Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Pro & Con of Outsourcing your SOC - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Pro & Con of Outsourcing your SOC

I'm involved in a project to deploy a SIEM ("Security Information &Event Management") / SOC ("Security Operation Center") for a customer. The current approach is to outsource the services to an external company also called a MSSP ("Managed Security Services Provider"). We had an interesting chat about the pro & con to have an internal or external SOC. The main arguments from the company are:

  • We don't have experience on board and we should hire people. And keep them on board!
  • We don't know how to deploy the SIEM / SOC
  • We have a limited budget (which is the 1st argument for many organizations)

Often, if not always conceded, the deployment of a SIEM is part of a long list of compliance requirements (from the business or the group the company belongs to).

Here is a small recap of the points we discussed:

SOC Pro Con
Internal
  • Good knowledge of the business
  • Tailored to your own requirements
  • All data are stored and processed internally
  • Easier correlation of events between the departments
  • Costs to deploy and maintain
  • Difficulty to hire talented people
  • Risk of conflict of interest between departments
  • Long term ROI
External
  • Costs (it's a new service contract - OPEX)
  • Benefit of trends and detection on other customers
  • Access to more threat intelligence
  • No conflict of interest with the other departments (external advice & reporting)
  • Scalability and flexibility
  • There is a clear lack of knowledge of the "business"
  • Lack of communications
  • Difficulties to keep the SIEM in sync with the infrastructure
  • Services are provided based on "levels" (ex: gold / silver / bronze)
  • Lack of dedicated people to YOUR environment
  • Data stored and processed outside your perimeter
  • Lack of customization

And you? What is your point of view? Feel free to share.

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

Xme

284 Posts
ISC Handler
* Some MSSPs offer to have a group of dedicated people from their pool that are knowledgeable about your organization ; this also improves the communication (and sometimes trust)
* Some MSSPs use a SIEM deployed on your infra and then do their work on “your” SIEM (they manage/config "your" system). They do get alerts from events above certain thresholds, but “in theory” no data ends up on their premises
* Next to hiring talented people, it can be extremely difficult to find enough staffing to do an in-house 24*365
* Some MSSPs claim “we use threat intelligence” but what they actually mean is “we have a feed from a vendor and do alert processing, not correlating with other events”
cudeso

6 Posts Posts
It's not hard to find talented people, it's just that companies don't want to pay realistic wages. In my area, they want to pay a SOC analyst 40-55K a year for a degree and a minimum of three years experience on so many different things it's laughable.

No one can make a 100% match on a job listing, unless you've been in the industry 40 years or more (LOL), but until hiring managers and HR staffers start getting a clue, this problem will not change any time in the near future.

If you cannot find the talent locally, outsourcing is a good option, as long as you go with a top notch company.
dogbert2

18 Posts Posts
With regards to outsourced security functions:

You become the cookie and they are the cutter. Unless they are very small, you will play by their rules and procedures, not yours. "Inflexible" takes on an entirely new meaning. And if they are small enough to allow customization and flexibility they probably do not have a wide visibility into threat intelligence worldwide because they do not have enough customers. Buying feeds from vendors does not constitute "threat intelligence".

Learn their analyst-to-customer ratio. They probably will be on 12-hour shifts and paid by the hour. That means you'll have at least four different people watching your stuff and probably more due to vacations and the like. Probably more as they try to keep from paying overtime. The more people watching your stuff the less chance there is that something will be caught.

No outsourced operation can ever know your network and its applications as well as your own people can. If the threats hitting your network do not match their cookie-cutter rules, it probably will not raise an alarm. If you make changes to your network and they do not notice, do not be surprised.

You will dedicate at least one person to going over their work product and managing the relationship. That does not mean one full-time person but the cumulative time will be that much. And the outsourced provider cost will be at least one FTE with benefits and probably more. But hey, HR will be happy because you did not add headcount.

True dialog from a major outsourced SOC player: "Our contract allows for monitoring 25 security devices." "Umm, what is a "security device?"" "Anything that sends logs to us." "Wait, so we have 600 servers and we store all of their event logs in our SIEM that you will be managing." "OK, thanks for telling us. We will increase the contract limit to monitoring 600 security devices. Do you send any switch syslogs to your SIEM? How about firewalls? Do you send security events from the desktops and laptops such as anti-malware hits also? If so, how many security devices should we add to the contract?" and now that customer was up to 4,000 monitored "security devices" and they were already wide-eyed at the price of 25.

When vetting an outside company, find out how many customers they have. Then ask how many MONITORING customers they have. The two answers are rarely the same and the monitored customers is usually a lot smaller. That's not a good thing. It does not mean the analyst-to-customer ratio goes down.

Check their online job postings. Even if you do not see a salary, contact the recruiter and ask for the salary range. One company recently posted, with their own posting, that the salary was $30,000 a year. In the industry that is known as a "SOC Monkey", someone who follows procedures someone else wrote and performs tasks that someone else developed. Even in 2017 you get less than you paid for.

But as noted in the original article, we're talking "compliance" here and not "security" so all boxes are checked.

"XXXXXXXX takes the security of the customer information entrusted to us very seriously. We were in full compliance with all industry best practices and regulator requirements at the time we were totally owned for over a year. We are undertaking significant improvements including replacing our outsourced security monitoring function with an in-house operation."
Anonymous

Posts
Quoting dogbert2:If you cannot find the talent locally, outsourcing is a good option, as long as you go
with a top notch company.


Or you could offer full remote to get qualified people onboard.

And whenever a company writes "Occasional remote" in their job posting I translate that to "Nights, weekends and holidays after your regular shift." :-)
Anonymous

Posts
Oh, been there, done that, and have the friggin t-shirt...though some internal SOC's usually stick to 3 on/4 off, 4 on/3 off 12 hour shifts, so the analysts don't go too nutso :P
dogbert2

18 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!