If a Security Operations Center is essential for a modern IT department, which kind should a company choose: an internal SOC or an external one? This article reviews the advantages and challenges of each.
Today, IT threats are increasingly sophisticated, with disastrous consequences for companies, both financially and for their image. Countering these threats requires proven processes, effective security solutions and high-level skills, and the whole system must be available and operational 24/7. This is the promise of the Security Operations Center (SOC).
To benefit from it, a company must make a strategic choice: set up an internal SOC, or rely on a third party through an outsourced SOC.
Internal SOC Scenario
- A dedicated internal team with fast response: an internal SOC benefits from dedicated employees who know the company’s ecosystem and its challenges well. This familiarity often allows security problems to be resolved quickly.
- Event logs and all the elements needed to track alarms and incidents are stored internally, which reduces the risk associated with transferring data to an external party.
- Communication during an attack is often faster because it uses the company’s own channels.
- The solutions implemented are highly customized to the company’s needs.
Having an internal SOC requires permanent management of several elements:
- Recruitment and training: a SOC requires experts in each of the areas it covers. Today, recruiting SOC analysts and cybersecurity experts is a real challenge and can take a long time. Keeping those experts’ skills current on new technologies, standards and processes also requires time and a significant budget.
- Reaching maturity: because internal staff are only ever exposed to their own ecosystem, reaching a truly operational SOC takes a long time. For example, the Michelin SOC took more than 4 years to reach its maturity phase (Michelin CLUSIF case).
- The scope of expertise: managing the unknown is the hardest problem in risk management. It can be more difficult for an internal team to discover threats that would be obvious to a company specializing in identifying malicious behavior. An internal SOC typically needs a first encounter with a new threat before it can handle that threat effectively later.
- Documentation of internal processes is often neglected: knowledge tends to rest with a small number of experts, who thus become indispensable. Unsurprisingly, this creates a risk of losing that knowledge when they leave.
- Consolidated budgetary visibility: setting up an internal SOC implies a significant initial investment, with associated expenses that remain difficult to reconcile. Building an internal SOC often draws on several budgets at once, which makes it harder to demonstrate results. As Ken Ducatel, Director at the European Commission’s Directorate-General for Information Systems, confirms: “Keeping in-house makes it more difficult to see exactly what we are spending.”
External SOC Scenario
Opting for an external SOC through a third party is an excellent alternative that simplifies implementation at a controlled cost. It offers several advantages:
- Obtaining and justifying a budget with top management
Choosing an external SOC brings transparency and makes it easier to promote a SOC project within the company: an outsourced SOC project goes through a tendering process and a budget validated at management level.
- Improve image and communication
An external SOC reassures top management. The use of an external expert is often perceived more favorably than an in-house SOC. It also becomes easier to explain technical matters in accessible terms, improving management’s understanding of the issues and needs, and the CISO is better positioned to explain the SOC’s value and demonstrate a return on investment.
An external SOC, with its independent advice and reports, also limits potential conflicts of interest between internal departments.
- Access to cybersecurity skills
In this model, competent and operational people are available immediately, without waiting for lengthy recruitment processes. It is also a way to benefit from the experience of analysts who have monitored other environments and who follow proven processes.
- Ease of implementation
According to a study conducted by PwC, CIOs and CISOs prefer this type of SOC because they are aware of the complexity of implementing such a system: deploying many tools, finding experts in the field, mastering the tools, analyzing incidents, and forensics.
- High levels of service
Organized and mature, this type of SOC also offers high levels of service (e.g. 24/7). In addition, the SLA (Service Level Agreement) defines the entire service precisely, sparing the company from unpleasant surprises, especially during attacks.
- Access to Threat Intelligence
Threat intelligence is the monitoring and analysis of threats and incidents, which is very difficult to do alone. A SOC operator is well placed to consolidate many sources of information, both external and internal, to provide it.
- Reduced costs
Finally, an external SOC is much cheaper because most equipment, solutions and experts are shared. For 24/7 monitoring and analysis via an outsourced SOC, a budget of between $350k and $820k is required, while internalizing the SOC costs between $1,200k and $2,400k, which includes developing and maintaining the platform but not the technology costs.
In addition, this is an operating expense (OPEX) rather than an infrastructure expense, so it is easier to fit into the budget.
The external SOC requires ongoing management of the following elements:
- External experts: although experienced, external staff cannot know the organization’s infrastructure as well as internal employees do, and their time is often shared across clients. The partner must therefore take the time to fully understand the organization’s business issues and put in place procedures that involve both internal and external people.
- Data stored and analyzed outside the company’s perimeter: outsourcing data and keeping assets outside the company can create risks if appropriate security measures have not been implemented.
- Reversibility can be complex, especially if the service provider relies on proprietary solutions. Even with market solutions and clear documentation, interoperability remains limited, and recovering the expertise embodied in existing detection rules and procedures may suffer.
- A change of mindset is required: accepting that security is handled by a third party is not necessarily natural and requires change management.