• Netenrich
  • /
  • ...
  • /
  • Right-sizing SOConomics Part III: Demonstrating Value
Subscribe To Our Newsletter!

Stay up to date on the top trending threats as well as the top stories in Security, Networks, Cloud, IT Ops & AIOps.

Right-sizing SOConomics Part III: Demonstrating Value

Netenrich Intelligent SOC speeds response while also improving qualitative aspects that improve resolution over time.

Liza Kurtz
Post by Liza Kurtz Jan 25, 2021

For a truly intelligent approach to investing in SOC services, we need to contemplate results on two levels—Ops transformation, and alignment with the business. Let’s take Ops first.

One target outcome for SOC investments has always been speed, which can be seen as both a function and a component of efficiency. The longer an attacker hangs around inside your infrastructure before being detected the more havoc they can wreak, and the greater your risk of suffering demoralizing breaches.

The more time spent finding, validating, contextualizing and acting on events, the greater your risk—and cost—so we tend to track SOC efficiency in terms of time:

  • Reduced response times
  • Reduced noise
  • Decreasing false positives to speed qualification and prioritization
  • Faster time to detect and escalate
  • Reduced consumption of SOC analyst time

Netenrich Intelligent SOC services speed response while also improving qualitative aspects that improve resolution over time:

  • How accurate are criticality ratings and prioritization?
  • Are actionable recommendations for remediation provided?
  • What percentage of issues get resolved by machines?
  • Is threat intelligence well-contextualized to alerts?

Speed and efficiency go hand-in-hand. In a recent IDC report, respondents cited their top reasons for engaging providers, which include streamlining complexity, utilizing new technologies, and enhancing visibility.

Download eBook | Right-sizing SOConomics


Efficiency includes optimizing workflows and communications between various solution sets, a major reason some organizations engage managed service providers (MSPs). For example, logging and endpoint solutions may both generate alerts, and may or may not both feed directly into a SIEM, but deep expertise and integration is needed to reconcile alert management. Data may be split across multiple systems, making it more complicated to figure out what actually happened, or even where to look first.

An effective, intelligence-driven SOC improves resolution by applying richer context and better, faster correlation, two capabilities that prove hard to quantify in and of themselves. Go beyond thinking about value in terms of transactions (alerts, tickets, escalations, man-hours), to consider true Ops resolution and ultimate business outcomes.

Aligning with the business

Maybe someday we’ll reach the point where being able to show you have a well-tuned SOC or ongoing attack surface management will directly improve your security ratings. It might even impact annual cyber-insurance premiums, like having good cholesterol and exercising three times a week.

But we’re not there yet.  In the meantime, we can ascribe value to certain aspects of process optimization and risk reduction.

For example, no one wants to learn from a customer, partner, or competitor that something is exposed out on Internet. Yet in-house SOCs are rarely first to identify and respond to new threats, which reflects badly on the team and leaves analysts playing catch-up. How valuable would it be to have your team be first to know when there’s a problem more and more of the time?

Speedy responses could be a massive cost saver. Companies able to detect and contain a breach in under 200 days spent on average $1.1 million less. ~ CSO Online

What about being able to demonstrate a quickly and steadily shrinking attack surface – a sharp decline in exposed ports, expiring certificates, vulnerabilities and brand exposure? Along with avoiding costly breaches and saving time identifying real threats, attack surface intelligence may even impact the scope of compliance requirements.

For example, if you’re subject to Payment Card Industry (PCI) requirements for accepting credit cards, you need to be able to demonstrate that you know where all transaction data resides, and that it does or doesn’t touch the public Internet. Solutions like Netenrich ASI can dramatically reduce the burden on your internal resources by discovering quickly which assets are public-facing.

Demonstrating Attack Surface Reduction

asi workflow

Thinking even bigger, what might it mean to break down those brick walls between NetOps, SecOps and the cloud team? To source alerts to server or firewall outages, or to malware attack within minutes and engage the right analysts on each team without bothering any others?

The real question is . . .

Could the time, skills, and budget it takes to build and run your own SOC be better spent? The ultimate decision is not merely one of pure cost or economics, but the overall SOConomics that factor in the value and resolution you ultimately derive from investments.

For many mid- to large-sized enterprises and MSSPs themselves, an Intelligent SOC approach can introduce immediate and ongoing efficiencies that reduce run costs, bridge skills gaps, and propel their overall cybersecurity strategy forward.

RELATED READ | Right-Sizing SOConomics Part I: Three Steps to Adopting an Intelligent SOC

Redefining “resolution”

The key to driving transformation—and innovation—at every level is more and better intelligence. Intelligent SOC lets security operations keep getting smarter.

Based on Netenrich Resolution Intelligence, Intelligent SOC creates a “best of both worlds” model combining:

  • Machine and human intelligence
  • An AIOps-led SaaS platform with functional sourcing
  • Network, security and cloud domain expertise from one partner

netenrich resolution intelligence framework

Netenrich Resolution Intelligence starts with outcomes and applies the ideal, dynamic mix of human and machine intelligence to achieve those outcomes faster in the smartest possible way. Partnering with Netenrich overcomes challenges inherent in the both the DIY and traditional MSSP models:

  • Fear of commitment: If a provider pressures you to sign up for three to five years before trying its service, ask to try it first. Ask what recourse you have if SLAs consistently go unmet? Request references from customers with challenges similar to yours.
  • Buying outcomes: Most pricing models are based on things like how many alerts your infrastructure generates, how many devices generate them, and how much engineering support the provider expect to allocate to process them all. Flip the conversation by asking to buy only the outcomes you need, with the freedom to turn capabilities off and on at will.
  • Streamlining investment: Consuming outcomes streamlines investment and ensures you get what you need when you need it, with a wide range of capabilities available through one provider, one platform, and one user interface.
  • Getting what you pay for: Is the technology being used enterprise-grade and/or best in class?

Is the team making sound recommendations based on broad experience? Are the playbooks provided road-tested and well suited to your environment?

How intuitive and insightful are the user interface and analytics? Can analysts log into a self-service portal to customize rules, dashboards, and reports?

At the end of the day, the value of any solution pivots on the quality of experience. This includes alleviating the grind of working in the SOC for your analysts and the provider bringing deep knowledge and expertise. And, being able to explore both without risk.

RELATED READ | Right-Sizing SOConomics Part II: The SOC Investment Life Cycle

Try before you buy

The only real way to assess value is to try things out, so don’t take our word for it. Contact Netenrich to arrange demonstrations and trials of Intelligent SOC capabilities so you can experience the power of easy onboarding, quality insights, and rapid time to value for yourself.

Learn more about Intelligent SOC to get started right-sizing your SOConomics in 2021.


Liza Kurtz

About the Author

Liza Kurtz

Subscribe To Our Newsletter!

The best source of information for Security, Networks, Cloud, and ITOps best practices. Join us.

Thank you for subscribing!

Related Post

Feb 24 2021

What Makes the SOC “intelligent” Part II? Assessment, Pen Te

A proactive and resolution oriented soc...

Read More
Feb 10 2021

What Makes the SOC “Intelligent” Part I: Detection, Response

Your security operations center deserves nothing b...

Read More
Jan 18 2021

Right-sizing SOConomics Part II: The SOC Investment Life Cyc

Learn how to make a one- to three-year SOC investm...

Read More