The decision to build an internal Security Operations Center (SOC) versus selecting a Managed SecurityService Provider (MSSP) to handle operational information security concerns can be a difficult and time consuming task for organizations seeking to improve their security posture. This post will explore advantages and disadvantages of both options and provide context around my personal experience with helping build a SOC and select an MSSP.

Building a SOC:

A SOC is a centralized function that deals with security incidents on an organizational and technical level. Typically, it involves a combination of tools, processes, and personnel, dedicated to discovering, triaging, and investigating security incidents. It is important to understand the key building blocks of a SOC, so you set expectations on what key pieces need to be involved throughout the build out. An example utilizing the triad of security operations is listed below:

At a high level, the security operations triad consists of:

  • PeopleEmployees who will be assisting with security incidents, such as your SOC Analysts and Incident Responders.
  • Processes – Help your staff know how to effectively investigate/manage an incident, ensuring all tasks have been completed successfully and on time.
  • Technology – Enables that you have visibility of your network and the proper tools in place to monitor and detect signs of evil.

Before you begin building out your SOC, it is essential to determine what budget your organization has set forth, as a SOC can be a very costly investment. A good information security budget should be 5 percent or more of the global information technology budget. Next, develop a roadmap containing structured phases of what you plan to accomplish on a quarterly basis or a time frame that fits best for your organization. For example, one phase may be to improve visibility by implementing a Security Information and Event Management (SIEM) system, such as Arcsight‍, Splunk‍ or QRadar to help bring your data under a single pane of glass and improve your analysts’ ability to spot malicious activity. In other words, a SIEM helps form the core of the SOC from a technology perspective. Another phase may be to develop use cases/playbooks to help your analysts detect and respond to malicious activity. Development of this roadmap will help lay out and prioritize the most critical pieces to implement. The phases should focus on helping to establish or mature teams that make up a SOC, such as the monitoring and detection, forensics, data loss prevention and threat intelligence teams.

Below are some advantages of a SOC as compared to an MSSP:

  • Limited customization, but some may offer the ability to manage your SIEM
  • Logs stored locally
  • Dedicated personnel
  • Personnel responsible for monitoring multiple networks

A properly implemented SOC can greatly reduce the time to remediate security issues, but it requires well trained SOC analysts and Incident Responders to resolve these critical incidents.Time to resolve is a key metric of a functioning SOC, and the number will trend upward once you begin tracking it. However, it trends downward over time with improvements to the SOC.

If you’re able to accept these conditions, then choosing to build a SOC may be a good fit for your organization:

  • Functional Processes/Policies – analysts have tested the content that is documented and validated all steps are error free.
  • Suitable Budget – 5 percent or more of your global information technology budget.
  • Well trained SOC Analysts/Incident Responders – established internal training program to develop analysts skillsets or a budget in place for them to receive external training(e.g. SANS Institute)
  • Quality technical leadership/SOC management – ability to follow through on the phases outlined within the roadmap.

Choosing an MSSP:

Choosing an MSSP is a difficult decision for any organization. An MSSP can augment a SOC, but an MSSP is never a replacement for an internal security operations capability. Before you decide to partner with an MSSP, you must first understand your needs. A few examples of why companies choose to pursue an MSSP as a solution for security operations support include:

  • Your information security team is understaffed and is in need of assistance to monitor your network
  • Your organization needs to implement a 24X7X365 environment for compliance purposes
  • You can’t afford to build an internal SOC

A good approach is to list out your needs before contacting an MSSP. Therefore, you are more knowledgeable on what MSSP service would fit your needs best. Below, are examples of services MSSPs offer:

  1. Monitor Only – alerts and advises client about security events
  2. Monitor and Manage – monitors log data and can make changes to client’s environment
  3. Manage Product – makes changes to a security device (e.g. firewall)

As you begin to evaluate vendors, be sure to ask what types of services are offered, as MSSPs vary in their execution methodology. Establishing a list of questions to send to the MSSP is a good first step to help them understand your requirements. In return, MSSPs may provide you with their own documentsthat are used to better understand your network (devices, log volume, etc.) Once they have a good understanding of your requirements, they will recommend services to fulfill your request. The cost of each service will vary depending on the number of devices or log volume you want them to monitor and/or manage. For example, some MSSPs store raw log data at the client’s location, which may require additional fees. Typically, an additional cost doesn’t apply if you’re willing to store your logs off-site at the MSSPs location.This information is used to assist in the development of the quote. Here is an example of implementing a SIEM and the ongoing maintenance involved versus choosing an MSSP:

Credit: NTT Security

As pictured above, it is less expensive to choose an MSSP up-front, but over time a SOC maybe come more affordable for your organization. In addition, I recommend reviewing the Gartner Magic Quadrant for SIEM, which provides a very detailed evaluation of SIEM vendors, such as HP (ArcSight), IBM Security (QRadar), Splunk, etc. This includes a company overview, strengths,cautions and a rank to compare against other SIEM providers. A great way to learn about each MSSP and what makes them unique or less attractive compared to their competitors.

Below, are some advantages of an MSSP as compared to a SOC:

  • Hard to find good quality SOC analysts
  • Established 24X7X365 SOCs to validate and send alerts on potential security threats
  • Difficult to implement a 24X7X365 SOC environment up-front
  • Often cheaper than building SOC internally
  • Requires a larger investment up-front,but over time may become more valuable


Determining whether to build an internal SOC, choosing to go with an MSSP, or implementing both is a challenging task for anyone, but the fact that you’re having this conversation within your organization means you’re attempting to improve your security program, which is a positive first step. Organizations need to understand their budget, expertise, security posture, etc. before making a decision. I believe most organizations should choose to retain MSSP support first prior to developing a SOC because it provides the quickest return on investment. A SOC is a long term investment from which organizations will reap significant benefits over time, but for most organization’s it is more practical to choose an MSSP, so that you can understand the health of your network quickly and affordably. Establish goals each year to make sure that an MSSP is still a good fit for your organization or if it’s time to begin planning the build out of a SOC. I hope this post provided value to all organizations currently evaluating to build a SOC or choose an MSSP. Good luck!