Pro & Con of Outsourcing your SOC, (Fri, Mar 31st)

I'm involved in a project to deploy a SIEM (Security Information Event Management) / SOC (Security Operation Center) for a customer. The current approach is to outsource the services to an external company, also called an MSSP (Managed Security Services Provider). We had an interesting chat about the pros and cons of having an internal or external SOC. The main arguments from the company are:

  • We don't have experience on board and we should hire people. And keep them on board!
  • We don't know how to deploy the SIEM / SOC
  • We have a limited budget (which is the 1st argument for many organizations)

Often, if not always conceded, the deployment of a SIEM is part of a long list of compliance requirements (from the business or the group the company belongs to).

Here is a small recap of the points we discussed:

Internal SOC

Pro:
  • Good knowledge of the business
  • Tailored to your own requirements
  • All data are stored and processed internally
  • Easier correlation of events between the departments

Con:
  • Costs to deploy and maintain
  • Difficulty to hire talented people
  • Risk of conflict of interest between departments
  • Long term ROI

External SOC

Pro:
  • Costs (it's a new service contract – OPEX)
  • Benefit of trends and detection on other customers
  • Access to more threat intelligence
  • No conflict of interest with the other departments (external advice reporting)
  • Scalability and flexibility

Con:
  • There is a clear lack of knowledge of the business
  • Lack of communications
  • Difficulties to keep the SIEM in sync with the infrastructure
  • Services are provided based on levels (ex: gold / silver / bronze)
  • Lack of dedicated people to YOUR environment
  • Data stored and processed outside your perimeter
  • Lack of customization

And you? What is your point of view? Feel free to share.

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.