If you don't currently have your own security operations center (SOC), you have two ways to get one: build your own or use some managed collection of services. In past years the two paths were distinct, and it was relatively easy to make the call based on staffing costs and skills. Now the SOC-as-a-service (SOCaaS) industry has matured to the point where the term is falling into disfavor as managed services vendors have become more integral to the practice. As cloud-based security tools have gotten better, data centers and applications have migrated there as well. Some of the services discussed here call themselves SOCaaS, while others use other managed services designations.

One measure of this maturity is that the market has seen a lot of mergers and acquisitions in the past few years, starting with AT&T buying AlienVault several years ago. Next up was CrowdStrike acquiring Humio, then eSentire acquiring CyFIR, Sophos acquiring Braintrace, Rapid7 acquiring IntSights, HelpSystems acquiring Alert Logic and Google announcing the acquisition of Mandiant (after the company was separated from FireEye). These mergers illustrate that there has been a "blurring occurring in the security services market, and the line between MSS, MDR, and SOCaaS can be quite confusing," as IDC's Martha Vazquez writes in this blog post, which explains the evolution of managed security services and the associated acronyms.

You can find further evidence of this evolution in another acronym -- secure access service edge (SASE). That term usually refers to consolidated security tools as hybrid cloud environments have taken hold. Let's not get lost in all the tool differentiation. The key is the ability to use all these tools as some integrated whole and not get buried or bogged down in all the various alerts. Having a SOCaaS can help fill the gaps between the tools and present an integrated view of your security landscape.

To make matters more complicated, each vendor has a different origin story based on a business that focused on a particular security specialization. They carry that lineage through to their tools, their marketing, and how they package the particulars. Some vendors started out as managed security event purveyors (Alert Logic), others as managed detection vendors (Network Technology Partners, now merged with Business System Solutions) or managed endpoint security vendors (Symantec, now part of Broadcom, and Trustwave). Some have developed their own SOC-type consoles to manage their own products and then made them more general utilities that can connect to a wider range of tools (Critical Start uses a mobile application, for example, while Arctic Wolf and DigitalHands have both developed their own tools). Some came from the services divisions of the larger computer makers (IBM, Dell and HP). Others started out running their own managed network operations centers (NOCs) and then branched out into security (AccountabilIT).

Managed security service vendors

Vendor: Offering
AccountabilIT: MDR
HelpSystems/Alert Logic: MDR Essentials/Professional
AlienLabs/AT&T: MDR
Arctic Wolf: MDR
Critical Start: Mobile SOC
CrowdStrike/Humio: Log Management
Dell Technologies: MDR
DigitalHands: SOCaaS
eSentire: MDR
Google/Mandiant: MDR
HP Wolf Security Services: XDR
IBM Security: QRadar SIEM and SOAR
Network Technology Partners/Business System Solutions: MDR
Rapid7/IntSights: Threat Intelligence
Sophos/Braintrace: XDR
Symantec/Broadcom: SOCaaS
Trustwave: MDR

A modern security operations center model

Gartner has tried to bring order to this and has been refining its "SOC Hybrid-Internal-Tiered model" guides for many years, with . "A modern SOC is whatever a client needs it to be," they wrote. It has to be flexible, including a variety of protective tools to examine fraud, network-based and physical intrusions, security event monitoring, log analysis, vulnerability scanning and incident response. What has changed is that many IT managers "have moved from whether or not to outsource their security to realizing that they can't keep up with the latest threats and technologies," says Charlotte Baker, the CEO of DigitalHands, a Tampa-based MSSP.

Gartner recommends that each enterprise honestly ask itself the question: How many security functions can be done in-house and done effectively? That requires figuring out where the gaps lie and whether a potential managed services vendor can fill them. "You can't keep up with the demand for experienced information security professionals," says Andrew Dutton, who runs his own security consulting firm in Tennessee. "You just can't pay them enough, especially if you are a smaller company."

The goal should be what Splunk's white paper says -- i.e., for an organization to empower its SOC staffers to get ahead of threats, meaning they have to grow and evolve as the threat landscape changes. Splunk has a ten-step outline that includes ingesting data, detecting security events, automating and orchestrating the response and making further recommendations. If that seems overwhelming, given your current staffing models, then some form of managed SOC should be your choice.

In its 2021 Market Guide for Managed Detection and Response (MDR) Services, Gartner recommends that rather than focus on wide-scale data collection, businesses should start by evaluating their risk, their objectives and what their goals should be. By 2025, they predict that half of organizations will be using MDR services for threat monitoring, detection and response functions that offer threat containment and mitigation capabilities.
They lay out several differences between MDR vendors and other managed security services, including what context the services use to monitor event logs, how they manage devices remotely, whether they provide a portal for their service and how they handle incident response.

10 questions to ask a SOC-as-a-Service provider

As you put together your requests for proposals (RFPs) or questionnaires, here are a few pertinent questions to ask.

1. What is your SOC mission, and does it match your overall business goals to reduce your risk? Is your SOC addressing your current threat landscape? "There has been a shift from features of a SOC or managed service to understanding what problems businesses need to solve," said Tom Gorup, vice president of security operations at Alert Logic.

2. How will any managed SOC augment your existing security infrastructure? If you already have a physical, on-premises SOC, will you need to staff it as your organization moves back into the office once you make your SOC completely virtual? Do you need additional technologies to monitor threats that originate in your collection of cloud apps? How will these interact with your existing tools to identify and resolve these threats? How will you define and monitor normal network behavior and keep your eye on the changing work environment?

3. How does it differ from a purely monitored services approach? The answer should help you understand nuances from the vendor and how it differentiates itself. For example, Alert Logic began with a SIEM and then added other protective technologies based on its own global telemetry and threat monitoring programs.

4. How many legacy SIEMs and service desk systems does it support? Some vendors want you to switch to their own in-house solution. Others (like DigitalHands) offer wider support for your legacy systems on both technologies, while some (like Network Technology Partners) have their own API set that either you or they must write programs to use.

5. What agents and servers do customers need to install on their premises? Most vendors require two items to monitor your infrastructure: agents and a custom server that collects traffic and runs the vendor's proprietary apps. Some require multiple agents for particular tasks, such as one for pure monitoring and another for remediation.

6. How often does a vendor reassess/scan your infrastructure? Monitoring varies from continuous to quarterly scans, and it can differ for your cloud versus on-premises equipment. You want more frequent monitoring -- and the associated notifications -- if possible. Also, confirm that the SOC will have total data visibility across your enterprise, including both mission-critical and customer-critical data.

7. How will you produce compliance audits? Some vendors include audits as part of their price, some charge extra, and some refer you to a third party so that you can get a completely independent view of what they are doing. Others, such as Bolton Labs, don't offer any compliance services at all. There are good reasons for each approach; just make sure you know what you are paying for.

8. What is the typical target size of their customers? Some vendors are more focused on mid-market or even smaller businesses. Others can grow and scale up to very large networks across many continents. Again, find out what their sweet spot is and know when you might outgrow it.

9. Who is staffing their SOC? You'll want to know what kind of training, certifications and other skill levels the people watching your network and endpoints have. People often matter more than the actual equipment. After all, that is why you are hiring a vendor anyway, so you don't need your own staff.

10. What is the price tag? Part of the problem is that you may not know how many servers, endpoints or apps you will be protecting, monitoring, or otherwise placing under the purview of your vendor. Many companies start small with proofs-of-concept on a few endpoints to see how the program works and what traffic is captured by the SOC before expanding to a wider deployment. We tried to obtain pricing ranges, but most vendors weren't cooperative. Alert Logic will sell a 250-node license of MDR Professional for $9,000/month or a 250-node license of MDR Essentials for $550/month. DigitalHands offers monthly packages from $2,000 to $250,000, including a broad collection of tools with integrated dashboards and reports. That gives you at least a range to aim at, depending on the features and level of responsiveness you require.