Security is gaining prominence in the corporate structure—it is no longer advisable for security to be a subordinate function of an IT department. To address this challenge, organizations are investing in the development of security operations centers (SOCs) to provide increased security and rapid response to events throughout their networks and applications. The strength of a SOC rests on three main pillars: people, process, and technology. Building a SOC requires many specialized resources and a long-term investment, so most CIOs and CISOs face a constant dilemma in choosing the right SOC model for their organization. An organization can therefore build its SOC in one of three models: a) completely in-house (captive), b) completely outsourced, c) hybrid.
Let's look at each model with its possible benefits and drawbacks.
Captive (in-house) SOC: A captive SOC is usually adopted by organizations that are reluctant to outsource a task so indispensable to the integrity of their business, or that see outsourcing the SOC as non-compliant with their industry regulations.
Building an in-house SOC mitigates the risk of critical security data loss that organizations may be vigilant about. Unlike with an outsourced SOC, the organization does not have to worry about its security logs or analysis data being misused or mishandled after the SOC contract is terminated. In the process of building a robust SOC, organizations also tend to mature their security and incident-handling processes.
Based on my experience, the most common challenges organizations face in building an in-house SOC are that it may take years to realize the ROI of the project, owing to the large Capex investment in licensing the SIM tool, threat intelligence and setting up the infrastructure. Organizations also face a pertinent risk of not getting the best out of the in-house SOC deployment because of the shortage of skilled SOC analysts and incident handlers in the market.
Many experienced security service providers help organizations build in-house SOCs, advising on framework, technology selection, process and skill sets, thus making a captive SOC implementation easier.
Outsourced SOC: Organizations opting for managed security operations are on the rise. While building a captive SOC is capital intensive and requires a lot of in-house expertise, in the outsourced model the customer can see the immediate benefits of a SOC in their environment by leveraging the service provider's infrastructure, intelligence and capability. By going for the outsourced model, organizations also solve the problem of finding core competent people, as mature service providers, for whom SOC offerings are the core business, have the ability to retain, train and develop skilled analysts. Through their engagements with other clients, service providers are also able to build a sound knowledge base and a repeatable process for identifying and escalating security incidents. Service providers also have the capacity to invest in building rich threat intelligence to detect sophisticated, targeted attacks in real time, thus fulfilling the promise a SOC brings to the enterprise. To address customers' concerns about security logs and analysis data being misplaced or lost, service providers sign stringent SLAs and contracts with the organizations.
Hybrid SOC: The concept came into the limelight with customers looking for the best of both worlds. While Indian customers, due to regulations, prefer logging of their security and infrastructure data to happen within their own infrastructure, they are open to sharing the normalized data relevant to security analysis with the SOC provider. In turn, the SOC provider brings its expertise, intelligence and infrastructure to deliver correlated, analyzed and relevant alerts and reports. A hybrid SOC helps customers tailor their demands and do rational, sustainable capacity planning. This balance helps organizations satisfy their auditors while also leveraging the value proposition an outsourced SOC service provider brings.