and Software-as-a-Service (SaaS). Also “distributed” are the hard-to-come-by skilled people who work in IT security and prefer to work from home.
One caveat is that security data from your dispersed assets does need to be centralized somewhere, whether that is in an on-premises data center or in the cloud. Depending on the nature of your business or your organization’s location, you may be affected by data residency requirements that specify where that data is stored. But wherever that data is located, remote access between your SOC technology, your security data, and SOC personnel is reliable, economical and easily done.
The impact of skills scarcity
Why is remote access important? It can help overcome one of the most significant barriers to building and running your own SOC: people. Recent research says that the number of unfilled cybersecurity jobs worldwide grew 350% between 2013 and 2021, from 1M to 2.5M. That translates into high competition for scarce skills, which impacts both staffing and retention. You’ll need to hire analysts, people who can install, configure and manage your security technology stack, and people who can manage SOC operations. Plus, with technology’s rapid evolution and the ever-changing threat landscape, you’ll have to invest in continuous training and technology refresh.
However, there is an alternative to spending $5M a year for an advanced SOC. You can co-source and get the around-the-clock capabilities of an advanced SOC for a fraction of the cost, in a fraction of the time. Netsurion’s Managed Open XDR and SOC-as-a-Service (SOCaaS) offerings provides an integrated approach that relieves the people challenges of an in-house SOC operation and optimizes your cybersecurity investments. Learn more about the advantages of co-managed security from Netsurion.
Cost of Setting Up and Operating a SOC
Download the Whitepaper
7 min read
10 min read
5 min read