Is outsourcing to a Nomios SOC right for you?
Organisations face several challenges related to cybersecurity that may lead them to consider implementing or outsourcing a Security Operations Centre (SOC). This page is intended to give an overview of our UK SOC, approach, capability and processes.
If any of the challenges below resonate with you, then a SOC could be the right approach; if so, get in touch and we will be happy to share our knowledge and experience, and provide straightforward advice.
- Increasing complexity of threats
- Compliance requirements
- Lack of in-house expertise
- Scalability issues
- Resource constraints
- Inefficient incident response
- Integration of security tools
- Visibility and monitoring gaps
- Reputation management
- Budget or cost control
- Alert fatigue
- Knowing best practice
Typical drivers for initial SOC consideration
Mandated compliance and maturing cyber threats continually put pressure on organisations and security professionals; typically, growth in both, or an extreme of one, is the initial driver to outsource SOC services.
Increasing Complexity of Threats
- Challenge: Cyber threats are becoming more sophisticated and harder to detect.
- SOC Solution: Continuous monitoring and advanced threat detection capabilities offered by a SOC can identify and respond to complex threats.
- Challenge: Stringent regulatory requirements related to data protection and privacy.
- SOC Solution: A SOC helps ensure compliance with laws and regulations like GDPR, HIPAA, and others by maintaining detailed logs and following industry standards.
Nomios SOC process and structure overview
The diagram above gives an overview of our Managed SOC services process and structure.
We start with the log sources that will be feeding the service – allowing us to identify anomalous and malicious behaviour.
Log sources span a broad range, depending on what you want alerts on. Typically they cover systems, the network, deployed security controls, cloud and users: ultimately, anywhere that might allow us to detect malicious activity against the assets you need to protect.
The log data that we collect feeds the security operations tooling layer.
The tooling layer acts as an aggregation point: logging data, data generated from endpoints, scanning data and telemetry data all feed into a SIEM, EDR or Vulnerability Management platform.
The tooling at this layer detects malicious activity, or other activity you want to be alerted on, and feeds it into the SOC for further analysis and response.
From a Nomios perspective, we can deliver these as a managed service or ingest event data from customer self-managed platforms. Please get in touch with Nomios UK&I for eligibility for this service.
Once an alert of interest is generated, it gets sent into the SOC – into the SOC tooling layer, or more specifically, the SOAR.
- SOAR stands for Security Operations and Automated Response
- SOAR allows us to coordinate, execute and automate tasks between various people and tools, all within a single platform.
- Our SOAR platform ingests the generated alert data, and these alerts then trigger playbooks that automate and orchestrate response workflows or tasks.
By automating many of the repetitive tasks that a level 1 analyst would typically do, we remove the need for level 1 analysts in our SOC; instead, only higher-skilled, more highly trained level 2 and level 3 analysts respond to customer alerts.
Alerts coming into the SOAR are augmented through the use of Threat Intelligence. We use a feed from Mandiant for this purpose. Any alert is enriched based on IOCs such as IP address, file hash or domain name.
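As an added illustration of the SOAR enrichment step described above (this is example code, not Nomios tooling or the page's own): a small Python playbook stage that extracts IOCs from an alert, matches them against a constructed threat-intelligence feed, correlates with earlier alerts from the same host, and produces the triage decision that automation takes in place of a level 1 analyst. The feed contents, scoring weights and alert format are assumptions.

```python
import ipaddress
import re

# Constructed threat-intelligence feed standing in for the Mandiant feed the
# page mentions; every value below is illustrative, not a real indicator.
THREAT_INTEL = {
    "ip": {"203.0.113.42": "example C2 address"},
    "domain": {"malicious.example": "example phishing host"},
    "sha256": {"a" * 64: "example commodity malware hash"},
}
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)
SEVERITY = {"low": 1, "medium": 2, "high": 3}

def extract_iocs(alert: dict) -> dict:
    """Pull IP addresses, domains and SHA-256 hashes out of an alert's fields."""
    iocs = {"ip": set(), "domain": set(), "sha256": set()}
    for value in map(str, alert.values()):
        for token in value.split():
            try:
                iocs["ip"].add(str(ipaddress.ip_address(token)))
            except ValueError:
                pass  # not an IP literal; the regexes below handle the rest
        iocs["domain"].update(m.lower() for m in DOMAIN_RE.findall(value))
        iocs["sha256"].update(m.lower() for m in SHA256_RE.findall(value))
    return iocs

def enrich(alert: dict, history: list) -> dict:
    """Playbook step: TI lookup per IOC, correlation with earlier alerts for the
    same host, then the triage decision an L1 analyst would otherwise make."""
    iocs = extract_iocs(alert)
    hits = [(kind, v, THREAT_INTEL[kind][v])
            for kind in iocs for v in sorted(iocs[kind]) if v in THREAT_INTEL[kind]]
    prior = sum(1 for h in history if h["host"] == alert["host"])
    # Assumed weighting: any TI match is decisive; otherwise severity plus repeats.
    score = SEVERITY[alert["severity"]] + 3 * len(hits) + min(prior, 3)
    if hits or score >= 5:
        decision = "escalate_l2"       # needs a human analyst
    elif score <= 2 and prior == 0:
        decision = "auto_close"        # benign; record and move on
    else:
        decision = "queue_for_review"  # no TI hit, but not clean either
    return {**alert, "iocs": {k: sorted(v) for k, v in iocs.items()},
            "ti_hits": hits, "prior_alerts": prior, "score": score, "decision": decision}

# Constructed sample alerts, as a hypothetical SIEM might export them.
SAMPLE_ALERTS = [
    {"host": "ws-101", "severity": "low", "message": "outbound tcp to 203.0.113.42 port 443"},
    {"host": "ws-102", "severity": "low", "message": "smb read from files.corp.example"},
    {"host": "ws-104", "severity": "medium", "message": "repeated failed logon"},
]
```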
SOC functions are undertaken on a daily basis in support of our customers.
Use-case development: initially as part of service onboarding, but use-case development and tuning remain an ongoing part of the service.
If an alert is generated, it will be investigated. If it is a false positive, we tune the use case; if it is a legitimate incident, we undertake an investigation and, if required, support the customer through whatever remediation is needed within their environment.
Moving from reactive to proactive, we will perform threat hunting as part of the service. Threat hunting is all about actively searching for threats that may have evaded your security controls and monitoring, aiming to detect and mitigate them before they cause harm.
Finally, we provide regular meetings and reporting through the SDM.
Ultimately, our service is built on the capability and professionalism of our people.
There are a number of people you will have contact with day-to-day. These are all named individuals, which sets us apart from many MSSPs. We aim to become an extension of your team, working with you, fundamentally operating in exactly the same way as if you'd built a SOC capability in-house.
The SDM, or Service Delivery Manager will:
- Project manage
- Undertake reporting
- Monitor SLAs and KPIs
- Own the DAP (Document Agreements and Procedures), a comprehensive document covering everything about how the service will run
- Run service reviews
The Cyber Security Consultant is responsible for onboarding and supports the analysts, if needed, with ongoing use-case development or onboarding of new log sources.
Analysts are our SOC operational experts.
- We don't employ L1 analysts; we use automation to do most of the initial triage that an L1 analyst would typically do.
- Our analysts are focused on use-case development and tuning, incident management and investigation, remediation advice and threat hunting.
Our SOC manager is a point of escalation, will get involved in strategy meetings, and helps coordinate our response to a cyber attack.
Our unique managed SOC approach
Knowledge of the client's risks, its technical environment and its organisation is essential for the SOC to be able to carry out all its activities. We carry out an initial assessment of your environment to understand your organisation, your technical context, your business and the associated risks.
This insight enables us to prioritise risk coverage with you and control the "Time-To-Detect" of the serious threats to your organisation.
"A balanced approach between the newest technology and the addition of "scenarios" allows us to optimise the incident timeline by improving both detection and remediation capabilities. This is why, as part of our business and our duty to advise, we strive to remain very pragmatic about the budgetary efficiency (CAPEX/OPEX) inherent in covering your risks." - Avinash Shet, Senior SOC Analyst
Efficiency is maximised by the close proximity between the customer and Nomios. The customer has direct access to our analysts, who work hand in hand with the customer's operational security and production teams, of which Nomios is a true extension.
Protect your organisation, and your network
As the volume and complexity of cyber attacks accelerate, Security Operations Centres (SOCs) have become the focus for bringing together the people, processes and technologies needed to defend and respond to the attacks on an organisation.
However, most IT and business managers do not know the true level of risk, and many have no visibility into the full range of potential vulnerabilities that could be exploited, let alone the means to fix them.
But organisations can keep abreast of modern threats by using a managed SOC. An effective SOC improves an organisation's incident detection and response capability while accelerating and improving its security posture.
How we work with our customers
A critical part of any managed SOC is the onboarding process, which we call The Shared Journey. The Journey shows the path the client will take in order to get fully onboarded and live with the Nomios SOC.
The Journey consists of 6 workshops which can be delivered in person or remotely. To find out more download our SOC Guide or get in touch with our SOC team.
The Nomios SOC work process is agile and iterative
This agile model is the pillar of our operational security approach. It governs the quality of our offer through the iterative prioritisation of your risks, the pragmatic and total implementation of your use cases, and making the most of existing infrastructures in a continuous improvement process. The risk-based approach is the backbone of the service. We re-evaluate the risks at each iteration of the agile approach.
The initialisation of the service allows Nomios to get to know the technical, functional and organisational context. This discovery of your environment and your specifics is done through workshops covering your organisation and the personnel with whom the SOC will work.
This phase also allows us to frame the governance of the service with the final versions of the Service Agreement, Quality Assurance Plan and Security Assurance Plan.
Cyber risk analysis based on the MITRE ATT&CK model:
- External risk assessment, based on multiple cyber threat intelligence sources. Qualification of the real risks to the organisation.
- Internal defences: analysis of your internal security situation, including policy, security tools and organisational structure.
- Consolidation: the cross-referencing of all this data will make it possible to highlight the techniques most at risk for your organisation and thus define the priorities in the actions to be taken.
This step consists of the technical implementation of the use-cases in the existing security components: SIEM/XDR, EDR, NDR and SOAR.
After enriching the alerts (investigation, sandboxes), correlating indicators with the history of alerts known to the SOC makes it possible to refine the criticality of the alert and qualify it as an incident.
Monthly analysis and consolidation of incidents highlights recurring incidents. Re-evaluation of MITRE ATT&CK risks and the search for root causes allow us to propose improvement plans at each iteration of the process.
Outsourcing to a Nomios SOC helps reduce the complexity and cost of threat detection and incident response.
Having a dedicated managed SOC offers multiple benefits to your organisation. It's not just about detecting incidents, but also about analysing and proactively hunting down threats to help prevent attacks from happening in the first place. Discover the unique benefits of our managed SOC service.
Full security monitoring 24x7
- Security monitoring of advanced cyber threats on networks, on-premises, public cloud environments, SaaS applications and endpoints.
Responds to threats faster
- Nomios SOC analysts identify and validate threats, working with your incident response team to guide and automate response and remediation.
Keep an eye out for the latest threats
- Detects emerging and evolving threats with continuously updated threat intelligence.
Controlling the SOC budget
- All the benefits of a SOC while controlling the cost, complexity and time investment of an in-house operation.
Advanced analysis and machine learning
- A modern security platform combines advanced qualitative tools based on machine learning algorithms, data mining tools and simulations with traditional data query and consultation approaches.
Adopt an adaptive security architecture
- Static security architectures are outdated and inefficient. Our adaptive security architecture is able to prevent, detect, react and predict.
Frequently asked questions
Yes, establishing and maintaining a Security Operations Centre (SOC) can be expensive, and the costs can vary widely depending on several factors. Here's a breakdown of some of the aspects that contribute to the overall expense:
1. Personnel Costs
- Hiring skilled cybersecurity professionals can be costly, especially in competitive markets.
- Continuous training and certification of staff to keep them up-to-date with the latest threats and technologies also add to the expense.
2. Technology and Infrastructure Costs
- The necessary hardware and software for monitoring, detection, analysis, and response can be expensive to purchase and maintain.
- Integrating multiple tools and platforms may require additional investment.
3. Facility Costs
- If an organisation opts for an in-house SOC, the physical space and related infrastructure (e.g., secure communications, redundant power) add to the costs.
4. Compliance Costs
- Ensuring that the SOC adheres to various regulatory requirements, industry standards, and certifications can entail significant investment in both time and money.
5. Ongoing Operational Costs
- Continuous monitoring and maintenance of the SOC, including software updates, hardware refreshes, and regular audits, contribute to ongoing costs.
6. Scale and Scope of Services
- The size of the SOC and the range of services offered can significantly impact the total cost. A larger, more comprehensive SOC will generally be more expensive.
Outsourcing to a Managed SOC
- As an alternative to building and maintaining an in-house SOC, many organisations choose to outsource to a managed SOC provider.
- Outsourcing can be more cost-effective, as it allows access to specialised expertise, tools, and infrastructure without the need for significant capital investment.
- However, the costs for outsourced SOC services can still be substantial, depending on the level of service, SLAs, and other contract terms.
SOCs can be expensive, and the decision to implement one should be carefully considered in light of the organisation's specific needs, goals, and budget. While the costs are substantial, the value provided in terms of enhanced security posture, risk mitigation, compliance management, and potential prevention of costly breaches should also be weighed in the decision-making process.
Organisations should carefully assess their requirements and explore various options, including in-house and outsourced SOCs, to find a solution that aligns with their budget and security needs.
As organizations scale and compete, protecting endpoints, assets and data from exfiltration, breach or other risks becomes paramount. The complexity of the security landscape has changed dramatically over the last several years, and organizations need to stay ahead of a rapidly changing threat landscape.
Many organizations now seek to outsource parts or all of their security functions to a trusted security provider. Managed security services (MSS) is a service model or capability provided by security service providers to monitor and manage security solutions, networks, systems, and even software-as-a-service (SaaS) applications and cloud environments.
MSSPs provide an array of skilled professionals, such as onboarding specialists, security analysts or service delivery experts, engineering and support, project management and customer service. More specialized roles such as incident response, threat intelligence and threat hunting can be added, depending on the desired scope of the engagement.
Discover more network overlay support services from Nomios
Our strength lies in our flexibility and focus on developing tailor-made solutions for our customers. Discover in which areas we can support your IT team.
MDR Managed Detection & Response
Advance your security operations capabilities while reducing mean time to detect and contain threats.
Full management of your organisation’s firewall infrastructure.
Enterprise-grade SIEM to protect and secure your critical data from ever-changing cyber threats.