SOC-as-a-Service promises threat protection in a world of scarce resources

Despite more than a few decades’ worth of technological advancement and millions of dollars’ worth of research, cyber threats continue to flourish. The situation has been wreaking havoc—and creating financial nightmares—in virtually every industry around the world. In fact, the average cost of a data breach has risen 12% over the past 5 years and now costs $3.92 million on average —according to Ponemon. And if your company is like most of the ones I know, you’ve got far better things to do with that kind of money.

At the same time, there are nearly 1,000 cybersecurity technologies on the market today. That should be great news, right? It would be, except for two significant problems: The hardware and software necessary to create a security operations center (SOC) can be costly; and there’s a severe shortage of skilled security analysts to drive those technologies.

In fact, roughly 80 percent of organizations say they don’t have enough analysts to run their SOC. And 48 percent of organizations say they don’t even have a SOC. The companies that do have them are typically among the Fortune 500 organizations that can afford the necessary resources—including a complete, tuned security information and event management (SIEM) system, which provides the visibility foundation for the SOC. All in all, it’s a highly resource-intensive undertaking.

And that’s why an alternative approach is gaining traction right now—because it can be both practical and affordable: the SOC-as-a-Service. This approach augments your internal staff, and your organization-specific goals and tolerances, with an outsourced SOC team that brings together most—if not all—the essential security monitoring technologies, including SIEM, on a single platform.

This is not simply a managed SIEM with a one-size-fits all, preconfigured set of security controls. It’s a SOC that allows you to maintain your focus elsewhere, while offering you the peace of mind that comes with knowing you’ll be alerted with clear instructions should a threat arise. And because you know the nuances of your own network and have deep knowledge of your business, you remain the subject matter expert on “what’s normal.”

By sharing that knowledge, you accelerate the outsourced SOC team’s ability to understand your business and environment. As a result, you get the best of both worlds: advanced threat protection, at a low total cost of ownership. You’re in control of your organization’s risk tolerance. Some of these services let you specify which threats are important to you and dictate how issues should be escalated and prioritized. Meanwhile, the costs and complexity of the people, process, and platform issues decrease dramatically as you pass those off to an outsourced team of security specialists.

But what happens when your network connection goes down? Certainly, any SOC-as-a-Service that’s collecting network event data and correlating it elsewhere—in a cloud-hosted environment or data center for a remote SOC team to leverage, for example—will need to rely on network connectivity between your business locations and wherever its service resides. That’s why it’s important to ask a potential provider what exactly will happen when this network connection goes down. Ideally, the outage itself should act as an alert to the SOC, which will allow the SOC team to identify any non-responsive systems and help you determine the scope of the outage and the specifics of any vulnerability it may have created.

At the same time, it’s important to recognize that user and entity behavior data collection should not skip a beat during an outage—as long as a software-based sensor on each endpoint is still running. And as a result, such data would still be collected, thus preventing gaps in the audit trail once connectivity is restored. Of course, it’s always important to review your contract and recognize that service levels typically scale up and down with cost.

And speaking of contracts, every SOC-as-a-Service provider will likely offer unique packaging and contract terms. But these are typically subscription-based services with either annual and/or monthly payment terms and options for scaling features and functionality up or down to meet your specific needs. You should be sure to ask whether the service:

• Protects east-west network activity—in addition to north-south network traffic only—in order to detect lateral movement of an attack
• Allows customer access to the SIEM and reports
• Includes regulatory compliance support along with threat detection

Because many cybersecurity firms are currently offering various flavors of SOC-as-a-Service, there can be a lot of variation in terms of what they can deliver. Some of those companies are managed security service providers that have the staff but standardize on a particular SIEM platform for their technology. Others are managed detection and response providers that will rely on the customer to choose a SIEM—which they will drive.

Still others use various network traffic analyzer tools in place of a full-fledged SIEM platform and choose to offer a “concierge” service that typically won’t allow the customer any visibility or participation in the security strategy. And finally, some are SIEM platform vendors that have staffed their own SOC team to deliver a co-managed SOC service to do the heavy lifting for the customer, while involving the customer’s own IT staff to address the unique intricacies of the customer environment.