Author: Utkarsh Srivastava
CISSP, CISA, CEH, ITILv3F, CoBIT3, MCSE, CCNA
Security Operations Center Models
In-house SOC:
Certain industries, especially defense and BFSI, operate under tight regulatory obligations. Hence these industries are uncomfortable wholly or partially outsourcing security operations, as they are an integral part of their processes and business.
An in-house SOC mitigates the security risk of losing sensitive activity log data. In contrast, with an outsourced SOC, the confidentiality of an organization's security logs and analysis data may not be given the highest importance once the SOC contract ends. While building and operating a SOC in-house over a period of time, organizations gain capabilities in their security and incident handling processes.
Challenges in operating an in-house SOC: organizations may take years to realize the cost-benefit ratio and may therefore find it difficult to convince the board. SIEM tool licensing, threat intelligence, infrastructure setup and scaling up ongoing operations are further considerations. Another possible risk is being unable to recruit skilled SOC analysts and incident handlers.
However, many experienced security service providers help organizations build in-house SOC capability, advising on framework, technology selection, process and skill sets, which makes an in-house SOC implementation easier.
Outsourced SOC:
Many organizations are choosing managed security operations from a Managed Security Service Provider (MSSP). In an outsourced model, the customer sees the immediate benefits of implementing a SOC in their environment by leveraging the service provider's infrastructure, intelligence and capability. Further, businesses need not worry about the core competency of SOC analysts or about attrition: MSSPs have the ability to retain, train and develop skilled analysts. Undeniably, service providers with multiple clients in different business verticals and geographies are able to build a knowledge base and tested processes for managing security incidents.
Service providers also have the capacity to invest in building and generating threat intelligence to detect real-time targeted and persistent attacks. To meet the customer's log security requirements, as a compensating control, service providers sign stringent SLAs and contracts with the organizations.
Hybrid SOC:
A hybrid SOC is a combination of the in-house and outsourced models. Due to regulations, customers may prefer log data to be stored within their own infrastructure; however, selected, normalized log data that is security relevant may be forwarded to the MSSP. In turn, the SOC provider supplies the expertise, intelligence and infrastructure to deliver filtered, compressed, correlated, analyzed and prioritized alerts and reports.
A hybrid SOC enables the customer to fit the solution to their requirements and arrive at a sustainable capacity plan. This balance helps businesses satisfy their auditors and also showcases the value of an outsourced SOC service provider.
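As an added illustration of the hybrid data flow described above (example code written for this page, not from the author or any MSSP), the script below keeps every raw log line in the customer's own store and forwards to the MSSP only normalized, security-relevant events, restricted to an assumed allow-list of fields, with exact duplicates collapsed into a count. The log lines, the event types treated as security relevant and the forwarded-field list are all constructed assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample raw log lines (not from the original article).
RAW_LOGS = [
    "auth host=web01 user=alice result=FAIL src=203.0.113.7",
    "auth host=web01 user=alice result=FAIL src=203.0.113.7",
    "auth host=web01 user=alice result=OK src=203.0.113.7",
    'app host=web01 msg="cart updated" user=bob',
    "fw host=edge01 action=DENY src=198.51.100.9 dst=10.0.0.5 dport=22",
    'app host=web01 msg="page rendered in 12ms"',
]

# Event classes the hybrid model forwards to the MSSP (assumed policy);
# everything else is kept only in the customer's own log store.
FORWARD_TYPES = {"auth", "fw"}
# Fields allowed to leave the premises (assumed data-minimization policy).
FORWARD_FIELDS = {"type", "host", "user", "result", "src", "dst", "dport", "action"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def normalize(line):
    """Parse a raw 'type key=value ...' line into a flat dict (common schema)."""
    etype, _, rest = line.partition(" ")
    event = {"type": etype}
    for key, value in KV_RE.findall(rest):
        event[key] = value.strip('"')
    return event

def is_security_relevant(event):
    return event["type"] in FORWARD_TYPES

def route(lines):
    """Return (in_house_raw, forwarded): every raw line stays in-house; only
    normalized, security-relevant, minimized events are forwarded, with
    identical events compressed into one record carrying a count."""
    in_house = list(lines)
    forwarded = OrderedDict()
    for line in lines:
        event = normalize(line)
        if not is_security_relevant(event):
            continue
        slim = {k: v for k, v in event.items() if k in FORWARD_FIELDS}
        key = tuple(sorted(slim.items()))
        if key in forwarded:
            forwarded[key]["count"] += 1
        else:
            forwarded[key] = {**slim, "count": 1}
    return in_house, list(forwarded.values())

if __name__ == "__main__":
    kept, sent = route(RAW_LOGS)
    print(f"retained in-house: {len(kept)} raw lines; forwarded: {len(sent)} events")
    for ev in sent:
        print(ev)
```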

SOC Models Comparison
