6 Tips for Outsourcing to a SOC Provider
The decision to build or outsource your security operations center is complex and requires careful consideration. Here are tips for making the right choice.
March 14, 2023
The decision to build a security operations center or outsource to a SOC-as-a-service provider involves more than the obvious concerns of cost, staffing, and basic operations. Other factors must be considered before making the decision.
The decision to build vs. buy is strategic, involving the board, C-suite, and senior IT executives. The choice can affect the DNA of an organization. However, it is the SOC analysts and managers who must implement the strategy made by top decision-makers.
Here are six tips for outsourcing to a SOC provider — plus, considerations for when building an in-house SOC may be the better option.
1. Find a SOC partner you can count on
The first thing to do is identify a service provider you can trust. “The service provider is the most important relationship that you are going to have — much more so than the technology itself,” said Allie Mellen, senior analyst covering SecOps for Forrester.
Allie Mellen Forrester quote_0
Your SOC provider will be privy to some of the private inner workings of the enterprise and its operations. If you can’t trust your closest technology partner, you should find someone else, Mellen said.
2. Match technology stacks with SOC provider for best results
Determine if your SOC service provider has developed their own applications or if they use off-the-shelf software. Self-developed applications are often optimized to deliver the provider’s best results.
However, the provider’s technology stack must match yours to avoid issues with identifying threats, noted Josh Lemon, director of the managed detection and response (MDR) team at Uptycs and a SANS Institute instructor, based in New South Wales, Australia.
Having technology stacks that are in sync lead to the best results. Likewise, having a service provider analyst manage too many separate stacks simultaneously can increase the possibility of missed alert signals.
3. Reduce analyst burnout through SOC outsourcing
If you already have an in-house SOC, you must always consider the risk of analyst burnout. Analysts are among a company’s highest-paid staffers. Outsourcing the most mundane tasks, such as MDR functionality — the top of the potential alert funnel — could reduce stress for corporate SOC analysts. (MDR can refer to a specific application used by a security team or a generic term for SOC-as-a-service provider.)
Outsourcing the initial analysis of threats can change the incentive of the service provider. Instead of demonstrating how good they are at finding threats, which can overwhelm your low-level analysts with unproductive alerts, the SOC provider is incentivized to pass along only vetted alerts, Mellen said. This benefits your organization’s SOC analysts, as it frees them of mundane and routine tasks. Staff can instead work on more complex projects and advance their careers, she noted.
4. Define expectations for SOC partnership
What does your organization expect from a service provider? If service providers are incentivized to show that they are ‘working hard to find threats,’ they may provide an avalanche of false positives and “threats” that are nothing more than internet noise. Instead, if the expectation is to stop threats before they become incidents, the SOC partner will focus on threat hunting and detection.
To obtain highly accurate results, your SOC provider must have deep knowledge of your organization’s internal infrastructure; ongoing knowledge of systems changes, updates, and new strategies; and insight into the company’s activities. That requires a strong working relationship.
5. Contextualize data to support threat-hunting activities
Data is all about context. Whether you use an outsourced or in-house SOC, modern threat hunting requires moving between data sources, including cloud-based sources, noted Sushila Nair, vice president of cybersecurity services at Capgemini Americas.
“If the monitoring service is sending everything to a repository in their environment, then the service provider may not have enough context when looking at the logs,” Nair said. “The SOC-as-a-service provider or your in-house SOC team needs context to do false-positive reduction, and that might be pulling firewall packet captures through APIs or searching through endpoint logs.”
6. Balance cost and quality
Selecting a service provider based on price alone is generally unwise because it can lead to poor service quality. Your organization will suffer as a result. Similarly, if you set up an in-house SOC without investing in talent development, tools, and innovation, you can struggle with service quality, coverage, and scope, Nair noted.
Service providers can spread investment across multiple clients and inject more automation and innovation than an average client can do on their own. However, it is important to establish requirements for year-on-year cost savings to maximize the cost-benefit and drive the SOC-as-a-service provider to automate, Nair added.
When To Consider an In-house SOC
If persistent issues arise with your outsourced SOC partnership, building an in-house SOC might be the best solution.
An in-house SOC could make sense, for example, if your network has become too complex for a SOC partner to provide the necessary services or if your internal team is unwilling to cooperate with service providers (e.g., to keep them informed about the network design, updates, and operations). When the feedback loop between the client organization and service provider fails, it can result in the SOC partner sending inappropriate or misidentified alerts, noted Jacob Ansari, director and PCI practice leader at Mazars US LLP.
A SOC must identify and anticipate threats, hunt for threats in the wild, and quickly communicate potential vulnerabilities. If an outsourced provider cannot meet these requirements, consider building your own SOC.
Careful Planning and Relationship Building
Deciding between an in-house or outsourced SOC is not a quick and easy process. Finding the right partner and building relationships and technology connections requires planning for both your company’s growth and the changes the provider may undergo, including their ability to cope with evolving regulatory compliance and potential acquisitions.
As Forrester’s Mellen noted, if you choose to outsource, “It really is a marriage when you consider how much time you're going to be spending with your providers and how much you rely on them.”
About the Author(s)
You May Also Like