Sunday, September 16, 2007

Running a Security Operations Centre

Q: Running a Security Operations Centre
Can anyone tell me if they have had any success in setting up an internal SOC (Security Operations Centre) compared with outsourcing / smartsourcing it to a third party to manage or partially manage?

A: Hi ......,
We have set up several SOCs for ourselves (us being MSSP) and for our clients.

I assume you are interested in a SOC type that our clients use for internal security operations.

Yes, an internal SOC is very tricky and can be very expensive based upon the initial scope.

Here are the initial problems that we faced for internal SOC initiatives:

1) Developing the redundant infrastructure. Real-time active-active SOCs are recommended; this makes the infrastructure complex.
2) Finding the right people: It is tough to find people who can work on a 7x24x365 work schedule with a lot of stress. It is tough to keep trained security experts in-house. It is tough to run follow-the-sun or 3-shift teams. If this is the first time for the client, expect major problems for the first year.
3) Developing operational procedures: Unless you mimic a working operation, starting from scratch will not be easy. Security monitoring and management procedures are dependent on the toolsets, resources and the architecture. Internal SOCs require a long learn-by-mistake period.
4) Integration with internal workflow. All internal IT procedures must be updated to work with the new SOC.
5) Integration with existing IT infrastructure. All existing systems and policies should work together.
6) Achieving certification and compliance for the new SOC (SAS 70 Type II, ISO 27001, PCI, etc.).

If you have any specific questions I might give more definite details. I think the link below will help you with scoping the SOC operation on the technical side:

http://infosecforum.blogspot.com/2007/08/ideal-managed-security-service-provider.html

regards,
- yinal ozkan
