Dismissed by some as a “marketing term”, security operations centre as a service (SOCaaS) is gaining traction and emerging as a discrete market because it addresses some key challenges facing most organisations, while also meeting other security and financial objectives.
What is SOCaaS?
Essentially, the term SOCaaS refers to a type of managed security service (MSS) that is cloud-based, built on a multi-tenant software-as-a-service (SaaS) platform, and goes beyond the MSS offerings of traditional managed security service providers (MSSPs).
Like MSS, SOCaaS includes all the monitoring and management of intrusion detection systems, firewalls, antivirus and antispam systems, virtual private networks (VPNs), endpoint protection (EPP), and endpoint detection and response (EDR). However, SOCaaS also provides:
- Access to a team of analysts to resolve every alert, identify and analyse indicators of compromise (IoCs), and analyse and respond to attacks to minimise the impact of security incidents.
- Assistance in optimising an organisation’s protection, detection and response capabilities through continual assessment and reporting, including guidance on security strategies and policies.
SOCaaS, therefore, includes services that typically make up managed detection and response (MDR) solutions and can be considered as an evolution of both MSS and MDR.
Although the term SOCaaS tends to be favoured by newer service providers, older organisations tend to offer services that meet the definition of SOCaaS as part of their MDR offerings. It is therefore important for user organisations to focus on the benefits of services that meet the SOCaaS definition rather than worry about whether those services are called SOCaaS or not.
With increasing demand for a comprehensive detection and response capability that is cloud-based and includes monitoring and analysis, the SOCaaS term is gaining currency in Europe and is likely to emerge as the dominant term to distinguish these services from standard MDR and other more generic managed security services.
Why is SOCaaS necessary?
The drive towards digital transformation and cloud services to improve efficiencies, increase agility and cut costs has rapidly and vastly expanded the attack surface of most organisations.
Cyber attackers have taken advantage of these trends as workforces become increasingly mobile and remote, accessing applications, systems, services and data both on-premise and in the cloud from outside the corporate network. The rapid increase in the number of people working from home through the Covid pandemic has accelerated this trend and compounded the risk.
In an effort to secure sensitive data to comply with a growing raft of data protection regulations around the world, and to protect intellectual property and other commercially sensitive information, most organisations have invested heavily in security monitoring tools on-premise and in the cloud.
For many organisations, however, this has resulted in an avalanche of security alerts being generated on a daily basis. For most of these organisations, especially small and medium-sized enterprises (SMEs), it is difficult or impossible to investigate and analyse every alert.
The emergence and adoption of SOCaaS has been driven by a combination of:
- The inability of most organisations to deal with security alert overload.
- The desire to get more value out of existing security investments.
- The need to expand security monitoring to include cloud, operational technology (OT) and internet of things (IoT) devices.
- The desire to achieve continual improvement by measuring the effectiveness of current security investments.
In addition, SOCaaS solutions provide the means of demonstrating to auditors a concerted effort to cover all cyber security risks and enable a comprehensive and standardised threat detection and response capability.
Another key driver has been the shortage of cyber security skills affecting organisations of all sizes. SOCaaS provides a way of tapping into the benefits of a security operations centre (SOC) or additional SOC resources without the challenge of finding and retaining people with the necessary skills. SOCaaS also provides a way of scaling up capacity quickly and at a much lower cost than maintaining additional capacity in-house.
What are the benefits of SOCaaS?
In the face of an increasingly challenging and rapidly changing business, IT and cyber threat environment, there is growing demand for SOCaaS as most organisations see the value of the benefits on offer, which include:
- Uninterrupted and comprehensive centralised monitoring and analysis of enterprise systems for suspicious activity at a fixed and predictable monthly or annual cost.
- Improved incident response times and practices.
- Faster detection of security events, such as compromises, and containment of threats.
- Resolution of all alerts to get maximum value out of existing systems.
- Reduced cost and business impact of security incidents.
While MSSPs provide a wide range of services, they tend to generate too many alerts that need to be investigated. They also tend to lack advanced threat detection and remediation skills, require fixed and long-term contracts, and require a specific technology stack.
MDR providers, on the other hand, can provide round-the-clock monitoring and address the skills gap, but a narrow reliance on endpoint telemetry results in a high rate of false positives. MDR providers also typically require a specific technology stack, provide limited visibility and do not include remediation.
For many organisations, especially SMEs, SOCaaS is the only way to:
- Consolidate all security threats, tools and systems into a single point of control to address and resolve all alerts.
- Monitor and respond to all indicators of potential compromise by analysing all security data.
- Evaluate the effectiveness of existing controls to identify how they can be improved.
- Get additional value from existing security investments.
Taken together, these four factors are what distinguish the SOCaaS market from standard MSP or MSSP offerings, which typically:
- Do not all cover cloud environments.
- Are not all built on cloud-based SaaS platforms.
- Do not provide any analysis or guidance on developing a more effective security posture.
What size of organisation benefits from SOCaaS?
Although the requirements of user organisations vary widely according to size and industry sector, SOCaaS has something to offer all of them.
While micro and small businesses tend to need SOCaaS to fulfil all SOC functions, large enterprises tend to use SOCaaS analyst teams to supplement internal teams, while medium-sized organisations typically fall somewhere in between these extremes.
As a result, most SOCaaS providers typically specialise in one or two of these sub-segments, with very few catering equally to all market segments. The trend of specialising to serve the needs of a particular market sub-segment is expected to continue.
SOCaaS suppliers focusing on SMEs will hone offerings to provide insights and guidance to enable organisations to co-manage their security with external SOC teams, for example, while suppliers focusing on medium, large and very large enterprises will expand their capabilities around risk, edge security, and OT and IoT security.
Recommendations
While SOCaaS has emerged as a discrete market, and no organisation can say it has no need for a centralised, coordinated view of its security posture and the ability to respond to threats and incidents, not all services provide all things to all organisations.
It is therefore important that each organisation:
- Recognises the importance and benefit of consolidating all security threats, tools and systems into a single point of control to address and resolve all alerts, to monitor and respond to all IoCs, and to evaluate the effectiveness of existing controls.
- Develops a thorough understanding of its current and future cyber security monitoring and response requirements from an MSSP.
- Recognises that some SOCaaS offerings are better suited to organisations of a particular size and industry sector, with some offering specialised support for regulated industries.
- Identifies which service providers best meet those needs, regardless of whether the service is called SOCaaS or not.
SOCaaS offerings as defined above meet important challenges facing most organisations in the digital and post-Covid era. They provide benefits to organisations of all sizes and types, and therefore deserve consideration as part of any cyber security strategy.