For years, security leaders have debated the advantages of building in-house security operations centers or outsourcing the SOC function to a third party. Both options have their pros and cons. The best choice for each organization depends on a few factors: the type of threats it encounters, the resources it has at its disposal, the complexity and breadth of their attack surface, and the commitment it wants to make to advanced threat hunting.
The popularity of each option has shifted back and forth over the years. In the 1990s and early 2000s, many businesses outsourced most IT functions, including security. But as cyber threats grew more frequent and expensive, most organizations pulled security functions in-house and built comprehensive SOCs to monitor for breaches and sniff out weaknesses in security coverage.
The pandemic pushed organizations to outsource IT tasks, including security, to third parties. But now the trend is swinging back the other way, according to a recent survey conducted by SANS Institute and sponsored by Devo. The survey noted that only 22% of organizations outsource some or all threat hunting activity – a critical SOC component – down from 37% in 2021.
Pros and cons of outsourcing SOCs
The biggest argument for outsourcing SOCs is that it rids an organization of the burden of setting up and maintaining an operations staff. Smaller organizations often don’t have the resources to build a SOC from the ground up. Bringing on a third party to monitor for threats 24/7 and at least assist with the complicated task of threat hunting allows internal staff to concentrate on core projects.
The biggest benefit of keeping SOC operations in-house is that internal staff members tend to be more effective in the threat hunting function. They usually know the IT and business operations better, giving them an edge in tracking down threat actors that may be intentionally staying very quiet and producing very little alerting inside an environment. Internal SOCs can be custom designed to suit an organization’s needs. They also offer greater transparency and accountability.
How satisfied are organizations with outsourced SOCs?
Just about two-thirds of the organizations that get third-party help on threat hunting are satisfied with the results, according to the SANS survey. This is a positive sign. But the numbers likely would be higher if organizations in the neutral level of satisfaction and dissatisfied categories invested further in internal tooling and knowledge for their threat hunting teams.
As organizations mature their cybersecurity postures, they tend to see less benefit from outsourcing threat hunting entirely and better outcomes when they tap the knowledge of their internal team members to perform threat hunting.
Effective threat hunting is an essential component of a successful SOC. Used to augment a SOC’s automated cyber defense solutions, the practice helps organizations identify any gaps that an organization may have in their threat detection capabilities. It also ferrets out undetected threats and compromised systems.
Organizations looking to develop internal SOCs need skilled staffers to carry out their hunts. For many, this is a high hurdle. Hiring has become significantly tougher since 2021 when only 51% of organizations described skilled staff as a challenge. Today, that number is up to 73%. Several factors could be affecting this such as challenges associated with finding already skilled staff, lack of funding for training, or even finding skilled staff with outsourced providers.
Organizations also need to measure the effectiveness of their threat hunting initiatives. In the past two years alone, the percentage of firms formally measuring the success of threat hunting has dropped from 60% to 34%. Even those who do measure tend to do it manually, significantly impairing their ability to record, share or collate findings from a hunt. How can you improve what you don’t measure?
With security threats increasing, organizations must build their SOC capabilities to arm themselves for the battle ahead. Some will bring in third parties while others will staff their own SOCs. While either option gets the job done, those who have the resources to do so can exercise more control and develop a more robust practice by building from scratch. Read through the survey data by downloading the full SANS Threat Hunting guide.