Should you build your own SOC or use one as a service?

You’ve done your homework and decided your company needs a Security Operations Center (SOC) to keep yourself protected and your customers’ data secure. You have a few options available: should you build your own SOC or find a provider for SOC as a service?

The benefit of having your own SOC is having your own SOC. Depending upon your needs you might need one, but there are quite a few problems here.

Big money for rare security talent

Good security people are hard to find and aren’t cheap. You’ll need to hire quite a few rare and expensive specialists if you want true 24/7/365 coverage, so be prepared for a long recruitment process. You will have high upfront capital costs of starting a new department in your company, and you will also need to worry about the running expenses. The overwhelming majority of corporations think it isn’t realistic to build their own SOC due to the costs.

Additionally, your own SOC will only handle incidents at your own company. Most likely this will not happen very often, so your experts will get rusty over time. A provider of SOC as a service will have a plethora of clients so will see what is happening in the threat landscape before it reaches you.

The corporate landscape is always changing, with mergers, acquisitions, strategic business decisions and the like. If your corporation makes a major change, your own SOC will need to change as well. Scaling up your SOC as your corporation changes is a painful and time-consuming process, which is another disadvantage.

Efficiency of SOC as a service

Going to a SOC provider like Basefarm means you are going to a professional who has already invested in the necessary staff, equipment and tools. They will have many other clients, so you get the benefit of their experience. Most likely they will also be heavily involved in the security industry, being members of various associations where they can hone their skills and pass along the latest knowledge. SOC as a service is probably also going to be much cheaper.

Building your own SOC v. contracting SOC as a service will come down to your company’s individual needs. It is quite possible that creating your own is the best option for you, but hiring an expert SOC provider makes more sense for the majority of firms. You get the skills, experience, industry contacts, continuous learning and efficiency at a lower cost, which is a pretty easy business case to make.

Read more about our SOC services HERE

This might interest you too:

What is a Security Operations Center and why do you need it?

How do you find the right SOC provider for your company?


Author: Fredrik Svantes, Senior Information Security Manager, Basefarm

Fredrik Svantes is the Head of the Basefarm Security Operations department and has also lead the Basefarm Security Incident Response Team for the past seven years. Previously he has worked for companies such as Blizzard Entertainment, doing detective work on logs for massive online platforms running games such as World of Warcraft. Blog: . Twitter: @fredriksvantes .

What is a Security Operations Center and why do you need it?

Your company has digital assets that need to be protected. GDPR requires that a company detect any security incident involving personal data and report them within 72 hours, so you also have a legal obligation to be secure. You have responsibly defended yourself with cyber security tools like firewalls, antivirus and intrusion detection. So you’re good, right? Well, maybe not.

Put guards on your walls

This defensive equipment is set to perform specific tasks, but new vulnerabilities are discovered every day. New attacks and new threats constantly develop. These defensive tools are useful, but there is no such thing as 100% protection. If you haven’t been breached yet, most likely you will be.

Only having security tools is like building a wall to keep out the barbarians but neglecting to staff it with guards. You can’t just install your security tools and leave them running; you need someone to also monitor what is going on.

When an incident happens, you need to detect it and respond very quickly. This is the job of the Security Operations Center (SOC), and this is what makes it invaluable.

Be active, not passive

A SOC is a department which is dedicated and organized to prevent, detect, assess and respond to security issues in IT systems and IT infrastructure. These are your guards on the walls, ready to react when they see barbarians at the gate. An SOC can be either your own department or a provider of SOC as a service.

Basefarm’s SOC includes:

• Certified security Alert Analysts who review and act on security incidents 24/7/365.
• A Security Incident Response Team (BF-SIRT) who work on incidents escalated from the security analysts.
• Security Engineers who continuously improve and implement security solutions and are ready to react to emerging threats.

More than simply reacting to events

An SOC responds quickly to incidents, but these security experts also provide proactive security. They are aware of new threats before they materialize. They know what hardware and software you are running so can keep an eye on specific developing threats. They provide suggestions to improve and strengthen your IT environment. When something does occur, they can help with forensics to learn from the incident and take steps to further strengthen yourself.

Read more about our SOC services HERE

This might interest you too:

Should you build your own SOC or use one as a service?

How do you find the right SOC provider?


Author: Fredrik Svantes, Senior Information Security Manager, Basefarm

Fredrik Svantes is the Head of the Basefarm Security Operations department and has also lead the Basefarm Security Incident Response Team for the past seven years. Previously he has worked for companies such as Blizzard Entertainment, doing detective work on logs for massive online platforms running games such as World of Warcraft. Blog: . Twitter: @fredriksvantes .

How do you find the right SOC provider for your company?

You’re working to keep your company secure. You have all the right tools and decided that you need a Security Operations Center (SOC). You’ve done your research and decided that SOC as a service is right for you. But what do you look for in a SOC provider?

Judge your friends by the company they keep

The best way to start is to make sure the potential SOC provider is a member of relevant security organizations. These groups are invaluable to foster cooperation and coordination in incident prevention, as well as information sharing so members know the latest threats and how to mitigate them.

A SOC can’t work in isolation. A member of these organizations gets first hand insight on vulnerability and ongoing attacks, so they can act quickly and proactively. They can secure their own and their customers’ environments before these issues become public knowledge.

The prime group is, the Forum of Incident Response and Security Teams. FIRST is the premier organization and recognized global leader in incident response. It includes a variety of security incident response specialists from academia, government and the private sector.

There are also country CERTs (Community Emergency Response Teams) and regional groups like the European TF-CSIRT which a good SOC should be part of.

Has your SOC paid their dues?

You also need to check the qualifications of your potential SOC provider to see they follow best practices. Various groups provide certifications which are extremely important in this field. As an example, some of Basefarm’s specialists have:

• GIAC Information Security Professional (GISP)
• Certified Information Security Professional (CISSP)
• ITIL Foundation Certificate in IT Service management (ITILF)
• GIAC Penetration Tester (GPEN)
• GIAC Certified Forensic Analyst (GCFA)
• Red Hat Certified Engineer (RHCE)
• SANS / GIAC Advisory Board membership

Additionally, a SOC might have additional services which demonstrate their commitment to security. For instance, Basefarm has a wealth of other service components which can complement a SOC. These include:

• Intrusion Detection System (IDS)
• Web Application Firewall (WAF)
• Log Management with Security Information and Event Management (SIEM)
• Penetration Testing
• IT Forensics
• Vulnerability Testing
• Security Consulting

In a nutshell, if you are looking for SOC as a service make sure the provider has the right people with the right qualifications and right tools who are members of the right organizations.

Read more about our SOC services HERE

This might interest you too:

What is a Security Operation Center and why do we need it?

Should you build your own SOC or use one as a service?


Author: Fredrik Svantes, Senior Information Security Manager, Basefarm

Fredrik Svantes is the Head of the Basefarm Security Operations department and has also lead the Basefarm Security Incident Response Team for the past seven years. Previously he has worked for companies such as Blizzard Entertainment, doing detective work on logs for massive online platforms running games such as World of Warcraft. Blog: . Twitter: @fredriksvantes .


4 Industries That Have to Fight the Hardest Against Cyberattacks

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Security Affairs gives you some insight to which industries that have to fight the hardest against cyberattacks…

“Society’s dependence on internet-based technologies means security professionals must defend against cyberattacks as well as more traditional threats, such as robbers or disgruntled employees.”

Read more


Top 5 Security News


Virtual Session from the RSA Conference: The 5 Most Dangerous New Attack Techniques, and What’s To Come


Security Software & Tools Tips – December 2018

In this monthly post, we try to make you aware of five different security related products.
This is a repost from my personal website Ulyaothroducts.

This month we have choosen for the following:
* ModSecurity
* Snort
* Nmap
* Osquery


ModSecurity is a WAF module that can be used for various webservers such as Nginx, Apache and IIS.

Information from the ModSecurity website:

ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the “Swiss Army Knife” of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a power rules language and API to implement advanced protections.



Information from the Snort website:

Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.



Information from the OSSIM website:

AlienVault® OSSIM™, Open Source Security Information and Event Management (SIEM), provides you with a feature-rich open source SIEM complete with event collection, normalization, and correlation. Launched by security engineers because of the lack of available open source products, AlienVault OSSIM was created specifically to address the reality many security professionals face: A SIEM, whether it is open source or commercial, is virtually useless without the basic security controls necessary for security visibility.



Information from the Nmap website:

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).



Information from the Osquery website:

osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events or file hashes.


Photo by Collin Armstrong on Unsplash

Time for a new take on IT security

The digital transformation is speeding up and the world is increasingly running on data. In its wake cyber criminals are getting a whole lot smarter and over the past year we’ve seen massive ransom- and malware attacks resulting in global headlines, and cybersecurity is now a priority for everyone. But building huge walls in order to prevent attacks is no longer the solution. Instead we need a different mindset, focusing more on detection, and on building organisations infused with security thinking.

Big data as a security tool

As organisations become more security aware their cybersecurity efforts have made it harder for attackers to remain undetected. Attackers don’t want to get caught while stealing valuable data so, and as many businesses have data protection solutions in place, for example malware detection systems, they opt for standard Windows tools instead, like Microsoft Power Shell, to snoop around in the network.

This is where big data analytics can really help by setting a baseline for the internal users of the system and warn when anomalies occur. For instance, technicians will have certain work routines, while finance department employees will have a different workflow. When all of a sudden someone in the finance department opens Power Shell, this is not a standard behaviour and it will trigger warning signals even though it just happens to be a standard Windows application. Organisations with high security risks, like government bodies and companies with significant volumes of IP or critical data to protect, already rely on big data for security.

Your servers turn into secret bitcoin miners

The rise of cryptocurrencies has created a new security risk. Cryptomining requires large amounts of computing power and criminals are regularly “recruiting” individual computers in order to creating vaste crypto-mining networks. One or two computers might not show up on the radar, but with proper detection measures in place, like monitoring of resource usage you are able to keep intruding miners away. In general the very best strategy is to ensure all your systems are up to date. Don’t leave things unpatched or run old versions of software. And of course: don’t click on everything you see. Attackers still see e-mail scams as an attractive “way in.

Impossible to keep attackers out

Of course it’s important to try and protect your company, but let’s be honest, there is no way you’re ever going to be 100% protected. This is why we’re now moving away from prevention to focusing on detecting intrusions as soon as they happen. In a world of changing threats and compute-everywhere environments, the old security paradigm of just building bigger walls will be replaced by a continuum from block to allow. Machine Learning is becoming the key technology for predicting, detecting and preventing known and unknown threats. According to Gartner, deploying threat detection and response tools is a top priority for Chief Information Security Officers (CISOs). These investments can make a big difference. A report published by the US Ponemon Institute calculates that when an intrusion is found in less than 100 days, the average cost is $2.8 million. When detection takes longer than 100 days, the expense jumps to $3.8 million.

Security awareness

With the increase in cybercrime the hottest experts are those in IT security. But what can you do when there aren’t enough security experts to go around? The best immediate bet is to look for external partners to help secure the organisation’s IT.

Not every company needs a team of security professionals, but everyone needs people who are security aware. By ensuring the organisation has the right knowledge and culture a lot of threats can be avoided. For example, developers should always have security in the back of their minds while working on their projects. But all employees have to become more aware of security risks and take responsibility.:

  1. Everyone in the organisation must be aware about the threats and know some really simples rules: Firstly not all e-mails should be opened. Secondly, not all attachments should be opened. Thirdly, do not reply to everything. And do not insert any unknown memory stick into the computer!
  2. Establish routines for handling attacks and ensure everybody knows about them. An employee takes the chance of opening an e-mail and then they don’t want to be a nuisance or expose their “stupidity” so they don’t tell anyone. Clearly not a good idea. People need to know who to contact, and they need to be met in a friendly and professional way
  3. If something occurs, the notification procedures must be crystal clear, the distribution of responsibility indisputable and the measures immediate. Surveillance equipment must be routinely controlled, and there has to be subscribers to security updates.
  4. Practice, which is part of the contingency, may be done at different levels: from within the IT department to the entire organisation, but it’s really important that it happens.

When security experts are hard to find a great way to infuse security thinking into the organisation is by creating a multicompetence team. Look for employees with integrity and a personal interest in security, people who are spending time outside of work searching for security holes and keeping up with the latest trends and tools. With this team in place, not only can you use their combined expertise, they will also act as ambassadors and spread security awareness to their respective departments.

Do you want to transform how you work with information security to speed up innovation in your company? Download our Digital Ability Report HERE and get some insights on how to take security and innovation to the next level!

Author: Fredrik Svantes, Senior Information Security Manager, Basefarm

Fredrik Svantes is the Head of the Basefarm Security Operations department and has also lead the Basefarm Security Incident Response Team for the past seven years. Previously he has worked for companies such as Blizzard Entertainment, doing detective work on logs for massive online platforms running games such as World of Warcraft. Blog: . Twitter: @fredriksvantes .

DNSpionage and how to mitigate DNS tunneling

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Cisco Talos has published details regarding an APT campaign using DNS redirection and a malware they call DNSpionage. The malware supports both regular HTTP and also DNS tunneling as a way of communicating back with the attackers.

The DNS redirection part of the attack was done by compromising nameservers, and then pointing hostnames under the nameservers control to IPs of the attackers choosing. The attacker used LetsEncrypt and was in that way able to set up perfectly valid HTTPS copies of any sites.

DNS tunneling is where data are encapsulated within a DNS query and its reply, often using base64 encoding. As long as a server is able to perform domain name lookups it is able to exfiltrate data in this manner. This can also be used, with some preparation, if you find yourself in an airports WIFI or such, to proxy legitimate traffic and bypass and “signup”-requirement the WIFI might have.

This covert channel can be hard to detect, if the malware minimize the bandwidth used. If used as a proxy for larger amounts of data it will be possible to detect a significant change in the amount of DNS-queries and the size of the queries. A modern IDS or next generation firewall should be able to detect this out of the box today. Another way of mitigating is to use the split horizon DNS concept, resolving internal IPs normally, but external IPs resolving to a proxy server that can have the capability of checking the DNS information further.

Top 5 Security News

Tick the box on GDPR or go above and beyond?

Unsolicited use of personal data can cause great reputational damage. Some companies discover this the hard way. On top of that, new laws on data protection came into effect in May. How should a responsible company act?

By now, many organizations that store and use personal data have taken the necessary steps to ensure compliance with the EU’s General Data Protection Regulation (GDPR). For example, by updating their privacy statements and implementing solid internal processes. Other companies are on their way to GDPR-compliancy while others haven’t yet started. In recent research by software company Talend, only 35 percent of all companies in the EU responded to data requests as prescribed in the new regulation. Much-heard arguments for not initiating GDPR-projects are a lack of resources and a willingness to take a calculated risk to be fined at some point. This is understandable, as the authorities cannot audit everyone at once. Nevertheless, a risk is still a risk.

Misuse of personal data

The extensive use of personal data by big tech companies has certainly fuelled the backlash they now experience in the media and in the political arena. An example being the public outrage that followed the shameless manipulation by Cambridge Analytica of large demographic groups with personal data of Facebook users. It has become clear that unrestricted by law, misuse of personal data can have a destabilizing effect on societies. For this reason, a deeper appreciation of data protection and privacy as a human right has taken root in civil society and businesses alike.

GDPR-compliance is not a one-time effort. When you start your GDPR-journey as a company, you first have to get an overview of the data you have. Perhaps this will bring about the realization that you don’t need all these data. Often, there is a lot of obsolete and outdated data in different places that need structuring and cleaning up. One of the basic principles of GDPR is to prevent storing excessive amounts of personal data. For example, why store a home address when you only need an e-mail address or telephone number? Store only what you need

Many companies are aware of the necessity to be transparent about their data use, towards the very people of whom they collect it. But it’s just as important to create a culture around data privacy and protection within your own organization. Make sure that everybody understands the ‘why’ of it – it’s about the freedom and rights of people – and check this regularly using the processes that you have set up. Everybody is responsible, beginning with the CEO but certainly not ending there.

Commercial value?

Does GDPR-compliance have commercial value? Definitely. It’s in your best interest if your customers believe you are doing the ‘right thing’ by respecting their rights. After all, you can only build a sustainable enterprise on trust. Solid processes regarding the use of data also result in better quality data, that allows you to have a better overview of who your customers are. An obvious example is having the right contact information. Next to that, knowing where the data is that you are looking for, can dramatically improve the efficiency of the company processes.

There is commercial value in implementing and maintaining clear processes around GDPR. And there is also value in the trust you build with your customer. There is a risk if you don’t and that is to be fined by the supervising authorities and/or experiencing bad PR following a data breach. You have to balance these costs to the costs of doing things right. Do the math and the answer becomes clear very quickly.


Author: Patrick Tahiri, Security Compliance Manager.

Patrick Tahiri has a background from IT Operation and technology management. His key competences and area of responsibilities are the security of PCI environments, ISO 27001 audits, implementing information security procedures and GDPR consulting.

Digital Ability Report 2018/2019 : your free guide to digitization

Is your company fit for the future? What do you need to look out for to accelerate digitization and drive innovation? The Digital Ability Report 2018 by Basefarm provides well-founded answers and valuable insights.

This summer, we did a survey to find out the current state of digital maturity of companies and the criteria that have to be met in order to be and remain sustainable.

The report has arrived!

We have received answers from over 200 European IT decision-makers from various industries and evaluated how SMEs and large companies are positioned in the areas that determine digital competence and decide on digital success:

  • big data (data maturity)
  • cloud computing (Acceptance)
  • information security
  • innovation management

Free download!

The Digital Ability Report 2018 gives you insights and tips on how to accelerate innovation, improve digital skills and create success for your business and your customers.

Download the report!

This might interest you too:

How does digital transformation actually work?

Cloud Guide 

Data Thinking: A guide to success in the digital age

Thought you deleted your iPhone photos?

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

Twice a year, an international contest called Pwn2Own – the Olympic Games of competitive hacking, if you like – gives the world’s top bug-hunters a chance to show off their skills.

The word pwn, if you aren’t familiar with it already, is hacker jargon for “own”, as in “owning” someone’s computer – and, with it, their data – by taking control of it behind their back.

In case you’re wondering, pwn is a deliberate mis-spelling, based on the fact that O and P are adjacent on most keyboards. In theory, therefore, it should be read aloud as own, the word it denotes, in much the same way that the word St is read aloud as saint, or Mr as mister. In practice, however, it’s pronounced pone – just treat it as own with a p- added in front.

Like the Olympics, which alternates every two years between summer and winter sports, Pwn2Own alternates between desktop hacking at the start of the year, and mobile device hacking at the end.

Top 5 Security links