What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Aug 17, 2022
Increase in Observations of Socgholish Malware
THE THREAT Starting in early August 2022 and continuing through the month, eSentire identified a significant increase in Socgholish (aka. FakeUpdates) malware incidents. Socgholish is a loader type…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Sep 20, 2022
eSentire Recognized as Top Global MDR Provider by MSSP Alert, CrowdStrike and G2
Waterloo, ON - September 21, 2022 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), celebrated multiple industry recognitions as the leading global MDR provider, over the last week: Named #9, and the top pure play MDR provider on MSSP Alert’s Top 250 MSSPs global rankingRecognized as the CrowdStrike 2022 Global MSSP Partner of the Year Earned G2’s industry-renowned status…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Dec 07, 2021

Security Operations Center (SOC): Build or Buy?

7 minutes read
Speak With A Security Expert Now

Over the past year we have witnessed some truly destructive cyber attacks occurring on a global scale. Although cybersecurity teams have tried their best to keep up with the onslaught of activity, threat actors have demonstrated their expertise in how they target and deploy cyber attacks time and time again. From the shift towards using a ransomware-as-a-service model to the use of tactical experts as a result of role differentiation within ransomware groups, cybercrime has evolved significantly.

As a result, many organizations are left scrambling to protect themselves against these inevitable cyber threats. Although large enterprises typically have the resources to manage cybersecurity programs in-house, small to mid-size enterprises (MSEs) don’t have this luxury. According to a 2021 Gartner study, the average MSE has allocated only 5% of their IT budget to security.

As a business leader, you must evaluate how to scale your existing IT operations to prioritize cybersecurity and consider which areas of expertise should be outsourced as part of the overall cybersecurity program.

What is a SOC and Do You Really Need One?

A modern Security Operations Center (SOC) is a facility where security analysts utilize forensic tools and threat intelligence to hunt, investigate and respond to cyber threats in real-time. According to Gartner, a modern SOC must have four capabilities: detection engineering, monitoring, incident response, and threat intelligence.

The role of the SOC is to protect an organization from known and unknown cyber threats that can bypass traditional security technologies. While every organization should have access to a SOC facility, not many have the resources required to build their own in-house SOC. In fact, a 2020 study by 451 Research shows that only 44% of organizations with under 10,000 employees have access to their own Security Operations Center (SOC).

So, now you must decide: should you build your own SOC in-house using your own staff, technology, and resources or should you outsource SOC capabilities by enlisting the help of a Managed Detection and Response (MDR) partner?

Are You Ready for an In-House SOC?

Building an in-house SOC facility isn’t an overnight decision. In addition to years of commitment into designing the facility, your cybersecurity team must consider the financial investment required to arming it with the best people, processes, and technology. By a conservative estimate, the costs associated with building a SOC in the first year alone for 1,000 employees can be upwards of $2.2M.

Considering the up-front and ongoing investment involved with building an internal SOC, a growing number of organizations have turned to a Managed Detection and Response (MDR) provider.

However, if you’re still thinking about building an internal SOC, start by asking these critical questions:

1. What is the annual budget you have allocated toward the SOC?

Is your organization prepared to spend millions of dollars and several years of time investment into building a SOC? The ongoing CapEx and maintenance of an in-house SOC is costly, so you need to have the financial and organizational buy-in for the project.

On the other hand, it is significantly more cost-effective if you use an external SOC provider. So, work with your internal stakeholders to determine budget, responsibilities, and timing prior to making your decision.

2. Can your team of security analysts support 24/7 in-house SOC operations?

Keep in mind that although you need 24/7 coverage, you don’t need 24/7 in-house operations. Depending on your current risk tolerance, staffing a 24/7/365 SOC becomes a costly endeavour.

If you outsource your SOC operations, you have the option of splitting time with your SOC provider (i.e., your security analysts work from 8-5 while the provider covers your team outside of those hours) or simply rely on the provider for full 24/7 operations. The latter option also helps your team get access to expert analysts so you don’t have to worry about attracting and retaining skilled analysts yourself.

3. Who is going to design the SOC?

Do you have the skilled expertise necessary to design this in-house or the required budget to attract the right person for the role? Considering that building a SOC is a multi-year project, you need to be confident that you can retain the talent needed to see the project through from start to finish.

By leveraging an external SOC provider, your team can access a fully operational 24/7 SOC within weeks of deployment. Plus, you don’t have to plan for attracting and retaining the required expertise – your SOC provider shoulders that responsibility.

4. Who will document SOC processes and procedures?

There are governance, risk, and compliance frameworks you need to consider as you set up your internal SOC. You need to make these considerations prior to scaling your SOC operations, so it’s your responsibility to learn about the regulations facing your business or industry and map out your requirements from the very beginning.

5. How will you interpret and deliver threat intelligence insights?

Detection engineering is a key capability in a modern SOC, which requires that your team is able to innovate at the same pace as cyberattackers. On the other hand, an external SOC provider will afford you the expertise of a Threat Intelligence team to help correlate and enrich intelligence from daily SOC investigations to deliver key insights.

An added benefit of working with an external MDR provider is that you can take advantage of their robust customer base to drive further threat intelligence. Lastly, consider the importance of response times as part of your SOC operations. Without good threat intelligence or reduced SOC operational capacity, it can take several hours (even days) to detect and respond to threats.

Engaging an external MDR provider will drastically impact how fast a potential threat will be detected, investigated, and contained. What’s more is that your team will even get full incident response and remediation support with digital forensics capability.

6. How will you demonstrate value to the executive team and board of directors?

Since setting up a SOC is a multi-year commitment, you need to report on critical KPIs such as the Mean Time to Contain, Mean Time to Detect, number of threats disrupted, and the impact on the overall business is key to justify the investment and demonstrate its value.

On the other hand, if you work with an external SOC and MDR provider, it’s their responsibility to report on the key KPIs and metrics based on your business objectives and priorities so that you can convey the ROI to your executive team and the board of directors.

7. Do you have enough staff to build a SOC team?

Not only must your organization be able to attract the best security analysts, you must be able to retain them year after year and grow the team as your SOC operations scale. Attracting and training this talent may even impact your Time to Value.

However, with an external MDR provider, you have access to elite cybersecurity analysts 24/7. This means SOC deployment will take a few weeks at best compared to a months-long process if you’re building it in-house.

8. How are you going to engineer and deploy the technology required to run and manage the SOC?

Building an internal SOC requires multiple product purchases and vendor contracts. Moreover, your team will also have to integrate all the tools into a single solution. So, assess your tools, people, and skills to determine whether you have the expertise to evaluate and deploy these technologies in-house.

In comparison, an external MDR provider will have all the fully integrated technologies and skilled expertise in place, which can save your team time and resources.

Try eSentire’s SOC Pricing Calculator

As cyber attacks and zero-day threats become more common, many organizations are realizing they need 24/7 SOC capabilities. Building an in-house 24/7 SOC means considering the security tools, staffing, and operational expenses it takes to effectively do this.

The eSentire SOC Pricing Calculator provides a quick snapshot of the tools, personnel, operating expenses and overall costs you should consider when deciding whether it makes sense to build an in-house SOC. We also let you compare in-house costs against eSentire multi-signal MDR with improved detection, 24/7 threat hunting, deeper investigation, end-to-end coverage and most of all, complete Response.

Try the eSentire SOC Pricing Calculator here.

The reality is that regardless of the organization’s size, the answer to protecting your business 24/7 from cyber threats lies within a SOC.

To learn more about how eSentire provides value with security operations leadership, SOC Cyber Analyst talent, and elite Threat Hunters with our 24/7 SOC, book a meeting with a security specialist today.

Skip To:

  • What is a SOC and Do You Really Need One?
  • Are You Ready for an In-House SOC?
  • Try eSentire’s SOC Pricing Calculator

Join 100,000+ Security Leaders

Get notified of the latest news, intel and helpful tools & assets. You can unsubscribe anytime.

By clicking the button below I confirm that I have read and agree to the eSentire privacy policy.

View Most Recent Blogs
eSentire
eSentire

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.