How to evaluate SOC-as-a-service providers

Not every organization that needs a security operations center can afford to equip and staff one. A number of providers now offer SOC as a service. Here's what you need to know about them.

If you don’t currently have your own security operations center (SOC), you are probably thinking of ways to obtain one without building it from scratch. The on-premises version can be pricey, more so once you factor in the cost of staffing it 24/7. In the past few years, managed security service providers (MSSPs) have come up with cloud-based SOCs that they use to monitor your networks and computing infrastructure and to provide a wide range of services, such as patching and malware remediation. Let’s look at how this SOC-as-a-service (SOCaaS) industry has grown up, what its providers offer and how to pick the right supplier for your particular needs.

What is SOC as a service?

The definition of SOCaaS is fluid and can range from service providers that offer basic 24/7 network monitoring up to full-blown threat detection and mitigation. This means that each vendor has its own collection of services that it may label as SOCaaS or as a traditional MSSP offering. Getting to the bottom of this will, unfortunately, consume a lot of time. Some of the confusion is just inconsistent definitions of each acronym, some is a matter of perception, some boils down to product and service offerings, and some has to do with the origin of the provider.

Part of the problem is that each SOCaaS vendor comes from a business that was created to focus on a different security specialization. Some started out as managed security event vendors (AlertLogic), others as managed detection vendors (Network Technology Partners) or managed endpoint security vendors (Symantec and Trustwave). Some developed their own SOC-type consoles to manage their own products and then turned them into more general utilities that can connect to a wider range of tools. Some came from the services divisions of the larger computer makers (IBM, Dell and HP).

Others started out running their own managed network operations centers (NOCs) and then branched out into security (AccountabilIT). What is the difference between a managed NOC and a managed SOC? The former is mostly concerned with keeping the packets flowing through the pipes. The latter is mostly about making sure the right packets are flowing through the right pipes. The tool sets are also completely different: a NOC watches network latency and availability, while a SOC watches for suspicious processes and activity on hosts. The key questions are what services the provider actually delivers, what it monitors and how its tooling will interact with your existing servers and network infrastructure.

The goal here is to have a service that will alert you when you have suffered a breach, a data leak or some other security incident, so that you don’t have to build your own SOC or hire experienced staff to run your protective security equipment. Ideally, the vendor should be able to identify an incident in a timely fashion (within the response times set by its service level agreements) and make the corrections needed to neutralize the threat.
