If you don’t currently have your own security operations center (SOC), you have two ways to get one: Build your own or use some managed collection of services. In past years the two paths were distinct, and it was relatively easy to make the call based on staffing costs and skills.
Now, the SOC-as-a-service (SOCaaS) industry has matured to the point now where the term is falling into disfavor as managed services vendors have become more integral to the practice. As cloud-based security tools have gotten better, data centers and applications have migrated there as well. Some of the services discussed here call themselves SOCaaS, while others use other managed services designations.
One measure of this maturity is that the market has seen a lot of mergers and acquisitions in the past few years, starting with AT&T buying AlienLabs several years ago. Next up was CrowdStrike acquiring Humio, then eSentire acquiring CyFIR, Sophos acquiring Braintrace, Rapid7 acquiring IntSights, HelpSystems acquiring AlertLogic and Google announcing the acquisition of Mandiant (after the company was separated from FireEye). These mergers illustrate that there has been a “blurring occurring in the security services market, and the line between MSS, MDR, and SOCaaS can be quite confusing,” as IDC’s Martha Vazquez writes in this blog post and explains the evolution of managed security services and the associated acronyms.
You can find further evidence of this evolution with another acronym — secure access service edge (SASE). That term usually refers to consolidated security tools as hybrid cloud environments have taken hold. Let’s not get lost in all the tool differentiation. The key is the ability to use all these tools in some integrated whole and not get buried or bogged down in all the various alerts. Having a SOCaaS can help fill the gaps between the tools and present an integrated view of your security landscape.
To make matters more complicated, each vendor has a different origin story based on a business that focused on a particular security specialization. They carry that lineage through to their tools, their marketing, and how they package the particulars. Some vendors start out as managed security event purveyors (AlertLogic), others as managed detection vendors (Network Technology Partners, now merged with Business System Solutions) or managed endpoint security vendors (Symantec, now part of Broadcom, and Trustwave). Some have developed their own SOC-type consoles to manage their own products and then have made them more general utilities that can connect to a wider range of tools (Critical Start uses a mobile application, for example, while Arctic Wolf and DigitalHands have both developed their own tools). Some came from the services divisions of the larger computer makers (IBM, Dell and HP). Others start out running their own managed network operations centers (NOCs) and then branch out into security (AccountabilIT).
Managed security service vendors
A modern security operations center model
Gartner has tried to bring order to this and has been refining its ”SOC Hybrid-Internal-Tiered model” guides for many years, with its latest 2021 report. “A modern SOC is whatever a client needs it to be,” they wrote. It has to be flexible, including a variety of protective tools to examine fraud, network-based and physical intrusions, security event monitoring, log analysis, vulnerability scanning and incident response. What has changed is that many IT managers “have moved from whether or not to outsource their security to realizing that they can’t keep up with the latest threats and technologies,” says Charlotte Baker, the CEO of DigitalHands, a Tampa-based MSSP.
Gartner recommends that each enterprise honestly ask themselves the question: How many security functions can be done in-house and done effectively? That requires figuring out where the gaps lie and whether a potential managed services vendor can fill them. “You can’t keep up with the demand for experienced information security professionals,” says Andrew Dutton, who runs his own security consulting firm in Tennessee. “You just can’t pay them enough, especially if you are a smaller company.”
The goal should be what Splunk’s white paper says — i.e., for an organization to empower their SOC staffers to get ahead of threats, meaning they have to grow and evolve as the threat landscape changes. Splunk has a ten-step outline that includes ingesting data, detecting security events, automating and orchestrating the response and making further recommendations. If that seems overwhelming, given your current staffing models, then some form of a managed SOC should be your choice.
In its 2021 Market Guide for Managed Detection and Response (MDR) Services, Gartner recommends that rather than focus on wide-scale data collection, businesses should start with evaluating their risk and objectives and what their goals should be. By 2025, they predict that half of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment and mitigation capabilities. They lay out several differences between MDR vendors and other managed security services, including what context the services use to monitor event logs, how they manage devices remotely, whether they provide a portal for their service and how they handle incident response.
10 questions to ask a SOC-as-a-Service provider
As you put together your requests for proposals (RFPs) or questionnaires, here are a few pertinent questions to ask.
- What is your SOC mission, and does it match your overall business goals to reduce your risk? Is your SOC addressing your current threat landscape? “There has been a shift from features of a SOC or managed service to understanding what problems businesses need to solve,” said Tom Gorup, vice president of security operations at AlertLogic.
- How will any managed SOC augment your existing security infrastructure? If you already have a physical, on-premises SOC, will you need to staff it as your organization moves back into the office once you make your SOC completely virtual? Do you need additional technologies to monitor threats that originate in your collection of cloud apps? How will these interact with your existing tools to identify and resolve these threats? How will you define and monitor normal network behavior and keep your eye on the changing work environment?
- How does it differ from a purely monitored services approach? The answer should help you understand nuances from the vendor and how it differentiates itself. For example, AlertLogic began with an SIEM and then added other protective technologies based on its own global telemetry and threat monitoring programs.
- How many legacy SIEMs and service desk systems does it support? Some vendors want you to switch to their own in-house solution. Others (like DigitalHands) offer wider support for your legacy systems on both technologies, while some (like Network Technology Partners) have their own API set that either you or they must write programs to use.
- What agents and servers do customers need to install on their premises? Most vendors require two items to monitor your infrastructure: agents and a custom server that collects traffic and runs the vendor’s proprietary apps. Some require multiple agents for particular tasks, such as one for pure monitoring and another for remediation.
- How often does a vendor reassess/scan your infrastructure? Monitoring varies between continuous to quarterly scans, and it can differ for your cloud versus on-premises equipment. You want more frequent monitoring — and the associated notifications — if possible. Also, confirm that the SOC will have total data visibility across your enterprise, including both mission-critical and customer-critical data.
- How will you produce compliance audits? Some vendors include audits as part of their price, some charge extra, and some refer you to a third party so that you can get a completely independent view of what they are doing. Others, such as Bolton Labs, don’t offer any compliance services at all. There are good reasons for each approach; just make sure you know what you are paying for.
- What is the typical target size of their customers? Some vendors are more focused on mid-market or even smaller businesses. Others can grow and scale up to very large networks across many continents. Again, find out what their sweet spot is and know when you might outgrow it.
- Who is staffing their SOC? You’ll want to know what kind of training, certifications and other skill levels the people watching your network and endpoints have. People often matter more than the actual equipment. After all, that is why you are hiring a vendor anyway, so you don’t need your own staff.
- What is the price tag? Part of the problem is that you may not know how many servers, endpoints or apps you will be protecting, monitoring, or otherwise placing under the purview of your vendor. Many companies start small with proofs-of-concept with a few endpoints to see how the program works and what traffic is captured by the SOC before expanding to wider deployment. We tried to obtain pricing ranges, but most vendors weren’t cooperative. AlertLogic will sell a 500-node license of MDR Professional for $9,000/month or a 250-node license of MDR Essentials for $550/month. DigitalHands offers monthly packages from $2000- $250,000, including a broad collection of tools with integrated dashboards and reports. That gives you at least a range to aim at, depending on the features and level of responsiveness you require.