Pro & Con of Outsourcing your SOC

Published: 2017-03-31. Last Updated: 2017-03-31 12:30:06 UTC
by Xavier Mertens (Version: 1)

I'm involved in a project to deploy a SIEM ("Security Information &Event Management") / SOC ("Security Operation Center") for a customer. The current approach is to outsource the services to an external company also called a MSSP ("Managed Security Services Provider"). We had an interesting chat about the pro & con to have an internal or external SOC. The main arguments from the company are:

We don't have experience on board and we should hire people. And keep them on board!
We don't know how to deploy the SIEM / SOC
We have a limited budget (which is the 1st argument for many organizations)

Often, if not always conceded, the deployment of a SIEM is part of a long list of compliance requirements (from the business or the group the company belongs to).

Here is a small recap of the points we discussed:

SOC	Pro	Con
Internal	Good knowledge of the business Tailored to your own requirements All data are stored and processed internally Easier correlation of events between the departments	Costs to deploy and maintain Difficulty to hire talented people Risk of conflict of interest between departments Long term ROI
External	Costs (it's a new service contract - OPEX) Benefit of trends and detection on other customers Access to more threat intelligence No conflict of interest with the other departments (external advice & reporting) Scalability and flexibility	There is a clear lack of knowledge of the "business" Lack of communications Difficulties to keep the SIEM in sync with the infrastructure Services are provided based on "levels" (ex: gold / silver / bronze) Lack of dedicated people to YOUR environment Data stored and processed outside your perimeter Lack of customization