A 24/7 security operations center (SOC) has long been considered an essential part of an effective cybersecurity strategy. A SOC, supported by both technology and people, introduces the capability to identify, investigate, and resolve targeted cyber threats.
With an expanding attack surface, alert fatigue, the cyber skills shortage, and compliance top-of-mind for CISOs, a modern SOC is more necessary than ever. In 2020, 80% of surveyed IT and security practitioners said their SOC was essential, according to the Ponemon Institute, "Second Annual Study on the Economics of Security Operations Centers."
The market is shifting — and for good reason — but there are roadblocks. Building, staffing and operating an effective SOC is time-consuming, expensive, and complex for all but a few organizations. This is why companies are increasingly turning to SOC-as-a-Service providers to clear the way.
Why Is SOC-as-a-Service Growing in Popularity?
SOC-as-a-Service (SOCaaS) delivers all of the benefits of a dedicated 24/7 SOC, but without the high costs, complexity, and frustrations that come with building, staffing, and managing one. With a managed SOC service, organizations are able to outsource the people, processes, and technology needed for a SOC, which is operated and managed offsite and delivered as a cloud-based service.
An outsourced SOC will work as an extension of your team and carry out critical security functions. Before choosing a SOC-as-a-Service partner, investigate exactly what level of technology and expertise is provided and know what you're paying for. One important area to consider is compliance. Ensure that third-party suppliers of SOC-as-a-Service or other related security services have obtained a SOC 2 Type II report and ISO 27001 certification. With these in hand, you and your customers can be confident that the vendor has processes and procedures in place to protect your data and that they are in active use.
Why a SOCaaS Provider & Not a Managed Security Service Provider?
Because a SOC is so critical for today's enterprises, organizations are looking for more robust managed security than a traditional managed security service provider (MSSP) can provide.
For example, a legacy MSSP often provides more basic services, such as:
- 24/7 remote monitoring and managing of firewalls
- Endpoint detection and response (EDR) solutions
- Virtual private networks and intrusion detection systems (IDS)
- Alerting on basic events
On the other hand, SOCaaS strengthens defensive capabilities by offering advanced threat detection services and access to highly trained in-house security analysts and experts who operate as a true extension of your IT or security team.
For a more in-depth look at this topic and the value that SOC-as-a-Service provides, download our white paper: "7 Key Attributes of SOC-as-a-Service and How It Differs from Traditional Managed Security Services."
How to Evaluate SOC-as-a-Service Providers
When choosing a SOC-as-a-Service provider, there are several important factors to consider. Let's take a look at each of them in turn.
Advanced technology platform
An effective SOC-as-a-Service provider must go beyond the basic capabilities of a traditional Security Information and Event Management system (SIEM). Instead, it needs to combine a broad range of essential functions in a single, cloud-native technology platform. The platform must accelerate and improve the effectiveness of threat detection, hunting, investigation, triaging, case management and remediation.
The platform should also be able to search efficiently against massive amounts of data captured from a variety of sources to quickly identify the data most pertinent to forensic investigation.
A SOC-as-a-Service provider should ingest logs, data, and other telemetry from as many relevant sources as possible. With more data, the automated detection engine (and the data science behind it) has a fuller and clearer picture of what is going on, so it can more confidently identify genuinely suspicious or malicious activity for closer scrutiny.
Specifically, each of the following log sources and data types should be leveraged by the platform:
- Security events
- Infrastructure and authentication
- Enrichment data
- Application data
- SIEM data (optional)
Data science and automation
Once data is captured, the top SOC-as-a-Service providers are able to apply advanced data science techniques to automate and improve the detection process to make important correlations, reduce false positives, and improve confidence in the detections to be investigated.
To do this well, the platform must combine supervised and unsupervised machine learning, rule-based and signature-based criteria, and behavior pattern-matching detection methods to automatically identify potential threats. It should also draw on comprehensive and timely threat intelligence to identify malicious behavior and increase protection over time.
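The two passages above, multi-source ingestion and the blend of rule-based, behavioral and intelligence-driven detection, are easiest to see in a small worked engine. The following is an added example, not Cysiv code and not any vendor's platform: it correlates constructed authentication logs, firewall events and an enrichment table (a threat-intelligence IP list and an allowlist) to raise detections with a confidence score. The log formats, field names, thresholds and the 5-minute window are assumptions chosen for illustration.

```python
"""Toy cross-source detection engine (added example; not any vendor's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. The key=value format is an assumption for this example.
AUTH_LOGS = [
    "2024-03-01T09:00:01Z sshd user=alice src=203.0.113.7 result=FAIL",
    "2024-03-01T09:00:05Z sshd user=alice src=203.0.113.7 result=FAIL",
    "2024-03-01T09:00:09Z sshd user=alice src=203.0.113.7 result=FAIL",
    "2024-03-01T09:00:14Z sshd user=alice src=203.0.113.7 result=OK",
    "2024-03-01T09:01:00Z sshd user=bob src=10.0.0.50 result=FAIL",
    "2024-03-01T09:01:01Z sshd user=bob src=10.0.0.50 result=FAIL",
    "2024-03-01T09:01:02Z sshd user=bob src=10.0.0.50 result=FAIL",
    "2024-03-01T09:01:03Z sshd user=bob src=10.0.0.50 result=FAIL",
    "2024-03-01T09:02:00Z sshd user=carol src=198.51.100.9 result=FAIL",
    "2024-03-01T09:02:03Z sshd user=carol src=198.51.100.9 result=FAIL",
    "2024-03-01T09:02:08Z sshd user=carol src=198.51.100.9 result=OK",
    "2024-03-01T10:00:00Z sshd user=dave src=192.0.2.33 result=FAIL",
    "2024-03-01T10:00:10Z sshd user=dave src=192.0.2.33 result=FAIL",
    "2024-03-01T10:00:20Z sshd user=dave src=192.0.2.33 result=FAIL",
    "2024-03-01T10:10:00Z sshd user=dave src=192.0.2.33 result=OK",
]
FIREWALL_EVENTS = [
    "2024-03-01T08:59:50Z fw action=ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T09:01:55Z fw action=ALLOW src=198.51.100.9 dst=10.0.0.5 dport=22",
    "2024-03-01T09:59:50Z fw action=ALLOW src=192.0.2.33 dst=10.0.0.5 dport=22",
]
# Enrichment data (constructed): a threat-intel indicator and an authorized scanner.
THREAT_INTEL = {"203.0.113.7": "bruteforce-scanner-feed"}
ALLOWLIST = {"10.0.0.50"}

FAIL_THRESHOLD = 3          # behavioral rule: failures before a success is suspicious
WINDOW = timedelta(minutes=5)


def parse(line):
    """Split 'ts source k=v k=v ...' into a dict with a real timestamp."""
    ts, source, *kv = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    rec.update(pair.split("=", 1) for pair in kv)
    return rec


def detect(auth_lines, fw_lines, intel, allowlist):
    auth = sorted((parse(l) for l in auth_lines), key=lambda r: r["ts"])
    fw_by_src = defaultdict(list)
    for rec in (parse(l) for l in fw_lines):
        fw_by_src[rec["src"]].append(rec)

    detections = []
    # Signature/indicator rule: any allowed flow from a threat-intel IP.
    for src, flows in fw_by_src.items():
        if src in intel and any(f["action"] == "ALLOW" for f in flows):
            detections.append({"rule": "intel-ip-contact", "src": src, "confidence": 40,
                               "evidence": [f"threat-intel: {intel[src]}"]})

    fails = defaultdict(list)   # (user, src) -> timestamps of failures inside WINDOW
    for r in auth:
        if r["src"] in allowlist:
            continue            # enrichment suppresses known scanner noise
        key = (r["user"], r["src"])
        if r["result"] == "FAIL":
            fails[key] = [t for t in fails[key] + [r["ts"]] if r["ts"] - t <= WINDOW]
            continue
        # Behavioral rule: success shortly after a burst of failures.
        recent = [t for t in fails[key] if r["ts"] - t <= WINDOW]
        if len(recent) < FAIL_THRESHOLD:
            continue
        d = {"rule": "brute-force-success", "user": r["user"], "src": r["src"],
             "ts": r["ts"], "confidence": 50,
             "evidence": [f"{len(recent)} failures within {WINDOW}"]}
        # Correlation 1: enrichment raises confidence when the source is a known indicator.
        if r["src"] in intel:
            d["confidence"] += 30
            d["evidence"].append(f"threat-intel: {intel[r['src']]}")
        # Correlation 2: infrastructure telemetry confirms the source reached the host.
        hits = [f for f in fw_by_src[r["src"]] if abs(f["ts"] - r["ts"]) <= WINDOW]
        if hits:
            d["confidence"] += 20
            d["evidence"].append(f"firewall: {len(hits)} flow(s) from src")
        detections.append(d)
    return detections


def run():
    return detect(AUTH_LOGS, FIREWALL_EVENTS, THREAT_INTEL, ALLOWLIST)


if __name__ == "__main__":
    for d in run():
        print(d)
```

On this input the engine raises two detections, both for 203.0.113.7: the indicator contact at confidence 40 and alice's successful login after three failures, which the threat-intel and firewall correlations lift to 100. bob's four failures produce nothing because the allowlist marks that source as an authorized scanner, carol stays below the threshold, and dave's success falls outside the window; each of those is the kind of false positive a single-source rule would have raised.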
Technology is important, but a tool is only effective with a team of bright security minds behind it. A SOC-as-a-Service partner is also a provider of human skills, knowledge, and expertise that are a vital asset to any security team. The following experts should be a part of that team and will complement your existing team, acting as an extension to it:
- Data Scientists to help with data acquisition and enrichment
- Data Engineers to build and deploy data pipelines that ingest data
- Security Analysts to monitor environments and investigate suspicious activities
- Security Engineers to deploy and integrate security products
- Threat Hunters to proactively anticipate, detect and eradicate threat actors
- Threat Researchers to collect and process threat intelligence
- Incident Response Specialists to take on triage investigations
Right-sized pricing model
SOC-as-a-Service providers offer various pricing models, and some provide greater value and flexibility than others. If a license is required for endpoint or server security controls, or for network IPS devices, look at when and how the license fees are charged:
- At the beginning of the contract with a flat fee in advance. This model charges the same rate, regardless of whether the licenses are used during that period.
- At the end of each billing period, based on the licenses that were actually used. This is usually preferable, as you pay only for what you consumed.
Also find out if there are any capital costs associated with services provided, and if there is a minimum term (period) for a committed contract. Monthly billing is highly desirable, particularly in the current economic climate.
As you research and speak to top SOC-as-a-Service providers, continue to map out how they compare with this guide: Evaluation Criteria for SOC-as-a-Service.
In particular, Cysiv provides a comprehensive SOC-as-a-Service solution that can augment an existing SOC or operate as a virtual SOC for organizations that lack the resources to build, staff, and operate one on their own.
Cysiv SOC-as-a-Service has several factors that set it apart:
- A modern, cloud-native SaaS platform that accelerates, and improves the effectiveness of, threat detection, hunting, investigation, triaging, case management and remediation.
- Deep data expertise. Cysiv owns its ETL (extract, transform, load) and EDA (exploratory data analysis) processes. As a result, we generate higher-quality, more usable data. We also have a deep understanding of the detection value of different data sources, which optimizes the consumption of logs, improves the threat detection process, and ensures we support your security use-case priorities in the most effective and efficient manner.
- A team of highly-trained experts that operate as an extension to your security operations team.
- Comprehensive and timely threat intelligence and research.
- Transparency: Clients have full visibility into, and the ability to actively participate in, the threat detection and investigation process.
- The option of active response measures that can be taken when a security incident is uncovered.
- Rapid time to value, as SOCaaS can be fully operational in as little as one month.
Interested in learning more? Let's discuss what Cysiv SOC-as-a-Service can do for you.