SOC: Good Buy, Beats Bad Build

Building an internal security operations centre is neither easy nor cheap. However, an external SOC also brings challenges, says Jochen Koehler of Ontinue.

The attack surface available to attackers is constantly growing, while hybrid work, edge and IoT scenarios and the use of cloud services reduce visibility into the IT infrastructure. Administrators therefore struggle to provide sufficient protection, in line with the motto: “You can’t secure what you can’t see”.

SMEs in particular often react to this by investing in new cybersecurity software. Ironically, these often uncoordinated purchases create more gaps, because very few tools from different manufacturers are compatible with each other. On the contrary, they can hinder each other. Since staffing levels are also low, dedicated Security Operations Centres (SOC) are coming into focus as an alternative to tools.

MXDR versus dedicated SOC

A look at the components of a SOC, however, raises the question of how SMEs in particular are supposed to staff these tasks, because even large corporations are reaching their limits. A functional SOC requires at least ten experts, who consume an immense budget and must be ready for action around the clock. An alternative is Managed Extended Detection and Response (MXDR) services, which provide a fully functional SOC team. They ensure round-the-clock support through automated workflows and shift work.

Through their user base, MXDR providers gain deeper insights into the attack vectors affecting all comparable companies. After an attack, this allows them to roll out the adapted protective measures across their users. Outsourcing to an MXDR provider is also financially worthwhile, since transparent pricing models and flexible contract terms facilitate budget planning. Companies know from the first day of cooperation what costs they will incur for the work of the SOC teams and for software licences, and in what time frame they will have to budget for them.

Implementation of an endpoint detection and response platform

Before MXDR providers can begin their work, SMEs need to do a bit of groundwork. This includes implementing an Endpoint Detection and Response (EDR) platform that provides visibility into all clients in the organisation. A security information and event management (SIEM) platform extends this visibility to all of the company’s hardware, software, network and cloud components, collecting, analysing and visualising the metrics that the SOC needs to do its job. The service provider’s own XDR, AI and automation tools build on this software infrastructure.

Basic protection can be realised within one to two weeks, and the familiarisation phase should end within three weeks. By comparison, even if SMEs have the budget for their own security operations centre as well as the necessary staff, they need months until all workflows, processes, software systems and teams are operational. Once all workflows are established and the SOC and the SME’s internal IT department are up and running, the next step is to move beyond the pure detection-response phase. To do this, threat hunting and threat intelligence must expand prevention capabilities with the help of the internal IT department and its expertise.

AI works off “benign positives”

Artificial intelligence will also play an increasingly important role in cybersecurity: tools like ChatGPT can check systems and code bases for vulnerabilities. In the event of a security incident, artificial intelligence is used to simulate the behaviour of analysts. When a large number of incidents occur, many manual steps can be replaced in this way, with the AI running through various defence scenarios and taking into account the local circumstances of a customer. The AI helps to process so-called “benign positives” on the fly, i.e. actual security incidents that do not pose a threat in a specific setup. In this way, human analysts save themselves unnecessary work, increase their efficiency and can focus on the really tricky attack scenarios.


Jochen Koehler is VP EMEA Sales at Ontinue.