To MSSP or not to MSSP?

By Justin Grosfelt, Principle Security Consultant, RSA Advanced Cyber Defense Services

It’s an increasingly common question these days, and not an easy one at that. That is, do you build your security operations capabilities in house, or do you go with a Managed Security Service Provider (MSSP)? There are certainly advantages to both and bottom line wise; it is hard to say which one actually is cheaper.

Ultimately, as with all things, it is a business decision that is made with an acceptable level of risk in mind.

To make that decision easier, you should ask yourself a few questions:

• Does your organization have the right skillset(s)?
  • If not, how difficult will it be to find talent?
  • How will you train and retain that talent?
  • How much time do you have to implement your strategy?
  • Do you anticipate a high volume of incidents that will require response?
  • Is your organization under strict compliance regulations?
  • What are your overall goals for your SOC?
    • Do you want 24 x7 Coverage?
    • Is your end state goal to be world class and state of the art?
    • Is commodity-level monitoring adequate or do you need monitoring and response to be intelligence driven and customized to your business and known threats?
    • Do you need high detection rates for incidents?
    • Do you want to be more proactive instead of reactive?
    • Do want to incorporate continuous improvement into your lifecycle?
    • Do you want to perform root cause, malware and forensic analysis?

Of course, you may not know the answers to these questions or may not be able to clearly define your goals for your SOC. If that is the case, no worries, one option is to start building your Security Operations in-house for a specific period of time (usually a year) to get a baseline for normal operations. After that time, you will be able to identify areas that can be outsourced as well as clearly define requirements and deliverables from your chosen vendor. Alternatively, you will also be able to identify functions that need to stay in-house to remain effective.

Below I have included an example pro’s and con’s list which can be used to compare the two options with a final rating at the end. The sample shows an in-house solution as the best option, but that is dependent on the importance rating for each pro or con which will be different and based on the answers to the above questions.

Deciding which strategy is right for you is more complex than a simple table, especially given the long term financial considerations of either. But it can be a useful way to identify and compare the major advantages and disadvantages.

Justin Grosfelt is a Principal Security Consultant for the world-wide Advanced Cyber Defense (ACD) Practice. He is a subject matter expert on matters relating to Global Incident Response/Discovery (IR/D), breach readiness, computer forensic analysis, remediation and proactive computer network defense. Prior to RSA, Justin led network and host based malware and cyber threat analytics/investigations and incident response forensics for the Raytheon Company Cyber Threat Operations Program.