Build a SOC or Pick an MSSP?

Deciding whether to build an internal Security Operations Center (SOC) or to engage a Managed Security Service Provider (MSSP) to handle security operations can be a difficult and time-consuming decision for organisations seeking to strengthen their security posture. This post explores the advantages and drawbacks of both options and provides background to help you build a SOC or pick an MSSP.

Building a SOC:

A SOC is a centralised function that handles security incidents, both organisationally and technically. It usually requires a variety of resources, procedures and staff dedicated to the detection, response and investigation of security incidents. Understanding a SOC’s main building blocks is crucial, so that you can set expectations about which key pieces need to be involved in the build-out.

The security operations triad at a high level consists of:

People – Staff who handle security incidents, such as SOC analysts and incident responders.

Processes – Documented procedures that tell staff how to investigate and manage an incident efficiently, ensuring that every activity is completed correctly and on time.

Technology – Gives you visibility into your network and the right tools to monitor for and identify signs of malicious activity.

Before you start building your SOC, decide what budget your company has set aside, as a SOC can be a very costly investment. A good budget for information security would be 5 per cent or more of the global IT budget. Next, create a roadmap with organised phases of what you expect to accomplish each quarter, or on whatever timeline fits your organisation best. For example, one phase could be increasing visibility by introducing a Security Information and Event Management (SIEM) platform such as ArcSight, Splunk or QRadar, to bring your data under a single pane of glass and improve your analysts’ ability to detect malicious activity; from a technical perspective, the SIEM forms the foundation of the SOC. Another phase could be designing use cases and playbooks that help your analysts identify and react to malicious activity. Developing this plan sets out the most important items to execute and their priorities. Later phases can concentrate on developing or maturing SOC teams such as monitoring and detection, forensics, data loss prevention and threat intelligence.
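To make the idea of a SIEM use case concrete, here is an added example (written for this post, not a Teceze, ArcSight, Splunk or QRadar rule) of one of the most common first use cases a SOC builds: a correlation rule that fires when a single source IP produces a burst of failed logins and then logs in successfully. The SSH log format, the sample log lines, the threshold of five failures and the five-minute window are all assumptions chosen for the illustration; in a real SIEM you would express the same logic in the product’s own rule language and tune the threshold to your environment.

```python
# Added example (not code from the original post): a minimal SIEM-style
# correlation use case. It raises an alert when one source IP generates at
# least `threshold` failed logins inside `window` and then logs in successfully.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample SSH auth log lines for the example; not from a real host.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05Z sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:06Z sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:08Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:12Z sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:01:00Z sshd: Failed password for bob from 198.51.100.4
2024-03-01T10:45:00Z sshd: Accepted password for bob from 198.51.100.4
"""

# Assumed log layout: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce_success(lines, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that meets the use-case condition.

    Assumes lines arrive in chronological order, as they would from a SIEM
    pipeline; failures older than `window` are expired as each event arrives.
    """
    recent_failures = defaultdict(deque)  # src IP -> timestamps of failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unparseable lines are skipped rather than alerted on
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures that fall outside the window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:  # Accepted after enough recent failures
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "first_failure": q[0],
                "success_at": ev["ts"],
            })
            q.clear()  # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce_success(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {a['src']} user={a['user']} failures={a['failures']} "
              f"{a['first_failure']:%H:%M:%S}..{a['success_at']:%H:%M:%S}")
```

Run against the sample lines, the rule alerts once on 203.0.113.7 (five failures in eleven seconds, then an accepted login for admin) and stays quiet on 198.51.100.4, whose single failure is both below the threshold and outside the window by the time the successful login arrives. The playbook that accompanies a use case like this would tell the analyst what to check next (source reputation, whether the account is privileged, what the session did after login) and when to escalate.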

Here are some of the benefits of a SOC over an MSSP:

• SOC: Ability to customise the SIEM solution to your environment.
  MSSP: Customisation is minimal, though some providers let you control your own SIEM.
• SOC: Logs are held locally, under your control.
  MSSP: Logs are processed at the provider rather than locally, so customers typically cannot access the analyst console.
• SOC: Dedicated staff who focus only on your network.
  MSSP: Analysts who are responsible for supervising many customers’ networks.

A properly implemented SOC will dramatically reduce the time needed to resolve security incidents, but it takes well-trained SOC analysts and incident responders to close out critical incidents. Time to resolve is a key metric of a working SOC. Expect the number to rise at first once you start monitoring; as the SOC matures and its processes improve, it should trend downward over time.

If you can meet these conditions, then choosing to build a SOC could be a good match for your organisation:

  • Effective processes and policies – documented procedures that analysts follow so that every step is carried out correctly, recorded and validated.
  • Adequate budget – 5 per cent or more of your global IT budget.
  • Well-trained SOC analysts and incident responders – set up an internal training plan to improve analyst expertise, or budget for external training.
  • Quality leadership and SOC management – willingness to follow through with the steps outlined in the roadmap.

Choosing an MSSP:

Selecting an MSSP is a significant decision for any organisation. An MSSP can augment a SOC, but it is never a substitute for an internal security operations capability. Consider your needs before you agree to partner with an MSSP. Some examples of why businesses opt for an MSSP to support their security operations include:

  • Your information security team is understaffed and needs help monitoring your network.
  • Your company needs to introduce 24x7x365 monitoring, for example for compliance or enforcement purposes.
  • You cannot take on the cost and risk of running an internal SOC yourself.

A good approach is to list your requirements before you contact an MSSP, so that you know which of its services will best fit your needs. The following are examples of services provided by MSSPs:

  1. Monitor Only – the MSSP alerts and informs clients about security incidents.
  2. Monitor and Manage – the MSSP tracks log data and can also make changes to the monitored environment.
  3. Manage Product – the MSSP manages and makes changes to a specific security product (e.g. a firewall).

When you start assessing vendors, ask exactly what each service includes, because MSSPs differ in how they deliver it. Preparing a list of questions to put to the MSSP is a good first step in helping them understand your needs. In return, the MSSP will typically give you its own questionnaire, used to understand your network (device types, log volume, and so on). Once they have a clear picture of your requirements, they can propose services to meet them.

The cost of each service varies with the number of devices you choose to monitor and/or manage and with the volume of logs, which is why the logging information feeds into the quote. Many MSSPs, for example, store raw log data at the client’s site, which may incur additional fees; storing the logs off-site at the MSSP’s own facility usually does not. An MSSP is less costly up front, but a SOC can become more affordable for your organisation over time.

Below are some advantages of an MSSP over a SOC:

• SOC: Difficult to find and retain high-quality SOC analysts.
  MSSP: Brings established security expertise and exposure to risk analysis across many clients.
• SOC: Difficult to stand up a 24x7x365 SOC from scratch.
  MSSP: Already runs a 24x7x365 SOC to verify alerts and notify you of potential security threats.
• SOC: Needs a bigger investment up front, but can become more valuable over time.
  MSSP: Much cheaper than building a SOC.

Conclusion:

It is a difficult decision for any organisation whether to build an internal SOC, go with an MSSP, or do both, but the fact that you are having this discussion within your company means you are trying to develop your security programme, which is a good first step. Before deciding, organisations need to consider their budget, skills, security posture and so on. I expect that most companies would first opt to fund an MSSP before building a SOC, because it offers the fastest return on investment. A SOC is a long-term investment from which companies can benefit greatly over time, but for most companies it is more realistic to select an MSSP so that you can quickly and affordably gain insight into the health of your network. Set targets each year to check whether the MSSP is still a good fit for your company, or whether it is time to start planning a SOC project. I hope this post provides value to organisations currently assessing the development of a SOC or the selection of an MSSP.

Why Teceze can be your MSSP

Our UK-based Security Operations Center provides highly qualified information security personnel with 24/7 monitoring and reporting: real-time tracking of multiple event and log sources, application of threat intelligence, and guidance on remediation. A standardised incident management approach ensures that your services are back up and running as soon as possible.

The only way to protect what you’ve worked hard to build is to be vigilant about cybersecurity. If you’d like to know more about how your business can benefit from managed services, give us a call; we are here to help.

+44 0208 050 5014
