To Buy or To Build: Developing Your Security Operations Center

Data lies at the heart of all security operations. Like other networking operations, security relies on the ability to trust the data. Data pools that are outdated, duplicated, or overwhelming can impact the security operations (SecOps) team’s ability to perform analysis and develop policies. Intrusions can go undetected. Malware can spread. Assets may be compromised, and infections may go without remediation. To address this, SecOps must leverage systems to view this data accurately and in a timely fashion, to create and enforce policies to protect the organization. This often leads to the debate to develop these systems or to purchase them. This is the build vs. buy debate.

Building SecOps includes deploying in-house expertise to develop and maintain solutions that ensure data trust. Buying is leveraging a qualified vendor to provide these solutions and associated services. There are several key factors in deciding which approach is right for the organization. The goals remain the same for both.

Data in full: Is all the data available for analysis?
Data accuracy: Are the systems producing accurate data?
Data consistency: Can the data provided by multiple systems be accessed?
Data de-duplication: Are the same data points being provided multiple times?
Data relevance: How stale is the data?

Answering these questions often spotlights the potential failures of a SecOps approach. Where is there opportunity for human error (either in data input or analysis)? What are the potentials for system faults and failures that can lead to data corruption? Are there opportunities for data integration failure? Are there complexities in the systems that can slow or even prevent access? Issues like multiple language support, data formatting, and conflicting weights of criticality may lead to improper reporting and alerts.

The approach to choose buy vs. build includes several steps. These typically involve a cost analysis of developing and maintaining a system as opposed to making a straight purchase. In addition to cost, organizations must determine the time to implementation. They must also determine in-house metrics for data integrity, data retention, and service levels for reporting and response. Another consideration is the uniqueness of the data. Are there considerations unique to the organization or are there broader concerns for the organization’s industry or vertical? One major concern is the hiring, development and retention of personnel with the skill sets to administer the systems. Due to constraints of time, budget and skill, many organizations choose buy over build after the analysis is performed.

Organizations that determine that the buy approach is right for them can leverage Cisco’s Managed Detection and Response (MDR) offering. MDR combines the elite team of researchers, analysts, and engineers with threat intelligence, automated response capabilities and investigation and response playbooks provided by Cisco Talos Threat Research. MDR is designed to minimize time to both detection and response. This service leverages Cisco’s integrated architecture to advance SecOps capabilities to contain threats quickly by using data that is relevant and accurate.

By providing a standardized and unified set of data, MDR provides SecOps teams higher quality threat intelligence both for that organization and through the global view of events. Administrators have the ability perform management and automation of alert volume across cloud, network and endpoints. Defined investigation and response playbooks are included to accelerate containment and remediation.

Integrated systems included in the Cisco security architecture and backed by the Cisco Talos Threat Research provide an unmatched global view of events to supply SecOps teams with fast and accurate alerting. Leveraging these systems can reduce time to detection from months to hours. MDR can help SecOps team define, test and implement proven security practices to ensure the organization has visibility and control to protect virtual and physical systems deployed on-premise or remotely.