8 'SOC-as-a-Service' Offerings
These new cloud services seek to help companies figure out what their traditional SIEM alerts mean, plus how they can prioritize responses and improve their security operations.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltde8c0a49a58de071/64f0d44f717d606764b86f28/Slide1.jpg?width=700&auto=webp&quality=80&disable=upscale)
At the RSA Conference in San Francisco last month, several vendors were on hand touting security operations center (SOC)-as-a-service.
But Anton Chuvakin, distinguished vice president and analyst at Gartner, summarily dismisses the term as vendor hype. He says he was first intrigued when pointed to the websites of several companies that market SOC-as-a-service. So Chuvakin took an informal poll of Gartner security analysts and found each thought SOC-as-a-service was either vendor hype or another way of positioning a managed security service provider (MSSP) or managed detection and response (MDR) services.
"My mini-research here on SOC-as-a-service confirmed what I told you: There is no such well-defined technology or market," Chuvakin says.
Interestingly, the vendors offering SOC-as-a-service make much the same diagnosis: traditional security information and event management (SIEM) systems create too much noise, and companies are left figuring out what all of the alerts mean. The industry, they say, needs to do more to help enterprises understand those alerts, prioritize what to focus on, and build a plan to improve over time.
Christina Richmond, a principal analyst at the Enterprise Strategy Group, says she has seen two types of companies that offer SOC-as-a-service. The first uses a SaaS-based – usually multitenant – approach that focuses on monitoring/alerting in a cloud environment. The second type is a consulting-based company that builds a SOC on behalf of the client and then runs it. But Richmond sees the SaaS-based model as the one that has caught on in the market.
"I do think this is a niche and a 'feature' of the [MSSP] market, but I wouldn't call it a buzzword," Richmond says. "The feature is that it's more hands-off, providing automated detect/alert capabilities."
Most of these vendors have people monitoring security alerts and information, she says. "Will it become a full part of the [managed security services] market? Likely," Richmond says. "Some of the reason that this feature is useful is that it provides a platform for machine learning and algorithmic detection in the cloud environment."
SOC-as-a-service offerings may well become just another element of the managed security services sector in the end, but the concept resonates for many organizations that don't have or can't afford to build their own SOCs. According to recent ESG research, 53% of enterprises report a problematic shortage of cybersecurity skills at their organizations.
Check out these eight companies touting SOC-as-a-service, and let us know what you think in the Comments section.
Jack Danahy, senior vice president of security at Alert Logic, says the company's SOC-as-a-service strategy boils down to three factors: a platform that offers visibility into security events, a strong background in threat intelligence, and the 24x7 security expertise to monitor, triage, and escalate the most relevant threats.
Arctic Wolf Networks focuses its AWN CyberSOC service on a main goal: With all the noise from the various security alerts, companies can't figure out what's really important. Brian NeSmith, CEO and co-founder of Arctic Wolf, says AWN CyberSOC looks to take managed detection and response one step further.
"We built our own technology stack that looks at risk and business dynamics," NeSmith says. "We run an analysis and tell our customers this is what matters and what it would take to fix the issue. We'll give you a prioritized view of what you should fix and what's important, if it's intellectual property or otherwise critical to the company."
Arctic Wolf typically ranks both risk and alerts at four different levels of severity, he adds. As part of the service, the customer's network gets reassessed every 90 days.
Arctic Wolf offers 24x7 security monitoring for both on-premises and cloud environments. These are supported by its Concierge Security team, which acts as a trusted security adviser. The company has SOCs in Waterloo, Ontario, and Provo, Utah.
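To make the prioritization problem described above concrete, the block below is an added example for this article; it is not Arctic Wolf's or any other vendor's code. It takes a constructed batch of SIEM alerts, collapses repeats of the same rule on the same host, and maps each group to one of four severity levels by combining the detection score with an assumed asset-criticality inventory, so that the same brute-force signature ranks higher on a VPN gateway than on a kiosk. The alert records, the inventory, the weight of 15 per criticality step and the level thresholds are all assumptions made for the demonstration.

```python
# Illustrative alert triage: four severity levels weighted by asset criticality.
# Added example for this article, not Arctic Wolf's (or any vendor's) code.
# The sample alerts, asset inventory, weights and thresholds are assumptions.

LEVELS = ("Informational", "Low", "High", "Critical")  # lowest to highest

# Constructed sample of what a SIEM might emit in one hour (not real data).
SAMPLE_ALERTS = [
    {"rule": "Brute-force login", "host": "vpn-gw-01", "score": 70},
    {"rule": "Brute-force login", "host": "vpn-gw-01", "score": 70},
    {"rule": "Brute-force login", "host": "vpn-gw-01", "score": 70},
    {"rule": "Malware signature match", "host": "fileserver-ip", "score": 60},
    {"rule": "Port scan", "host": "kiosk-07", "score": 30},
    {"rule": "Port scan", "host": "kiosk-07", "score": 30},
    {"rule": "Port scan", "host": "kiosk-07", "score": 30},
    {"rule": "Port scan", "host": "kiosk-07", "score": 30},
    {"rule": "Port scan", "host": "kiosk-07", "score": 30},
    {"rule": "Failed login", "host": "workstation-22", "score": 20},
    {"rule": "Outbound to known C2", "host": "workstation-22", "score": 80},
]

# Assumed asset inventory: 3 = holds intellectual property, 0 = throwaway.
ASSET_CRITICALITY = {"fileserver-ip": 3, "vpn-gw-01": 2, "kiosk-07": 0}
CRITICALITY_WEIGHT = 15  # assumed: each criticality step adds this much risk
DEFAULT_CRITICALITY = 1  # hosts missing from the inventory are not ignored


def risk_level(alert, inventory):
    """Map a raw detection score plus asset criticality to one of LEVELS."""
    crit = inventory.get(alert["host"], DEFAULT_CRITICALITY)
    weighted = alert["score"] + CRITICALITY_WEIGHT * crit
    if weighted >= 100:
        return "Critical"
    if weighted >= 75:
        return "High"
    if weighted >= 40:
        return "Low"
    return "Informational"


def prioritize(alerts, inventory):
    """Collapse repeats of the same (rule, host), rate each group, rank highest first."""
    groups = {}
    for a in alerts:
        key = (a["rule"], a["host"])
        g = groups.setdefault(key, {"rule": a["rule"], "host": a["host"], "score": 0, "count": 0})
        g["count"] += 1
        g["score"] = max(g["score"], a["score"])  # keep the strongest detection in the group
    ranked = list(groups.values())
    for g in ranked:
        g["level"] = risk_level(g, inventory)
    # Highest level first; within a level, the noisiest group first.
    ranked.sort(key=lambda g: (LEVELS.index(g["level"]), g["count"]), reverse=True)
    return ranked


def level_counts(ranked):
    """How many distinct issues sit at each level: the number an analyst actually works."""
    counts = {level: 0 for level in LEVELS}
    for g in ranked:
        counts[g["level"]] += 1
    return counts


if __name__ == "__main__":
    ranked = prioritize(SAMPLE_ALERTS, ASSET_CRITICALITY)
    for g in ranked:
        print(f'{g["level"]:<13} x{g["count"]:<2} {g["rule"]} on {g["host"]}')
    print(level_counts(ranked))
```

Run it as a script to see the ranked list: eleven raw alerts become five distinct issues, two of them Critical. The inventory lookup is the point NeSmith makes about risk and business dynamics: severity is not a property of the rule alone but of what it fired on, and an unknown host gets a nonzero default so that gaps in the inventory do not silently suppress alerts.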
BlackStratus offers CyberShark, a cloud-based SOC-as-a-service that CEO Dale Cline says targets midtier managed service providers (MSPs) that want to offer a security service but can't afford an ArcSight or IBM Security.
"In terms of the end users, many companies spend a ridiculous amount of time focusing on cybersecurity events and compliance," Cline says. "During that time, they are not selling one new thing to move the business forward. We look to find ways to help the MSPs work with their customers to reduce costs and prioritize security in a way they can understand."
BlackStratus goes to market through resellers, the vast majority of which run through the distributor Tech Data. Look for it on the Tech Data site as Recon SOC. BlackStratus has 24x7 coverage and runs SOC facilities in the US, UK, and India.
Patrick Linton, chief operating officer of Bolton Labs, says while all the technical points people make about companies being overwhelmed by alerts and needing a SOC-as-a-service are true, it takes experienced people to deliver new security services.
The company recently acquired Pandora Labs and incorporated its proprietary training program into Bolton Labs' own training operation, Bolton Academy. Moving forward, Bolton Academy will deliver training services as well as certification and deployment for the security analysts that staff Bolton Labs' SOC-as-a-service offering.
Bolton Labs runs its SOC in the Philippines and focuses on MSPs looking to make the transition from a network operations center to a SOC.
"The real crisis in security is not having the staffing to get the work done," Linton says. "We are focusing on the people. Our customers tell us that they need people in a model that's realistic and scalable."
Cygilant has a two-phased approach to security, according to Mike Cote, vice president of products and solutions.
In the first phase, a cybersecurity adviser works with the customer from two weeks to 30 days to set things up. From there, the customer and adviser have weekly status meetings during which the adviser shares metrics on network activity.
The second phase revolves around the SOC itself, which monitors the customer's network. Cygilant has 24x7 coverage, with facilities in Boston, Vancouver, and Hyderabad, India.
"The quantity of the alerts has become overwhelming for customers," Cote says. "We help them manage and make some sense of it. Most of our customers are cost-constrained, so for the cost of less than a full-time employee, we give them a SOC capability."
Michael Evans, Expel's chief marketing officer, says the company has made a conscious decision to staff its SOC, at its headquarters in Herndon, Va., as a 24x7, three-shift facility. The company finds it more efficient to have just one SOC to manage in the US, he says, versus having to administer multiple SOCs around the world.
"We were founded about two-and-a-half years ago by former Mandiant/FireEye employees, so we have a good understanding of what works and what doesn't work," Evans says.
Evans points out that most SOC-as-a-service companies will only integrate with one, or maybe two, SIEMs. Expel can integrate with all the leading SIEMs, including IBM QRadar, LogRhythm, Splunk, and Sumo Logic, he says, and if there's a SIEM a customer wants to use, the Expel team will learn and support the product, as well.
"Customers have a challenge in terms of taking all the alert messages and figuring out what's important," Evans says. "We help customers prioritize what they need to focus on and tell them what they need to do to get better at security."
Evans says Expel targets customers with roughly 500 employees and larger, and at least one full-time security person.
Proficio CEO Brad Taylor says his company aims to give its customers insight into the reams of log data that SIEMs produce.
"With SIEMs, there were too many false-positives. The alerts didn't mean anything," Taylor says.
And because customers couldn't make sense of all the log data, they couldn't react fast enough to plug holes, he says. With a traditional SIEM, a work ticket for something simple, such as blocking an IP address, could often take four hours to resolve, he says.
Proficio's fully managed SOC-as-a-service gives its customers insight into the log data, pointing out what the IT team may have missed, what the root cause of the attack was, the attacker's lateral scope, and how to contain and recover from an attack, Taylor explains.
The provider targets larger companies with sales between $500 million and $5 billion. While most of its customers hire Proficio for the service, Taylor says some use the company to supplement an existing SOC. The company offers 24x7 coverage with facilities in the United States, Singapore, and Spain.