Introduction

Deciding to build a security operations center (SOC) in your organization is not a decision you can make easily. Getting to the point where you can even make the decision requires so much strategy, process, resource, and financial planning that it is beyond the capabilities of most organizations that want to improve their overall cybersecurity posture.

In general, most organizations (except for the largest) decide to avoid the pain involved in setting up their own internal SOC and completely outsource the function to an experienced MSSP. They will typically select one that already delivers a SOC function to lots of other customers. 

In this article, we will drill down on the decisions involved in choosing between an in-house SOC and an MSSP and explore the disadvantages and the advantages of the two models.

Outsourcing SOC Functions to an MSSP

Outsourcing your cybersecurity needs to a third-party MSSP is never an easy decision to make. It involves giving up on the idea of building the capability internally and letting someone else take care of the function. Before deciding to choose an MSSP over building your own SOC internally, it's important to consider and understand the security needs of your organization.

There are very good reasons to choose an MSSP. For example, if your own security team is understaffed and you need help monitoring your networks and IT infrastructure, an MSSP is a great choice. Similarly, if your organization is required to build 24/7/365 cybersecurity coverage to meet compliance requirements, a shortcut to meeting those requirements is outsourcing your SOC to an MSSP. Regulatory bodies do not mind who provides the coverage as long as it exists.

The most common reason to outsource your SOC to an MSSP is expense. Hiring the right people, investing in training, developing and maturing cybersecurity processes, and buying the technology can be prohibitively expensive for all but the largest enterprises. Most MSSPs deliver SOC capabilities to a number of different customers at once, making it much more cost-effective for them to operate a SOC and pass those cost savings on to their customers.

You may not need a full-blown SOC. You may just need the critical capabilities that a 24/7 SOC can provide, so it's well worth working out your needs before you begin to talk to MSSPs about outsourcing them. It could be that you just need your MSSP to monitor your networks and infrastructure, notifying and alerting you when a security event occurs.

However, you may need them to go a step further and manage your security infrastructure as well, enabling them to make changes to your environment and manage your log data, firewall, and other security hardware. Once you have a good understanding of your needs you can begin to make decisions about outsourcing your SOC requirements to an MSSP like Digital Hands.

In general, it will be less expensive to outsource SOC requirements to an MSSP. But over the longer term, with a consistent commitment to building a SOC, you can begin to realize a return on the significant investment that building an in-house SOC involves. 

Of course, the decision to outsource to an MSSP does not just come down to cost. It also comes down to people, processes, and technology. An MSSP gives you access to their deeply experienced SOC personnel, as well as threat intelligence. If you were to build this capability yourself it would be difficult to find experienced SOC analysts. There are not enough candidates to fill available positions and only the most lucrative SOCs can attract the lion’s share of experienced candidates.

MSSPs like Digital Hands have already set up and operate a 24/7/365 cybersecurity monitoring system which allows them to watch over your IT infrastructure in a consistent, granular way. Setting up this sort of environment for yourself can be difficult as you scale up your in-house SOC operation, team, and technology. Let's take a look at the key pros and cons:

In-House Security Operations Center (SOC)

  • Difficult to find experienced SOC analysts and personnel against the backdrop of a global cyber skills shortage.

  • Subscriptions to threat intelligence can be expensive, especially when you subscribe to lots of feeds. It can be difficult to manage and parse.

  • Building an in-house SOC requires a large initial investment and a steep learning curve, but gains value over time as it matures and becomes effective.

Managed Security Services Provider (MSSP)

  • MSSPs employ a wide range of different cybersecurity professionals and SOC analysts in order to drive their business.

  • An MSSP’s lifeblood is threat intelligence. They know exactly what data they need and can spread the costs across their existing customer base.

  • Leveraging an MSSP is much cheaper than building a SOC: it requires no CAPEX, and SOC services are generally available on a subscription basis.

Building a SOC Internally

A SOC is effectively a centralized command and control center for your cybersecurity operations, dealing with cybersecurity on a technical level for the whole organization. 

Building a SOC involves fusing people, process, and the right technologies so that they can act in synchronicity and dedicate themselves to dealing with cybersecurity incidents, detecting, prioritizing, and investigating them as they arise. 

This is something that Digital Hands excels at. For us, people, process, and technology are everything, and we work hard to maintain balance between the three.

People 

In the context of a SOC, this includes your incident responders, analysts, engineers, and the SOC manager. Each of these needs to be qualified, experienced, and accredited for their specific roles and responsibilities. There is too much at stake in a SOC's responsibilities to settle for anything less than the best people you can find.

A responsible SOC also hires and trains its own apprentices, juniors who are there to learn and grow into the senior roles over time. Without the right people, a SOC cannot be effective and your technology investments cannot be realized.

Processes 

In a busy SOC, it's not what you do but the way that you do it that counts. This is where process comes into play. The Digital Hands SOC leans heavily on processes that have evolved and been refined over time. They consist of playbooks that help us effectively react and respond to a wide range of different incidents and scenarios. Experience-based modus operandi helps us adapt our workflows to different customers in different industries. 

A mature SOC will have developed a lot of processes. They have seen it all and rarely react to things for the first time. Everything they do is thought-out and well-practiced which makes all the difference in a crisis.

Technology 

In most cases, technology gives your SOC eyes, ears, and a sixth sense. It helps you maintain visibility over your networks, servers, endpoints, and devices, and gathers data from across your estate, analyzing that data so it can be triaged and actions prioritized. 

Technology also helps you automate your approach to the more menial aspects of SOC management, freeing up analyst time to work on more pressing matters. While your technology is an enabler and a force-multiplier, it is not a solution in and of itself. Good technology needs good people behind it.

Before you can begin to assemble your SOC, hiring the right people, buying the right technology, and working out your playbooks and processes, you need to work out how much money you can spend on the capability. There is nothing worse than miscalculating your budget and having to cut corners halfway through the build. SOC builds can get extremely expensive very quickly unless you have a good handle on the true costs. 

Most organizations see approximately 5% of the IT budget allocated to cybersecurity, but this can rise to 10% for the financial services industry. Aim to spend at least 5% of your IT budget if you want your cybersecurity efforts and SOC to make a real difference. Remember that initial build costs can drive this budget even higher as you initially acquire the people and technology.

Once you have a handle on costs and your budget, create a roadmap of structured phases to chart out your SOC build and roll out. In Q1 you may want to roll out a SIEM platform to help you get to grips with all of the data your SOC will gather, bring it all together under one pane of glass and enhance your visibility over potentially malicious activity in your networks. This will more than likely be your first step, as a SIEM forms the core of your SOC technology and all other technologies will feed into it. 

A next logical step would be to work out your playbooks and develop use cases to help inform your SOC personnel of what to do when incidents occur and how best to deal with different scenarios. This step will also help inform your SOC scale-out roadmap and help prioritize the next technology pieces that you need to integrate and deploy. You also need to factor in SOAR planning, deployment, and configuration. SOAR (Security Orchestration, Automation, and Response) platforms are an essential part of the modern security operations center and provide your people with a set of capabilities that allow them to streamline their operations in multiple areas. A SOAR platform streamlines incident response workflows and threat and vulnerability management, and automates a large part of security operations, acting as a force multiplier on your team.

All of this planning will also help mature the SOC team. It provides the opportunity to think through their various responsibilities like threat intelligence, monitoring, threat hunting and detection, data loss prevention, and securing the endpoint estate. Let's take a side-by-side look at the advantages of owning a SOC compared to outsourcing the function to an MSSP.

In-House Security Operations Center (SOC)

  • You need to make a significant investment in technology and process in order to realize a return on investment.

  • Your logs are all stored locally in your own repository for you to manage, analyze, and archive.

  • Your own dedicated people who gain experience and mature your cybersecurity capabilities over time.

Managed Security Services Provider (MSSP)

  • An MSSP will spread the cost of their SOC across many different customers, passing the cost savings on to you.

  • Your logs are probably not stored locally and an MSSP may not let you have access to their analyst’s log console.

  • Analysts manage multiple customer environments, so the experience they glean stays within the MSSP.

A thoughtful and well-structured SOC can dramatically reduce the time needed to resolve and remediate security incidents and issues. But to do so, it requires trained analysts, engineers, and incident responders. A key metric of an effective SOC is “time to resolve”. This metric tends to trend upward when your SOC launches, but then begins to trend downward as your SOC matures and you integrate new technologies (like your SOAR) or embed new processes in the SOC’s operations.
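To make the "time to resolve" metric concrete, the following script is an added example (not code from the original article or from Digital Hands) that computes mean and median time to resolve per quarter from a set of incident tickets and reports the quarter-over-quarter change in the median. The ticket schema (`id`, `severity`, `opened`, `resolved`) and all timestamps are constructed assumptions for illustration; the data is shaped to show the downward phase described above, as a maturing SOC closes incidents faster. Still-open tickets are counted separately rather than skewing the averages, and a ticket whose resolution time precedes its open time is rejected as bad data.

```python
"""Compute the SOC 'time to resolve' metric per quarter from incident records.

Added example with constructed data; the ticket schema is an assumption.
"""
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records (illustrative only, not real SOC data).
# "resolved" is None for an incident that is still open. Trailing comments
# give the elapsed hours for each ticket.
INCIDENTS = [
    {"id": "INC-001", "severity": "high",   "opened": "2023-01-10T08:00:00", "resolved": "2023-01-11T08:00:00"},  # 24 h
    {"id": "INC-002", "severity": "medium", "opened": "2023-02-02T09:30:00", "resolved": "2023-02-05T09:30:00"},  # 72 h
    {"id": "INC-003", "severity": "low",    "opened": "2023-03-15T14:00:00", "resolved": "2023-03-17T14:00:00"},  # 48 h
    {"id": "INC-004", "severity": "high",   "opened": "2023-04-04T10:00:00", "resolved": "2023-04-06T22:00:00"},  # 60 h
    {"id": "INC-005", "severity": "medium", "opened": "2023-05-11T07:00:00", "resolved": "2023-05-12T19:00:00"},  # 36 h
    {"id": "INC-006", "severity": "low",    "opened": "2023-06-01T12:00:00", "resolved": "2023-06-02T12:00:00"},  # 24 h
    {"id": "INC-007", "severity": "high",   "opened": "2023-06-20T00:00:00", "resolved": "2023-06-20T12:00:00"},  # 12 h
    {"id": "INC-008", "severity": "high",   "opened": "2023-07-03T08:00:00", "resolved": "2023-07-04T04:00:00"},  # 20 h
    {"id": "INC-009", "severity": "medium", "opened": "2023-08-14T16:00:00", "resolved": "2023-08-15T02:00:00"},  # 10 h
    {"id": "INC-010", "severity": "low",    "opened": "2023-09-09T09:00:00", "resolved": "2023-09-09T15:00:00"},  # 6 h
    {"id": "INC-011", "severity": "high",   "opened": "2023-10-02T11:00:00", "resolved": "2023-10-02T19:00:00"},  # 8 h
    {"id": "INC-012", "severity": "medium", "opened": "2023-11-20T13:00:00", "resolved": "2023-11-20T17:00:00"},  # 4 h
    {"id": "INC-013", "severity": "high",   "opened": "2023-12-28T10:00:00", "resolved": None},                    # still open
]


def hours_to_resolve(incident):
    """Elapsed hours from opening to resolution, or None if the incident is still open."""
    if incident["resolved"] is None:
        return None
    opened = datetime.fromisoformat(incident["opened"])
    resolved = datetime.fromisoformat(incident["resolved"])
    if resolved < opened:
        # A resolution timestamp before the open timestamp is a data-quality error,
        # not a negative resolution time; refuse it rather than silently skewing the metric.
        raise ValueError(f"{incident['id']}: resolved before opened")
    return (resolved - opened).total_seconds() / 3600.0


def quarter_of(timestamp):
    """Map an ISO 8601 timestamp to a calendar-quarter label such as '2023-Q2'."""
    dt = datetime.fromisoformat(timestamp)
    return f"{dt.year}-Q{(dt.month - 1) // 3 + 1}"


def time_to_resolve_by_quarter(incidents):
    """Per quarter (bucketed by open date): resolved count, still-open count, mean and median hours."""
    buckets = {}
    for inc in incidents:
        bucket = buckets.setdefault(quarter_of(inc["opened"]), {"hours": [], "open": 0})
        hours = hours_to_resolve(inc)
        if hours is None:
            bucket["open"] += 1
        else:
            bucket["hours"].append(hours)
    report = {}
    for quarter in sorted(buckets):
        hours = buckets[quarter]["hours"]
        report[quarter] = {
            "resolved": len(hours),
            "still_open": buckets[quarter]["open"],
            "mean_hours": round(mean(hours), 1) if hours else None,
            "median_hours": round(median(hours), 1) if hours else None,
        }
    return report


def quarter_over_quarter(report):
    """List of (quarter, change in median hours vs. the previous quarter); negative means faster resolution."""
    changes = []
    previous = None
    for quarter, row in report.items():
        if row["median_hours"] is None:
            continue
        if previous is not None:
            changes.append((quarter, round(row["median_hours"] - previous, 1)))
        previous = row["median_hours"]
    return changes


if __name__ == "__main__":
    report = time_to_resolve_by_quarter(INCIDENTS)
    print(f"{'quarter':8} {'resolved':>8} {'open':>5} {'mean h':>8} {'median h':>9}")
    for quarter, row in report.items():
        print(f"{quarter:8} {row['resolved']:>8} {row['still_open']:>5} "
              f"{row['mean_hours']:>8} {row['median_hours']:>9}")
    for quarter, delta in quarter_over_quarter(report):
        print(f"{quarter}: median change {delta:+.1f} h vs previous quarter")
```

The median is reported alongside the mean because a single long-running incident can drag the mean up for a whole quarter; tracking both, plus the count of tickets still open, gives a truer picture of whether the SOC is actually maturing than any one number on its own.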

If your organization has a pressing need for a SOC, can afford one, and has the resources to commit to it over the long term, building out the capability internally can be a good choice. Typically, these three conditions only apply to the largest of organizations. Even then, a SOC can be challenging to build out, and that is ultimately why many choose an MSSP over an internal build.

Final Thoughts

Deciding if you should build a SOC or outsource the function to an MSSP means that you are trying to improve your cybersecurity posture and security program. This is always a good thing. 

It is really important to understand an organization's level of expertise, existing cybersecurity posture, budget, and resources before coming to a decision. The vast majority of organizations generally outsource the function to an MSSP in support of their own internal cybersecurity team. It acts as a stepping stone to building their internal capability, usually because it gives them the fastest return on investment over the short to mid-term.

Building out a SOC internally is a long-term investment that will yield significant benefits for organizations that genuinely need the capability internally. However, for most organizations choosing an MSSP is simply more practical and allows them to focus on their core business while outsourcing cybersecurity to the professionals, saving a lot of CAPEX in the short term.

Contact Digital Hands

If you decide to outsource your SOC function to an MSSP, contact Digital Hands. We own and operate two US-based security operations centers, fully staffed with experienced SOC personnel and we operate our own SOAR platform to manage our customers’ requirements. Because we have operated these SOCs for a long period of time, we understand the technology and process which underpins an effective SOC better than most. This is also why we are experienced in dealing with a wide range of different requirements from across our entire customer base. 

Here at Digital Hands, our SOCs are the center of our business and drive our operations. We continually make investments into the people, processes, and technology, so we remain at the forefront of our industry and in the top tier of SOC providers nationally. If you or your partners need a competent security services provider to ensure that you are making the right moves with cybersecurity, call Digital Hands at (855) 511-5114 today.
