Without a doubt, knowing when to outsource and when to do something yourself is one of those conundrums that any company faces. Some say to outsource what you lack experts on or those areas where you are weaker; others advocate for investing in hiring if the company ever wants to master them.   

This is familiar in cybersecurity, where small- and medium-sized businesses face the dilemma of building a Security Operations Center (SOC) team in-house or outsourcing to Managed Security Service Providers (MSSPs). Given how difficult this choice is, some outsource only certain functions, moving towards a hybrid approach. According to the latest SANS SOC Survey, penetration testing and forensics are the most common activities to be outsourced. In contrast, security system architecture, engineering, planning, and administration tend to stay in-house.

Sergio Lozano Álvarez

Product Marketing Manager

What is a hybrid SOC model?  

A hybrid SOC model combines an in-house SOC and an MSSP to leverage the strengths of both options and achieve optimal security outcomes. This way, organizations can create a SOC team despite their members sitting in different places.  

With this exchange between the two parties, security is strengthened by the best of both worlds. The in-house team has good organizational context and can work on those functions where this knowledge is required, whilst the MSSP contributes skills, experience, and extensive resources.

Why is the hybrid SOC model so popular?  

This hybrid approach is gaining in popularity amongst many organizations and for different reasons. It’s logical to think that it’s related to the boom of managed services, such as Managed Detection and Response (MDR).   

In Gartner’s report Market Guide for Managed Detection and Response Service, it is predicted that “by 2025, 50% of organizations will be using MDR services for threat monitoring, detection, and response functions that offer threat containment and mitigation capabilities”. Security technology, architecture, and allocated personnel have contributed to this growth.  

How hybrid SOC models mitigate the lack of resources   

This so-called hybrid model enables organizations to streamline how they allocate resources for security and reduce overall costs. MSSPs can handle routine monitoring and less pressing tasks, so they free up resources for the in-house team to focus on more strategic initiatives and pressing tasks, such as incident response and threat analysis.  

Lack of resources is a constant in organizations, and it is often reflected in their security. This is broadly referred to as the cybersecurity skills gap. Technology, architecture, and the number of employees are also contributing factors to this skills gap, which outsourcing through a hybrid SOC model can minimize.

Technology as a factor

Business executives must empower those within Security Operations to decide on the security tech stack if they want to succeed in their investment. According to the SANS SOC 2023 Survey, management and SOC leads collaborate to allocate resources for cybersecurity in only 24% of companies.   

So, adopting newer security technology without consulting the in-house staff responsible for running it can take a toll on the security posture. Even organizations that already have SIEM technology and other security solutions can lack the maturity and the know-how to use them properly.

Outsourcing some of the functions the in-house team struggles with can solve this problem. So, finding an MSSP that can work with your cybersecurity solution is essential.  

Architecture as a factor

How a SOC team is organized and expected to function is another contributing factor that a hybrid SOC model can help with. Centralizing the SOC team in one region and, therefore, keeping the data in the same region might be necessary due to regulatory frameworks. In that case, cloud-based SOC services delivered by an MSSP can be a solution.

Another architectural aspect is availability. Companies will always be far from a strong security posture if they can’t achieve 24/7 security operations. Running operations non-stop requires a workforce that not every business has available, so this function often ends up being fully or partially outsourced to MSSPs.

Personnel as a factor

In addition, an organization’s inability to adequately staff the SOC team also translates into a lack of resources. When that happens, organizations tend to push security into the background or fold it into IT Operations.

The less likely the in-house SOC team is to perform a function, the more likely that function is to be outsourced. This reflects the shortage of in-house personnel for time-consuming tasks. However, there is also a correlation between how specialized a function is and the likelihood of outsourcing it. Because penetration testing, threat intelligence, and forensics require specialized knowledge, MSSPs tend to take care of them.

On the other hand, in-house SOCs deliver more value when they operate functions that need organizational context, such as alert triage. This distribution of tasks allows the in-house SOC team to work in harmony with the MSSP and make the most of available resources.

How Logpoint can help companies in a hybrid SOC model  

If your organization lacks the resources to manage its security operations and you are considering hiring an MSSP, Logpoint can help in several ways. Logpoint works with MSSPs across Europe and the US that offer their customers different levels of flexibility.

Companies can manage certain functions from Converged SIEM, while the outsourced part of the SOC team can handle the rest through the Director console. This centralized console helps MSSPs manage deployment across customers and geographies and operate multi-tenant threat detection, investigation, and response solutions.  

Because Converged SIEM standardizes the security data, it is easier for an MSSP to integrate with the customer’s environment and start providing services. It provides enhanced visibility across the entire IT architecture and automatically enriches the data with threat intelligence and organizational context, facilitating the TDIR process in a hybrid SOC model.   

Whether you outsource your SOC, keep it in-house, or go for a hybrid SOC model, Logpoint can help you. You can reach out to our team to learn more.