Pros and cons of an outsourced SOC vs. in-house SOC
Security operations centers have become an essential element of threat detection. Here's how to decide whether to build one in-house or outsource SOC capabilities.
The term cybersecurity operations is straightforward. In business, operations refers to all the things an organization does in order to perform its mission. But, to do that, the organization must also protect the resources needed to meet its goals, and that's where cybersecurity comes in.
Online information and resources require protection, and cybersecurity operations are the organizational processes needed to secure the overall organization -- and, in particular, its information assets -- against cybersecurity threats.
Cybersecurity operations have one overriding goal: protect the organization's information, websites, databases, business processes and communications. They do this by monitoring what goes on inside and outside the network to detect action that may represent malicious activity or threats.
Many networks grew in response to emerging technologies and changing demands -- leaving cybersecurity without a unified master plan to follow. The internet disrupted everything, making it critically necessary for companies to beef up their security operations and to place them under one umbrella. The volume of alerts generated by intrusion detection/prevention systems, firewalls and other systems compelled companies to take a closer look at their security infrastructure. Not only did companies fear a lack of trained staff meant alerts weren't being analyzed, but they were also worried that the sheer number of alerts was just too great to diagnose in a timely fashion. Organizations were afraid of what they didn't know from a threat monitoring standpoint.
Outsourcing vs. in-house cybersecurity operations
For these organizations, there are two possible approaches to create security operations center (SOC) capabilities: outsource or build in-house.
Outsourcing the cybersecurity operations function is a reasonable way to monitor network alerts. At its most basic, outsourcing cybersecurity operations involves contracting with a managed security service provider to analyze network alerts for potential malicious behavior, with the MSSP discarding those that are not malicious and reporting those that may, in fact, be harmful.
Pros and cons of outsourced SOC
Outsourcing pros
- Trained personnel. The MSSP has experienced personnel immediately available, saving the organization the time and expense of hiring and training the dedicated people needed to do the analysis.
- Infrastructure. The MSSP also already has the facilities and tools required to do the job, saving more time and the upfront expense of building out an internal SOC.
- Continuous threat monitoring. MSSPs should provide SIEM capabilities that filter false alerts so forensics are only conducted on legitimate threats. This type of proactive, continuous threat hunting and monitoring may be difficult for a company's cybersecurity team to conduct on its own.
- Intelligent analysis. Outsourcing cybersecurity operations can provide security analysis capabilities while an organization builds its own in-house SOC.
Outsourcing cons and questions to ask
- How much analysis is the MSSP going to provide? Outsourcing the cybersecurity operations function does not usually provide features such as multi-tier analysis of alerts or an incident response service. Instead, many outsourced cybersecurity operations only provide the equivalent of a Level 1 cybersecurity operations analysis.
- What happens to alerts that the MSSP cannot clear? The MSSP may only be able to analyze a subset of alert logs generated by an organization. Alerts from applications like databases and web applications may be outside of its area of expertise. If the MSSP is also a tools or hardware vendor, it may only be able to analyze logs from its own products.
- Who is going to provide a detailed analysis of potential threats? An organization still needs some internal analysis capabilities to deal with the smaller number of alerts that cannot be easily cleared by the MSSP and thus returned to the client.
- Does the MSSP provide compliance management? The SOC must operate in compliance with regulations and standards that the company must conform with. The MSSP should provide templates for required and recommended compliance processes and consider regulatory standards when developing vulnerability assessments for the company.
For some organizations, complete and permanent outsourcing of cybersecurity operations is a desirable option. This is a reasonable approach for governmental organizations, in particular, where obtaining, training and managing people and facilities, as well as predicting cost effectiveness, are preferably handled under a services contract rather than in-house. Governmental organizations may also have significant compliance obligations regarding cybersecurity where it may be convenient to transfer regulatory mandates to a contractor.
In-house cybersecurity operations center
Building an in-house cybersecurity operations center provides the greatest degree of control over cybersecurity operations and the best opportunity to get exactly the services that an organization needs. Building an in-house cybersecurity operations center can also provide the foundation for building future comprehensive cybersecurity services, including vulnerability management, incident response services, external and internal threat management services, and threat hunting.
Compared to outsourcing the cybersecurity operations function, building in-house capability has the following pros and cons.
Pros and cons of internal SOC
In-house pros
- Tailors the operation to meet demands. Design the security operations and monitoring capabilities that best meet the organization's requirements.
- Tracks capabilities that are stored on-site. Storing event log data internally lessens the risks that come with the external data transfer required to report security incidents.
- Improves communication. Breach transparency and coordinating incident response are typically much easier and faster when the processes are conducted in-house.
- Builds a unified security strategy. An in-house cybersecurity operations center can be the foundation for a comprehensive security, threat and incident response capability.
In-house cons
- Planning and implementation. The time required to get an in-house cybersecurity operations center up and running can easily be a year and is likely longer. CISOs and other security personnel will face a significant time investment in planning and implementing the SOC.
- Costs. Establishing an in-house SOC requires a significant budget, with upfront IT and personnel investment.
- Finding appropriate personnel. Hiring people who have the right skills, training and experience or developing and training existing in-house staff can be time-consuming and expensive.
- Acquiring multiple security technologies. Continuous threat detection and compliance monitoring across several departments likely will require purchasing several AI-driven security tools. This may be out of reach for security departments budget-wise, especially in smaller organizations.
As with many cybersecurity decisions, the right approach for many organizations is to find the correct balance between managing the cybersecurity operations function in-house and outsourcing it to an MSSP.
One reasonable option -- particularly for companies that intend to build an internal cybersecurity operations function -- is to take advantage of the speed that outsourcing provides while the organization builds its own cybersecurity operations. Outsourcing can provide at least some of the cybersecurity services needed today, and the organization can take advantage of the trained, experienced staff that an MSSP has at its disposal while building the services that it wants to provide on its own.