As cyber threats continue to impact businesses of all sizes, the need for round-the-clock security monitoring also grows. Being able to detect and respond to threats quickly is essential for preventing attacks and mitigating losses if a breach does occur. Establishing a Security Operations Center (SOC) is an effective way to ensure a team of experts is proactively monitoring your environment. But building and maintaining a 24/7/365 SOC in-house is a difficult and expensive task. As a result, many organizations are tapping into their security partners for SOC-as-a-service capabilities. SOC-as-a-service allows an organization to get the same benefits without having to build and maintain their own SOC team. However, not all SOC providers are created equal. Selecting the right provider is essential to developing a successful SOC partnership that keeps your organization secure from threats.
Here are 12 essential questions to consider when selecting a SOC partner.
1. Do they understand your requirements?
Security is not one-size-fits all. Your SOC partner should be able to understand your operating conditions, security maturity, and organizational priorities to develop a solution that addresses your specific security challenges.
Before evaluating providers, align internally on what your biggest concerns are, where you need the most help, and what you are looking for from a SOC provider. Knowing the answers to those questions will help you better understand how a provider’s offering matches up with your needs.
2. Do they have demonstrated and verifiable expertise?
During your evaluation process, it is important to find out if your provider has experience in your industry and with the security technologies you are working with today. If your industry has any unique compliance requirements, or disproportionately experiences certain types of attacks, having a provider who is familiar with those things will go a long way.
Referencing analyst reports, for example Forrester Wave or Gartner Magic Quadrant, can help provide third party validation. You should also ask to speak with a current client with a similar organizational profile, so you can verify that the provider can meet your needs. Also, during the evaluation process you should seek more information about their SOC analysts who would be working with you:
- How much experience do their analysts have?
- How do they keep their SOC staffed with knowledgeable analysts?
- Can you speak with analysts during the sales process?
These analysts will be the first line of defense for your business, so it is important to know you can trust and rely on them.
3. What resources will be supporting your account?
Your team will likely be interacting with your SOC provider on a regular basis, so you should understand what that relationship will look like. Some providers may bring their ‘A team’ to the sales calls, but use their ‘B team’ to deliver the service. Ask questions to better understand what the account management structure looks like. For example:
- Do I have named resources, like a technical account manager or an executive sponsor, who I can contact directly?
- If I experience a problem, who do I speak to and what escalation paths exist to make sure it gets resolved?
4. What is their detection strategy?
A lot of companies deal with tremendous volumes of data, which can lead to false positives and wasted time. A strong SOC provider should not take a ‘detect all things’ approach, but rather develop a formalized detection strategy that is focused on understanding the adversary’s TTPs (tactics, techniques, and procedures) and breaking the attack chain at various tactics.
A strong provider will focus on value over volume. In a true SOC partnership, your provider should work to improve your detections over time through tuning and analysis. Before signing on with a SOC provider, you should have a clear understanding of how they will develop and implement a detection strategy that meets your needs.
5. How do they leverage community threat intelligence?
Your SOC provider should always be up to date on the latest attack techniques and be able to build that into your defense. One of the benefits of working with a SOC provider vs building your own is that the provider has access to a lot more data and threat intelligence than your internal team. Make sure your provider can leverage the intel they receive from their clients to proactively defend your environment.
At Binary Defense, we call this Collective Defense. It means that if one of our clients is attacked, we take what we learn from that and apply it to all our clients. This can come in several forms, including new detection rules that get rolled out to all clients, proactive communication on high-profile security events, and additional threat context for our analysts to make them more prepared if they spot similar threats in the future.
6. Do they provide answers, or just alerts?
One major benefit of utilizing a SOC partner is that they should filter out noise and give your team more time back in their day to focus on other strategic initiatives. If your provider is sending you false positives or alerts that don’t require any action on your part, it will end up costing your team time and will not provide much value. A high-quality SOC partner will conduct thorough analysis on any alarms that are generated and only send alerts that require further action. Any alerts that are sent to you for review should contain additional context – the who, what, why, how – about the alert so that your team is able to act quickly and won’t need to analyze the alert on their own to understand what is going on.
When evaluating providers, ask to see samples of what their alerts look like and ask if they map to any industry-standard frameworks, like MITRE ATT&CK or Cyber Kill Chain, to improve your defense and prevent future attacks. For example, at Binary Defense our analysts identify indicators of compromise across the Cyber Kill Chain and provide detailed tactical and strategic mitigation recommendations. This helps our clients understand why an alert was generated and can help them detect similar threats earlier in the kill chain going forward – which improves their overall defense. When it comes to SOC alerts, you should prioritize value over volume.
7. What will the working relationship look like?
Your SOC provider becomes the front line of defense for your business. A good SOC provider should be an extension of your team and help you improve your security maturity over time. When evaluating a provider, you should seek to understand what the engagement will look like. How often will you meet with them to discuss daily operations? How do they measure success and prove their value? What are they doing to drive your cybersecurity program forward?
If a provider does not have satisfactory answers to these questions, it could be a red flag that they may be challenging to work with. Typically, especially towards the beginning of a SOC partnership, regular weekly meetings are essential to establishing a strong working relationship and aligning on day-to-day operations. In addition, regular reporting meetings and metric reviews help ensure you are meeting your goals and that the provider is doing the work they agreed to do. At a strategic level, quarterly business reviews ensure your provider understands your top security objectives and can help you achieve your goals.
8. What types of metrics do they report on?
If you are investing in a SOC partner, you are likely going to be asked to demonstrate the value they provide. One important way to do that is through regular reporting updates that your SOC provider shares with you. Not only does regular reporting help justify the cost of a SOC, but it should also help you better understand your threat landscape and inform your decision making. When evaluating providers, consider the following:
- What metrics do I need to provide to my board/leadership?
- What metrics will show the effectiveness of my security program?
- How will I use these metrics to make strategic decisions and improve my security maturity?
Answering these questions will help you better understand what metrics you need from a SOC provider. You should be focused on getting metrics that can drive your security program forward, not just volume metrics.
9. Will they be a true partner?
Many SOC providers focus on the tactical side of things but fail to act as a strategic partner. A strong SOC partner should deliver on outcomes that drive your security program forward. If a provider is too focused on just monitoring and sending alerts without also listening to your needs and solving problems, you are likely not going to get a lot of value out of that. Look for a provider that takes a consultative approach and focuses on building a partnership. Some of the criteria we have addressed in this blog – developing a detection strategy, understanding your requirements, and providing detailed, contextual alerts – will be good indicators for whether a provider will be an extension of your team or just another security vendor.
10. How will they improve my cyber maturity?
One benefit of working with a SOC partner is that they can help improve your overall cyber maturity. But not all providers operate the same, so it is important to understand exactly how your partner will do this. Ask them questions like:
- How will you measure and show improvement over time?
- What do you do to learn from incidents and prevent them from happening in the future?
- Can you share an example of how you have helped other clients improve their cyber maturity?
At Binary Defense we often look at where along the Cyber Kill Chain most detections happen, which can help our clients sure up their defense. For example, when reviewing monthly metrics for a client, we noticed that 75% of our detections occurred at delivery. Based on this, we can advise them to harden their email gateway so we can prevent malicious emails from making it to the inbox in the first place. We can then work with the client to develop better detections for their email security, or potentially help them replace their email security software with one that can better meet their needs.
11. Do they deliver solutions tailored to your unique needs?
Each organization is different and requires unique, personalized solutions. A good SOC provider will look at every client scenario with fresh eyes, and work with you to understand your operating rhythms and integrate itself into your team. You should look for a provider that can customize its processes and procedures to complement your team, rather than requiring them to overhaul its processes to fit with the provider’s rigid structure. During your evaluations, ask them to articulate how they will support your specific needs. Dig deeper into your operating procedures and expectations to make sure they align with what the provider can deliver.
12. Can you trust them?
The most important criteria to consider when evaluating SOC providers is trust. You are asking this company to be your first line of defense, and if an attack slips through it could be catastrophic for your business. Determining if a provider is trustworthy can be challenging, but here are several things to consider when deciding.
First, stay away from ‘black box’ solutions. Your provider should be able to clearly articulate what events generated an alert, what investigation was conducted on that alert, and how the resulting action (or inaction) was decided. You need to have visibility into every investigation. At Binary Defense, we address this by providing a system that documents every alert – including false positives and other alerts that are not raised to the client. This helps keep us accountable and gives our clients peace of mind and full visibility.
Second, make sure you have access to your data during – and after – your relationship with the SOC provider. If you decide not to work with that provider anymore, it is important that you are still able to retain the data from the engagement. When evaluating providers, ask them about data retention and what you will have access to. We have had clients who come to us after working with a different provider, and they were not able to keep any of the knowledge management from the previous engagement, which means they lose a lot of insight into their environment and their security history.
Finally, the level of visibility into the effectiveness of the SOC is a great indicator of trust. This goes back to the reporting and metrics we discussed earlier. A strong SOC partner will provide detailed reporting on the good and the bad. If a provider is hesitant to share certain metrics or does not provide transparent reporting, that may be a red flag.
At the end of the day, there are a lot of factors that go into selecting the right SOC partner for your business. But transparency and accountability are the two most important pillars of a successful partnership.
Want to hear more? Watch this webinar recording to hear our SOC leadership team speak on these topics.