Organisations are well aware of the danger of cyber attacks

A world without cyber risks is unfortunately a pipe dream. Fortunately, organisations can prevent much misery themselves and, when an attack does occur, resolve it adequately. Organisations are well aware of the danger of cyber attacks, according to the cybersecurity benchmark survey conducted by Conscia in collaboration with the commercial market research firm The Blue Hour.

For instance, 43% of respondents indicated that most of the time they spend on IT security goes to prevention. 'Awareness & Training', taken by 85% of respondents, is an important measure for preventing cybersecurity incidents. However, when an incident does occur, research shows that it usually takes more than 200 days before the incident is noticed. Maarten Werff, Solution Consultant Cybersecurity at Conscia: "That's why it remains imperative to have detection & response measures in addition to prevention, to also gain insight into the attacks that are not stopped by preventive measures. This seems like a small percentage, but it can still cause a lot of misery."

SOC: build your own or outsource?

A Security Operations Centre (SOC) can provide the solution. The general opinion is often that a SOC involves high costs, demands a lot of time, knowledge and energy from employees, and is therefore only for large organisations. But is this true?

A simple calculation: research by Forrester shows that, on average, organisations need 14 FTE security analysts to build and maintain their own SOC function (11 FTE for organisations with fewer than 5,000 employees and 20 FTE for organisations with more than 5,000 employees). This allows for the fact that people have to work day and night and also go on holiday from time to time.

By comparison, an external Managed Detection & Response (MDR) service with 24/7 monitoring for an organisation of 1,000 employees comes out at around EUR 6,000 per month, which is less than the cost of a single FTE. Organisations that set up their own SOC also need, besides the right people, an appropriate technology platform. This drives the Total Cost of Ownership of an in-house SOC (with its high CAPEX) to three times that of an outsourced SOC.

Attract and retain security analysts

Building your own SOC function does have definite advantages. Organisation-specific risks are understood faster and better by in-house people. On the other hand, it is difficult to find and retain good people, and the work itself is no small task. Forrester states that 96% of security analysts experience a personal impact after an incident: long working days, stress taken home, poor sleep. All of this is the result of so-called 'alert fatigue'.

Organisations that outsource the SOC function avoid this problem, and also gain the ability to scale up. The benchmark survey shows that 15% of respondents have already outsourced the SOC function. In 55% of cases, security alerts are monitored and analysed by the in-house IT team. In addition, 6% of organisations say they have their own SOC, which monitors and analyses during business hours (3%) or 24/7 (3%). Almost a quarter of respondents have not arranged the detection of security alerts, or have arranged it in some other way.

Threat landscape requires different approach

According to Maarten Werff, there is another good reason to switch to MDR: "In the last decade, we mainly focused on the network, but with the changing threat landscape due to an increase in homeworking, cloud and encryption, visibility through traditional network security measures is much less. Security today requires a different approach. We need to take security measures for what we want to protect; our information, our users and our endpoints."

Currently, 41% of respondents say they have taken endpoint protection measures. It is nothing new to say that employees, with all due respect, are often the biggest problem. 46% of respondents say they receive an alert when abnormal file access and encrypted files are detected. Meanwhile, 21% can see which files have been affected in a cyber incident and recover them.

According to Maarten Werff, technological developments such as EDR (Endpoint Detection & Response), SOAR (Security Orchestration, Automation & Response) and XDR (Extended Detection & Response) make it possible to change the detection strategy. Of these solutions, 15% of respondents have EDR and 3% have SOAR. "Putting identity and endpoint at the centre of the detection and response strategy creates materially more visibility on alerting and allows for faster intervention. This approach does not focus on looking for 'the needle in the haystack' and is therefore also less cost-intensive."

Source: Conscia