Cybersecurity has gravitated away from preventative measures and toward threat detection and response, pulling the security operations center (SOC) deeper into the limelight.
This is primarily in response to a combination of failing perimeter-based security and businesses’ ongoing struggle to detect threats early and respond to them swiftly. According to a report by the Ponemon Institute and IBM, organizations took about six months on average to detect breaches and an additional 66 days to contain the breach post discovery.
The benefit of a SOC is that it puts threat detection and response front and center through a combination of continuous network monitoring and real-time incident response from dedicated security engineers. Given the average time to detection and long remediation cycles associated with today’s breaches, these benefits have the potential to catalyze improved security posture.
Nevertheless, before organizations invest in these capabilities, they need to understand the different types of SOC offerings on the market.
The 5 SOC models
By definition, a SOC is an information security team that manages, monitors and maintains an organization’s security posture. According to Gartner, there are five primary models of SOC:
- Virtual SOC: A decentralized SOC model that relies on a virtual team to manage reactive security measures. This model works well for very small businesses and boutiques that are less risk-averse.
- Multifunction SOC/NOC: A dedicated team of security engineers that has its own facility and infrastructure. They are staffed and resourced to perform additional IT operations, and also manage risk, making them ideal for SMBs with limited risk exposure.
- Co-managed SOC: MSSP vendors provide 24/7 monitoring for medium to large companies that lack core IT and security competency. These offerings are fairly balanced and have potential to be very effective, but also risk the tradeoff of limited control and customization on the organization’s part.
- Self-contained SOC: A self-sustaining, centralized SOC that typically serves multinational organizations and government agencies. It is usually run by an in-house security team that is staffed 24/7, making it one of the least affordable of all SOC models.
- Command SOC: The largest enterprises and defense agencies rely on a command SOC, which is made up of a very large team of security engineers that is seasoned in threat hunting and forensics.
If there is clear drawback present in the construction of these models, it’s the difficulty in acquiring affordable, 24/7 monitoring and incident response backed up by on-demand security expertise.
In response, a sixth, more recent model of SOC has developed in the past few years.
The emergence of SOC-as-a-Service
SOC-as-a-Service, also known as a managed SOC, provides SMBs with a fully staffed team of security engineers that provides 24/7 monitoring (not unlike a co-managed SOC). This team also provides incident response services.
Where SOC-as-a-Service departs from the co-managed model is that it provides the equivalent of an in-house SOC that is dedicated to the total betterment of an organization’s security posture. This means it is vendor-agnostic, and will make security recommendations based on what it perceives to be truly best for the organization.
In other words, a SOC-as-a-Service offering is as close to having an actual in-house SOC as it gets for SMBs. The only real difference is the concierge security experts work off-site in their own dedicated facility. In this way, SOC-as-a-Service is the most sensible selection for SMBs.
A hybrid-friendly model
“SOC-as-a-Service is not limited to any one type of IT infrastructure.”
Additionally, SOC-as-a-Service is not limited to any one type of IT infrastructure. Vendors such as Arctic Wolf Networks, makers of the CyberSOC product, are becoming increasingly accommodating to organizations with hybrid cloud IT deployments. This is primarily in response to market conditions. Around 90 percent of businesses are using cloud resources to some degree, which has drastically increased the rate of hybrid IT adoption. While this has facilitated new business opportunities, it has also made it more difficult for these companies to integrate disparate data flow logs into a single point of truth.
Aware of this issue, SOC-as-a-Service providers have evolved to maintain comprehensive, turnkey threat detection and response services for clients, regardless of their IT infrastructure setup.
Therefore, it’s safe to say that while the largest organizations may benefit from self-contained and command SOCs that are owned and operated in-house, and that the smallest, least risk-averse organizations can get away with a virtual SOC, everyone in between is best-suited for SOC-as-a-Service.
To learn more about the SOC models, click on the banner below.