
Taking the risk out of setting up a SOC #1

Are you a Managed Service Provider toying with the idea of setting up your own SOC and providing security monitoring services to your customers? This is a strategic decision that comes with considerable risk and initial cost outlay. The alternative is to OEM someone else’s SOC service, which greatly reduces the risk but denies you the relatively high margins associated with this line of business. This is the MSP dilemma!

Our research shows there are three obstacles to setting up a SOC from scratch:

  1. The upfront cost of buying a SIEM solution
  2. Securing suitably skilled resources
  3. Delivering a SOC service at an attractive price

Obstacle #1: The upfront cost of buying a SIEM solution, and having to pay for it long before the service is built and can be charged for: “build it and they shall come”!

Are you concerned about buying a SIEM solution that doesn’t match your business model? Most vendor SIEM sales are driven by the vendor’s sales cycle, which does not align with building a new service from scratch. The need to pay for the SIEM solution up front means the service provider is taking all the risk.

Huntsman Security Mitigation

Our commercial model lets your business set up a SIEM service and only charges for the software as each customer is onboarded. Under this model the risk, and the time to revenue, are shared equally between us.

Standard SIEM offering compared with the Huntsman Security SIEM:

  Step  Standard SIEM offering                                    Huntsman Security SIEM
  1.    Pay annual charge upfront                                 No charge
  2.    Build service offering                                    Build service offering
  3.    Install SIEM                                              Install SIEM
  4.    Receive training                                          Receive training
  5.    Familiarisation                                           Familiarisation
  6.    Configure rules, dashboards & reports for demonstration   Configure rules, dashboards & reports for demonstration
  7.    Onboard 1st customer*                                     Onboard 1st customer, then pay monthly charge

* It could be six months before your first customer is onboarded, and soon after it is time to pay the second annual charge, before you have reached breakeven point.


Taking the risk out of setting up a SOC #2

Let’s look at the second of three obstacles that you face as a Managed Service Provider wanting to set up a SOC from scratch:

  1. The upfront cost of buying a SIEM solution
  2. Securing suitably skilled resources
  3. Delivering a SOC service at an attractive price

Obstacle #2: Securing suitably skilled resources at an affordable price. MSSPs report that it is difficult to recruit and retain SOC analysts. Demand exceeds supply, so they are expensive.

In 2018-2019, cybersecurity skills topped the list — 53 percent of survey respondents reported a problematic shortage of cybersecurity skills at their organization. Source: ESG Global Survey

Huntsman Security Mitigation

Huntsman Security’s SIEM is multi-tenanted, which means it only needs to be built and configured once. It requires engineering skills, but only at the beginning, during set-up, assuming you decide on a relatively fixed Service Definition (highest margins, lowest cost).

The engineering effort to install and configure the SIEM is included in Huntsman Security’s partner onboarding package. The only ongoing operational activity for the SOC is to analyse alerts, manage incidents and generate reports. The skills required to manage a multi-tenanted SIEM are considerably fewer than for standard SIEMs, which need a new instance installed and configured for every customer.

Some SIEM solutions are so complex to configure and operate they require a specially trained “data scientist”.

There are existing IT roles that already have much of the domain knowledge needed to operate a SIEM solution, usually network engineers or sys admins. With training on how to navigate the SIEM solution, these staff can get up to speed quickly because of their existing knowledge of the environment and its configurations.


Taking the risk out of setting up a SOC #3

In this section we cover the third obstacle that you face when you want to set up a SOC from scratch:

  1. The upfront cost of buying a SIEM solution
  2. Securing suitably skilled resources
  3. Delivering a SOC service at an attractive price

Obstacle #3: Delivering a SOC service at a price that businesses are prepared to pay.

SIEM solutions are typically enterprise-level technologies. They were designed to be deployed into a single organisation with dedicated staff to monitor for anything and everything. By contrast, managed services are bound by SLAs and the fees chargeable and so cannot afford to be so wide-ranging.

The challenge is to devise a service that is attractive to your customers and priced within the threshold of its perceived value. What constitutes the right amount of “security” is highly subjective. Customers who have never had security monitoring or SOC services before are unlikely to want an advanced package. One of the most popular packages is one focused on boundary monitoring, which offers the biggest bang for your buck.

DEFINITION

Perceived value is the value that a product or service has in a consumer’s mind. Consumers are usually unaware of what goes into the products they buy in terms of production costs; instead, they place a value on how much a product is worth to them, based on an internal feeling.

Huntsman Security Mitigation

Huntsman Security has developed a commercial model based on charging for the functionality used as per the Service Definition. This can cost between 30% and 50% less than a standard SIEM.

Huntsman Security’s multi-tenant SIEM keeps costs down, lets you onboard new customers with minimal effort and reduces the time to revenue.


How much to charge for SOC services

Customer expectations

Customers expect to pay for SOC services, but how much is highly subjective and relates to perceived value (defined in the previous section).

There is also an expectation about when the services should be paid for: definitely not before they start. Generally, customers expect to pay a monthly charge, the same way they do for the other managed services they consume.

Variables impacting cost

When providing managed services such as managed firewalls or endpoints, the set-up overhead is relatively low. By comparison, setting up a SOC, which has several moving parts and needs a good deal of consideration, costs considerably more.

Setting up SOC services from scratch can take between 6 and 12 months, depending on where it sits in your list of priorities. It includes the following stages:

  1. Defining the service – the number and type of use cases e.g. boundary monitoring
  2. Evaluating technology and trialling it
  3. Platform configuration, data inputs, dashboards and reports
  4. Processes – investigation and incident management
  5. Creation of sales & marketing material – web pages, sales collateral, customer contracts, SLAs etc.
  6. Planning and undertaking training – technical and sales


The primary consideration when looking at your costs is the number of use cases you decide to run with. Each one included in the service adds to both set-up and operational costs. The second consideration is whether you have to set up and configure a new platform or service for every new customer, or have a multi-tenanted platform that you only need to set up once for multiple customers.

As a Managed Service Provider, you bear the whole cost of the SOC set-up as well as the resources needed to operate the service. This raises two questions:

How many customers do I need to onboard to recover the set-up costs and operate a commercially viable service? How much do I need to charge?

Where to draw the line

Most managed services are charged by number of devices or number of customer employees (seats). As mentioned in an earlier section, SIEM and its associated processes are essentially an enterprise-level solution, which presumes a minimum customer size and a minimum number of customers to make it viable.

The rule of thumb is that in order to move successfully from being an MSP to an MSSP you need:

  • A minimum of 6 customers within the first year of offering the service, and
  • Each customer needs a minimum of 200 employees.

It’s worth remembering that the price your customers are prepared to pay depends on the perceived value of your service; the “product”, people and sales force will be instrumental in positioning it effectively.

In the next section, we look at how automation can greatly reduce the amount of resource needed to operate the SOC services and therefore minimise the day-to-day costs.


How much Security Monitoring is enough?

Variables impacting cost

For organisations with advanced security requirements, this question is fairly straightforward to answer, as they will already have architected security into their network design, user access and processes. They will have refined incident management processes and will have been reviewed and accredited by the UK government, many against the GPG13* standard.

*GPG 13 – Good Practice Guide 13 was a UK government protective monitoring standard for departments that held sensitive information; it continues to be applied to many organisations.

For organisations on the cusp of adopting security monitoring/SOC services, the answer to the question “how much Security Monitoring is enough?” is more difficult. Who decides? Who is equipped to weigh up the options, and the cost versus the benefits?

Where does Cyber Essentials fit in?

Cyber Essentials is a UK Government assurance scheme that is mandatory for all organisations bidding for central government and MOD contracts that involve handling personal information or providing certain ICT products and services. For organisations generally, it encourages adoption of good practice in information security in the pursuit of cyber resilience. Cyber Essentials (CE) focuses on five technical controls (firewalls, secure configuration, user access control, malware protection and security update management) that, when properly implemented, protect against the majority of common internet-based threats. The certification process requires participating organisations to complete a self-assessment. Cyber Essentials Plus adds a third-party audit to the certification process.

CE certification occurs once a year. By comparison, compliance with GPG13 requires continuous monitoring, an entirely different level of investment. So what if a customer wants something in between? Perhaps a service that assesses the 5 controls more frequently than annually, to ensure the organisation remains protected against common internet threats.


Cyber Essentials Monitoring

Our Cyber Essentials monitoring solution, the “just right” option, takes all the benefits of CE and makes it a continuous process throughout the year. The proposition is to run automated assessments at intervals that suit your customers’ business, with a report automatically generated to communicate the compliance level against the 5 controls. This gives your customers the opportunity to adjust and remediate issues continuously or at regular intervals, so that the preferred cyber posture is maintained.

Routine monitoring and recalibration ensures the organisation’s cyber resilience is maintained throughout the year not just at a point in time.

(Figure: Cyber Essentials solution dashboard)

Should priority events occur between reports, alerts are automatically sent to designated recipients by email for immediate action. This eliminates the need for someone to be continually monitoring a screen.
