SIEM and SOC for MSPs: DIY or outsource?

To be effective, a SOC needs to be operational 24/7 and staffed by experienced analysts so threats can be detected and investigated around the clock. In addition, a SOC team will need to utilise SIEM technology to collect security log data and raise alerts, which will need to be licenced and managed across your client environments.

So, if you’re looking to build a SOC team and manage a SIEM deployment in-house, here are three main challenges that you’re likely to encounter:

1. People and technology costs

Building and operating an in-house SOC can cost a significant amount of money. 10-12 analysts are required to properly staff a SOC team and achieve 24/7 coverage. The average salary of a SOC analyst is £50,000 per year in the UK, or $90,000 in the US. That means you’re looking at a minimum annual cost of £500,000, or almost $1 million, for your team to be operating effectively.

When you consider the cost of hiring and retaining people, including any ongoing training requirements, the costs can quickly get out of hand. It also takes time for a SOC team to get up and running, so it could be many months before any real-world security improvements are seen.

In addition to the people, a SIEM platform would need to be licenced and deployed in order to collect logs and generate alerts for your customers. This in theory is simple, as there are many SIEM platforms out there. When you dive into the details, it’s clear that the costs of these tools can become astronomical when you factor in the log ingestion volumes across all of your clients.

As an example, if you chose Splunk as your platform of choice, under a consumption-based model you’d be charged around $630,000 per year for a maximum of 300GB log ingestion per day. Additional hardware and software licencing fees for on-premises deployments could set you back an extra $157,000 on top of that, and that doesn’t include the cost of any additional infrastructure you might need to set up.

For some context, 300GB equates to around 1.6 billion log messages, if the average message is 200 bytes in size. At Defense.com we have individual customers who send us in the region of 800 million logs per day, therefore when you consider all of the logs that could be sent by your clients, this could quickly add up if you have a platform that is priced on a consumption-based model. Storage costs can also start to spiral when you’re ingesting and retaining a large volume of log data.

When you total it all up, the minimum cost to get your service off the ground would be in the region of £1 million (or $1.6 million) per year, without taking any other infrastructure costs into account. However, even if you did have this budget to deploy a SIEM tool yourself, and recruit and maintain your own SOC team, you’d still need to find analysts to hire to in the first place. That brings us onto the next challenge.

2. Cyber security skills shortage

For several years, the cyber security industry has been tackling a skills shortage. In fact, a recent (ISC)² study showed that the cyber security profession needs to grow by 3.4 million people to close the gap. That's a lot of roles to fill!

This makes it challenging to build and grow a SOC team, as it's hard to recruit and retain people with the required skills in a very competitive market. As a result, security professionals are in high demand, especially more experienced analysts. How do we know? Well, we have our own SOC team at Defense.com, so we know first-hand about the challenges of recruiting the right talent!

If you’re not able to find people with the right experience, then the next best option is to find less-skilled analysts that you can train over time. This approach can open up the talent pool of applicants, but you’ll need to ensure that you have a defined training process in place. This of course takes time, which is another contributing factor to why building a fully functional SOC team from scratch can take many months or even years.

When you engage with a Managed SIEM provider you can avoid the burden of ongoing recruitment and training. A Managed SIEM provider will take these responsibilities off your plate, so you can focus on other areas of your business. That leads us onto our third and last challenge.

3. Focus on core business

Managing a SOC team and a SIEM platform can be complex and time-consuming activities that can distract you from your core business activities. By outsourcing these functions to a third-party provider, you can focus on your core competencies and leave threat detection and response to the experts. You can utilise your internal resources more effectively and focus on fixing issues for your customers instead of spending time identifying and investigating alerts.

For example, monitoring a client’s environment for cyber threats is no easy feat. To be effective, a SIEM platform needs to ingest vast amounts of log data from many sources to identify suspicious activity across an organisation's attack surface. An average SOC team can expect an average of 11,000 security alerts per day, so it’s clear to see how this can quickly become overwhelming.

Such a large number of notifications can cause alert fatigue for security teams. This is where genuine security risks will be missed, ignored or not dealt with in a timely manner, mainly due to the sheer volume of alerts being received. Alert fatigue typically occurs due to configuration issues, SOC teams not using their resources efficiently due to lack of skills/training, or that the SIEM platform being used does not have the automation needed to reduce the manual triage of security alerts.

To avoid alert fatigue it’s necessary to properly configure a SIEM deployment in the first place and tune it to the needs of your clients over time. This process takes time and will be required for each of your customers individually. This can place a considerable burden on your internal resources and, especially when your clients will all have different security requirements.

Outsourcing to a Managed SIEM provider also offers far more scalability than building the function yourself. This is because your chosen vendor will already have the necessary infrastructure and people in place to deliver the service and cater for any fluctuations in demand from your customers.

Instead of worrying about resource planning and scaling operations up or down depending on your customer needs, you can simply provide a consistent service offering and let your vendor do the hard work for you. This is a much more flexible approach and means you don’t have to worry about investing in additional technology or resources.

Don’t just take our word for it! Codestone Group are one of the UK’s fastest growing MSPs, supporting over 10,000 users. Watch the following video to find out why Codestone outsource their SOC and SIEM functions and how they seamlessly integrate Defense.com with their own customer support team. Codestone rely on the Defense.com SIEM platform and our expert SOC analysts to detect and respond to security events across their customer base.

With Defense.com you can deliver an end-to-end security operations solution to your end users, protecting them from advanced cyber threats and enabling them to focus on running their business.