IT security monitoring, SOC Perceptus, SOC for industry

IT Security Monitoring – Build your own team or opt for outsourcing?

The leading theme of European Cybersecurity Month is the threat of phishing. This topic is extremely important because this type of attack is equally dangerous for private individuals and organizations, regardless of their size.

While individual users cannot count on the support of external experts to monitor their devices, organizations can certainly take advantage of such support. We are talking about a solution known as IT security monitoring, which operates under the name SOC, or Security Operations Center.


How does IT Security Monitoring identify a phishing attack in an organization?

Let’s analyze this with a specific case. In a company – let’s call it “ABC Ltd.” – employees receive suspicious messages in their corporate email inboxes, posing as official communications from a company that provides software vital to their work. The message suggests the need for an immediate software update via an attached link to avoid data loss and system damage. Concerned employees reported the situation to the IT security department; however, the department was already aware of the issue because an alert had appeared on the UTM device securing network traffic, which was then sent to the SIEM system, and the SOC was already observing the situation.

An attack identification procedure was launched using the SIEM system, which operates based on log analysis. The SIEM system can be integrated with other security measures, such as antivirus systems or dedicated anti-phishing systems. These tools provide additional information or warnings about potential threats. As a result of these analyses, SOC analysts can confirm whether a phishing-based attack attempt has occurred and take appropriate steps to protect the company from further threats.

What do the subsequent stages of action look like?

Step 1: Verification of email server logs

SOC analysts check the logs from the email server to see which recipient inboxes received the suspicious message. Analyzing these logs helps identify which employees were potential targets of the attack.

Step 2: Message content analysis

Analysts conduct an analysis of the phishing message content, including the link to the “software update.” They scan it for potential threats and domains that may be associated with phishing.

Step 3: Network traffic analysis

They notice that one of the employees clicked the link. The security department analyzes the network traffic generated by this click. This includes identifying the destination website (checking if it was suspicious) and any potential attempts to download malicious software.

Step 4: Internal network traffic analysis

Analysts check internal network logs to see if any internal devices attempted to communicate with the suspicious website or initiate any unknown connections.
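The four steps above can be expressed as log queries. The following is an added illustration, not code from Perceptus or from the article: it runs the same investigation over constructed mail-gateway, web-proxy and firewall log lines (all sample values, domains and addresses are invented for this example), extracting who received the message, which link domain is not the vendor's, who followed it, and what the clicking workstation did afterwards.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample logs (not from the article), in a simplified "timestamp key=value ..." form.
MAIL_LOG = """\
2024-10-02T08:01:12Z msgid=m1 from=updates@softwarevendor-support.example to=anna@abc.example subject="Urgent software update"
2024-10-02T08:01:13Z msgid=m1 from=updates@softwarevendor-support.example to=bartek@abc.example subject="Urgent software update"
2024-10-02T08:01:14Z msgid=m1 from=updates@softwarevendor-support.example to=celina@abc.example subject="Urgent software update"
2024-10-02T08:05:40Z msgid=m2 from=hr@abc.example to=anna@abc.example subject="Timesheet reminder"
"""
# Body of the reported message (constructed); the "update" link does not point at the real vendor.
MESSAGE_BODY = """\
Your licence expires today. Install the update now to avoid data loss:
http://update-softwarevendor-support.example/setup.exe
Regards, Support Team
"""
PROXY_LOG = """\
2024-10-02T08:09:03Z src=10.0.1.25 user=bartek host=update-softwarevendor-support.example path=/setup.exe status=200 bytes=418304 ctype=application/x-msdownload
2024-10-02T08:10:15Z src=10.0.1.12 user=anna host=intranet.abc.example path=/ status=200 bytes=2201 ctype=text/html
"""
FIREWALL_LOG = """\
2024-10-02T08:09:04Z src=10.0.1.25 dst=203.0.113.77 dport=443 action=allow
2024-10-02T08:12:30Z src=10.0.1.25 dst=10.0.2.9 dport=445 action=allow
2024-10-02T08:12:31Z src=10.0.1.25 dst=10.0.2.10 dport=445 action=deny
2024-10-02T08:13:00Z src=10.0.1.12 dst=10.0.1.1 dport=53 action=allow
"""

LEGITIMATE_VENDOR_DOMAINS = {"softwarevendor.example"}          # constructed allow-list of the real vendor
RESOLVED = {"update-softwarevendor-support.example": "203.0.113.77"}  # constructed DNS answer gathered in step 2
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")                # constructed internal address space
EXPECTED_INTERNAL_PORTS = {"53", "80", "443"}                    # constructed baseline for workstation traffic

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL_RE = re.compile(r'https?://[^\s<>"]+')


def parse_kv_log(text):
    """Turn each 'timestamp key=value ...' line into a dict (timestamp stored under 'ts')."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        fields["ts"] = ts
        entries.append(fields)
    return entries


def step1_recipients(mail_entries, sender):
    """Step 1: which inboxes received mail from the spoofed sender address."""
    return sorted({e["to"] for e in mail_entries if e.get("from") == sender})


def step2_suspicious_domains(body):
    """Step 2: pull link domains out of the message and flag those that are not the vendor's."""
    flagged = {}
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if host not in LEGITIMATE_VENDOR_DOMAINS:
            reasons = ["domain not on vendor allow-list"]
            if url.lower().endswith((".exe", ".msi", ".js", ".scr")):
                reasons.append("link points directly at an executable")
            flagged[host] = reasons
    return flagged


def step3_clicks(proxy_entries, bad_domains):
    """Step 3: who followed the link, from which host, and whether a binary came back."""
    hits = []
    for e in proxy_entries:
        if e.get("host") in bad_domains:
            hits.append({
                "user": e["user"], "src": e["src"],
                "url": f"http://{e['host']}{e['path']}",
                "downloaded_binary": e.get("status") == "200" and e.get("ctype") == "application/x-msdownload",
            })
    return hits


def step4_internal(fw_entries, bad_domains, clicked_hosts):
    """Step 4: contact with the phishing host, plus unexpected internal connections from clicking hosts."""
    bad_ips = {RESOLVED[d] for d in bad_domains if d in RESOLVED}
    findings = []
    for e in fw_entries:
        if e["dst"] in bad_ips:
            findings.append((e["src"], e["dst"], e["dport"], "contact with phishing host"))
        elif (e["src"] in clicked_hosts and ipaddress.ip_address(e["dst"]) in INTERNAL_NET
              and e["dport"] not in EXPECTED_INTERNAL_PORTS):
            findings.append((e["src"], e["dst"], e["dport"], "unexpected internal connection from clicking host"))
    return findings


def investigate(sender, body, mail_log, proxy_log, fw_log):
    """Run steps 1-4 in order; each step narrows the scope of the next."""
    mail, proxy, fw = parse_kv_log(mail_log), parse_kv_log(proxy_log), parse_kv_log(fw_log)
    recipients = step1_recipients(mail, sender)
    bad = step2_suspicious_domains(body)
    clicks = step3_clicks(proxy, set(bad))
    internal = step4_internal(fw, set(bad), {c["src"] for c in clicks})
    return {"recipients": recipients, "suspicious_domains": bad, "clicks": clicks, "internal": internal}


if __name__ == "__main__":
    result = investigate("updates@softwarevendor-support.example", MESSAGE_BODY, MAIL_LOG, PROXY_LOG, FIREWALL_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the sample data, step 1 yields three recipients, step 2 flags the lookalike domain, step 3 shows one user fetching `setup.exe` from it, and step 4 shows that workstation reaching the resolved address and then probing two internal hosts on port 445, which is the point at which containment rather than further analysis becomes the priority.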

The assumption of this example was that ABC Ltd. had its own internal IT security department. However, other scenarios are possible – suppose the SOC worked as an external partner?

In that case, additional steps appear:

Step 5: Provision of information regarding the potential attack and the threat to specific areas of the client's infrastructure.

and next:

Step 6: Provision of recommendations regarding suggested options for future protection against such attacks.

Often, an attack is not finalized immediately. The infection remains in a latent form until more devices and systems are infected. 24/7 monitoring allows for the prevention of threat propagation and secures the infrastructure and network against negative consequences, protecting the company from losses.

IT Security Monitoring within internal company structures

A Security Operations Center can be built within a company’s own structures. This requires creating a dedicated organizational unit and equipping it with appropriate systems that allow for the observation and analysis of situations and the detection of anomalies.

The advantage of this solution is full control over data and maintaining complete secrecy of the organization’s operations within its internal structures. The downside, however, is the associated expenditure.

The costs of building an internal SOC appear at several levels. Effective network security requires appropriate software that collects information from devices and the network. Such solutions require investments where the TCO (Total Cost of Ownership) often generates recurring, very significant costs. Additionally, a team of specialists is needed to properly read and interpret the information provided by technological solutions.

We are currently experiencing a shortage of cybersecurity specialists on the market, which directly translates into salary levels that represent the minimum acceptable threshold for individuals with appropriate qualifications. Consequently, the human factor becomes a scarce resource that all organizations that have decided to build their own IT security monitoring department compete for – often regardless of the price, i.e., the salary level.

Outsourcing SOC services

A second solution is also possible, which reduces the costs associated with software and building one’s own team. This is the outsourcing of services related to monitoring internal networks/systems to an external company specializing in cybersecurity.

Thanks to this option, an organization benefits from technological solutions and specialized service without bearing the full costs. Building the SOC department and equipping it with the appropriate tools remains the responsibility of the service provider, while the organization choosing this form of service reaps the benefits of specialist care and security guarantees.

This solution requires sharing some sensitive information about the infrastructure with an external organization. The entire process, of course, takes place based on appropriate agreements and non-disclosure clauses; nevertheless, there are organizations that will not accept such a solution.

The hybrid model

The third path is the hybrid model – a combination of internal competencies with external service. When can this be a good solution?

For example, when an organization has a specialized team, but it is unable to fully supervise the digital security of all its assets. This may result from the organization scaling its operations, opening new offices and branches, or the fact that the team of experienced specialists is unwilling to work night shifts or weekends. In such situations, the internal team can constitute the CORE of the SOC operation, and external outsourcing becomes its supplement – the so-called “Third Shift” working during non-standard hours. This ensures work comfort for the most experienced units in the SOC and builds team stability even in times of such high demand for this specialization.

Perceptus SOC serves public and private clients in both models described above. Our team’s actions ensure care for the network and infrastructure 24 hours a day, 7 days a week, 365 days a year. If you are considering outsourcing these types of services, we invite you to contact us.
