6 Tips for Outsourcing to a SOC Provider

The decision to build or outsource your security operations center is complex and requires careful consideration. Here are tips for making the right choice.

Stephen Lawton

March 14, 2023


The decision to build a security operations center or outsource to a SOC-as-a-service provider involves more than the obvious concerns of cost, staffing, and basic operations. Other factors must be considered before making the decision.

The decision to build vs. buy is strategic, involving the board, C-suite, and senior IT executives. The choice can affect the DNA of an organization. However, it is the SOC analysts and managers who must implement the strategy made by top decision-makers.

Here are six tips for outsourcing to a SOC provider — plus, considerations for when building an in-house SOC may be the better option.

1. Find a SOC partner you can count on

The first thing to do is identify a service provider you can trust. “The service provider is the most important relationship that you are going to have — much more so than the technology itself,” said Allie Mellen, senior analyst covering SecOps for Forrester.

Your SOC provider will be privy to some of the private inner workings of the enterprise and its operations. If you can’t trust your closest technology partner, you should find someone else, Mellen said.

2. Match technology stacks with SOC provider for best results

Determine if your SOC service provider has developed their own applications or if they use off-the-shelf software. Self-developed applications are often optimized to deliver the provider’s best results.

However, the provider’s technology stack must match yours to avoid issues with identifying threats, noted Josh Lemon, director of the managed detection and response (MDR) team at Uptycs and a SANS Institute instructor, based in New South Wales, Australia.

Having technology stacks that are in sync leads to the best results. Conversely, having a service provider analyst manage too many separate stacks simultaneously can increase the possibility of missed alert signals.

3. Reduce analyst burnout through SOC outsourcing

If you already have an in-house SOC, you must always consider the risk of analyst burnout. Analysts are among a company’s highest-paid staffers. Outsourcing the most mundane tasks, such as MDR functionality — the top of the potential alert funnel — could reduce stress for corporate SOC analysts. (MDR can refer either to a specific application used by a security team or, more generically, to a SOC-as-a-service provider.)

Outsourcing the initial analysis of threats can change the incentive of the service provider. Instead of demonstrating how good they are at finding threats, which can overwhelm your low-level analysts with unproductive alerts, the SOC provider is incentivized to pass along only vetted alerts, Mellen said. This benefits your organization’s SOC analysts, as it frees them of mundane and routine tasks. Staff can instead work on more complex projects and advance their careers, she noted.

4. Define expectations for SOC partnership

What does your organization expect from a service provider? If service providers are incentivized to show that they are ‘working hard to find threats,’ they may provide an avalanche of false positives and “threats” that are nothing more than internet noise. Instead, if the expectation is to stop threats before they become incidents, the SOC partner will focus on threat hunting and detection.

To obtain highly accurate results, your SOC provider must have deep knowledge of your organization’s internal infrastructure; ongoing knowledge of systems changes, updates, and new strategies; and insight into the company’s activities. That requires a strong working relationship.

5. Contextualize data to support threat-hunting activities

Data is all about context. Whether you use an outsourced or in-house SOC, modern threat hunting requires moving between data sources, including cloud-based sources, noted Sushila Nair, vice president of cybersecurity services at Capgemini Americas.

“If the monitoring service is sending everything to a repository in their environment, then the service provider may not have enough context when looking at the logs,” Nair said. “The SOC-as-a-service provider or your in-house SOC team needs context to do false-positive reduction, and that might be pulling firewall packet captures through APIs or searching through endpoint logs.”

6. Balance cost and quality

Selecting a service provider based on price alone is generally unwise because it can lead to poor service quality. Your organization will suffer as a result. Similarly, if you set up an in-house SOC without investing in talent development, tools, and innovation, you can struggle with service quality, coverage, and scope, Nair noted.

Service providers can spread investment across multiple clients and inject more automation and innovation than an average client can do on their own. However, it is important to establish requirements for year-on-year cost savings to maximize the cost-benefit and drive the SOC-as-a-service provider to automate, Nair added.

When To Consider an In-house SOC

If persistent issues arise with your outsourced SOC partnership, building an in-house SOC might be the best solution.

An in-house SOC could make sense, for example, if your network has become too complex for a SOC partner to provide the necessary services or if your internal team is unwilling to cooperate with service providers (e.g., to keep them informed about the network design, updates, and operations). When the feedback loop between the client organization and service provider fails, it can result in the SOC partner sending inappropriate or misidentified alerts, noted Jacob Ansari, director and PCI practice leader at Mazars US LLP.

A SOC must identify and anticipate threats, hunt for threats in the wild, and quickly communicate potential vulnerabilities. If an outsourced provider cannot meet these requirements, consider building your own SOC.

Careful Planning and Relationship Building

Deciding between an in-house or outsourced SOC is not a quick and easy process. Finding the right partner and building relationships and technology connections requires planning for both your company’s growth and the changes the provider may undergo, including their ability to cope with evolving regulatory compliance and potential acquisitions.

As Forrester’s Mellen noted, if you choose to outsource, “It really is a marriage when you consider how much time you're going to be spending with your providers and how much you rely on them.”
