Inhouse SOC vs Managed SOC

Anupam Gaur
4 min read · Apr 10, 2024


Security Operations Center

What is a SOC? SOC stands for Security Operations Center. In an organisation it is a centralised unit (in most cases a dedicated, physically secured premises).

Within a SOC are SOC Engineers, SOC Analysts and a SOC Manager; modern/advanced SOCs also have Threat Hunters, Forensic Experts and Incident Handling Experts. These different roles are important for the smooth functioning of the SOC.

The goal of a SOC is to monitor, analyse and detect a cyber threat, and then respond to, contain and eliminate it.

So for any SOC to work efficiently, PPT is very important.

PPT stands for People, Process, Technology.

Primarily there are 2 SOC types: Inhouse SOC and Managed SOC.

An Inhouse SOC is mainly for large organisations with a huge global presence and networks distributed across different geographies. These organisations have the budget to support the PPT part: they can invest in people (for their training), in the latest technology to support the SOC's functioning, in infrastructure, etc.

A Managed SOC or Outsourced SOC is when an organisation lacks the proper skillset or infrastructure and lets another specialised company or partner manage its infrastructure security remotely. This specialised company has the proper skillset, technology, incident management processes, proper communication channels to respond, and highly skilled people to provide top security services to any organisation. This company, also called a Managed Security Services Provider (MSSP), Managed Detection and Response Provider (MDRP) or SOC Provider, has cyber security analysts working as defenders who monitor the traffic of different customers, look for anomalies and are ready to respond to or handle any attack.

Functionality-wise, in technical terms, the end goal of both inhouse and managed SOC is to prevent any malicious threat vector from attacking the organisation.

Now we talk about the differences:

Inhouse SOC

Pros and Cons:

1. Inhouse SOC: as they have invested heavily in PPT, you get to learn about modern technologies, but as you are only monitoring your own (single) organisation, you may have less visibility in terms of attack vectors or the different kinds of anomalies hitting other organisations.

Or sometimes it can be boring for an analyst (this is my personal view :))

2. The advantage is that as the scope (only one organisation) is comparatively limited, the processes are more defined and organised.

3. Another important point is that Threat Hunters or Red Teamers can work more proactively to make the Defenders (Blue Teamers) run for their money and challenge them to have effective OPSEC. From my view there is more fun when Blue Teamers and Red Teamers work in an Inhouse SOC, build a hypothesis of an assumed breach, go deep into the investigation and use AI or different analytical tools to dig into a specific network area (for example the network segment where the crown jewels are located).

The reason (again my view) is that in an Inhouse SOC you have comparatively more time for these collaborative activities.
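The hypothesis-driven hunt described above, as an added example that is not part of the original post. The flow-log lines, the crown-jewel segment 10.50.0.0/24, the expected-source baseline (an admin jump-host subnet) and the port list are all constructed placeholders. The hypothesis is "a host outside the admin subnet is reaching the crown-jewel segment over the ports an intruder would use to move laterally"; the code scans the log for sources that contradict the baseline and summarises what each one touched, counting denied connections too, because a blocked attempt still shows the host probing the segment.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow-log lines (not from the post): "timestamp src dst dport proto action".
SAMPLE_FLOWS = """\
2024-04-10T09:00:01 10.20.1.15 10.50.0.10 445 tcp allow
2024-04-10T09:00:05 10.20.1.15 10.50.0.11 445 tcp allow
2024-04-10T09:01:10 10.10.5.7 10.50.0.10 445 tcp allow
2024-04-10T09:01:12 10.10.5.7 10.50.0.10 3389 tcp allow
2024-04-10T09:02:00 10.10.5.7 10.50.0.12 3389 tcp deny
2024-04-10T09:03:00 10.20.1.16 10.50.0.10 445 tcp allow
2024-04-10T09:04:00 10.10.5.7 10.30.0.4 443 tcp allow
"""

# Hypothetical environment facts that the hunt hypothesis rests on.
CROWN_JEWELS = ipaddress.ip_network("10.50.0.0/24")        # segment holding the crown jewels
EXPECTED_SOURCES = [ipaddress.ip_network("10.20.1.0/24")]  # admin jump-host subnet: the only expected client
LATERAL_PORTS = {22, 445, 3389, 5985, 5986}                # services typically used for lateral movement


def parse_flows(text):
    """Turn the whitespace-separated log lines into dicts with typed addresses and ports."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, action = line.split()
        flows.append({"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                      "dport": int(dport), "proto": proto, "action": action})
    return flows


def hunt_crown_jewel_access(flows):
    """Hypothesis: a host outside the admin subnet reaches the crown-jewel segment.
    Returns, per unexpected source, what it touched; an empty dict means no support for the hypothesis."""
    findings = defaultdict(lambda: {"count": 0, "targets": set(), "lateral_ports": set(),
                                    "denied": 0, "first_seen": None})
    for f in flows:
        if f["dst"] not in CROWN_JEWELS:
            continue  # not about the segment we are hunting in
        if any(f["src"] in net for net in EXPECTED_SOURCES):
            continue  # baseline traffic, consistent with the hypothesis' null case
        entry = findings[str(f["src"])]
        entry["count"] += 1
        entry["targets"].add(str(f["dst"]))
        entry["first_seen"] = entry["first_seen"] or f["ts"]
        if f["dport"] in LATERAL_PORTS:
            entry["lateral_ports"].add(f["dport"])
        if f["action"] == "deny":
            entry["denied"] += 1  # a deny still shows intent: the host is probing the segment
    return dict(findings)


def rank_findings(findings):
    """Order sources by how much of the segment they touched and how many lateral ports they used."""
    return sorted(findings,
                  key=lambda s: (len(findings[s]["targets"]), len(findings[s]["lateral_ports"]), findings[s]["count"]),
                  reverse=True)


if __name__ == "__main__":
    result = hunt_crown_jewel_access(parse_flows(SAMPLE_FLOWS))
    for src in rank_findings(result):
        print(src, result[src])
```

On the constructed sample only 10.10.5.7 contradicts the baseline: it reached two crown-jewel hosts over SMB and RDP and had one RDP attempt denied. In a real hunt the baseline would come from weeks of historical flows rather than a hard-coded subnet, and each ranked source becomes the next pivot (process and logon telemetry on that host) rather than a verdict on its own.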

Now let's talk about Managed SOC.

Managed SOC

This again looks similar to Inhouse, but generally there are many different customers (their infrastructure security) being managed from this SOC type.

As there are different customers being managed remotely, each customer most likely has at least one or two different security products. For example, Customer A uses Splunk SIEM, a PANW firewall and CrowdStrike EDR, while Customer B uses, say, FortiGate security and the Microsoft security stack (EDR).

Pros and Cons:

1. As there are different technologies, there is more breadth in the traffic monitoring types, rules and playbooks (SOAR) that this type of SOC has to handle. So you need people with mixed skillsets to handle your customer pool. Also, these kinds of SOCs follow a strict hierarchy from Tier 1 to Tier 3, as they provide the same escalation matrix to customers.

I personally have experience of working in this type of SOC environment back in the early days of my career and I can tell you that it is challenging.

2. Alert fatigue: yes, we have better tools now with Gen AI and better automation tools and blah blah, but analysts still have a challenging job to keep up with the pace of alerts coming in continuously.

3. For a Managed SOC, processes may be different for each customer. There is a chance (I have seen this personally) that processes are not defined properly when onboarding a customer, and this leads to major issues.

Here there is a chance that an alert may be missed by the analyst.

4. Also, as the Managed SOC team is dealing with different customers, some customers may use legacy tools, while Managed SOC teams often focus on the latest technologies and only a few analysts know about the legacy tools.

So a Managed SOC can be more fun as it makes the environment more challenging.
The analysts are more focused, with hard-hitting SLAs.
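The multi-customer, multi-tool situation described in points 1 to 3 above (one customer on a SIEM, another on an EDR or XDR stack, each with its own escalation matrix and SLA, and the risk that an alert is missed), as an added example that is not part of the original post. The raw alert shapes, their field names, the customers "A" and "B", the per-customer tier and SLA minutes and the timestamps are all constructed placeholders, not any vendor's real schema. The code normalises each tool's alert into one record, applies the customer's escalation matrix, and lists alerts whose acknowledgement SLA has already been breached, which is exactly the "missed alert" the post warns about.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Alert:
    customer: str
    source_tool: str
    alert_id: str
    severity: str  # normalised to low / medium / high / critical
    host: str
    title: str
    raised_at: datetime
    acknowledged_at: Optional[datetime]


def parse_ts(value):
    """ISO-8601 with a trailing Z -> aware datetime; None stays None (not yet acknowledged)."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed raw alerts in three tool-specific shapes (hypothetical field names).
RAW_ALERTS = [
    {"customer": "A", "tool": "siem", "event": {"_key": "A-1001", "urgency": "high", "dest": "srv-db01",
                                               "rule": "Brute force login", "_time": "2024-04-10T09:00:00Z", "acked": None}},
    {"customer": "A", "tool": "edr", "event": {"id": "A-2002", "SeverityName": "Critical", "ComputerName": "wks-17",
                                              "Name": "Credential dumping", "Timestamp": "2024-04-10T09:05:00Z",
                                              "acked": "2024-04-10T09:12:00Z"}},
    {"customer": "B", "tool": "xdr", "event": {"alertId": "B-3003", "severity": "Medium", "deviceName": "fin-02",
                                              "title": "Suspicious PowerShell", "createdDateTime": "2024-04-10T09:10:00Z",
                                              "acked": None}},
]

SEVERITY_MAP = {"informational": "low", "low": "low", "medium": "medium", "moderate": "medium",
                "high": "high", "critical": "critical"}


def norm_severity(raw):
    # Unknown labels default to medium so a badly onboarded tool never silently drops to the bottom of the queue.
    return SEVERITY_MAP.get(str(raw).strip().lower(), "medium")


# One normaliser per tool family, keyed by the tool name used in the raw record.
NORMALIZERS = {
    "siem": lambda c, e: Alert(c, "siem", e["_key"], norm_severity(e["urgency"]), e["dest"], e["rule"],
                               parse_ts(e["_time"]), parse_ts(e["acked"])),
    "edr": lambda c, e: Alert(c, "edr", e["id"], norm_severity(e["SeverityName"]), e["ComputerName"], e["Name"],
                              parse_ts(e["Timestamp"]), parse_ts(e["acked"])),
    "xdr": lambda c, e: Alert(c, "xdr", e["alertId"], norm_severity(e["severity"]), e["deviceName"], e["title"],
                              parse_ts(e["createdDateTime"]), parse_ts(e["acked"])),
}


def normalize_all(raw_alerts):
    out = []
    for r in raw_alerts:
        try:
            out.append(NORMALIZERS[r["tool"]](r["customer"], r["event"]))
        except KeyError as exc:
            # An unknown tool or missing field is an onboarding gap; fail loudly rather than drop the alert.
            raise ValueError(f"cannot normalise alert from {r['customer']}/{r['tool']}: {exc}") from exc
    return out


# Hypothetical per-customer escalation matrix: severity -> (tier that owns it, minutes to acknowledge).
ESCALATION = {
    "A": {"critical": ("tier3", 15), "high": ("tier2", 30), "medium": ("tier1", 60), "low": ("tier1", 240)},
    "B": {"critical": ("tier3", 10), "high": ("tier2", 20), "medium": ("tier2", 45), "low": ("tier1", 120)},
}


def triage(alerts, now):
    """Attach tier and SLA deadline to each alert and flag breaches; breached, unacknowledged alerts sort first."""
    rows = []
    for a in alerts:
        tier, minutes = ESCALATION[a.customer][a.severity]
        deadline = a.raised_at + timedelta(minutes=minutes)
        breached = (now > deadline) if a.acknowledged_at is None else (a.acknowledged_at > deadline)
        rows.append({"customer": a.customer, "alert_id": a.alert_id, "severity": a.severity, "tier": tier,
                     "sla_deadline": deadline, "acknowledged": a.acknowledged_at is not None, "sla_breached": breached})
    rows.sort(key=lambda r: (not r["sla_breached"], r["acknowledged"], r["sla_deadline"]))
    return rows


def sla_breaches(raw_alerts, now):
    return [r["alert_id"] for r in triage(normalize_all(raw_alerts), now) if r["sla_breached"]]


if __name__ == "__main__":
    for row in triage(normalize_all(RAW_ALERTS), parse_ts("2024-04-10T09:40:00Z")):
        print(row)
```

With the clock at 09:40, A-1001 (high for customer A, 30-minute SLA, never acknowledged) is the breach; A-2002 was acknowledged inside its 15 minutes and B-3003 still has time under customer B's 45-minute medium SLA. The normaliser deliberately raises on an unknown tool or missing field instead of skipping the record, because in a managed SOC a silently dropped alert from a badly onboarded customer is the failure mode that matters most.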

Differences

Disclaimer: these are my personal views :)

Written by Anupam Gaur

A Cyber Security Enthusiast, Explorer, Learner. Let's make the Cyberspace Secure.
