As organizations face ever more threats and attacks to their information systems and data, they are increasingly considering setting up security operations centers to centrally manage their detection and management of cybersecurity incidents. Properly implementing a SOC is often a complex undertaking, requiring significant time, money and staff. Plus, organizations can face challenges such as SOC talent shortages and inability to scale. As a result, many businesses are exploring outsourcing some or all of their SOC services to third-party companies, known as SOC service providers.
This buyer's handbook helps you understand the different types of services that are available from SOC vendors, which features you should look for and how to choose services that are appropriate for your organization.
What a SOC is
A SOC is a set of people, processes and technologies, often centralized, that, at a minimum, receives and analyzes user reports and data feeds (logs, for example) from information systems and cybersecurity controls. Typically, the primary goal of a SOC is to detect and prioritize cybersecurity incidents that could negatively impact an organization's information systems or data.
SOCs vary from organization to organization and are implemented according to each organization's cybersecurity priorities and risk tolerance. Some SOCs will manage an incident from detection to remediation; others will focus on supporting and coordinating incident responders and handling incident response communication -- e.g., status updates and third-party communication.
Each organization must implement SOC services that are appropriate and reasonable for it.
How a SOC works
SOC staff and technologies are typically located in a central facility that employees with different levels of expertise -- such as analysts, responders and hunters -- staff 24/7 year-round. SOCs tend to be very process-driven: They have standard operating procedures, use cases and playbooks that define how SOC staff respond to and communicate about various cybersecurity events and incidents.
In addition to real-time analysis of user reports and data feeds, SOCs can also provide the following:
- long-term analysis of data feeds and incident data;
- normalization and storage of security logs;
- creation and dissemination of threat intelligence;
- automation and orchestration;
- threat assessment; and
- vulnerability detection or management (e.g., vulnerability scanning and remediation).
Organizations may consider outsourcing all or some of their SOC services to a SOC service provider for one or more of the following reasons:
- an inability to hire enough SOC staff with necessary skills;
- the desire to gain better value from existing cybersecurity products by having experienced specialists manage them;
- a requirement to quickly expand SOC services due to changes in an organization's threat landscape or business model (e.g., adding e-commerce);
- a preference or requirement to use cybersecurity budget dollars for operating expenses ("renting" SOC services) rather than capital expenses (buying SOC equipment and hiring employees);
- the ability to apply a third party's threat intelligence gained from monitoring many customers; and
- a strategic decision to have simpler, repetitive tasks like initial log reviews be performed by a third party so that SOC staff can focus on high-level tasks, such as incident response or vulnerability management.
For all of the above reasons, the expectation is that the SOC service provider will be able to provide specific SOC services more effectively or less expensively than the organization itself.
Features to look for
SOC vendors can provide the following:
- monitored or managed firewalls or unified threat management technology;
- monitored or managed intrusion detection systems (IDSes) and intrusion prevention systems (IPSes);
- managed or monitored web and email security gateways;
- monitoring or management of advanced threat defense technologies;
- triage and short-term analysis of real-time data feeds (e.g., system logs and alerts from applications and information systems) for potential cybersecurity incidents;
- long-term analysis and correlation of data associated with monitored or managed devices and incident response;
- managed vulnerability scanning of information systems and applications;
- monitoring or management of customer-deployed SIEM technologies; and
- current and relevant threat intelligence.
As the above list makes clear, SOC service providers offer many capabilities that could be useful for your organization's SOC. But the variety of services can be overwhelming. One way to start evaluating SOC providers is with two basic steps to identify those services of most value for your company.
First, identify cybersecurity controls (firewalls, IDS/IPS and so on) that your organization has already implemented but that are not being used effectively, either because of technical challenges or because your team lacks the required expertise. Second, identify services that your organization wants (such as threat intelligence) but cannot effectively implement due to a lack of qualified staff or an inability to reach the necessary scale.
Be sure you're effectively managing and monitoring your existing cybersecurity systems before signing up for advanced services like threat intelligence. For instance, it will be difficult to reap the benefits of threat intelligence if your organization doesn't already have a good understanding of what's happening on its cybersecurity systems.
A key decision you should be prepared to make is whether to have a SOC service provider only monitor (for example, receive logs from some or all of your organization's cybersecurity systems) or also manage certain cybersecurity systems (such as firewalls or SIEMs). Your organization's security policy and risk tolerance will determine this.
Using a SOC service provider can lighten the load on your organization's SOC, but your company will still need to define and assign program-management resources to keep the SOC vendor on task and to evaluate its ongoing effectiveness.
Regardless of what services you choose from a SOC service provider, look for the following functional features:
- The SOC vendor should provide a customer web portal that has multifactor authentication and role-based access control. The portal should provide analytics and visuals, real-time updating, SOC service provider ticket status and reports that can be customized for different types of users -- executives, SOC personnel and so on.
- The vendor should be able to provide requested services 24/7 year-round, offer multiple communication methods -- such as phone and email -- and have proven experience quickly escalating significant events and incidents to appropriate customer staff.
- The SOC services should integrate into your organization's security incident response plan.
- The SOC should provide requested services from at least two geographically distributed sites to ensure redundancy and ability to recover from a disaster.
- The SOC service provider should have staff certified for the significant cybersecurity technologies they are monitoring or managing at your organization.
- If necessary for compliance, verify that a SOC service provider can guarantee that requested services are only provided from specific (e.g., US-based) locations.
Choosing to use a SOC service provider is an important business decision; you want to have a strong, trusted partner, so look for key business features, such as evidence that the provider is financially stable and has a strong customer-retention rate. The SOC provider should offer guaranteed performance-based service-level agreements that include the ability to terminate service in the case of poor performance. Naturally, the provider should have proven experience and expertise in your specific industry. Also, you should be able to reasonably customize provided SOC services; your organization shouldn't have to force itself into a one-size-fits-all service.
Using a SOC service provider will likely involve sharing sensitive data or giving the provider access to some of your organization's information systems. In order to prevent cybersecurity incidents and compliance gaps, require the following security features at a minimum:
- The SOC service provider should allow your organization to perform due diligence on its cybersecurity practices. For example, you should be able to add a right-to-audit clause covering cybersecurity practices to your contract with the service provider and require it to complete a cybersecurity practices assessment questionnaire.
- The SOC service provider should have a third-party cybersecurity audit plus internal and external penetration tests performed at least annually.
- The SOC service provider should be certified in at least one recognized cybersecurity standard -- e.g., PCI DSS, the Federal Risk and Authorization Management Program and ISO 27001 -- and have an SSAE16 (Statement on Standards for Attestation Engagements 16) assessment performed regularly.
- The SOC service provider should be able to receive and send data to and from your organization via encrypted methods, like TLS 1.1+.
Properly implemented and managed, outsourced SOC services can be an important part of your business's cybersecurity program; partnering with a service provider can be a smart way to efficiently and effectively improve your organization's security operations center. Be sure to carefully evaluate SOC service providers so that you end up with the right services for your company.