There have been a few announcements from popular technology providers about managed service options. Microsoft made an announcement a few weeks ago, Cisco entered the market last November, and Google just announced its SOC of the future offering. This post will help you better understand the SOC managed service market and how to apply such offerings to your security operations center. I highly recommend you become familiar with this trend, as SaaS-delivered security and managed service offerings are quickly replacing traditionally deployed and managed security tools.
The first and most important point to make is that most managed service offerings I’m seeing announced are not designed to be a SOC replacement. I’ve heard people make statements such as “can we just outsource our SOC requirements to XXXXX vendor or service provider?”. For the right price … sure, but the reality of most managed service offerings for a SOC is that they target specific deliverables based on the agreed-upon statement of work. The key thing to understand is that most managed service providers rotate teams that will only perform the work outlined in the service level agreement unless you pay top dollar for dedicated support. Such contracted teams won’t have local “tribal knowledge” about the environment being protected or be aware of organizational politics. The value of such teams, however, is that they can leverage lessons learned from managing security for multiple customers.
I find many technology providers that sell security tools are aiming to help organizations adopt their technology by also providing the people power behind the technology, rather than a full SOC replacement. The most common SOC service being addressed is incident monitoring and response, typically leveraging a combination of an endpoint detection and response (EDR) tool and a security information and event management (SIEM) tool. If the service provider doesn’t sell these tools, they tend to have requirements for the tools they will manage based on their analysts’ skillsets. Usually there are established agreements that pay the service provider for positioning certain technologies. If it’s a technology provider, they tend to require their own technology. For example, you can have CrowdStrike manage its own technology, but its managed service won’t monitor Microsoft Defender along with IBM’s QRadar SIEM.
Other SOC services, such as vulnerability management or digital forensics, could be outsourced, but many of the recent announcements focus on incident monitoring and response. The intent of many of these offerings is to free up the existing SOC team for other services while incident monitoring and response is handled by the service provider. So it’s key to understand that a lot of these new SOC managed service offerings are not designed to threaten existing SOC team jobs. Instead, these services are designed to help adopt technology and allow the SOC to be more effective with the people they currently have on staff.
I highly recommend a blend of managed service and local SOC team members, giving your organization the best of both worlds. This brings up another topic for managed service, which is which tier you are looking to have outsourced. Tier 1 is the first line of defense that handles all first calls and sees the most volume. Tier 2 validates whether what is found is a real concern and performs incident response. Tier 3 are the expert threat hunters and incident response members who limit their time to qualified events. I’ve seen customers focus on one or more of these tiers for managed services. I had one customer looking to outsource Tier 1 so the local SOC team could focus on real events. I had another customer do the opposite, claiming their staff was pretty good but needed expert-level hunters when the local team discovers a real event. I’ve also seen a true hybrid approach where the local SOC and managed service experts team up on qualified events. Many managed service providers making these announcements are flexible and can adapt the service level agreements (SLAs) to the needs of the company they are protecting.
To summarize, many technology and service providers are entering the SOC managed service market. They are targeting organizations that don’t have the people power to run the latest technology rather than mature SOCs that can build playbooks and execute XDR functions. The focus tends to be monitoring and incident response based on an XDR platform (EDR and SIEM). The service can cover tier 1, 2, 3 or a combination of these, depending on the SLA. In my experience, 8 out of 10 organizations I speak with are looking at a hybrid approach for their future SOC because of the challenges of finding and retaining security talent. This need is fueling the SOC managed service market’s growth, which I predict will become a common option from most security technology providers in the near future. The idea of buying, building and managing your own technology is quickly being replaced by either SaaS or managed service offerings. Check out the announcements from Google, Cisco and Microsoft to get a better idea of what I’m speaking about in this post.