When you are not in a position to have a self-managed SOC, the second option is to have a co-managed SOC. In a co-managed SOC model scenario, you are partnering with another service provider to share your workload, technology, or the operational overload. In this model, you can optimize your operations by offloading some of the responsibilities to the SOC service vendor, for example you may choose to monitor the daytime shift, and let the vendor manage the night shifts, you can have the SIEM owned by the vendor and have your resources manage the operations, or you can own the SIEM and offload the operations to a vendor. In a co-managed way of running SOC, you have the opportunity to be more agile and maintain a high level of operational excellence by applying service-level agreements on the vendor and bring up the SOC in less time than is required in a fully owned SOC; you almost tap into a matured operating SOC. One of the other factors that will work in your favor is that you will be able to almost immediately tap into the resource skill pool of your vendor, should you lose your own, or in the case of vendor-managed analysts, you never have to worry about losing a talent, as they will maintain the pool. If you choose a service provider that has a well-trained and experienced analyst pool, this automatically benefits your security operations. On the other hand, if you choose to co-manage the SIEM, you can share the cost of the license, maintenance, and operations. This eases your business to some extent, but not completely, as you might still be responsible for the incident response and analysis with shared resources between you and the vendor, manage the governance from your end, and also own the risk management of your business, monitor the SLAs with the vendor, and monitor the quality of service from the vendor so that the quality of detection and operation is not degraded. The following diagram shows the layers in a co-managed SOC:
