How do I select a virtual SOC solution for my business?
Besides the traditional SOC (security operations center) model, which offers continuous system monitoring to improve an organization’s security posture, there is also the virtual SOC, which offers the same capabilities but is delivered as a web-based, outsourced service that simplifies and speeds up the work of the in-house security team.
To select a suitable virtual SOC solution for your business, you need to think about a variety of factors.
We’ve talked to several industry professionals to get their insight on the topic.
Andrew Buldyzhov, CIO, H-X Technologies
A virtual SOC should, of course, be cheaper than a dedicated SOC, but it also must provide the same functionality.
Here are some essential functionalities one should expect when choosing a virtual SOC solution:
- Security audits and pentesting
- Monitoring and response
- Log collection, storage, and analysis
- Incident investigation
- Security training
- Security compliance
- Cloud and application security
When choosing your SOC-as-a-service supplier, check if they provide:
- Compliance with the standards and regulatory requirements your organization has to meet (PCI DSS, etc.).
- Raw log storage during the period you need.
- Flexibility in SIEM and SOC staff location according to your preferences and restrictions.
- Security hardening services.
- SIEM platform of your preference.
- Multi-tenant management consoles.
- Cyber risk insurance.
Pay attention to the SLA, for example:
- Tier 1 – alert analysts – incident detection and initial notification should be within 1 hour. Possibility to receive initial Tier 1 notifications.
- Tier 2 – incident responders – incident verification and notification within 2 hours. In case of a no-authority SOC (monitoring only), maximum percentage of false positives. In case of a full-authority SOC, full recovery within 72 hours.
- Tier 3 – subject matter experts and threat hunters – the number of shared compromise indicators; the number of open sources, proprietary threat analytics sources, and deep web and dark web sources.
Justin Foster, CTO, Cysiv
With the cost, complexity and alert fatigue associated with traditional SIEMs, the most essential component of a virtual SOC is a modern, cloud-native platform that integrates essential technologies (SIEM, SOAR, UEBA, threat intel platform, case management) into a single unified SaaS. By leveraging data science, machine learning and automation, this platform dramatically improves the threat detection, investigation and response process. Other important SOCaaS differentiators:
Transparency: Provides full visibility into the provider’s processes, not simply summary reports and high-level dashboards. Being able to actively participate in investigations alongside the virtual SOC analysts — and create your own rules — keeps you in control.
Flexible extension of your security team: Beyond 24/7 monitoring, a virtual SOC must also include threat hunting and research, data engineering and science, and solution architects that work as a seamless extension to your team. This improves results and allows you to focus on other security and compliance priorities.
Broad data support: For full visibility into your entire environment, including cloud/multi-cloud, IoT/IIoT/OT, look for a vendor that can ingest data from virtually any source, then normalize and enrich it, without additional costs. This is especially important as your business evolves to support new initiatives.
Active response: Recommending an appropriate response isn’t enough these days. Choose a SOCaaS vendor that can implement a set of pre-authorized containment or response measures on your behalf.
Jason Lawrence, associate director, AT&T Cybersecurity
As the requirements to secure everything expand, it’s critical to identify a service provider that can offer much-needed security services, like a virtual SOC.
When seeking a virtual SOC provider, it’s important to evaluate the following:
- Availability: Does the virtual SOC provide 24/7/365 coverage with an expected uptime of 99.999%?
- Locations: While many virtual SOC providers use cloud-based solutions, the main value proposition of a virtual SOC is its people. Seek a provider with various locations, at least 200 miles apart.
- Analyst support: Every virtual SOC will have operators monitoring the environment, but a dedicated analyst or threat hunter provides a higher level of service to specific needs.
- Platform capabilities: Does the technology used by the virtual SOC support phased onboarding of data sources? One of the main goals of a virtual SOC is rapid deployment and a quick monitoring turnaround. Once there are sufficient log sources sent to the provider, monitoring should begin.
- Threat intelligence alerts: Virtual SOCs have visibility into the adversarial action across their entire customer base, producing actionable intelligence that should be shared with customers.
Virtual SOCs provide many benefits and enhance an organization’s security posture. Therefore, selecting a service provider must complement and improve security and mitigate risks.
Mark Nicholls, CTO, Redscan
When choosing a virtual SOC solution for your business it’s important to choose a provider that will not only detect but also help respond to threats.
To ensure you achieve the best outcomes, evaluate providers based on the following aspects:
Threat visibility: Threat detection increasingly demands extended visibility. Ascertain whether a virtual SOC solution supports network, endpoint and cloud monitoring and if it can unify visibility across these areas to maximise detection accuracy.
Use cases supported: To help evaluate solutions, establish which security risks pose the greatest threat to your organization. Ask providers about the coverage they provide against the threats listed in the MITRE ATT&CK framework and whether custom creation of detection rules is included.
Level of incident response: Many virtual SOC solutions vary in terms of the level of support they offer to help remediate incidents. Prioritise providers that supply high quality incident information and remediation advice as well as automated actions to disrupt threats.
Time to deploy: Some virtual SOC solutions can take months to deploy. Turnkey services are typically much faster to deploy but may not support your existing security toolsets.
Out-of-hours coverage: Cyber-attacks can occur at any time so ensure that your chosen solution provides support 24×7. If you already have a SOC, some providers will be able to augment existing capabilities and workflows.
Joe Partlow, CTO, ReliaQuest
Over the years the approach to outsourcing the SOC has evolved. The traditional MSSP model augmented organizations’ security programs by throwing more bodies at the problem. Unfortunately, this approach doesn’t scale and, worse, doesn’t improve security outcomes. Many vendors address this with a rip-and-replace approach to technology that’s managed by their services team. Relying on a single vendor for detection and response still leaves gaps in defenses.
For customers looking for a virtual SOC, they should focus on three key elements:
- Open XDR technology and capabilities to get more value from their existing tools and provide comprehensive visibility across their security and operations infrastructure.
- Enable new capabilities like threat hunting and breach and attack simulation to move to a proactive security posture that gets ahead of threats.
- Backed by technology-enabled security expertise to augment in-house teams with coverage, new skill sets and community-based protection based on the latest threats hitting other orgs.
The good news is we’re seeing this new approach work. With the right layer of XDR technology we are able to reduce noise and work with customers to focus on the most impactful threats to their organization. Moreover, with less noise and busywork we can evolve cyber security from a reactive to proactive program to minimize the impact of threats, even while the volume of threats increases.
Bruce Potter, CISO, Expel
When you’re searching for a third-party security operations center to partner with your in-house security team, there are two questions to ask right away that’ll immediately let you know if you want to continue talking with that vendor: “Does your team detect the things I care about?” and “Will they investigate alerts in a timely manner?”
If you feel good about the vendor’s responses to those two questions, dig deeper. Find out if they’re willing to use the security tech you already have and if they’ll help you evaluate and procure new tech to fill any detection gaps. You should determine if their detection and response strategy differs among on-prem technology, cloud infrastructure and cloud applications. And make sure you know how their team will engage with you when a bad thing happens … because it will.
Understanding how they’ll contact you, when in the investigation they’ll reach out and what channels they’ll use is essential for setting yourself up for success when there’s an incident you and your virtual SOC need to chase down.
Drew Sanford, Senior Director, Global SOC Operations, ConnectWise
A virtual SOC solution takes on the weight of identifying, training and retraining talent to deliver to you a team ready to watch for the attackers at the gate.
Given the importance of this role, here’s how to identify the key areas to look at in evaluating a virtual SOC:
- You need a SOC team that understands your business and tools. When attacks come in, it is critical to be able to determine what is real and what is a false positive.
- Make sure you have a clear definition of what the SOC will do. It is important to consider where their work stops and yours begins. Who will they alert, and how far into an issue will they go with you?
- Consider if they have an incident support team that can help you when times get difficult. Do they do more than alert you to an attack, by providing experts who can help you walk through some of the most challenging times in your business?
- Attacks come around the clock. Anything less than 24x7x365 is not acceptable for any SOC. You cannot rely on email alerts and people hopefully waking up to protect your business.
Brad Taylor, CEO, Proficio
Since the resources required to run your own 24/7 security operations are scarce and often cost-prohibitive, many IT leaders consider using a virtual SOC or SOC-as-a-Service. The desired outcome – to better protect their organization and minimize business risk through accurate detection and remediation of critical threats.
But how do you find the right SOC partner? Consider the people, processes, and technology.
People
As an extension of your team, it’s critical your partner has the skills and expertise to keep your organization safe. Consider things like:
- SOC locations and availability
- Security team experience and certifications
- Response times and SLAs
Processes
Equally important are the processes in place for your environment. Questions to ask:
- Are they using industry standards, like MITRE ATT&CK framework?
- Do they filter out noise, only sending actionable alerts relevant to your business context?
- Can they automate response, quickly containing credible threats?
Technology
This is the last piece of this security services triad. Look for things like:
- What in-house security products are they employing?
- Can they help maximize your investment in your own security tools?
- Will they improve your overall security posture?
While the primary reason you’re looking to outsource is 24/7 monitoring and alerting, many organizations want a more comprehensive security solution. My best advice – don’t settle, find the SOC partner who truly understands and fits your needs.