Cyber threats are increasingly sophisticated and numerous, and the consequences of a successful attack are usually disastrous for companies, both in financial and image terms. One of the most effective defenses organizations can use to counter threats is the Security Operations Center (SOC), a team of cyber experts with high-level skills, proven processes and highly effective security solutions. A system that must be available and operational at all times, 24 hours a day all year round. The SOC can be created in-house or it can be used "as a service" using an external provider.
Internal or external?
Having an internal SOC composed of an adequate number of competent people who are always up-to-date on the latest cyber security news and who can have the latest and most effective IT security solutions at their disposal has some advantages. In fact, it allows for quicker responses in the event of an attack because communication takes place by internal means and employees, knowing better the composition and objectives of the organization, can implement highly customized solutions.
However, in almost all cases, the focus on business rather than IT security, the lack of specialized personnel (or the difficulty in finding them) and a limited budget make companies focus on SOCs used in outsourcing as a service.
The benefits of SOC as a service
In an enterprise, CIOs and CISOs opt for a SOC as a service because they are aware of the complexity of implementing a Security Operations Center as it involves acquiring many tools that need to be set up and used competently, as well as seeking out experts in the field and in incident and forensic analysis. Instead, all of these characteristics can be found in an external provider, which sees as one of its strengths the expertise and experience of analysts who have monitored many environments.
Another aspect that makes the choice towards SOC as a service is the access to threat intelligence, that is the possibility to use a threat intelligence service that is very challenging to adopt in house. In contrast, it is easier for an SOC provider to achieve this goal because they can bring together data from many sources, both external and internal.
Using an SOC as a service also allows you to define precise SLAs (Service Level Agreements) that the provider must meet, such as 24-hour presence. All service levels are detailed with precision and this ensures that the client company does not incur in unpleasant surprises, especially during possible attacks.
Finally, the costs. A SOC as a service is much cheaper than an in-house SOC because most of the equipment, solutions and experts are shared. Also, don't underestimate the fact that an external service is an operational expense (OPEX) and not a capital expense, so it is more "easily manageable" within the budget.
Selection Criteria
Once you have decided to go with SOC as a service, what criteria are used to make the selection that will define the best provider? Here are some suggestions.
First of all it is good to analyze the operating model: it is necessary to verify if the work of the provider essentially foresees the notification of the events or if instead it arrives to offer a proactive answer to the events. In the first case, the response to an attack must come from inside the company, which must therefore have competent people and sophisticated tools. In practice, you have to set up a sort of internal SOC that acts in conjunction with the external one, synchronizing your communication plan and incident management playbooks with those of the provider. And that may not be easy.
Likewise, will the tools the SOC provider will use best integrate with the company's existing solutions? Will the provider be able to get the data it needs? This is a crucial point: the provider must have the tools and ability to integrate with technologies already in use, and must be able to easily transfer useful data within their own solutions.
Another important aspect is aligning the provider's service offerings with the company's internal capabilities. If the provider can offer multiple service levels, you may have to develop new workflows to align your IT and security operations to accommodate the provider's services.
Last but not least, contractual arrangements. The service provider should secure a service level agreement (SLA) that ensures maximum throughput and formalizes engagement and response times. These agreements should be clearly defined and should align with the company's practices and goals.
