A Security Operations Center (SOC) is a facility staffed by a team of certified security experts who are responsible for preventing, monitoring, detecting, investigating, and responding to cyber threats against an organization.
When selecting a SOC solution for your business, it’s important to choose a partner who is qualified to support the needs of your organization. Here are five questions to ask when evaluating a potential SOC solution.
- Is this a cost-effective solution for my business? Most organizations budget for about three full-time employees dedicated to security. Keep in mind that three people cannot cover nights, weekends, and holidays, which is when attackers often choose to strike. Staffing a 24/7/365 security operation typically takes six to seven full-time analysts, plus tools, hardware, software, and continued training. The cost of maintaining that staff is more than double what most organizations allot for security headcount. A SOC delivered as a service provides the most value for your organization because it comes with the expert team, tooling, and continuous coverage at a fraction of the cost of building and employing your own.
- What should I expect from this service? A SOC provider should be an extension of your team. Once you have onboarded the SOC solution, little day-to-day effort should be needed from your staff. The provider should not just respond to active threats; it should be proactive in reducing your exposure to them. Your SOC should be utilizing endpoint detection and response (EDR), extended detection and response (XDR), and other proactive tooling, and should stay current on the latest threat intelligence. A Security Information and Event Management (SIEM) platform should be included with the SOC service and integrated with the rest of the provider's tooling, since the SIEM is where the logs from your environment are collected, correlated, and alerted on.
- How does a SOC price their service? There are two typical ways to price a SOC. Most SOC pricing is node-based: a node is anything that sends logs to the SIEM, such as a firewall, server, or PC, and the more nodes you have, the higher the price. The alternative is ingest-based pricing, where you are charged by the volume of data sent into the SIEM (typically per gigabyte per day). Under ingest-based pricing your bill can rise sharply if a few chatty sources (firewalls and domain controllers are common culprits) generate far more log data than expected, whereas node-based pricing stays flat regardless of how much each node sends. Ask the provider for an estimate of your expected ingest volume so you can compare the two models against your actual environment.
- Where is the SOC located? Your SOC should be US-based. A large share of attacks originate from foreign nation states, and with the escalation of supply chain attacks we are seeing, you do not want a provider outside the US holding your logs, credentials, and network visibility. Additionally, if you are a federal contractor, many contracts (for example, those involving controlled unclassified information or export-controlled data) require that your SOC be located on US soil and operated by US citizens, so confirm the provider can meet the requirements of your specific contracts.
- What types of tools does a SOC use? The SOC should be well versed in Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Managed Detection and Response (MDR), Vulnerability Management and Patch Management, and Penetration Testing. All of these tools and services are success factors of a fully functioning SOC, and a provider that cannot explain how each one fits into its detection and response workflow should be treated with caution.