
SANS ISC: InfoSec Handlers Diary Blog



Pro & Con of Outsourcing your SOC

Published: 2017-03-31
Last Updated: 2017-03-31 12:30:06 UTC
by Xavier Mertens (Version: 1)
5 comment(s)

I'm involved in a project to deploy a SIEM ("Security Information & Event Management") / SOC ("Security Operation Center") for a customer. The current approach is to outsource the services to an external company, also called an MSSP ("Managed Security Services Provider"). We had an interesting chat about the pros and cons of having an internal or external SOC. The main arguments from the company are:

  • We don't have experience on board and we should hire people. And keep them on board!
  • We don't know how to deploy the SIEM / SOC
  • We have a limited budget (which is the 1st argument for many organizations)

Often, even if it is not always conceded, the deployment of a SIEM is part of a long list of compliance requirements (from the business or the group the company belongs to).

Here is a small recap of the points we discussed:

Internal SOC

Pro:
  • Good knowledge of the business
  • Tailored to your own requirements
  • All data are stored and processed internally
  • Easier correlation of events between the departments

Con:
  • Costs to deploy and maintain
  • Difficulty to hire talented people
  • Risk of conflict of interest between departments
  • Long term ROI

External SOC

Pro:
  • Costs (it's a new service contract - OPEX)
  • Benefit of trends and detection on other customers
  • Access to more threat intelligence
  • No conflict of interest with the other departments (external advice & reporting)
  • Scalability and flexibility

Con:
  • There is a clear lack of knowledge of the "business"
  • Lack of communications
  • Difficulties to keep the SIEM in sync with the infrastructure
  • Services are provided based on "levels" (ex: gold / silver / bronze)
  • Lack of dedicated people to YOUR environment
  • Data stored and processed outside your perimeter
  • Lack of customization

And you? What is your point of view? Feel free to share.

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

Keywords: mssp siem soc