Enterprises can either build a security operations center in-house or outsource it to a managed service provider. In most cases it makes sense to outsource the security operations center, as the typical organization lacks the resources (time as well as expertise) for such a dedicated activity.
Organizations need to be very careful when selecting a managed service provider. These third parties will be aware not just of organizational processes and critical infrastructure, but also of its vulnerabilities. So at times the best approach is to outsource the technology, but not its management. The CISO or security head should ensure that they hold the reins as far as the actions taken on any particular alert are concerned.
The security operations center involves the integration of different security technologies and controls at a central location. Hence every organization must verify the service provider's integration capabilities, as well as the middleware the provider plans to use.
Once the selection process is over, the managed service provider generally conducts a risk analysis of the enterprise's architecture. Based on the risk profile, the provider may suggest additional security controls. Organizations should take a phased approach to bringing the different parts of their security architecture under the security operations center. They can start with perimeter devices, followed by servers and desktops. Apart from log management and analysis, the security operations center also provides capabilities such as threat (internal and external) and vulnerability assessment, penetration testing, phishing alert management, and patch updates.
(With inputs from Dr. Onkar Nath, the chief of information security for Central Bank of India. Dr. Nath is currently setting up a security operations center for Central Bank of India.)