The Good, the Bad and the Ugly of Building Versus Buying

December 6, 2016 Arctic Wolf Networks

A question we frequently come across in our dealings with businesses is whether they should build a threat detection and response framework such as a SIEM and security operation center, or purchase these solutions as part of a subscription-based service model.

The first answer we give them is always, “that depends on you.” Both models have pros and cons, so the right selection is based on your business’s priorities.

What do we mean by that? Let’s take a closer look:


The build option tends to be more conducive to enterprises that have the resources to construct and deploy a SIEM or SOC within a reasonable timeframe, and then manage it continuously.

The good
Banks, law firms, health care organizations, government agencies and other industries that are at high risk of cyberattacks and must abide by stringent compliance codes want and need greater control over their security posture. By keeping SIEM or SOC management in-house, these organizations can be confident that they are neither shirking compliance nor implicitly placing too much trust in a managed security service provider.

The bad
Log data management is an incredibly complicated endeavor. SIEM, for instance, is notoriously “noisy.” Analytics can bring some order to the din of daily cyberthreat alerts; however, false alarms cannot be completely eliminated. SIEM and SOC alike require unyielding management and ongoing maintenance that can only be performed by an experienced cybersecurity professional.

The ugly
Building is expensive, not just in terms of the initial costs of actually creating a solution, but also in deploying at scale, managing it and maintaining it on a 24/7/365 basis. For example, SIEM management is straining the IT budget for nearly 70 percent of businesses. Bear in mind that full-time management means round-the-clock staffing.


Going with an MSSP is much more alluring to the majority small and medium-sized businesses that lack the resources to build, manage and maintain a SOC, and are willing to relinquish some control over their security posture.

The good
Managed SOC or SIEM can be deployed quickly, easily and with little to no effort on the part of in-house IT staff. More importantly, there’s no need to hire round-the-clock security engineers – threat detection is left entirely in the hands of the vendor. Hands down, this is the lower-maintenance, more cost-effective option for SMBs.

The bad
Compliant businesses may not have the desired level of control when working with an MSSP, since they don’t have access to or understand the full extent of cybersecurity tools being used to protect them. SLAs can help here, but that’s assuming you have a thorough enough understanding of what needs protecting to know whether or not this is the right service for the job, or if it’s a service that can actually do what it claims. A lot goes on faith with an MSSP.

“A lack of transparency makes IR much more difficult.”

The ugly
The vast majority of MSSPs can defend against and/or detect cyberthreats. What they don’t do is provide you with the complete lifecycle of a threat. This lack of transparency makes incident response to breaches much more difficult. Even if you detect a threat early, you may not have the wherewithal to neutralize that threat swiftly and efficiently.

How to learn more

This a high-level overview of a subject that deserves much more granular analysis, which is why we’ll be releasing a white paper later this month that dives into greater detail about the economics of cybersecurity. Keep an eye out for that document, coming soon from the AWN library.

In the meantime, read what Gartner says about “build versus buy” in their updated guide for managed detection and response.

Previous Article
The MSSP Dilemma: What Services Do You Actually Need?
The MSSP Dilemma: What Services Do You Actually Need?

Should you keep your cybersecurity strategy in house? If not, what should you for in an MSSP? 

Next Article
Webinar: The Inside Scoop on IR
Webinar: The Inside Scoop on IR

Here are a few of the highlights of the recent webinar "Incident Response from the Inside Out."


Want cybersecurity updates delivered to your inbox?

First Name
Last Name
Thanks for subscribing!
Error - something went wrong!