If your business is serious about adopting SOC-as-a-Service (SOCaaS), the next step is finding a provider whose offerings align with your needs and goals. A detailed request for proposal (RFP) lays the foundation for a fruitful relationship between your business and a SOCaaS provider.
The importance of a good RFP as an expectation-setter goes both ways. Not only is it a way for your business to set out its needs, priorities, and plans, it’s also a prospective SOCaaS partner’s first chance to get to know your business and decide whether their services are a good enough fit to pursue the relationship further. Designing an RFP boils down to knowing what you need and asking specific questions in order to find a partner who can get you there.
What Every SOC-as-a-Service RFP Should Include
SOC-as-a-Service has its own unique place within the cybersecurity industry. For example, it goes beyond basic managed detection and response (MDR) and provides advanced security operations center (SOC) capabilities that managed security services providers (MSSPs) lack.
When starting your SOCaaS RFP process, consider these seven categories to ensure that yours is as well-rounded as it needs to be to get a thorough RFP response.
An RFP response should show your company what technologies a SOCaaS provider uses and give you an idea of how they will serve your company both now and over time. Asking about the technology stack can show you whether they are using a modern, cloud-native next-gen SIEM platform that integrates and combines essential SOC technologies, or whether they rely on a previous generation of SIEM and other SOC technologies. Make sure to also ask whether you can co-manage your security alongside the provider’s analysts by logging directly into their SOCaaS platform, or whether they simply give you access to a portal that shows only summary reports and dashboards. There’s a big difference in value between the two approaches.
The RFP should also address the scale for which the SOCaaS solution is designed, such as the events-per-second levels the platform can handle. This helps ensure they can fit you now and grow with you later.
Learning about reporting options also matters. You’ll want to understand what dashboards a provider has and whether the reporting platform displays information in formats useful to different groups of stakeholders that will have to see and act upon the information.
Fewer than half of medium and large enterprises are highly confident in their security solutions’ ability to detect the adversary TTPs included in each of the matrices of MITRE ATT&CK. Detection coverage depends on the data a provider can ingest, so ask: will the SOCaaS provider have the capacity to handle your company’s current data?
Providers need to be able to collect telemetry from a broad range of data sources across the organization, then normalize, correlate and analyze it to uncover potential threats — and actually respond to the real ones. Do they implement data science and automation methods to make sense of what’s going on in your environment, generating high-fidelity alerts and supporting information at scale? Are they data- and vendor-agnostic in their ability to ingest and leverage a broad range of security data as well as other essential infrastructure, application and related data?
Do they charge extra for essential up-front data science activities that are required to do effective threat detection and response, including:
- Use case definition
- Analyzing the required data sources to effectively support these use cases and identifying any data gaps
- Mapping the detection value of the data to the MITRE ATT&CK framework
- Installing and configuring the connectors, pullers and other technologies that may be required to ingest the data
- Configuring and optimizing the various log sources
The RFP is also the right time to start asking questions about how a SOCaaS provider puts data in context. Key areas to consider are how they share and obtain threat intelligence information, how they enrich the telemetry data, and how they stay informed about trending issues.
An RFP is your first chance to get to know a SOCaaS provider’s procedures. Do they have playbooks that document responses to common issues? Learn how analysts identify and verify real incidents versus false positives. Data privacy regulations are as strict as ever, so be sure to dig into questions about data privacy and governance to ensure compliance standards are met. You will want to ensure sensitive data is well protected.
You should also ask about what procedures they have in place for collaborating and sharing knowledge with your security team, including how well their platform integrates with case management software already in place.
Though cutting-edge technologies are a must for a modern SOCaaS provider, they mean little without the right people behind them. An RFP should also give your company a clear picture of the team who will be delivering the services.
A best-in-class SOCaaS provider not only has experienced and well-trained security analysts, but also a full-service security staff including security engineers, threat hunters, incident responders, and data scientists and engineers. Furthermore, a SOCaaS provider should invest in training. Use the RFP as a first chance to learn how a provider stays up-to-date with the newest technologies and threats, including training opportunities, research, and publication activity.
Information about the infrastructure and the people behind the solution matters, but can only get you so far. Examples and case studies of that technology and expertise in action give you a window into how a potential partner actually approaches situations as they arise. Specific examples can also shed light on how they have handled issues particular to your line of work, or the types of security incidents and emerging threats that concern your company most.
Examples also give your company an idea of how well-equipped a provider is to collaborate with your security and operations teams. Since your company will ideally be working closely with the SOCaaS partner to respond to incidents and secure the business, you’ll want to be sure their processes and procedures mesh with yours.
Pricing Structures and Packages
RFP responses should give your business a clear idea of pricing. Request specifics about a potential partner’s pricing structure, including capital and licensing costs and any required professional services or implementation costs. Make sure to get information about how adapting for any expansion or changes that your business has planned will affect the pricing structure for SOCaaS.
Finding out specifics about managed services packages also matters. Find out which of the services a respondent provides your business actually needs, and how well integrated they are in the SOCaaS platform. Also find out whether they require any packaged services that your business may not need or want, so that you’re not locking yourself into something you don’t need.
The RFP is an opportunity for a potential partner to put their best foot forward, but also a chance for your company to do so as well. Make sure that the RFP contains a detailed scoring rubric. Doing so helps begin the relationship between your business and your SOCaaS partner on a transparent footing, and gives them important preliminary insight about your company’s priorities.
Learn More About Crafting a SOC-as-a-Service RFP
Following these tips will get you started creating an RFP that conveys your SOCaaS priorities, helps the companies who respond explain their services clearly, and allows you to make an educated decision about the provider that best fits your goals.
For even more detailed information about how to design a SOCaaS RFP, including specific questions to incorporate, download the Cysiv white paper. An additional valuable resource is Gartner’s 2020 Market Guide for Managed Detection and Response Services, which highlights key capabilities that buyers should look for when choosing an MDR vendor. Download a copy of the guide here. Or, contact us directly for a SOCaaS RFP template that you can customize and use.