Value of a SOC

by Phil Conrad

A CFO contacted me with a question about the importance of the services a SOC provides. A SOC, or Security Operations Center, is the team whose function is to monitor an organization's network and systems. That monitoring usually comes with alerting on and triaging the security incidents that show up in it. Unless you are a large organization, you probably don't have a SOC dedicated to your organization, so many companies hire a third party to provide these services. Some MSPs or MSSPs (Managed Service Providers or Managed Security Service Providers) offer this or a similar service.

While this is a valuable service, what is it that you really need? Log auditing. You need to know what is taking place on your network, and that is accomplished by capturing events and reviewing the resulting logs. This is simple enough in principle, but if you think about every logon, process start, and connection that occurs over the course of a work day, the volume quickly becomes overwhelming. That volume is the reason companies turn to a third-party provider.

However, if your organization is not currently reviewing logs at all, investing in a SOC may not be the right starting point. It is usually better to start small and build up toward a SOC, because along the way you may discover that a full SOC is not necessary or not fiscally responsible. You may in fact end up needing to outsource network monitoring, but it helps to first understand the scale of the work so you can judge whether your internal IT team can take it on.

Start with a system logging audit strategy. NIST SP 800-171 identifies 12 controls* related to identifying authorized use, monitoring systems, audit logging, and so on. To meet these controls, it is wise to have a strategy in place for tracking your logs. On Windows networks this means making sure Group Policy audit settings are in place so that the events you care about are actually written to the event logs. Identify which systems and which event types you need to log, and put a plan in place for both collecting them and monitoring them.

Monitoring everything you log can be quite burdensome. This is the point at which you may want to consider other alternatives for doing the monitoring. Using a SOC is one option; another is using a SIEM, or Security Information and Event Management, tool. A SIEM makes it easier to correlate logs from many sources, gives you better monitoring management, and lets you set up alerts so that you are notified of suspicious patterns instead of reading raw logs.
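To make the "correlate logs and set up alerts" idea concrete, here is an added example (written for this article, not code from the original post or from any SIEM product). It decides which Windows Security event IDs are worth collecting, as the logging plan above calls for, and then runs two simple correlation rules over a handful of constructed sample records: a burst of failed logons (4625) followed by a successful logon (4624) from the same account and source address, and the audit log being cleared (1102). The event records, host names, addresses and the threshold and time window are all assumptions for illustration; the event ID meanings are the standard Windows Security log ones.

```python
"""Tiny SIEM-style correlation over Windows Security event records.

Added example for this article, not code from the original post or from
any SIEM product. The records below are constructed sample data, not
captured logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Part of a logging plan: which Security events to collect and why.
# (Standard Windows Security event IDs; the "why" column is the plan.)
COLLECT = {
    4624: "successful logon (who is using the system)",
    4625: "failed logon (password guessing, locked accounts)",
    4688: "process creation (what is being run)",
    1102: "audit log cleared (someone covering their tracks)",
}

# Constructed sample events: (timestamp, event_id, account, source_ip, host)
SAMPLE_EVENTS = [
    ("2023-01-10T08:00:01", 4625, "jsmith", "10.0.0.45", "FS01"),
    ("2023-01-10T08:00:03", 4625, "jsmith", "10.0.0.45", "FS01"),
    ("2023-01-10T08:00:05", 4625, "jsmith", "10.0.0.45", "FS01"),
    ("2023-01-10T08:00:07", 4625, "jsmith", "10.0.0.45", "FS01"),
    ("2023-01-10T08:00:09", 4625, "jsmith", "10.0.0.45", "FS01"),
    ("2023-01-10T08:00:12", 4624, "jsmith", "10.0.0.45", "FS01"),
    ("2023-01-10T08:15:00", 4625, "mlee", "10.0.0.71", "WS22"),
    ("2023-01-10T09:30:00", 4624, "mlee", "10.0.0.71", "WS22"),
    ("2023-01-10T11:42:17", 1102, "admin", "-", "DC01"),
]


def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Return alerts for the two rules. A 4624 on its own is normal; it is
    only suspicious in the context of the 4625s that preceded it, which is
    exactly the kind of context a SIEM adds and a raw log review misses."""
    alerts = []
    # (account, source_ip) -> timestamps of recent failed logons
    failures = defaultdict(list)
    for ts, event_id, account, src, host in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        key = (account, src)
        if event_id == 1102:
            # Rule 2: clearing the audit log is alert-worthy by itself.
            alerts.append({"rule": "audit_log_cleared", "host": host,
                           "account": account, "at": ts})
        elif event_id == 4625:
            # Keep only failures inside the sliding window, then add this one.
            recent = [f for f in failures[key] if t - f <= window]
            recent.append(t)
            failures[key] = recent
        elif event_id == 4624:
            # Rule 1: success right after a burst of failures.
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success",
                               "account": account, "source_ip": src,
                               "host": host, "failures": len(recent), "at": ts})
            failures[key] = []  # a successful logon resets the counter
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it raises two alerts: one for jsmith (five failures then a success within the window) and one for the cleared log on DC01. The single failed logon for mlee followed by a success 75 minutes later raises nothing, which is the point of the time window: a mistyped password is noise, a burst is a signal. Raising `threshold` or shrinking `window` tunes the rule; a real SIEM does the same thing with far more rules over far more sources, which is where its cost and its value both come from.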

At this point, it boils down to cost. The cost of a SIEM, once you count hardware, software, and the staff time to tune it and watch it, may come very close to what the SOC service charges. Understanding exactly which duties the SOC takes on, compared with what your MSP already does for you, helps show where the real value in the service lies.

* There may be more, but here is a list of some (identifiers as numbered in SP 800-171 Rev. 2):
Access Control - 3.1.7 (capture execution of privileged functions in audit logs)
Audit and Accountability - 3.3.1 (create and retain system audit logs)
Audit and Accountability - 3.3.2 (trace actions to individual users)
Audit and Accountability - 3.3.3 (review and update logged events)
Audit and Accountability - 3.3.4 (alert on audit logging process failure)
Audit and Accountability - 3.3.5 (correlate audit review, analysis, and reporting)
Audit and Accountability - 3.3.6 (audit record reduction and report generation)
Audit and Accountability - 3.3.8 (protect audit information and logging tools)
Audit and Accountability - 3.3.9 (limit audit management to privileged users)
Configuration Management - 3.4.3 (track, review, approve, and log system changes)
System and Information Integrity - 3.14.6 (monitor systems to detect attacks)
System and Information Integrity - 3.14.7 (identify unauthorized use of systems)

Posted 1/11/23