In-house SOC or MSSP? How to choose security that works for your organization

Setting up a way to manage network security is quite a daunting task for any new organization. And there's not just one way to do it. Modern technology and effective service models have made it possible for organizations to outsource their security to professional cybersecurity service providers.

While outsourcing security may be a good idea for some, a lot of companies want to explore a more complex but beneficial option for security that involves setting up a security operations center (SOC) dedicated to protecting their networks. How an organization's security should be managed will boil down to the available budget, personnel, and threats the industry faces. This article should help you assess your security priorities and choose between an in-house SOC or MSSP.

Creating an in-house SOC

An internal SOC team within your organization involves putting together the personnel, processes, and technology to build a system that detects threats, alerts the team, and responds to security incidents.

Personnel: Personnel can be a tricky thing while building a SOC. You need to build a team of experienced employees who know how to manage and respond to security incidents. This team of analysts will have to use the security technology you've invested in to detect threats, evaluate potential damage, and run routine procedures to check if you're compliant with industry standards and if your security controls are in order.

Some SOC job titles to organize your team by:

• Security analysts: A security analyst is primarily responsible for protecting a company's network through researching upcoming IT trends, formulating contingency plans, and investigating and reporting suspicious activities.
• Lead software security engineer: The lead security software engineer is responsible for designing software security functions, creating strong and secure design patterns, and planning the organization's software security strategy and roadmap.
• Chief security officer: A chief security officer (CSO) handles the safety and security of an organization's data, personnel, and assets. The CSO is primarily responsible for preventing breaches and common attacks like phishing and malware by developing airtight safety protocols and risk management strategies.
• Chief information security officer: A chief information security officer (CISO) is a management-level executive responsible for establishing and maintaining a security vision that is scalable, budgeting, and creating innovative security programs to ensure information assets and technologies are protected.

Technology: With work that's as complex as cybersecurity, you can't just rely on personnel to get the job done. Current security solutions are advanced enough to do a lot of the heavy lifting and mundane tasks. With this, your personnel get more time to focus their efforts on planning and strategizing.

SIEM solutions are a great investment for any company choosing to build its own SOC team. SIEM solutions are comprehensive in their collection and processing of logs from your devices. They provide visual analytics to help you understand data, intensive reports on network activity, and even automation capabilities that help you respond to threats faster. Log360 is a SIEM solution that offers logging and reporting capabilities for your AD, mail servers, and cloud environments along with nifty features such as real-time correlation and behavior analytics to help detect threats and improve the compliance posture.

Of course, building your own SOC can take quite a bite out of your budget, and how big a bite that will be is determined by the SOC you're trying to build. Your SOC maturity level depends on the capabilities you want to equip your team with.

Here is a breakdown of SOC levels your team might fall under based on capabilities:

Basic SOC team

• Decent detection capabilities without many investigation capabilities—forensic capabilities are not an investment a basic SOC team makes.
• Basic SIEM capabilities don't offer much flexibility to tune the number of alerts coming in.
• A low-staffed basic-level SOC team can miss out on important alerts because of alert fatigue.
• Basic SOC teams usually have inexperienced personnel, and not-so-advanced security tools, which makes it a challenge to handle major cybersecurity incidents.

Intermediate SOC team

• These teams are invested in SIEM solutions that have advanced threat detection mechanisms and offer reasonable visibility into the organization's network.
• They might have some endpoint detection and response capabilities and decent capabilities for cyberforensics.

Advanced SOC team

• Advanced SOC teams make a huge investment in SIEM solutions that can expertly detect, investigate, and respond to threats.
• They might opt for security orchestration, automation, and response capabilities to leverage playbooks that can automate responses to incidents.
• There will be a threat hunting team within these SOCs that works on looking for threats that may have slipped past the security tech.
• These teams will source intelligence to build context for threats, so the team can understand and deal with them better.

Any CISO would prefer to have an advanced SOC team with state-of-the-art tech that helps keep every network activity under check. But the issue lays with sustainability and consistency. Security tools considered state of the art today can quickly become outdated a few years down the road and begin to overwhelm your SOC team with useless alerts.

Building your SOC depends not just on the experience of the personnel but also on the kind of security capabilities you want to incorporate into your program. The NIST framework is a five-function model that can help you choose what capabilities to prioritize. Ideally, you would implement all five, but your budget may not permit this. Using the NIST framework, you can determine what functions or capabilities are the highest priority for your organization. From there, you can calculate budgets to introduce these capabilities and look for the kind of SIEM solution that can help you easily manage your security.

However, if when looking at the budget you find you won't be able to fund a fully functional SOC team, you should consider opting for security service providers.

Opting to outsource your security

Managed security service providers (MSSPs) are a good alternative to SOC teams. For a new company, its SOC team might be understaffed and might be struggling to handle monitoring and prioritizing alerts. This is where an MSSP can make life easy. Organizations requiring 24/7 monitoring should consider outsourcing their SOC to an MSSP.

The most common reason to outsource is budget, or rather a lack thereof. The effort and expenses involved in hiring capable personnel, investing in their training, and ensuring scalability of your cybersecurity process can be too much for some organizations to handle. Opting to outsource to an MSSP can eliminate much of the costs and effort, since these service provides deliver SOC capabilities to several customers at once. Not all organizations require cutting-edge security for their organization and may just need critical capabilities that a 24/7 SOC can provide; for these organizations, MSSPs are a far more lucrative option.

Your MSSP can manage your security infrastructure; they'll be able to tune your environment's security controls, manage log information, and set up firewalls and other security hardware.

Cutting costs is the primary benefit MSSPs offer over building your own SOC. But if you're organization operates in a sensitive domain such as finance or healthcare, which are relatively more vulnerable, you may need to consider building a SOC. It is an investment that offers good returns in the long term.

While cost is a major factor, there are plenty of other reasons to opt for an MSSP. An MSSP gives you access to its experienced SOC analysts and threat intelligence. Incorporating these capabilities yourself would require significant investments into technology and personnel which can be quite pricey. The high demand for experienced cybersecurity professionals and the fact that these tech-savvy individuals often prefer to work at established SOCs will be an impediment to small and medium-sized enterprises trying to establish their own SOCs.

Let's weigh these options against each other:

Your own SOC team

Pros:

• You need significant initial investment in technology, people, and processes in order to realize a return on investment.
• Storing logs locally in your own repository gives you more control to manage, analyze, and archive them.
• You'll need a dedicated team that gains experience and matures your cybersecurity capabilities over time.

Cons:

• Experienced SOC analysts are hard to find, especially when there's a global cyberskills shortage.
• Subscriptions to threat intelligence can be expensive, especially when you require lots of feeds. It also introduces challenges in parsing.
• Creating your own SOC team requires a large initial investment and a steep learning curve.

Outsourcing to an MSSP

Pros:

• MSSPs provide their clients with a wide range of different cybersecurity professionals and SOC analysts in order to drive their businesses.
• An MSSP’s security services are fueled by threat intelligence. They are precise about what data they require and they spread the costs across their existing customer base.
• Opting for an MSSP is much cheaper than building a SOC, requiring no capital expenditures.

Cons:

• An MSSP spreads the cost of running its SOC across all its customers. This is economical for organizations wanting a variety of security services, but it might be expensive for organizations that have subscribed for basic security services.
• Your logs are in the hands of your MSSP and your service provider may not let you access your logs on their console.
• You won't have as much control over your own security. An organization's ability to manage their own security will not improve under an MSSP, because all experience with security and incident management rests with the MSSP.