
Source: David Strom - CSO Online.  

Not all organizations that need a security operations center can afford to equip and staff one. Several providers offer SOC as a service. Here is what you need to know about them.

If you don't have your own security operations center (SOC), you are probably thinking about ways to get one without building it from scratch. The on-premises version can be expensive once you factor in the cost of staffing it 24 hours a day, seven days a week. In recent years, managed security service providers (MSSPs) have created cloud-based SOCs that they use to monitor your networks and computing infrastructure and to provide a wide range of services such as patching and malware remediation. Let's look at how this SOC-as-a-service (SOCaaS) industry has grown, what these providers offer, and how to choose the right one for your specific needs.

 

What is SOC as a service?

The definition of SOCaaS is fluid and can range from providers that offer basic 24/7 network monitoring to those that offer full threat detection and mitigation. This means that each provider has its own collection of services that it may label as SOCaaS or as a traditional MSSP offering. Getting to the bottom of this will, unfortunately, take some time. Some of the confusion is simply inconsistent use of each acronym, some is a matter of perception, some comes down to product and service offerings, and some has to do with the provider's origins.

Part of the problem is that each SOCaaS provider started out as a company focused on a different security specialization. Some started as managed security event providers (AlertLogic), others as managed detection providers (Network Technology Partners) or managed endpoint security providers (Symantec and Trustwave). Some developed SOC-style consoles to manage their own products and then generalized them into tools that can connect to a wide variety of products. Some came out of the services divisions of major computer manufacturers (IBM, Dell, and HP).

Others started out running managed network operations centers (NOCs) and then branched out into security (AccountabilIT). What is the difference between a managed NOC and a managed SOC? The former is mainly concerned with keeping packets flowing through the pipes. The latter is mainly concerned with making sure the right packets are flowing through the right pipes. The toolsets are also completely different: one tracks network latency, the other tracks CPU-hungry processes. The key point is what services they actually provide, what they monitor, and how their tooling will interact with your existing servers and network infrastructure.

The goal is to have a team that alerts you when you have experienced a data breach, a leak, or some other security incident, so you don't have to build your own SOC or hire experienced staff to run your own security tooling. Ideally, the vendor should be able to identify an incident in a timely manner (as defined by its service level agreements) and take the necessary corrective action to counter the threat.

Gartner's February 2018 report on managed security services lists SOCaaS components such as security event monitoring, network-layer threat detection, log analysis, vulnerability scanning, and incident response, all delivered as managed services from a central SOC. That is the minimum, and it is already a large collection of tools to juggle. The report listed 17 global providers, including AT&T/AlienVault, BT, CenturyLink, and NTT. All of these started out as telecommunications carriers, which suggests that these are the people who best understand how to keep the world's largest network infrastructures running 24x7x365.

If you operate a global company with employees and servers on multiple continents, these providers probably already know you. If you run a smaller business that is not as geographically spread out, you may want to consider one of the roughly dozen specialized SOCaaS vendors such as ArcticWolf, RadarServices, or DigitalHands.

 

How to evaluate SOC as a service

Perhaps the most frustrating part of a SOCaaS evaluation is figuring out what (and how much) you will end up paying. Given the nature of cloud services, pricing models are complex to begin with, and in this market segment they are downright opaque.

AlertLogic is one of the few providers that actually has a meaningful public pricing page, showing three tiers ranging from US$550 to US$4,500 per month. Unfortunately, almost no one else is as forthcoming, and I had to pry this information out of many of its competitors.

Network Technology Partners and AccountabilIT start at a minimum (US$1,500 per month and US$1,600 per month respectively for the most basic services) and charge more as a customer adds monitored assets and network traffic grows. For the most part, the other providers are somewhere between guarded and downright paranoid about revealing their prices. One of them told me that "our pricing is a very delicate matter." Many only quote prices to prospective customers willing to sign non-disclosure agreements. Clearly, more transparency is needed here.

Part of the problem is that you may not know how many servers, endpoints, or applications you want protected, monitored, or otherwise placed under the purview of the SOCaaS vendor. Many companies start small with a proof of concept covering a few endpoints, to see how the service works and what traffic the SOC captures, before expanding to a broader deployment.

Next, how important is the geographic location of the actual SOC to you? Some vendors operate a single SOC. Others place SOCs on different continents to follow the sun or to make better use of Internet connectivity. Network Technology Partners has a second SOC located a few hours away from its main office in St. Louis because it could recruit staff with the necessary skills more readily there. Bolton Labs focuses on the Asian market, which is why two of its three SOCs are located there.

What is the vendor's secret sauce? Given the varied origins of each vendor, it helps to understand what proprietary technology they use to monitor, remediate, and alert you when you have experienced an outage or breach. Some have assembled a number of open source tools but written a proprietary dashboard that you use to view your performance and security posture. Others have written their own packages for threat hunting and other tasks. AccountabilIT is a reseller of AlienVault technology, which is yet another model.

 

Questions to ask a SOC-as-a-service provider

When drafting your RFP or questionnaire, here are some pertinent questions to ask.

  1.  How does the offering differ from a pure monitoring approach to services? The answer should help you understand the vendor's nuances and how they differ. AlertLogic started with a SIEM and then added other protection technologies based on its own global telemetry and threat monitoring programs. You can start with a pure MSSP and see what you experience before deciding whether or not to move to a SOCaaS.
  2.  How many legacy SIEM and ticketing systems are supported? Some vendors want you to switch to their own internal solution. Others (like DigitalHands.com) offer broader support for your legacy systems on both fronts, while some (like Network Technology Partners) have their own set of APIs that you or they must write code against.
  3.  What agents and servers do customers need to install on their premises? Most vendors have two components needed to monitor your infrastructure: agents and a custom server that collects traffic and runs the vendor's own applications. Some require multiple agents for specific tasks, such as one for pure monitoring and one for remediation.
  4.  How often does the provider reassess your infrastructure? Monitoring varies between continuous and quarterly scans, and may differ for your cloud and on-premises equipment.
  5.  How will you produce compliance audits? Some vendors include audits as part of their price, some charge extra, and some refer you to a third party so you get a fully independent view of what you are doing. Others, like Bolton Labs, do not offer any compliance services. There are good reasons for each approach; just make sure you know what you are paying for.
  6.  Does the vendor sell through resellers or directly? Some have well-developed partner networks. Others use large distributors like Ingram Micro for reach, while some want to deal with you directly. Some SOCaaS providers also resell their services to other MSSPs, which is an interesting business model. Make sure you are comfortable with the approach they use.
  7.  What is the target size of your customers? Some vendors focus more on midsize or even smaller businesses. Others can grow and scale to very large networks on several continents. Once again, find out what their sweet spot is and know when you might outgrow it.
  8.  Who is staffing your SOC? You will want to know what kind of training, certifications, and other skill levels the people watching your network have. People often matter more than the actual tooling. After all, that is why you are hiring a SOCaaS in the first place: so you don't have to staff your own team.


 

About SAFEWAY

SAFEWAY is an information security company, recognized by its customers for delivering high-value solutions through information security projects that fully meet business needs. Over these years of experience, we have proudly accumulated many successful projects that have earned us credibility and prominence with our clients, many of whom are among the 100 largest companies in Brazil.

Today, through more than 17 strategic partnerships with global manufacturers and our own SOC, SAFEWAY is considered a one-stop shop for the best technology solutions, processes, and people.

Let's make the world a safer place to live and do business!