Sarah in Operations has had a rough go of things lately. The new email gateway and security monitoring systems are doing a great job at catching threats and alerting her to problems. Except that they’re almost doing their job too well – there are far too many new alerts and tasks for her to keep up with everything! Especially when alerts are triggered at 3 a.m. This is a growing pain many organizations hit when they try to cover their expanding infrastructure – and it’s a growing pain that might be relieved by SOC as a Service.
Bonus: In addition to providing Sarah some much-needed help, using Security Operations Center (SOC) as a Service will also reduce her company’s cybersecurity risk!
What is a Security Operations Center (SOC)?
A Security Operations Center (SOC) is a unit that is responsible for continuous monitoring of an organization’s cybersecurity posture. A SOC unit is composed of a security team, a strong set of processes and technological security solutions. Various technological security solutions are implemented throughout an organization’s environment to monitor and detect potential security issues. These solutions’ findings are continuously funneled to the organization’s SOC unit, where the security team uses them and a set of processes to quickly detect, analyze, and respond to any cybersecurity incidents.
The key benefit of a SOC is real-time response. If Sarah in Operations is the only person on her organization’s cyber response team, there will be significant portions of the day (and night) when she can’t respond to alerts. Sarah needs to sleep!
SOCs have a 24/7 centralized real-time view of a company’s entire environment, which allows the SOC to provide fast response times to any potential security events.
According to the Cost of a Data Breach Report 2021, it took an average of 287 days for an organization to identify and contain a data breach. That is a nine and a half month average before the breaches were contained. A quick response time to any detected security breaches can greatly reduce the cost of the incident, or may even catch the incident quickly enough to stop it before real damage is done.
So why doesn’t every company have a SOC?
They aren’t cheap.
Between the hardware, software, staffing for 24/7 coverage, and training, organizations are spending an average of $2.86 million per year on their in-house SOC unit. While this is a pretty high spend, the average cost of a data breach is twice that. So relatively speaking, setting up a SOC is likely more than worth the investment.
However, many large organizations don’t have the resources to build this level of infrastructure, much less small and medium-sized businesses. So what can an organization do to give Sarah in Operations a break if they don’t have the funds for an in-house SOC?
Use a SOC as a Service!
The -as-a-Service concept is becoming increasingly popular across the technological landscape. -as-a-Service is the concept of outsourcing or subscribing to a service as opposed to running it in-house. Many are already familiar with software (SaaS), infrastructure (IaaS), and platform (PaaS) -as-a-Service solutions, so why not a SOC as a Service (SOCaaS)?
How does SOC as a Service work?
SOCaaS outsources the technology, people, and processes required to run a SOC unit and delivers them to organizations as a cloud service subscription. This provides companies with a fully implemented SOC solution that is simple to manage. And by providing one service to a multitude of smaller organizations, SOCaaS vendors can offer the SOC at a fraction of the cost of a traditional in-house SOC unit.
What sort of companies would benefit from using SOCaaS?
Typically, medium-to-large organizations can benefit from using SOCaaS. Small-to-midsize businesses generally have a small enough environment for Sarah in Operations to manage everything in-house without the help of a SOC.
Larger companies with more employees and larger environments necessitate more widespread and robust technological security monitoring solutions, as well as more people to manage them.
In general, if your in-house security team is to the point of needing a Security Information and Event Management (SIEM) solution to help manage security tools and services, then your organization could probably benefit from using a SOCaaS. You might feel some level of pain as your relatively small team tasked with security monitoring can’t keep up with the requests. Alternatively, your small team might feel that they have an appropriate level of work but be missing all sorts of alerts that actually need extra attention!
That is not to say that small businesses shouldn’t have a scaled-down version of a SOC! Small businesses should definitely have a strong set of security processes in place, but their smaller environments require fewer resources to manage, making the associated costs of managing security in-house more economical. Without a complex network, Sarah in Operations might be all an organization needs for successful coverage.
Which SOCaaS company do you use?
There are many SOCaaS providers with many different options and (as is a common phrase here at Fractional CISO) there is no one-size-fits-all solution.
The most important thing to determine is what level of services you require. This will help drive your SOCaaS purchasing decision.
For example, some larger corporations may already have robust technological security tools and services in place, but lack the manpower to manage them effectively. Such a company would want to find a SOCaaS that supports its existing security tools and fills the gap by providing a 24/7 security team. Other companies may need only basic network monitoring, while others may be in a high-target industry and need a complete threat detection and threat hunting team.
While they can all benefit from a SOCaaS, their requirements are vastly different.
One thing all organizations should do before selecting a SOCaaS solution, regardless of their requirements, is perform a proper vendor evaluation. An organization handing over its security to a vendor with sub-par security practices would be extremely counterproductive. If you aren’t confident in vetting your vendors, check out our article on vendor risk management programs.
The bottom line on SOC as a Service
All organizations will benefit from security monitoring. While small organizations can likely handle this in-house, medium and large businesses have complex environments that need the resources of a SOC to manage them.
If your organization needs this help, but doesn’t have the funds for an in-house SOC, then SOC as a Service is likely for you! It’s time to give Sarah in Operations some help!