Every business owner wants to be as prepared as possible to combat cyber threats. With data breaches happening all the time, it is a vitally important aspect of IT management. However, the level of time, expertise, and potential cost that can be involved is often daunting. Having an expert security team behind you gives you peace of mind, knowing you have people assessing your risk from cyber attackers and helping to reduce it. SOC-As-a-Service may be the most comprehensive solution for this kind of protection.
NetGain sat down with Arctic Wolf Senior Systems Engineer Tim Smoot, who has over 20 years of experience in the IT Security industry, to provide his expertise on SOC-As-a-Service.
What is SOC-As-a-Service?
Probably the easiest way to explain it would be to compare it to something people are aware of in the IT world – a Network Operations Center, or NOC. Most people look at their existing IT department as a NOC – the NOC monitors and maintains systems, makes sure technology is up and running, reacts to outages, things like that.
A Security Operations Center (SOC) is exactly the same thing, but the difference is the SOC is security centric. They still look at logs and monitor things, but from a security standpoint. A SOC is a completely separate task and responsibility set from a NOC.
The other difference between a NOC and a SOC is that a NOC has standard operating procedure actions and reactions, whereas a SOC is much more dynamic. You typically don’t have the same lead-ups to outages, you don’t have indicators that are typical, and end users are not as commonly associated with the impact or recognition of the issue. The people that work in a SOC are typically reviewing multiple pieces of information to determine whether something needs addressing to keep the business secure. The SOC is a dynamic operation that reacts to abnormalities, whereas a NOC is just handling normal operations.
A good analogy would be the NOC is like visiting your primary care doctor for a checkup, and the SOC is like an emergency room.
What are the business benefits of using SOC-As-a-Service?
The biggest business benefit of a SOC is that the SOC is focused on a specific operational aspect – security. When you try to take your existing IT department and convert them into security professionals, they typically don’t have the ability to focus on it, or the research and certifications needed, which prevents them from being as effective in that security space.
SOC-As-a-Service eliminates a couple of really painful aspects of trying to build your own SOC within your organization. The first is personnel – it’s hard to find good security folks. The security industry is growing rapidly and talent is limited, so once you hire someone with the expertise required, it’s hard to keep them. Because security is in such high demand, compensation can be easily negotiated, so there’s usually a short period of time before they look for a new position.
If you sign up for SOC-As-a-Service, that’s no longer your issue. The SOC-As-a-Service organization is responsible for maintaining those staff; they can provide resources to advance in their career and education, and the organization understands the security industry better, so security personnel are more likely to stick with the SOC-As-a-Service organization. And lastly, it really all comes down to money. We like to pretend things move the needle more, but when we talk about it from a cost perspective, the truth is a SOC-As-a-Service Provider is going to be able to provide the same functionality as a 3-5 person SOC you would build in-house. They can provide the same outcome with just the cost of one security professional you would hire as an individual organization. It’s much more cost effective not only from the people side but also from the outcome side.
Why do your clients typically choose to use the solution?
The decision is multifaceted. Without question the biggest reason is cost. If they take the time to do the research, it’s very easy for them to quickly recognize it’s much more cost effective to invest in SOC-As-a-Service.
The second part is speed. What I mean by that is their business is changing dynamically, and different vendors, partners, or customers are requiring different compliance scenarios or security standards. It’s very difficult for an organization to first find, then hire, then train security individuals, and then for those individuals to understand the vertical the organization works in, and how their vendors, suppliers, and customers are changing and what the requirements are. When you hire a SOC-As-a-Service organization they typically bring along with them multiple certifications already, so you as the customer inherit those certifications, and can tell your customers, vendors, etc. that you are SOC II, Type 2 compliant, or HIPAA certified, or FFIEC certified; the list goes on and on. Effectively, using a SOC-As-a-Service organization, you didn’t have to do as much work to provide those kinds of security results and certifications versus if you had done it in-house.
That relates back to cost as well, as before SOC-As-a-Service existed, there would be multiple consultants that would be hired for things like that. So there would be a HIPAA consultant, or CIS consultant, and they can get extremely expensive extremely quickly. And typically it is a time-based retainer, so once they’re done they’re done. If something changes dynamically and you get a new requirement, now you have to bring another consultant back on, and it turns into this ongoing bleed of money. With SOC-As-a-Service, when your situation changes dynamically, they can provide those controls and certifications, and can also guide you if you do have changes that need to be made.
Why do you, yourself, recommend SOC-As-a-Service?
It all comes down to protection. There’s a lot you need to know from a security aspect. All of the security challenges continue to evolve. That is truthfully why I believe SOC-As-a-Service is very relevant and actually more security focused and security capable than folks that build their own internal SOC. A SOC-As-a-Service provider has signed up to be your intelligence with respect to security. So as the security landscape evolves, it’s a SOC-As-a-Service provider’s job to stay relevant to that evolution.
Analogies are king so here’s another one – there are a multitude of drugs on the shelf at a drugstore to solve different issues. If you have an ailment, you could take every one of those, or parse through them individually to see if any work. But at the end of the day, you’re probably better off going to the doctor to have them run tests and use their intelligence to instruct you to go back to the drug store and try this specific treatment, or give you something more targeted and effective. That’s what I believe SOC-As-a-Service is providing – a targeted solution to an actual problem.
If you’re hiring your own SOC, you’re burning through money at an amazing rate, and it does not matter how much you spend or how much time those people have, they still will not have the ability to have the laser focus that SOC-As-a-Service will have for your security as a whole. In your own SOC, your people will become very good at one specific vertical like banking or legal. But that’s not the way hackers work. They may try some things that work for a specific vertical, but they recognize they can put in a little extra work by targeting something not standard. I’m not saying if you hire your own SOC those people aren’t great at what they do, but they won’t have the luxury of coming at it from an outsider perspective like a SOC-As-a-Service provider.
Some people ask me, well Tim, what about NOC engineers? And I’m not knocking those folks, I used to be one! But in a NOC there are very typical standards. Now if you have an engineer who is an expert in VMware, that will change from time to time, but they’re not reinventing the wheel. With security, those standards do not exist. From a security standpoint, you must assume it’s going to be something new, because more often than not the things that get through are the new things. That’s a big differentiation between IT and IT security, and I believe SOC-As-a-Service is one of the best ways to fill that gap and be effective at an actual security posture.
What are examples of competitors?
I’ll keep it general. The differentiation between Arctic Wolf and our competition is the outcomes. Arctic Wolf is going to take the time to do the research, eliminating those false positives, confirming there is a threat, providing remediation steps in an SOP format, so your team can do the remediation, and then we are your security team in addition to all that. If you look at most of the competitors that we’re up against, they don’t focus on the outcomes. They will eliminate some false positives but are still asking the customer to confirm it, they don’t provide specifics when they detect something, they still rely on the customer to confirm what asset is infected and what the remediation steps are, and they certainly don’t have a named security team. They may have a call center you can call in to, but you’re going to have to provide all of your information for them to help you.
Arctic Wolf isn’t going to do that. We do all of the front-end stuff and then provide that backend outcome to the customer. I do want to clarify, I’m not knocking our competitors, they are good at what they do. I’m more interested in helping customers arrive at an informed decision based on the difference between services. It can depend on a customer’s situation. For example, if you have a small in-house SOC but need assistance handling compliance, some of Arctic Wolf’s competitors will hand off 50-70% of the security responsibility back to the internal SOC, and that competitor will probably work out just fine, as your internal folks now have resources to make it through those extra burdens. Conversely, if you only have a NOC but no security investments, or are trying to share security responsibilities with your on-premise IT team, a security organization that puts 50-70% of the responsibility back on you is a bad idea; you just spent money for no reason because you didn’t gain any assistance. That business needs to invest in something like Arctic Wolf that will do an end zone to end zone type approach.
And the named security team that understands the granularity and individuality of each customer, because every customer is different, is important too. Out-of-the-box security solutions are not customized enough. A customer typically needs that granularity that a company like Arctic Wolf provides. If you don’t have customized security, any custom software in your environment that throws up security alerts can cause security alert fatigue. Once you start ignoring that alert, you start ignoring other things. Then the next thing you know you’re ignoring everything. With customized security like at Arctic Wolf, we learn and understand everything about that custom software that would create an alert, build a security fence around it, and then we won’t bother the customer about it unless it does something it isn’t supposed to do. Knowing the granularity of a customer’s business allows us to know what should and should not happen inside an organization’s environment, which gives us a better way of eliminating false positives and doing more informed investigations.
Security isn’t something you want to find a simple solution for, because there is no simple solution. You want a solution that is completely focused on security, that evolves as threats do.
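The "security fence" idea from the answer above (record what a known custom application is supposed to do, suppress alerts that stay inside that profile, and escalate only deviations) as an added Python example; this is not code from the original post or from Arctic Wolf, and the application name, hosts, binaries, destinations and alert records are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AppProfile:
    """What a known custom application is expected to do (the 'fence')."""
    hosts: frozenset         # hosts the app legitimately runs on
    binaries: frozenset      # executables it is expected to launch
    destinations: frozenset  # outbound endpoints it is expected to contact

# Hypothetical baseline for an in-house 'billing-sync' job, constructed for this example.
BASELINES = {
    "billing-sync": AppProfile(
        hosts=frozenset({"app01", "app02"}),
        binaries=frozenset({"billsync.exe", "sqlcmd.exe"}),
        destinations=frozenset({"erp.internal:443", "db01.internal:1433"}),
    ),
}

def classify(alert, baselines=BASELINES):
    """Return ('suppress', reason) if the alert stays inside its app's fence,
    otherwise ('escalate', reason) naming the expectation that was violated."""
    profile = baselines.get(alert.get("app"))
    if profile is None:  # unknown source: never silently suppress
        return "escalate", "no baseline for source %r" % alert.get("app")
    if alert["host"] not in profile.hosts:
        return "escalate", "unexpected host %s" % alert["host"]
    if alert["process"] not in profile.binaries:
        return "escalate", "unexpected binary %s" % alert["process"]
    if alert["dest"] not in profile.destinations:
        return "escalate", "unexpected destination %s" % alert["dest"]
    return "suppress", "matches baseline for %s" % alert["app"]

def triage(alerts, baselines=BASELINES):
    """Split a batch of alerts into (escalate, suppress) lists of (id, reason)."""
    escalate, suppress = [], []
    for a in alerts:
        verdict, reason = classify(a, baselines)
        (escalate if verdict == "escalate" else suppress).append((a["id"], reason))
    return escalate, suppress

# Constructed sample alerts (not real data) in a simplified record format.
SAMPLE_ALERTS = [
    {"id": 1, "app": "billing-sync", "host": "app01", "process": "billsync.exe", "dest": "erp.internal:443"},
    {"id": 2, "app": "billing-sync", "host": "app01", "process": "powershell.exe", "dest": "erp.internal:443"},
    {"id": 3, "app": "billing-sync", "host": "app02", "process": "sqlcmd.exe", "dest": "203.0.113.7:1433"},
    {"id": 4, "app": "billing-sync", "host": "ws17", "process": "billsync.exe", "dest": "erp.internal:443"},
    {"id": 5, "app": "unknown-agent", "host": "app01", "process": "agent.exe", "dest": "erp.internal:443"},
]
```

Only alert 1 matches the fence and is suppressed; the other four are escalated with a reason that tells the analyst which expectation the custom application broke.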
Tech Talk Series: NetGain has a variety of subject matter experts on aspects across the technological spectrum. In our series, Tech Talk, we gain insights from these experts to bring you insight and understanding on topics such as security, IT infrastructure, and more.
Editor’s Note: This post was originally published in 2020 and has since been updated for accuracy and relevance.