I received an email notifying me of a Webcast by SecureWorks titled Building and Sustaining a Security Operations Center. I'd like to highlight a few aspects of the Webcast that caught my attention.
First, the slide below shows the functions that SecureWorks considers to be in scope for a SOC. I noticed it includes device management. I think that function is mostly integrated with regular "IT" these days, so your SOC might not have to worry about keeping security devices running. Configuration of those devices, however, is probably best handled by the SOC.
Second, I liked seeing a slide with numbers of events being distilled into incidents.
Third, I thought this slide made a good point. You want to automate the early stages of security operations as much as possible (90% tech), but the response processes tend to be very skill-intensive (which translates into higher overall salary costs, i.e., you may have fewer IR handlers, but they could cost more than the event analysts). The "Adapt" section on the right seems to depict that mature operations end up spending about half of their budget on tech and half on people. Mature operations realize that their people must keep up to date with attacks and vulnerabilities, or they fail to "adapt" and become dated and ineffective.
Finally, SecureWorks spent a lot of time talking about "co-sourcing," or having an in-house team meeting its core security competencies, while an outside group (like SecureWorks, hey!) fills in the gaps. This is the MSSP industry response to the recent trend for companies to move their security function back in-house. I think it makes sense, however. Using outside vendors for security intelligence and high-end attack and artifact analysis is a smart way to spend your money.