
So you want a SOC? (Flavours of providers Part 1/3)

  • Writer: Ashraf Aboukass
  • Jan 31
  • 6 min read

Updated: Feb 8

So you need to find a SOC provider and want to know how to go about evaluating your options? Then it's your lucky day! In this series of blogs I will share my experience of evaluating companies that provide SOC as a service and give you some pointers on what you might want to consider.


In Part 1, we will cover what types of companies offer SOC services

In Part 2, we will cover people, process and technology from a SOC perspective

In Part 3, we will cover the pricing models and the hidden costs to be aware of


Let's start by first stating that a SOC is not an MDR service

A SOC (security operations center) is a comprehensive monitoring service that attempts to use all the security logs and security technology at its disposal to build a complete view of the weaknesses and computer activity in an organisation, in order to detect and respond to cybersecurity threats.


An MDR (managed detection and response) service is a monitoring service that is predominantly focused on threat detection and response using XDR/NDR technology, and it is typically offered by the vendor of the security technology being monitored.

Now, for argument's sake, let's imagine there is no hybrid version, so that we have a clear delineation between the two and an easier discussion. In this blog we will therefore mainly focus on SOC as a service rather than MDR services.


So what are MSSPs then?

Managed security service providers (MSSPs) are companies that provide outsourced cybersecurity services to organisations, and one of those services is SOC. Some are small cybersecurity companies that focus purely on SOC services, while the larger MSSPs offer a full range of services, from implementing and managing security devices to around-the-clock digital forensics and incident response.

Smaller MSSPs are typically privately owned, tend to be founded by a handful of experienced cybersecurity experts, and are backed by investment companies or wealthy individuals.


Pros: What they lack in size, they make up for in agility and price. They run a tight ship with small, multi-skilled teams that are eager to learn. Their people are keen to impress, hoping for the chance to jump over to a customer's team or a larger service provider. They are always happy to help and go the extra mile, so you are likely to get more done for less. They understand the challenges small companies face and have very little red tape. They are also likely to offer the lowest-priced service.


Cons: They usually operate from a single region and may only understand local cultures and norms, so they might struggle with customers outside that region. They have limited budgets and find it hard to attract the best talent, so they will not have the most experienced resources. They are likely to have high staff attrition as people leave for larger companies, which results in a lack of consistency in who you are talking to. Don't expect the polished reports produced by the big firms; expect tactical reporting focused on numbers rather than insights.



The largest MSSPs are typically divisions of large consultancy firms, where managed security is one subset of the services they offer.


Pros: They can attract the best talent and have relatively unlimited training budgets, which results in high-quality analysis of threats. They have experience working with large companies and can support a multitude of technologies. They are multinational and can draw resources from all around the world. Mature processes result in good handovers from one shift to the next. They have access to rich threat intelligence and, thanks to a large customer base, plenty of experience in responding to incidents, so you can expect contextualised and actionable reports.


Cons: Experienced resources may not be open to criticism and might be stuck in their ways. You will be charged extra for anything you request that isn't covered in the contract or, worse still, you will have to wait for the contract to be changed before you get anything extra. Unless you are their largest customer, don't expect white-glove service. And even though they have some of the best talent in the industry, you are unlikely to reach those people when you need them most; the companies are so big that it becomes hard to find the right person.


And then we have Security Vendors

Security vendors mainly offer MDR services rather than SOC services, as the latter are resource intensive. If they do offer SOC services, in nearly all cases they will only be offered on the vendor's own technology stack. Which is a good thing, really; let's be honest, who knows a security product better than its creator? Very few!


Pros: If you are using their products, they should be able to yield the best results.

You won't struggle with configuration or integration. They are at heart a cybersecurity company and should understand the domain very well. Expect excellent troubleshooting support and training. Likely to be a cheaper alternative, especially if an MDR service is procured. Fewer false positives, as they have a tried and tested set of use cases.


Cons: They are technology focused; don't expect high-quality consultancy services. They can't help but be biased and will see everything through the lens of their own product. Since the service is bundled with their own technology, you may end up in a messy divorce if you are no longer happy with the service, as you will need to rip out their technology. Not as flexible as an MSSP when it comes to requests for additional services.

Unless you have a strong requirement for a SOC, you might want to consider buying an MDR service from the security vendor you already use (if they offer one, of course).

An MDR service will give you a reasonably good threat detection and response service without the cost and complexity of running a SOC. Please don't rip out your current stack just because you like the MDR service on offer, but more on that in Part 2.


The table below might help you figure out whether an MDR service is the better fit for you:

Requirement                  | MDR                                                                          | SOC as a Service
-----------------------------|------------------------------------------------------------------------------|------------------------------------------------
Security log consumption     | Only what is needed to run the service; typically enriched logs such as EDR/NDR | Everything that is meaningful
Scope of coverage            | Endpoints and network                                                        | Entire infrastructure and business applications
Service flexibility          | Lower                                                                        | Higher
Automated response           | Higher                                                                       | Lower
Cost                         | Lower                                                                        | Higher
Interaction with customer    | Limited to the cybersecurity team                                            | Potentially any user
Threat hunting               | Regular and focused                                                          | Ad hoc
Use cases                    | Relatively limited                                                           | Most use cases possible
Supports any security stack  | Only theirs                                                                  | Pretty much anything


Regardless of type, does size matter?

The reality is that if you are a large organisation you will want to work with a large cybersecurity company, as they have cash-flow reserves, a large pool of resources, diverse offerings and experience in dealing with large companies.

If you give your business to a small cybersecurity company, you are likely to crush them, which benefits neither you nor them. Your organisation will generate so much noise and administrative load that they will be overwhelmed and unlikely to maintain a quality service. The service will become "experimental" and, at best, best effort.


Likewise, if you are a relatively small organisation on a tight budget, you will want to work with a small cybersecurity company, as they can provide basic monitoring services plus direction, care and attention, all within your budget.

Even from a business perspective, you are both striving for efficiency and trying to grow, so the mindset will be the same. For sure, one of you will outgrow the other, but until that time comes, it's a match made in heaven if you ask me.


One thing is for sure

Regardless of who you choose to work with, you will find that most are compliant with international standards. However, I would advise you to dig a little deeper to find out whether they practise what they preach and have effective controls in place. I would say they are a critical supplier: after all, they have access to all your security logs and internal data, plus privileged access to your systems!


Companies offering SOC services are highly targeted by threat actors due to the amount of information and access they hold on other companies.

So you will definitely want to push them through your third-party risk management process.


What about references?

One often overlooked activity is the reference check. Are you really going to give the keys to your kingdom to a company without speaking to its current customers and finding out what their experience is? Surely you can talk to at least three of their customers? Ideally you would speak to similarly sized companies in the same industry; however, if that's not possible, any customer will do.


Please note that as humans we are never happy, so if any negative feedback is given you need to consider the circumstances and give the benefit of the doubt where it wouldn't be an issue for you as a customer.


Be sure to ignore negative feedback about individuals, as the customer might have a personal issue with them; pay more attention to feedback such as the following:


  • Overall happiness with the service delivered

  • Level of automation achieved

  • Percentage of false positives

  • Quality of communication

  • Level of proactiveness of provider


That's all for now. In Part 2 we will cover people, process and technology, with topics such as:


People: roles and responsibilities, vetting, interviews, etc.

Process: use cases and log sources, handovers and metrics, escalations, etc.

Technology: core capabilities, integration and automation, AI agents, etc.



Hi, I'm Ashraf Aboukass

Living and breathing in the world of cybersecurity to reveal to you the secret sauce that's missing.


The last human blogger

Before ChatGPT, before Google, and before the Internet, learning wasn’t instant. We had to dig through books, think critically, and figure things out the hard way.

If you miss deep, thoughtful insights instead of shallow, copy-paste answers, this blog is for you.


©2025 by Ashraf Aboukass
