To keep up with an ever-changing threat environment, cybersecurity technologies and offerings are continually evolving. If you are a managed services provider (MSP), it’s essential to ensure you are providing your clients with the best possible protection – not just protecting endpoints or a cloud application. It’s vital that you explain to your clients how Security Operations Center (SOC) as a Service and managed antivirus offerings differ.
Todd Thiemann, Director of Product Marketing at Arctic Wolf Networks, explains the contrast between these two services: “A SOC provides the functions that an enterprise requires to monitor for threats and respond to security incidents. This includes the category that Gartner refers to as ‘Managed Detection and Response.’ SOC as a Service is a managed service, monitoring all security telemetry for threats, including network, endpoint, and cloud (IaaS and SaaS).”
“This is different than managed antivirus or managed endpoint detection and response because such services typically monitor a single vendor’s endpoint security product while SOC as a Service is monitoring the entire environment — on-premises endpoint and network along with cloud,” Thiemann explains.
He adds that Security Operations Center as a Service is agnostic to the security protection tools in use. “Managed antivirus typically only covers a single vendor’s antivirus product, while SOC as a Service can ingest security telemetry from any security solution that can send log data,” he says. “SOC as a Service typically also ingests log data from the major endpoint detection and response as well as antivirus tools.”
Threat Detection via SOC
Thiemann says the NIST Cybersecurity Framework is built on five functions: Identify, Protect, Detect, Respond, and Recover.
“SOC as a Service is monitoring for what threats slip through the protective layers that an enterprise might have,” he says. “You need to protect your environment, but also monitor to detect threats that inevitably slip through. We focus on detection and response, but also help protect by identifying vulnerabilities that might be exploited so an enterprise can reduce its attack surface.” Arctic Wolf covers the “protect” portion of a cybersecurity plan through vulnerability assessments and vulnerability management.
Where managed antivirus or managed endpoint detection and response (MEDR) looks at only one dimension (i.e., the endpoint), SOC as a Service monitors multiple dimensions, including endpoints, network, IaaS and SaaS, and performs correlations across those dimensions. By ingesting security telemetry from all dimensions of an enterprise’s environment and enriching it with threat intelligence, it is effective at sifting through data to find malicious activity. “We catch things like suspicious logins to Office 365 or other cloud solutions that might enable a threat actor to compromise an endpoint,” he says.
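As an added example that is not part of this article and not Arctic Wolf’s own code, the following Python sketch shows what correlating telemetry across dimensions can look like in practice: events from a cloud identity source, an EDR tool and a firewall are normalized into one schema, enriched with a threat-intelligence list and per-user login baselines, and then joined by user and host inside a time window so that a suspicious cloud login followed by script-host execution on that user’s endpoint surfaces as one alert with context, rather than three unrelated log lines. The log lines, indicator values, baselines, field names and scoring are all constructed for illustration.

```python
import shlex
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed threat-intel feed (placeholder indicators, not real IoCs).
THREAT_INTEL = {"203.0.113.45": "credential-stuffing infrastructure"}
# Constructed per-user baseline of countries each user normally logs in from.
USER_BASELINE = {"alice": {"US"}, "bob": {"US"}}
# Script hosts whose launch on an endpoint is worth correlating with a cloud login.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "mshta.exe"}
WINDOW = timedelta(minutes=15)

# Constructed sample telemetry: one line per event, "timestamp SOURCE key=value ...".
SAMPLE_LOG = """\
2024-05-01T09:02:11Z CLOUD user=alice app=O365 result=success ip=203.0.113.45 country=RO
2024-05-01T09:03:30Z CLOUD user=bob app=O365 result=success ip=192.0.2.10 country=US
2024-05-01T09:05:40Z EDR host=LT-ALICE user=alice event=process_create image=powershell.exe cmdline="-nop -enc REDACTED"
2024-05-01T09:06:02Z FW host=LT-ALICE dst=198.51.100.7 dport=443 action=allow bytes=2048000
2024-05-01T09:40:00Z EDR host=LT-BOB user=bob event=process_create image=notepad.exe cmdline=""
"""


@dataclass
class Event:
    ts: datetime
    source: str                      # CLOUD, EDR or FW: the dimension it came from
    fields: dict                     # vendor fields, kept as-is after normalization
    tags: set = field(default_factory=set)   # enrichment results


def parse_line(line: str) -> Event:
    """Normalize one 'timestamp SOURCE key=value ...' line into a common Event."""
    ts_str, source, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(kv.split("=", 1) for kv in shlex.split(rest))
    return Event(ts, source, fields)


def enrich(ev: Event) -> Event:
    """Attach tags from threat intel and baselines; raw fields stay untouched."""
    ip = ev.fields.get("ip")
    if ip in THREAT_INTEL:
        ev.tags.add("ti:" + THREAT_INTEL[ip])
    if ev.source == "CLOUD":
        user, country = ev.fields.get("user"), ev.fields.get("country")
        if country and country not in USER_BASELINE.get(user, set()):
            ev.tags.add("new-country")
    if ev.source == "EDR" and ev.fields.get("image", "").lower() in SCRIPT_HOSTS:
        ev.tags.add("script-host")
    return ev


def correlate(events) -> list:
    """Cross-dimension rule: a suspicious successful cloud login, followed within
    WINDOW by a script host launched under the same user on an endpoint, with a
    large outbound transfer from that endpoint raising the score further."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for login in events:
        if login.source != "CLOUD" or login.fields.get("result") != "success":
            continue
        if not any(t.startswith("ti:") or t == "new-country" for t in login.tags):
            continue
        user = login.fields["user"]
        later = [e for e in events if login.ts < e.ts <= login.ts + WINDOW]
        procs = [e for e in later if e.source == "EDR"
                 and e.fields.get("user") == user and "script-host" in e.tags]
        if not procs:
            continue
        host = procs[0].fields["host"]
        egress = [e for e in later if e.source == "FW"
                  and e.fields.get("host") == host and int(e.fields.get("bytes", 0)) > 1_000_000]
        alerts.append({
            "user": user,
            "host": host,
            "login_ip": login.fields.get("ip"),
            "login_tags": sorted(login.tags),
            "processes": [p.fields["image"] for p in procs],
            "egress_bytes": sum(int(e.fields["bytes"]) for e in egress),
            "score": 50 + 20 * len(procs) + (30 if egress else 0),
            "window": (login.ts.isoformat(), (login.ts + WINDOW).isoformat()),
        })
    return alerts


def run(log_text: str) -> list:
    """Parse, enrich and correlate a block of log lines; returns composite alerts."""
    return correlate(enrich(parse_line(l)) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, Bob’s login from his usual country produces nothing, while Alice’s login from an unexpected country and a listed IP, joined to the PowerShell launch on LT-ALICE and the 2 MB outbound transfer that followed, produces a single alert carrying the user, host, login IP, tags, processes and time window an analyst needs to act. A single-product managed antivirus view would see only the third line.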
When SOC as a Service locates a threat, it informs the end user with the context they need to remediate. “And what SOC as a Service avoids is a bunch of false positive alerts you cannot act on,” Thiemann says.
Businesses Are Migrating to SOC as a Service
Thiemann says MSPs should be aware that the Security Operations Center as a Service space is extremely active now. “Customers realize that a managed service is preferable to buying a bunch of tools and scrambling to find scarce talent to operate those tools,” he comments.
While large enterprises may have an on-premises SOC, medium-sized companies and SMBs are looking for an outsourced solution. “Customers want something that is agnostic to security vendor tools in case they want to move between vendors, and they’re looking for solutions that provide coverage across multiple dimensions including network, endpoint and cloud,” Thiemann says. “They also may need to satisfy cybersecurity compliance obligations for regimes like PCI DSS and HIPAA that require monitoring and log retention.
“Look for the solution that provides the security monitoring coverage and compliance bells and whistles that your clients require,” he says.