Security Operations Center as a Service (SOCaaS)

An elite team of experts ready to detect and respond


What is a SOC as a Service? 

SOC as a Service is an offering from a cybersecurity company that typically acts as a customer’s entire security operations center (SOC). Due to extenuating circumstances, like a talent shortage or the fact that a business may be in startup or mid-life mode without the resources to properly secure its network, SOC as a Service (SOCaaS) can act as that organization’s tactical console from which it can track security alerts, defend against cyber attacks, and improve its overall security posture.

According to IDC, organizations can outsource a set of security functionality to a SOC team, including SIEM, vulnerability management, endpoint security, and other detection and response tools. A customer organization can also sign up for the entire menu of services. Because the offering is delivered as a cloud service, operations occur offsite and are hosted in the cloud. A few real-world outcomes that SOCaaS providers look to deliver on behalf of a customer are:

  • Remediate cyber threats on behalf of the customer
  • Enable the customer to determine which services are relevant to them
  • Simplify data ingestion and analysis from the customer’s network
  • Translate processes and outcomes into relatable language that can be leveraged and understood by almost any stakeholder

With this in mind, it’s also important for a business or security organization to conduct a thorough analysis of its current security program, identifying its strengths and weaknesses and practice areas it may not previously have addressed. This will help narrow the focus of the SOCaaS vendor search to criteria unique to the customer.

SOC as a Service (SOCaaS) Benefits 

Perhaps the biggest benefit of engaging a service provider to take on a particular area of security concern is that a customer no longer has to worry about that area. Since SOCaaS encompasses many areas, as mentioned above, let’s take a look at some specific benefits:

Faster detection and remediation 

If a team is slow to react when an anomaly is detected, chances are that competing priorities are pulling personnel in different directions. A SOCaaS provider will dispatch analysts dedicated to responding to cyber threats and vulnerabilities and taking them down or remediating them. For an in-house SOC, rapidly switching context from one situation to another can be a real time sink, whereas a team dedicated to detection, response, and remediation will be able to move much faster.

Access to dedicated security expertise

SOC analysts must cover the gamut of specialties, and respond quickly on behalf of customers. SOCaaS vendors should be able to provide access to analysts who can address endpoint containment, threat hunting, malware analysis and containment, distributed alerting and escalation pathways, and much more. Understanding a SOC’s people, technology, and pathways can aid in the search for a trusted vendor.

Enhanced maturity 

The benefit of an accelerated evolution of a customer’s security program can’t be overstated. A SOC faces a threat, or many threats, every day. Having the budget to address immaturity in a security program is great, but without a strategic in-house talent acquisition plan, it might be a more efficient solution to shift that focus to finding the right SOCaaS partner.

Lower cost than on-premise SOC

Speaking of talent acquisition, building a SOC from the ground up can come with many more costs than engaging a managed services partner. There are the obvious start-up costs of sourcing the right technology and personnel, and there’s also the specter of churn once you have those people and operational processes in place. Around 71% of SOC analysts say they feel burned out at work, especially if those analysts only total around seven in number and have the weight of the company’s security world on their shoulders.

SOC as a Service Roles and Responsibilities

Even in the event a company or small security organization has decided to begin the search for a SOCaaS vendor, it’s still critical to know the roles and responsibilities of the analysts and staff in that SOC. After all, they are the people protecting your environment and your reputation.

SOC Manager 

This person/role oversees the SOC and is responsible for directly managing a security team of several people. The SOC manager role involves developing an overall security strategy for the company – creating a vision for hiring, building processes, and developing the technology stack. This person should be able to provide both technical guidance and managerial oversight.

Security Analyst Tier 1 - Triage

An analyst in the vendor’s SOC will receive an alert and triage it. During that investigation, they’ll determine where in the patch or remediation queue it should fall. For an in-house security organization, alerts can consume a great deal of time, and having a team to manage and automate the triage process can significantly lighten the daily load on those internal teams.

Security Analyst Tier 2 - Incident Responder

This type of analyst typically receives alerts from their Tier 1 counterparts. If an alert lands in this person’s queue, it means it has been determined to be genuine and should be prioritized for response. Deeper investigation of the alert, identifying the systems affected, and crafting a response and/or remediation plan are key responsibilities of this role.

Security Analyst Tier 3 - Threat Hunter

At this stage of the process, the hunt begins. If an incident is determined to be of a more serious nature, a threat hunter will look at how an attacker or threat was able to get past initial security checks. Threat hunting enables security analysts to proactively look across a customer’s network, endpoints, and security technology for threats or attackers that may be lurking as yet undetected.

Security Architect 

An architect is typically responsible for building the security architecture, engineering security systems, and implementing those systems. They should also be able to document the requirements, procedures, and protocols for the architecture and systems they create. Additionally, they’ll weigh in on key regulatory and compliance requirements on behalf of their SOCaaS clients.

Challenges of SOC as a Service

A SOC is the control center of a company’s cybersecurity operations, so some complex operations take place there. Some aspects are automated and others are manual. A customer organization searching for the right partner is about to outsource some – or all – of those operations. Let’s take a look at some challenges of SOCaaS as a business decides to put its digital trust into the hands of an outside team.

Onboarding process

A vulnerable phase will follow any engagement with a SOCaaS provider. That is, the provider must configure its technology stack to work in the new customer’s environment, and the client must ready its network for the deployment of monitoring protocols by the new provider. Testing and implementation of a template for gathering and acting upon insights will follow during the next phase of the ramp-up period.

Enterprise data security

Securing a customer’s network is one thing, but ensuring that data is secure on the SOCaaS provider’s side is another matter entirely. Therefore, it’s critical for a customer to do their research to find a provider whose own defenses are fortified to protect the enterprise data of all of its clients. This essentially becomes a supply chain concern and should be weighed with all the factors that such an approach entails.

Cost of log delivery

Full access and autonomy to a provider’s operations – as concerns a specific customer – can be expensive for that customer. Although the information is technically generated by the customer’s network, the operations and actions the SOCaaS provider takes on it are their own. With that in mind, it’s clear why gaining full access to log data can be pricey for a security organization.

Regulatory considerations

Perhaps one of the most critical considerations is regulatory standards and remaining in compliance when handing over the keys to any part of a security organization’s operations. A large part of staying in compliance is communication and reporting, inside the company and out. Company executives will need continuous reporting to communicate compliance in good standing to certain regulatory bodies. It’s key to know whether the SOCaaS provider handles compliance or if they outsource the practice to a third-party provider.
