How to evaluate SOC-as-a-service providers

Not every organization that needs a security operations center can afford to equip and staff one. A number of providers provide SOC as a service. Here's what you need to know about them.

If you don’t currently have your own security operations center (SOC), you are probably thinking of ways you can obtain one without building it from scratch. The on-premises version can be pricey, more so once you factor in the staffing costs to man it 24/7. In the past few years, managed security service providers (MSSPs) have come up with cloud-based SOCs that they use to monitor your networks and computing infrastructure and provide a wide range of services such as patching and malware remediation. Let’s look at how this SOC-as-a-service (SOCaaS) industry has grown up, what they offer and how to pick the right supplier for your particular needs.

What is SOC as a service?

The definition of SOCaaS is fluid and can range from service providers that offer basic 24/7 network monitoring up to full-blown threat detection and mitigation. This means that each vendor has their own collection of services that they may label as a SOCaaS or as a traditional MSSP. Getting to the bottom of this will consume a lot of time, unfortunately. Some of this is just inconsistent definitions of each acronym, some is a matter of perception, some boils to down to product and service offerings, and some has to do with the origin of the provider.

Part of the problem is that each SOCaaS vendor comes from businesses that were created to focus on different security specializations. Some start out as managed security event purveyors (AlertLogic), others as managed detection vendors (Network Technology Partners) or managed endpoint security vendors (Symantec and Trustwave). Some have developed their own SOC-type consoles to manage their own products and then have made them more general utilities that can connect to a wider range of tools. Some came from the services divisions of the larger computer makers (IBM, Dell and HP).

Others start out running their own managed network operations centers (NOCs) and then branched out into security (AccountabilIT). What is the difference between a managed NOC and a managed SOC? The former is mostly concerned with keeping the packets flowing through the pipes. The latter is mostly all about making sure you are using the right packets and the right pipes. The tool sets are also completely different: network latency vs. processes that suck up CPUs. The key point is what actual services they provide, what do they monitor and how their stuff will interact with your existing servers and network infrastructure.

The goal here is to have equipment that will alert you when you have suffered a breach or data leak or some other security incident, so that you don’t have to build your own SOC or have to hire experienced staff to run any of your protective security equipment. Ideally, the vendor should be able to identify an incident in a timely fashion (subject to their service level agreements) and make the needed corrections to neutralize the threat.

Gartner’s February 2018 report on managed security services includes for SOCaaS things like security event monitoring, network-layer threat monitoring and detection, log analysis, vulnerability scanning and incident response — all of which are delivered as managed services from a central SOC-type entity. That is the minimum, which already is a big collection of tools to handle. That report listed 17 global providers, including the likes of AT&T/AlienVault, BT, Century Link and NTT. All of these got their start as telecoms, which tells you that these are the folks that understand best how to keep the world’s largest network infrastructures up and running 24x7x365.

If you operate a global business with staff and servers on multiple continents, then these latter folks you probably already know about. If you have a small business that isn’t as widespread, you may want to consider one of the dozen or so vendors that are specializing in SOCaaS, such as ArcticWolf, RadarServices or DigitalHands.

How to evaluate SOC as a service

Perhaps the most frustrating part of a SOCaaS evaluation is in figuring out what (and how much) you will eventually be paying for. Given the nature of cloud services, the pricing models are complex to begin with, but get downright obscure in this market sector.

AlertLogic is one of the few vendors that actually has a meaningful and public pricing page, showing three different pricing tiers that range from $550 to $4,500 a month. Unfortunately, almost no one else is as forthcoming, and I had to pry this information out of many of its competitors.

Network Technology Partners and AccountabilIT both start out at the low end (respectively, $1,500 per month and $1,600 per month for their most basic services) and go higher when a customer adds more monitored assets and as network traffic volumes increase. For the most part, the other vendors are somewhere between coy and downright paranoid about revealing their prices. One told me “our pricing is a very sensitive subject.” Many will only provide prices to potential customers willing to sign agreements not to disclose them. Clearly, there is a need for more transparency here.

soc as a service vendor comparison table CSO / IDG

These are the only SOCaaS vendors that would provide information on pricing

Part of the problem is that you may not know how many servers, endpoints or apps you will be protecting, monitoring, or otherwise placing under the purview of the SOCaaS vendor. Many companies start off small with proof-of-concepts with a few endpoints to see how the program works and what traffic is captured by the SOC before expanding to a wider deployment. 

Next, how important is geographic distribution for your actual SOC location? Some vendors focus on a single SOC. Others place them in different continents to follow the sun or take advantage of better internet connectivity. Network Technology Partners has a second SOC that is located a few hours away from its main office in St. Louis because they could acquire staff with the needed skills more readily in that location. Bolton Labs focuses on the Asian market, which is why two of its three SOCs are located there.

What is the vendor’s secret sauce? Given the various origin stories of each vendor, it helps to understand what proprietary technology they use to monitor, remediate and alert you when you have suffered an outage or a breach. Some knit together a series of open-source tools but have written a proprietary dashboard that you can use to see their performance and security posture. Others have written their own packages for threat hunting or other tasks. AccountabillIT is a reseller of AlienVault’s technology, which is another model.

Questions to ask a SOC-as-a-service provider

As you put together your RFP or questionnaires, here are a few pertinent questions to ask.

  1. How does what is offered differ from a purely monitored services approach? The answer should help you understand nuances from the vendor and how it differentiates itself. AlertLogic began with an SIEM and then added other protective technologies based on its own global telemetry and threat monitoring programs. You may wish to start with a pure MSSP and see what you experience before deciding on whether to go full-bore into a SOCaaS.
  2. How many legacy SIEMs and service desk systems are supported? Some vendors want you to switch to their own in-house solution. Others (like offer wider support for your legacy systems on both technologies, while some (like Network Technology Partners) have their own API set that either you or they have to write programs to take advantage of.
  3. What agents and servers do customers need to install on their premises? Most vendors have two items that they require to monitor your infrastructure: agents and a custom server that collects traffic and runs the vendor’s proprietary apps. Some require multiple agents for particular tasks, such as one for pure monitoring and another for remediation.
  4. How often does a vendor reassess/scan your infrastructure? Monitoring varies between continuous to quarterly scans, and it can differ for your cloud versus on-premises equipment.
  5. How will you produce compliance audits? Some vendors include audits as part of their price, some charge extra, and some refer you to a third party so that you can get a completely independent view of what they are doing. Others such as Bolton Labs don’t offer any compliance services at all. There are good reasons for each approach, just make sure you know what you are paying for.
  6. Does the vendor have a reseller or direct sales model? Some have well-developed partner networks. Others use large distributors like Ingram Micro for their reach, while some want to deal with you directly. Some SOCaaS providers also resell their services to other MSSPs, which is an interesting business model. Make sure you are comfortable with whichever approach you use.
  7. What is the target size of their customers? Some vendors are more focused on mid-market or even smaller businesses. Others can grow and scale up to very large networks across many continents. Again, find out what their sweet spot is and know when you might outgrow it.
  8. Who is staffing their SOC? You’ll want to know what kind of training, certifications and other skill levels the people who are watching your network have. People oftentimes matter more than the actual equipment. After all, that is why you are hiring a SOCaaS anyway: so you don’t have to have your own staff.