How to assess SOC-as-a-service benefits and challenges
While in-house SOCs are costly and complex to build and maintain, SOC as a service provides a more affordable, cloud-based alternative. Explore benefits and challenges.
Security operations center as a service is a cloud-delivered, subscription-based offering that lets an enterprise outsource cybersecurity functions to a third-party vendor.
While individual SOCaaS offerings vary, they can include any function an on-premises SOC traditionally handles, such as network monitoring, threat detection, threat intelligence, incident response and vulnerability assessments.
Organizations considering SOCaaS, in lieu of an in-house SOC, should understand its key features, benefits and challenges.
What is SOC as a service?
In the SOC-as-a-service model, a third-party provider delivers SOC functionality to its customers via the cloud. The core purpose of the SOC -- whether in-house or outsourced -- is to act as a centralized hub from which analysts provide 24/7 security monitoring and prevent, detect, identify, prioritize and respond to cyberthreats.
The SOC team gathers real-time data from cybersecurity systems across the IT ecosystem, including those that secure identities, data, endpoints, networks, applications, servers, data centers and cloud environments. This usually involves collecting, managing and analyzing log data and alerts from systems such as firewalls, cloud access security brokers, identity management systems and endpoint protection platforms.
To aid in these objectives, a SOC-as-a-service offering might rely on tools such as a security information and event management (SIEM) system or an extended detection and response (XDR) system, either its own or the enterprise customer's. The SOC could also deploy security orchestration, automation and response (SOAR) tooling to standardize and accelerate responses to unfolding security events.
SOCaaS vs. MDR
Some providers offer solely XDR-based services or managed detection and response (MDR) -- in effect SOCaaS-lite. Full SOCaaS offerings have more extensive features and capabilities.
Key SOC-as-a-service features
Any SOC-as-a-service offering should provide its customers the following key features:
- A dashboard view of the current state of the environment.
- Performance against any key security metrics defined in the contract.
- The status of any security events in progress.
- Access to reporting on both security events and historical performance data.
In addition, the SOCaaS offering should define clear handoffs between the provider's own staff, processes and systems and the customer's, based on their clearly defined roles and responsibilities.
The SOCaaS provider should also have a well-defined process for flagging any problems its SOC analysts see in the customer environment that they do not have access to fix.
For those problems it sees and can respond to, the provider should have clearly defined and consistent procedures for engaging the customer's own change management process to resolve them.
SOC-as-a-service benefits
The key benefits of SOCaaS are similar to those of many outsourcing arrangements and reflect the general reasons enterprises adopt the cloud model. They include the following:
- Lower costs. The SOCaaS model gives CISOs the opportunity to shift SOC costs to nonstaff operating budgets.
Additionally, it is sometimes more cost-effective to subscribe to a full SOCaaS offering than it is to maintain a SOC of similar capabilities in-house. The costs of staffing a 24/7 SOC are considerable, as is the burden of hiring, retaining, training, certifying and managing those professionals. Moving to the SOCaaS model shifts all that to the outsourcer and provides more predictable Opex.
- Scalability. SOC-as-a-service subscribers can often choose to scale resources up or down as their needs evolve. This is typically vastly easier and more cost-effective than scaling in-house security infrastructure.
- Access to advanced security technologies and expertise. SOCaaS may give organizations more affordable access to sophisticated new services and tools, such as AI-driven SOC technology, along with relevant expertise.
Deploying new tech is also typically far more efficient for SOCaaS users. It could, for example, take many months to choose and deploy an XDR system in an in-house SOC, while SOCaaS with XDR capabilities can be brought online in a fraction of the time.
- More effective use of in-house security expertise. By outsourcing the most repetitive SOC tasks, such as processing security alerts and ruling out false positives, organizations can free up their in-house security experts for other activities.
The less day-to-day operational work an organization's security analysts engage in, the more time they have for high-level strategic pursuits, such as hardening the overall security posture, accelerating the retirement of dated systems and implementing proper identity-centric, zero-trust architecture. Security teams that focus on these kinds of initiatives are also at a lower risk of alert fatigue and burnout.
- Faster detection and response. With an effective SOC-as-a-service offering, an organization may see faster detection of security incidents, better response times and fewer serious cyberattacks.
SOC-as-a-service challenges
As with any outsourcing arrangement, potential challenges could ultimately offset potential benefits. Organizations considering SOCaaS should stay alert to the following possible downsides:
- Cost concerns. Depending on the service contract and how much it was previously spending on its SOC, an enterprise could theoretically see security costs increase.
In that case, instead of redeploying its existing in-house security specialists to other, more strategy-oriented cybersecurity roles, the organization might have to let staff go to maximize savings or offset higher costs.
- Provider-dependent technical capabilities. Instead of providing a steady flow of state-of-the-art technologies, the SOC-as-a-service provider might slow-roll new capabilities to reduce its own costs.
- Provider fit. The search for a provider willing and able to accommodate a company's unique requirements can be challenging. It can be difficult, for example, to find one with sufficient expertise in a particular industry -- manufacturing, say, or logistics -- and one that understands an organization's specific potential threats and regulatory compliance requirements.
- Process integration. In some cases, organizations could encounter frustrations in integrating their technical and workflow processes with SOCaaS providers', especially if handoff procedures and responsibilities between third-party teams and in-house teams are not well defined.
How to decide: In-house SOC vs. SOC as a service
A SOC used to be something only the largest companies considered. Today, however, as digital transformation continues and the threat landscape worsens, the SOC is becoming a necessity for organizations of diverse sizes.
Each organization should choose its SOC model based on a variety of considerations, starting with cost and the overall cost structure strategy. If the organization as a whole is prone to outsourcing, then outsourcing the SOC may be a natural option. If the organization can't afford an in-house SOC, then outsourcing managed SOC services is the only option -- and a complete SOC as a service may even prove unaffordable. In that case, the company should consider SOCaaS-lite options, such as the various types of MDR offerings.
Another crucial consideration is effectiveness. Nemertes research has found a good metric for judging overall security success is the time it takes a company to contain a compromise, or mean time to contain (MTTC).
Over the years, Nemertes has also found that, for smaller companies, the challenges of developing a solid SOC internally -- especially from a staffing perspective -- are so great that outsourcing is generally more successful for minimizing MTTC. For large companies, however, a DIY, in-house SOC is usually more effective.
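As an added illustration (not from the article or Nemertes), the following Python computes MTTC from a constructed set of incident records, overall and per severity, so a customer can check a provider's reported figure against the contract; the record layout and field names are assumptions, and incidents that are still open are counted separately rather than silently dropped.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incidents (not real data): detection time and, if contained,
# the time containment was confirmed. A None "contained" value means still open.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "detected": "2024-03-01T08:00:00", "contained": "2024-03-01T10:30:00"},
    {"id": "INC-2", "severity": "low", "detected": "2024-03-02T14:00:00", "contained": "2024-03-02T14:45:00"},
    {"id": "INC-3", "severity": "high", "detected": "2024-03-03T22:00:00", "contained": "2024-03-04T04:00:00"},
    {"id": "INC-4", "severity": "medium", "detected": "2024-03-05T09:00:00", "contained": None},
]


def time_to_contain_hours(incident):
    """Hours from detection to containment, or None if the incident is still open."""
    if incident["contained"] is None:
        return None
    delta = datetime.fromisoformat(incident["contained"]) - datetime.fromisoformat(incident["detected"])
    return delta.total_seconds() / 3600


def mttc_report(incidents):
    """Mean time to contain (hours), overall and per severity.

    Open incidents are excluded from the mean but reported as a count, so a
    provider cannot improve the metric simply by leaving incidents unclosed.
    """
    closed_by_severity = {}
    open_count = 0
    for inc in incidents:
        ttc = time_to_contain_hours(inc)
        if ttc is None:
            open_count += 1
            continue
        closed_by_severity.setdefault(inc["severity"], []).append(ttc)
    all_values = [v for values in closed_by_severity.values() for v in values]
    return {
        "overall_mttc_hours": round(mean(all_values), 2) if all_values else None,
        "per_severity": {sev: round(mean(vals), 2) for sev, vals in sorted(closed_by_severity.items())},
        "contained": len(all_values),
        "open": open_count,
    }


if __name__ == "__main__":
    print(mttc_report(INCIDENTS))
```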
A full evaluation must weigh a variety of additional factors, some of them specific to individual organizations. At a minimum, consider the following:
- Availability of providers working in the geographic regions where the company operates.
- Availability of providers with expertise in relevant industries.
- Availability of providers with experience complying with relevant legislation, such as HIPAA and GDPR.
- A provider's willingness to commit to favorable staffing requirements -- e.g., minimum experience levels for staff assigned to the organization's account.
- A provider's commitment to maintaining specific certifications.
John Burke is CTO and principal research analyst with Nemertes Research. With nearly two decades of technology experience, he has worked at all levels of IT, including end-user support specialist, programmer, system administrator, database specialist, network administrator, network architect and systems architect. His focus areas include AI, cloud, networking, infrastructure, automation and cybersecurity.
Alissa Irei is senior site editor of TechTarget Security.