Geneva SOC Forum

The Geneva SOC Forum was an interesting event, with some excellent presentations. The first was by Carine Allaz on her experiences of establishing and running a Security Operations Centre for a private bank in Switzerland. A lot of the lessons she learnt are common to many of the organisations we’ve seen undertake the same journey. She mentioned that setting up a SOC had given her her first grey hair; I pointed out that getting involved in building over 90 for our customers had made mine go grey, then completely fall out…

The second speaker was Jonathan Sinclair. His presentation focused on demonstrating business value and the development of meaningful use cases – again spot-on with my experiences, and something that businesses continually get wrong, limiting their return on investment in security operations.

This was followed by the SOC Jeopardy session we facilitated. In the session we asked the 70+ attendees, from SOCs all over the Geneva and Lucerne area, a selection of 11 questions around business alignment, technology, people and process. These questions were a subset of the over 250 used in our Practice’s Security Operations Maturity Assessment, which we use to construct build or improvement roadmaps for our customers.


The next step was to compare the room’s results with the average we see across the hundreds of assessments we’ve conducted around the globe; then to discuss the impact that the different maturity levels would have on the effectiveness and efficiency of their SOCs; and finally to discuss the constraints and challenges they may face in reaching the more mature levels.


On the whole, the level of maturity seen in the organisations in Switzerland was at least as high as, if not higher than, the average across the globe. Some really insightful questions came from the audience and the two other speakers were exceptional. It is a shame that non-commercial events like this, which bring together SOC managers and operational staff with their peers to discuss best practices, do not exist in most other countries.

3 thoughts on “Geneva SOC Forum”

  1. Amazing event! I agree with Jonathan that most organisations find it difficult to provide a true business value and demonstrate return on their investments. The challenges that Carine faced during the establishment of the Security Operations Centre are real and every organisation faces the same challenges if not more.

    It doesn’t make sense for organisations to do this alone. SOC has one function and one function only and that’s responding to alerts or notifications. The question becomes where do you get the alerts. This is where you have to decide whether you want to purchase a product or partner up with an organisation who provides the service. The product you need is called Security Information & Event Management (SIEM). Now what causes grey hair is the management and maintenance of the SIEM infrastructure. You have to constantly fine tune and develop the correlation rules so you don’t overwhelm your SOC with false positives. You must develop new correlation rules and Threat Intelligence to keep up with new threats. Of course you have the infrastructure ready to implement and operate the SIEM. You don’t just set up a SOC and not have the technology to support it. So now you have the SOC and the SIEM. What about the process? The process is much more challenging than setting up the SIEM and SOC. The process requires you deciding on the ticketing system you want to use, what alerts should be triaged, who does the validation and escalations, who takes the corrective action against security incidents or performs remediation. You need an Incident Response Platform and Incident Response Team (IRT) as part of your incident response process. This is the costliest and the most challenging part of setting up a SOC.

    SIEM license for 250 devices or 2500 Events Per Second (EPS) will run you around 100€/year. SOC physical place will cost around 100€/year to lease. The 24/7 IRT and process will cost you easily about 600€/year.

    You are looking at about 1 million EUR a year. So how do you show business value and ROI for such an expense?

    I would always start off by doing the Risk Assessment first and then decide how you want to go about it.

    • Good observations Kevin. As also mentioned during the event, many people don’t distinguish between log management, SIEM and analytics, and often confuse what events they need for each. Many are paying far more for their SIEM licences than they need to.

  2. I agree with both Kevin and Jimmy. Education is key when it comes to analysing large amounts of data for cyber threats. Windows servers don’t even have auditing turned on by default. The security events are overwritten too quickly. You have to have a mechanism to collect this data, analyse it and then respond to it. Most small to medium size organisations are vulnerable to threats and SIEM costs are simply too high to justify.
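The second comment's two observations, that Windows auditing is often not enabled and that the Security log rolls over before anything collects it, are both things a SOC can check before it buys a SIEM licence. The PowerShell below is an added example, not code from the post or its commenters: it reports the Security log's size and retention mode, warns when the log is smaller than an assumed 1 GB baseline, and flags common audit subcategories that are set to "No Auditing". The 1 GB threshold and the subcategory list are assumptions, not figures from the page; it expects to run elevated on a Windows host.

```powershell
# Added example (not from the original post or its comments).
# Checks whether the Windows Security log would overwrite events quickly and
# whether the audit subcategories that usually feed a SIEM are enabled at all.
# Assumed baseline: 1 GB for the Security log. Adjust to your own policy.
$MinSecurityLogBytes = 1GB

# 1. Security log size and retention mode
$log = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue

[pscustomobject]@{
    MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
    LogMode       = $log.LogMode          # Circular = oldest events are overwritten
    RecordCount   = $log.RecordCount
    OldestEvent   = if ($oldest) { $oldest.TimeCreated } else { 'n/a' }
} | Format-List

if ($log.MaximumSizeInBytes -lt $MinSecurityLogBytes) {
    $mb = [math]::Round($log.MaximumSizeInBytes / 1MB)
    Write-Warning "Security log is $mb MB; events will roll over quickly."
    Write-Warning "Raise it with:  wevtutil sl Security /ms:$MinSecurityLogBytes"
}

# 2. Audit policy: subcategories a SOC typically wants (assumed list, not from the page)
$wanted = @(
    'Logon', 'Logoff', 'Special Logon', 'Process Creation',
    'Security Group Management', 'User Account Management',
    'Audit Policy Change', 'Sensitive Privilege Use'
)

# auditpol /r emits CSV with a 'Subcategory' and an 'Inclusion Setting' column
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

foreach ($name in $wanted) {
    $row = $policy | Where-Object Subcategory -eq $name
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    if ($setting -in @('No Auditing', 'not found')) {
        Write-Warning "Audit subcategory '$name' is '$setting'"
    } else {
        Write-Output "OK  $name : $setting"
    }
}
```

Run it once per server class (domain controllers, member servers, workstations) and feed the warnings into whatever change process raises the log size and audit policy via Group Policy; until both are fixed, a SIEM only sees whatever survived the last rollover.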

