BlackBerry Blog

Build SOC In House vs. Buy MDR: Assessing Your Options

Note: This blog was updated on June 27, 2024.

A growing number of organizations pursuing extended detection and response (XDR) are choosing to buy an MDR (managed detection and response) service instead. They report saving both time and money. Which is the right approach for your organization: Should you build in-house or buy it as a service?

The Cybersecurity Complexity Problem

Today’s threat actors are smart, sophisticated, and persistent. In many cases, they no longer act alone. Instead, they build criminal enterprises that operate as dark mirrors of their targets. Some call this the enterprise model of cybercrime. These organizations have recruiters, developers, and even executive leadership. 

To make matters worse, given the mix of bring-your-own-devices (BYODs), VPNs working beyond the firewall, and specific users that cybercriminals are directly targeting to gain access, your own network is no longer the only thing under attack. 

Across this increasingly vast attack surface, threat actors are constantly probing for vulnerabilities. An oversight where the security responsibilities between vendor and client overlap, a misconfigured personal device, a careless mistake committed by a trusted partner — everything is fair game. And while your security team must fend off every attack, cybercriminals only need to succeed once. 

In addition to challenges from threat actors outside the organization, there is a growing cybersecurity issue within organizations. The complexities introduced by the technology used for securing data sources — such as endpoints, networks, mobile devices, cloud services, SIEM, identity, and the Internet of Things (IoT) — often become overwhelming for IT and cybersecurity teams.

An organization might have dozens of different point solutions, each tailored to specific threats. This approach quickly becomes unsustainable.

Each new tool makes cybersecurity more complex, costly, and challenging to maintain. Collectively, these tools produce an avalanche of alerts that must be sorted through in the hope of finding the few that warrant deeper investigation. Recent research reveals that 83% of security professionals suffer “alert fatigue” and struggle to manage alerts alongside their other priorities. The burden of training grows in this scenario as well.

Additional security tools increase the chance that your security stack could become self-defeating as it buckles under its own weight. Organizations can find themselves hampered by integration and compatibility issues, a surprising lack of holistic visibility, and wasted time, as network defenders jump between multiple consoles.

The Cybersecurity Employment Gap

While “tool sprawl” is a significant security roadblock, so is staffing. Small and medium-sized organizations (SMBs) have been hit particularly hard by the cybersecurity talent shortage, and often lack resources to seek out and acquire an in-house team of security experts.

Here are some key cyber threat defense items that most organizations lack:

  • The necessary expertise to effectively manage and respond to both current and evolving cyberthreats
  • Time and staff to keep up with the growing complexity of their security ecosystem
  • Budget and resources to address these concerns

How Managed Detection and Response Solves Security Challenges

An increasing number of organizations are considering MDR as an approach to simplify and solve many of the cybersecurity challenges they face. MDR typically handles all of the following:

  • Collects threat intelligence from multiple sources and intelligently filters it so a security team receives only relevant, actionable alerts
  • Gives your business access to around-the-clock cybersecurity expertise at a fraction of what it would cost to do this in-house
  • Helps consolidate your security stack into a more unified and effective set of solutions
  • Addresses time and resource shortages by providing expert analysts that act as an extension of your team
  • Reaps the benefits of XDR without the significant staffing required

In-House XDR (Build) vs. MDR Service (Buy)

So, back to our question: To realize the benefits of XDR, should you build your own XDR solution in-house or purchase an MDR service from a vendor? The right answer for your organization will likely vary based on staffing, budget, and risk appetite.

The Cost to Build vs. Buy

The chart below, created through a detailed BlackBerry analysis, can be an extremely helpful resource. It compares the cost to subscribe to a managed detection and response service and that of creating an in-house XDR team and technology stack.

Detailed analysis from the BlackBerry MDR Buyer's Guide (chart)

Based on an analysis of compensation and other fixed costs, a “minimal XDR build” could cost nearly $900,000 to create. In this scenario, there would be five SOC team members, and the dollar amount covers each component, including deployment, product integrations, and employee salaries. The minimal build scenario will leave roles occasionally unstaffed due to sick leave, vacations, holiday schedules, and other absences. This limits costs but increases cyber risk at times, and some organizations may determine this is an unacceptable tradeoff.

On the other end of the in-house XDR spectrum, the cost of creating an “optimal XDR build” comes in at roughly $2.2 million. In this scenario, higher staffing levels drive more complete coverage and result in a significantly higher price tag. (See the key in the upper right of the chart for specific staffing details.)

Many organizations would like robust coverage with a team of experts, but building that team and the related technology stack is simply outside of their budget. And the time involved for completing an internal XDR build can be significant. Also, these costs don’t account for baseline security investments like endpoint protection and endpoint management, which serve as a foundation for XDR.

Buying an MDR Solution

Should you buy an MDR solution instead? Each organization will approach this question differently. However, subscribing to an MDR platform like CylanceMDR is much more budget-friendly, making it easier to show ROI to business stakeholders.

The chart above shows that the cost is approximately $91,000 for an organization with 1,001 endpoints and less than $500,000 for an enterprise-level managed detection and response service that covers 5,001 endpoints.

Another reason to consider “buying” an MDR solution is that it rapidly improves your security posture, because implementation is much faster than building this approach yourself.

In very short order, your organization can leverage advanced threat detection, endpoint protection, and incident management, with 24x7x365 support delivered by highly experienced security analysts and professionals. The right managed XDR service will provide experts who give you everything you need to implement a mature, effective cybersecurity strategy. And many organizations see their internal security team’s workload decrease dramatically, allowing analysts to spend more time on your most important projects.

Evaluating MDR Solutions

While the case for buying MDR services is compelling, evaluating the best service provider for your organization is critical, and it can seem daunting. Where should you start?

In our opinion, narrowing your list down to providers with 24x7x365 coverage is crucial. That way your in-house team gets breaks while your security posture remains strong, with no gaps in coverage.

Beyond that, there are other key considerations, and how you view them will depend on your organization. That is why we’ve created an easy-to-read, highly shareable Managed XDR Buyer’s Guide for your reference.

About CylanceMDR

CylanceMDR™ provides around-the-clock detection and protection. Our team is composed of world-champion experts, and our platform is powered by pioneering Cylance® AI technology for threat protection, augmented with proprietary threat intelligence. CylanceMDR is also available at several different levels, so it is a good fit both for organizations with SOCs and for those without.

Bruce Sussman

About Bruce Sussman

Bruce Sussman is Senior Managing Editor at BlackBerry.