
7 KEY ATTRIBUTES OF SOC-AS-A-SERVICE And How it Differs from Traditional Managed Security Services

WHITE PAPER

PAGE 2 of 14 | 7 KEY ATTRIBUTES OF SOC-AS-A-SERVICE

INTRODUCTION: MOVING BEYOND TRADITIONAL MANAGED SECURITY SERVICES

Historically, organizations have turned to managed security services providers (MSSPs), with their breadth of expertise and resources, to address key security requirements including security technology implementation and basic management. These providers helped reduce cyber risk and maintain compliance by taking care of tasks such as ensuring that the firewall and other devices were configured properly, the associated software and firmware were up to date, and the basic events were handled.

But today, organizations need more sophisticated managed services that can detect and respond to threats and threat actors that are increasingly able to bypass these security controls.

Legacy MSSPs, however, often aren’t well positioned to offer advanced security operations center (SOC) capabilities for threat detection and response. Many are limited to basic services for 24/7 remote monitoring and managing of firewalls, endpoint detection and response (EDR) solutions, virtual private networks and intrusion detection systems (IDS), and alerting on basic events. These are important, but insufficient.

Outsourcing has increased significantly in recent years, and 53% of CISOs say the main reason is the desire for timelier incident response.[1] Simply detecting and alerting customers about threats is no longer enough for MSSPs—security leaders want more. According to Gartner, “Gartner clients are demanding a more focused set of managed services that can help identify, investigate and respond to security threats. These services center on detection and response.”[2]

And to do that, providers need to be able to collect telemetry from a broad range of data sources across the organization, normalize, correlate and analyze it to uncover potential threats—then actually respond to the real threats. That means customers relying on traditional, commoditized technology management services must still grapple with gaps in their defenses.



THE EVOLUTION OF MANAGED SECURITY SERVICES TO INCLUDE SOC-AS-A-SERVICE

Adopting a SOC model has become more critical for enterprises that want to elevate the maturity of their practices and improve their security posture. In 2020, 80% of surveyed IT and security practitioners said their SOC was essential, compared to 73% in 2019.[3]

For organizations looking for more robust managed security, this has sparked the evolution of SOC-as-a-service (SOCaaS). In addition to covering some of the basics offered by MSSPs, SOCaaS delivers essential, advanced services and value such as:

• Identifying data sources with high security value for your specific use cases

• Data engineering, and data ingestion into a centralized SOC platform

• Identifying and analyzing threats, including indicators of compromise (IoC) and indicators of attack (IoA)

• Analyzing and prioritizing alerts

• Detecting and responding to threats and incidents

• Aggregating and leveraging global threat intelligence

• Providing guidance on security strategies and policies

• Leveraging standard frameworks like MITRE ATT&CK to improve preparedness for adversary tactics, techniques and procedures (TTPs)

SOCaaS vendors’ highly trained in-house experts have broad and well-honed skills focused on threat detection and response, and operate as a true extension of your IT or security team. As an alternative or a complement to a traditional MSSP, SOCaaS combines this advanced expertise with standardized processes and the flexibility of short-term contracts. And most importantly, SOCaaS providers typically rely on a co-managed, cloud-native, next-generation security information and event management (SIEM) platform that has been purpose-built for modern threat detection and response, and more reliably and quickly surfaces high-fidelity alerts.



Top Signs You’ve Outgrown a Traditional MSSP

• Onboarding of the data sources important to you is taking too long and is expensive.

• You lack visibility into the rules that are applied to the data that’s being ingested and monitored.

• Your in-house team is drowning in low-value alerts received from the MSSP.

• The MSSP lacks the technology required to fully and effectively leverage your data sources for threat detection and response.

• The MSSP doesn’t have the specialized threat expertise you need to complement your team’s skill sets.

• You have limited or no visibility into the MSSP’s platform or threat investigation process.

• Escalating an incident takes too long, increasing dwell time and, ultimately, risk.

• You feel like the MSSP operates in a vacuum rather than aligning with your in-house team and your objectives.

• You’re not seeing the return on investment you expected from the MSSP.

Security leaders should think beyond traditional MSSPs and consider outsourced services that will elevate their defenses with SOCaaS. And MSSPs that want to better serve the rapidly growing market for threat detection and response should also carefully consider whether they’re properly equipped to do so. This white paper highlights the key SOCaaS attributes you should look for when selecting a service provider that will be effective in light of the rapidly evolving threat and IT landscape.



ATTRIBUTE 1: MODERN PLATFORM

A modern, cloud-native, next-generation SIEM platform is absolutely essential to threat detection and response. Yet many traditional MSSPs rely on a legacy SIEM that wasn’t designed for security monitoring. To address the shortcomings of their chosen SIEM, they’ll cobble together a set of point solutions like user and entity behavior analysis (UEBA), security orchestration, automation and response (SOAR) and a threat intelligence platform (TIP), but get stuck with the inefficiency of jumping between applications as they try to investigate a threat. As a result, analysts still have to spend much of their time sifting through an unmanageable number of alerts and false positives, while you suffer the consequences. And they need to acquire skills and expertise in multiple point solutions, which is a massive training challenge and cost.

Many MSSPs try to solve the alert fatigue problem by simply throwing a lot of people at the problem—which is a very inefficient, old-world approach to a modern SOC challenge that no longer works.

Critical SOCaaS Capabilities: An effective SOCaaS provider relies on a cloud-native, next-generation platform that has been purpose-built by security professionals to improve the effectiveness and efficiency of their threat detection and investigation process. This platform eliminates the cost and complexity of managing an on-prem SOC technology stack by combining a number of essential SOC technologies—including SIEM, UEBA, SOAR, a threat detection engine, a TIP and case management—into a single, unified SaaS platform.


TIP: Consider a SOCaaS provider that offers technology-agnostic threat monitoring, which doesn’t require you to invest into a defined, on-premises technology stack.

QUESTION TO ASK THE VENDOR: How tightly can your platform integrate with case management systems to ensure our investigation process is efficient?

Additionally, a modern SOCaaS platform:

• Natively supports a broad range of telemetry and data sources and makes it easy to quickly add new sources and assess the security value of different data sources.

• Leverages data science and automation, and combines multiple detection techniques, resulting in fewer false positives and a manageable number of high-fidelity alerts.

• Leverages the MITRE ATT&CK or similar framework to provide essential insights into how new data sources enhance coverage and reduce risk, thereby improving the effectiveness and value of the service and your compliance efforts.

• Provides full transparency via a co-management approach, which allows you to login remotely and fully collaborate alongside the SOCaaS team to address issues, learn and elevate security.

• Supports multi-tenancy to enable analysts to more efficiently monitor security across different businesses while being able to meet data sovereignty requirements.

• Includes a range of other important features such as custom rules that ensure rapid and no-cost support for additional or specific use cases.

With this automation, a modern SOCaaS platform drastically reduces the volume of traditional L1 analyst activity, enabling you to focus more energy on higher priority incidents. This has a couple of benefits:

• Higher priority risks don’t slip through the cracks, which reduces overall risk.

• Analysts are more engaged, effective and satisfied, which helps with retention and, ultimately, lowers operating costs.


ATTRIBUTE 2: DATA EXPERTISE

Fewer than half of medium and large enterprises are highly confident in their security solutions’ ability to detect the adversary TTPs included in each of the matrices of MITRE ATT&CK.[4]

TIP: Look for a SOCaaS provider whose platform maps your current state against the MITRE ATT&CK framework, which will identify gaps and help you better manage risk.

QUESTION TO ASK THE VENDOR: What models and foundational methods do you use for your analytics engine?

Big data now underpins threat detection and response. The proliferation of high-volume sources—like EDR telemetry, network solutions, network flows, cloud-layer telemetry and SaaS activity—adds to the huge volume of data to be normalized, correlated and analyzed at scale. MSSPs need the ability to ingest a broad range of data sources from across a diverse IT environment, including on-premises, remote, multi-cloud, SaaS applications and IoT/OT.

Generating high-fidelity alerts from this data, while minimizing false positives, requires a combination of the right SOC technologies, including data science, machine learning and automation, augmented by human intelligence, experience and intuition.

Critical SOCaaS Capabilities: Threat detection and response is only as good as the data you can access, along with your understanding of—and ability to leverage—its inherent detection value. A SOCaaS provider that is vendor- and data source-agnostic provides native support for a broad range of critical data sources and telemetry. That means the vendor’s platform can immediately ingest your data from virtually any source to accelerate the time to value.

Casting a wider data net improves the breadth, quality and confidence of threat detection, reduces dwell time and enables analysts to detect and respond to hidden, evasive and emerging threats faster. And, with the possible exception of custom data sources, a SOCaaS provider should be able to readily and quickly support the data sources you need.


ATTRIBUTE 3: THREAT EXPERTISE

Fewer than 40% of organizations have a high ability to hire the right experts for their SOCs.[3]

TIP: Look for a vendor that has deep expertise in data science and an advanced technology platform that will truly leverage the detection value of myriad data sources.

QUESTION TO ASK THE VENDOR: What kind of security experts are part of your SOCaaS team and how do they communicate with customers?

To reduce cyber risk, the primary focus of a high-value, effective SOC is twofold:

1. Rapidly, consistently and confidently detecting a broad range of threats that may have evaded individual security controls and solutions.

2. Responding to these threats in a timely and effective manner.

But this requires an entirely different skill set than simply deploying and managing security products. Many traditional MSSPs lack this specialized “threat-centric” expertise. The L1 SOC analysts MSSPs typically hire only monitor alerts, leaving the investigation to customers. Adding detection and response capabilities would require the MSSP to both overhaul its SOC technology and hire talent who have more specialized skills.

Critical SOCaaS Capabilities: A SOCaaS provider’s team comprises a range of highly trained experts who enhance the capabilities of your in-house team 24/7. These experts include:

• Data scientists and engineers who understand the detection value of different data sources, develop and refine rules through a variety of detection techniques, and ensure the integrity of the data pipeline.

• Security analysts who continuously monitor your environment, investigate suspicious activities and potential threats, resolve incidents and make recommendations for containment.

• Security engineers who deploy and integrate security solutions into your organization’s infrastructure, as well as make recommendations for further tuning and alignment with best practices.

• Threat researchers who support the SOCaaS team with timely threat intelligence and insights on adversaries’ TTPs.

• Threat hunters who proactively detect, disrupt and eradicate threats that may lurk within your environment and may have bypassed your security controls.


ATTRIBUTE 4: TRANSPARENCY

SOCaaS vendors can provide a co-managed service, so you can actively engage in the process to the extent you’d like.

TIP: Consider a vendor that provides a range of persona-based dashboards and reporting options that meet the needs of all your stakeholders, including executives and compliance officers.

QUESTION TO ASK THE VENDOR: How do your security analysts collaborate with my internal security team?

Since many traditional MSSPs rely on a legacy SIEM or a collection of point solutions, the visibility they provide to clients is often restricted to a set of dashboards and reports. This limited visibility hinders your team’s ability to understand what data goes into generating alerts. At the same time, the MSSP’s analysts are flying blind because they can’t know what causes the false positives. The lack of transparency diminishes the overall value and effectiveness of the MSSP, and leaves CISOs and CIOs without the insights and answers they need to feel confident in their security.

Additionally, because of the constraints of the legacy SIEM they rely on, typical MSSPs can’t allow customers to actively participate in the threat detection and investigation process. If your in-house team can’t be actively involved in investigation, you’re missing out on valuable knowledge sharing and collaboration, and the efficiency of the threat investigation process will be diminished.

Critical SOCaaS Capabilities: Because they rely on a cloud-native next-gen SIEM, SOCaaS vendors can provide a co-managed service, meaning you can fully participate alongside the vendors’ analysts. In short, you see what they see, and can actively engage in the process to the extent you’d like. With complete visibility into the threat detection and investigation process, and not simply web access to summary reports or dashboards, you’ll be able to not only see the rules being used, but also create your own.

This transparency empowers your team to understand your organization’s security posture, remain hands-on throughout the threat detection and investigation cycle as much as they’d like, and maintain the full ability to manage security processes. The result is not only faster and more effective investigations, but also enhanced knowledge for your in-house team.


ATTRIBUTE 5: ACTIVE RESPONSE

Rapid investigation, response and containment are critical to preventing or minimizing the potential damage inflicted on your organization.

TIP: Consider a SOCaaS vendor that can also recommend policy or security control changes that will prevent similar security incidents in the future.

QUESTION TO ASK THE VENDOR: What are your procedures and SLAs for escalating and responding to security incidents?

Threat detection alone is not enough. When a security incident is discovered—something that could be important, but isn’t yet an actual data breach or successful attack—rapid investigation, response and containment are critical to preventing or minimizing the potential damage inflicted on your organization. However, many legacy MSSPs will simply provide recommendations for the response that should be taken, leaving the actual responsibility for implementing the containment or mitigation measures to you.

A modern SOCaaS platform that leverages data science and automation can expedite the investigation and response process, and will ensure that analysts are spending more time on high-fidelity alerts and are not overwhelmed by false positives.

Critical SOCaaS Capabilities: A top SOCaaS vendor will offer you two options: either to recommend mitigation measures that you can implement; or to provide active response, in which the vendor will implement a set of predefined containment measures on your behalf. These active response measures may include:

• Adding URL, IP, domain or file hashes to your endpoint, email, network and firewall security solutions, along with web application firewall (WAF) “block and allow” lists

• Scanning hosts for IoCs and IoAs

• Quarantining and isolating compromised hosts from the network using endpoint or workload security tools

• Killing a process or deleting malicious code with endpoint or workload security controls

• Implementing and deploying firewall, network intrusion detection system or WAF rules to stop an active attack

This type of flexible service is particularly valuable for organizations that may lack the resources to implement these changes, which may be necessary at any time of day or night as threats arise or incidents unfold.


ATTRIBUTE 6: SERVICE QUALITY

Service quality, as it relates to threat detection and response, comes down to four key elements:

1. Technology: Does the provider efficiently and effectively leverage essential technologies to detect and respond to the threats that matter to your organization, and therefore reduce your cyber risk, in a manner that meets your expectations?

2. Service level agreements (SLAs): Does the service provider meet or exceed the SLAs and success criteria established at the start of the relationship?

3. Rapport: Is the working relationship between your team and the provider’s team productive and effective? Do they trust each other? Is there open, honest, constructive collaboration? Are they in sync? Is the team relatively static, or is there high turnover of analysts or other key personnel?

4. Communications: Is there clear, timely and complete communication, in all its various forms (verbal, reports, meetings, email/Slack, etc.) between the teams?

Each of these elements is largely a function of attributes one through five. Specifically, if the service provider has a modern platform, offers superior data and threat expertise, provides transparency and actively responds to threats on your behalf, then the service quality is probably very high. Traditional MSSPs often come up short on service quality specifically because they don’t embody these key attributes.

Critical SOCaaS Capabilities: A SOCaaS provider ensures service quality by:

• Leveraging a modern, cloud-native platform that integrates essential SOC technologies and comprehensive threat intel in a unified SaaS.

• Supporting the service with comprehensive SLAs for both the platform and the service outcomes as they relate to incident investigation and response.

• Operating as an extension of your team and working seamlessly with your in-house IT or security staff, complementing them with the skills and expertise that your organization needs.

• Maintaining close, regular communications with key members across your IT/security team, and providing monthly or quarterly reports and reviews to show you the progress of your security efforts.

TIP: Work with a SOCaaS provider that can elevate your SOC regardless of your current SOC’s maturity level. A quality vendor should be able to enhance your security, regardless of what stage you’re at.

QUESTION TO ASK THE VENDOR: Do your SLAs cover both the platform and the business outcomes?

Service quality is probably very high if attributes one through five are met.


ATTRIBUTE 7: RAPID TIME TO VALUE

TIP: Work with a SOCaaS vendor that offers flexible contracts, from short-term to multi-year, and ensures continuity by exporting all your logs should you choose to terminate the contract.

QUESTION TO ASK THE VENDOR: How will you help me improve my organization’s security posture over time?

The actual experience organizations have when outsourcing their SOC to MSSPs isn’t always positive. In fact, only 52% of organizations rate their MSSPs as effective.[3]

Often, it takes months to see value from traditional MSSPs. Common reasons include a long onboarding process, reliance on a legacy SIEM augmented with point solutions that aren’t integrated or optimized for your environment, weak data science, and a lack of threat detection expertise. In the meantime, you’ve signed a long-term contract to lock in better rates—and you’re stuck regardless of the MSSP’s performance.

Critical SOCaaS Capabilities: With SOCaaS, you can hit the ground running because there’s very little to deploy, it can be accomplished quickly, and is included as part of the service. A good SOCaaS provider will natively support dozens of data sources, including the most common and valuable ones from a detection value perspective. And if they don’t already support the data sources you need, they should readily support them as part of the onboarding process. Best of all, the SOCaaS provider’s experts do all the work for you, from implementation through monitoring and response.

SOCaaS can be fully operational in as little as one month. Your time to value decreases from months or even years to weeks, and your bill is predictable, with an all-inclusive, pay-as-you-go monthly fee that covers the use of the technology and the experts.

And while you’re offloading much of the responsibility of threat detection and response to the vendor, you benefit from leveraging advanced technology features, regular content updates and a constant review of your enterprise’s security health.

Average Cost of SOC Outsourced to MSSPs: $5.3 million in FY 2020 vs. $4.4 million in FY 2019.[3]


GOING BEYOND BASIC MSSP CAPABILITIES WITH CYSIV SOCaaS

To differentiate from basic services offered by legacy MSSPs, Cysiv combines its own platform with highly skilled security experts and standardized, effective processes that deliver accelerated threat detection and response. The co-managed, feature-rich, multi-tenant SOC platform is the foundation for Cysiv’s services.

The Cysiv SaaS platform, which can be rapidly deployed and scaled, combines essential technologies into a unified solution, including:

• Next-generation, cloud-native SIEM driven by data science and automation

• Massively scalable data lake for log storage, search and retrieval

• MITRE ATT&CK preparedness to help ensure you are protected against potential TTPs

• A TIP with comprehensive and timely feeds from a range of open and paid sources of threat intelligence

• Embedded UEBA for identifying anomalous patterns based on algorithms and statistical analysis

• A threat detection engine that leverages a blend of techniques to produce higher-fidelity alerts, reduce false positives and better inform analysts

• SOAR for automating incident response workflows

• Case management to ensure seamless communication and collaboration during investigations and incident management

Figure: Cysiv’s Next-Gen SIEM. Enterprise telemetry (vulnerability data, databases, threat intel, DNS, EDR/XDR, cloud, firewall/VPN, IAM, Windows, Linux and Mac OS, network, and an existing SIEM) flows as logs into automated log processing, which produces enriched logs. These feed a two-stage automated threat detection engine (indicators, then detections), followed by human investigation that yields incidents. Detection techniques shown in the figure: cyber intel, signatures and TTPs, UEBA statistics and outliers, and context-aware AI/ML.

Cysiv is vendor- and technology-agnostic and can ingest data from virtually any data source, including an existing SIEM.

Cysiv’s patent-pending log architecture automatically normalizes to a CIM and enriches the data with user info, IP attribution, geo-location, critical asset information and more.

STAGE 1: Find threats using the right technique for each use case.

STAGE 2: Patterns of malicious activity are automatically aggregated into “detections.”

Cysiv experts then investigate all detections and validate them. Typically, just 10-20% of all confirmed security incidents warrant escalation to clients for further investigation.
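As an added illustration (not Cysiv’s code and not a description of its actual implementation), the Python below sketches the flow the figure describes: normalizing two constructed source formats into a common information model, enriching each event with constructed asset criticality, a stage 1 that applies a different technique per use case (an indicator match on file hashes and a volume threshold on failed logons), and a stage 2 that aggregates hits per host into scored detections and marks which ones would be escalated for analyst review. Field names, thresholds, the indicator value and the sample events are all constructed assumptions.

```python
"""Toy two-stage detection flow modelled on the architecture described above: normalize to a
CIM, enrich with asset context, stage 1 finds per-technique hits, stage 2 aggregates them per
host into scored detections. Added example, not Cysiv's code; all formats and data are constructed."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 300   # constructed: time window for counting failed logons
FAIL_THRESHOLD = 5     # constructed: failed logons per host/user that count as a hit
ESCALATE_SCORE = 8     # constructed: score at which a detection is escalated
# Constructed asset inventory used for enrichment: ip -> (hostname, criticality 1-5)
ASSETS = {"10.0.0.5": ("dc01", 5), "10.0.0.23": ("ws-042", 2)}
# Constructed indicator set (placeholder hash, not a real IoC)
BAD_HASHES = {"deadbeef" + "0" * 56}

@dataclass(frozen=True)
class Event:           # common information model shared by every source
    source: str
    host: str          # IP of the host the event is about
    user: str
    action: str        # 'logon_failure' | 'process_start' | 'other'
    value: str         # file hash for process_start, otherwise empty
    ts: int
    asset: str = "unknown"   # filled in by enrich()
    criticality: int = 1     # filled in by enrich()

def normalize(source: str, raw: dict) -> Event:
    """Map each constructed source format onto the CIM, then enrich it."""
    if source == "winlogon":   # Windows Security log style fields; 4625 = failed logon
        action = "logon_failure" if raw["EventID"] == 4625 else "other"
        ev = Event(source, raw["Computer"], raw["TargetUserName"], action, "", raw["TimeCreated"])
    elif source == "edr":      # EDR process telemetry style fields
        ev = Event(source, raw["host_ip"], raw["user"], "process_start", raw["sha256"], raw["time"])
    else:
        raise ValueError(f"unknown source {source}")
    return enrich(ev)

def enrich(ev: Event) -> Event:
    """Attach asset name and criticality from the inventory (unknown hosts get 1)."""
    name, crit = ASSETS.get(ev.host, ("unknown", 1))
    return Event(ev.source, ev.host, ev.user, ev.action, ev.value, ev.ts, name, crit)

def stage1(events):
    """Stage 1: apply the technique suited to each use case; returns (host, technique, weight)."""
    hits = []
    for ev in events:   # technique A: indicator (signature) match on the file hash
        if ev.action == "process_start" and ev.value in BAD_HASHES:
            hits.append((ev.host, "known_bad_hash", 3))
    failures = defaultdict(list)   # technique B: volume threshold on failed logons
    for ev in events:
        if ev.action == "logon_failure":
            failures[(ev.host, ev.user)].append(ev.ts)
    for (host, _user), times in failures.items():
        if len(times) >= FAIL_THRESHOLD and max(times) - min(times) <= WINDOW_SECONDS:
            hits.append((host, "auth_brute_force", 2))
    return hits

def stage2(hits, events):
    """Stage 2: aggregate hits per host into one detection, score it by technique
    weight times asset criticality, and mark it 'escalate' or 'review'."""
    crit = {ev.host: ev.criticality for ev in events}
    techniques, weight = defaultdict(set), defaultdict(int)
    for host, technique, w in hits:
        if technique not in techniques[host]:   # count each technique once per host
            techniques[host].add(technique)
            weight[host] += w
    detections = []
    for host in sorted(techniques):
        score = weight[host] * crit.get(host, 1)
        escalate = score >= ESCALATE_SCORE or len(techniques[host]) > 1
        detections.append({"host": host, "techniques": sorted(techniques[host]),
                           "score": score, "status": "escalate" if escalate else "review"})
    return detections

def run_pipeline(raw_records):
    events = [normalize(src, raw) for src, raw in raw_records]
    return stage2(stage1(events), events)

def fails(host, user, start):   # builds constructed failed-logon records, 10 s apart
    return [("winlogon", {"Computer": host, "TargetUserName": user, "EventID": 4625,
                          "TimeCreated": start + i * 10}) for i in range(FAIL_THRESHOLD)]

# Constructed sample: workstation with brute force plus a known-bad hash, a domain
# controller with brute force only, and an unknown host with brute force only.
SAMPLE = (fails("10.0.0.23", "alice", 1000)
          + [("edr", {"host_ip": "10.0.0.23", "user": "alice", "sha256": "deadbeef" + "0" * 56, "time": 1100})]
          + fails("10.0.0.5", "carol", 2000)
          + fails("10.0.0.77", "svc", 3000))
```

Running `run_pipeline(SAMPLE)` yields three detections: the workstation is escalated because two techniques fired, the domain controller because its criticality lifts a single brute-force hit over the score threshold, and the unknown host stays in review.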


Cysiv’s platform provides vendor-agnostic data support and automated threat detection and triage, along with incident response, without requiring licensing or hardware. The platform automatically ingests data from a comprehensive set of sources, normalizes and enriches it, and then applies a blend of techniques to find indicators and identify anomalies before escalating the most critical incidents to your team.

With over 1,000 data science rules already included as part of the service, new rules added weekly, and the ability to create custom rules, Cysiv casts a wider and finer net for catching IoCs and IoAs. This improves the quality and confidence of threats detected, and dramatically shortens the mean time to detect and contain threats that are often hidden, evasive or new.

Cysiv experts—including analysts, detection engineers, data scientists, incident responders and threat hunters—work on your behalf to monitor and respond to threats in your environment. But your in-house personnel can remain as hands-on as they desire, collaborating with the Cysiv team and maintaining full visibility into the SaaS platform and investigations.

Cysiv SOCaaS enables organizations of all sizes, even large enterprises, to achieve better value from their existing security investments while continuously reducing cyber risk. You don’t have to make upfront investments or commit to long-term contracts, and you gain flexibility with a pay-as-you-go model that allows you to scale services as needs change.

Cysiv’s model is not “either a traditional MSSP or Cysiv.” Enterprises that are already working with an existing MSSP for standard device management and related services can further elevate their security posture by augmenting these with Cysiv SOCaaS and benefitting from essential threat detection and response services.

About Cysiv

Cysiv is an innovator in the field of security operations center-as-a-service (SOCaaS). We help enterprises reduce the risk of a damaging cyber-attack or data breach by providing advanced, 24/7 threat detection and response. Using the cloud-native, co-managed Cysiv Command platform, our team of experts operate as a seamless extension to internal IT/security teams to accelerate and improve the process of detecting, investigating and responding to actionable threats across the complete IT environment. All of this is delivered with simple, predictable monthly billing, and can be operational in days. To learn more, visit www.cysiv.com.

Cysiv Global: Dallas, USA | cysiv.com | [email protected]

Cysiv Middle East & Africa: Cairo, Egypt | mea.cysiv.com | [email protected]

Sources:

[1] Cisco, CISO Benchmark Study, 2020

[2] Gartner, “The Managed Security Services Landscape Is Changing,” Pete Shoard, Kelly Kavanagh, Mitchell Schneider, John Collins, Toby Bussa, April 9, 2020

[3] Ponemon Institute, “Second Annual Study on the Economics of Security Operations Centers,” January 2021

[4] UC Berkeley Center for Long-Term Cybersecurity, “MITRE ATT&CK as a Framework for Cloud Threat Investigation,” September 2020

© 2021. All rights reserved. Cysiv and the Cysiv Logo are trademarks of Cysiv, Inc. Other marks and names are trademarks or registered trademarks of their respective owners.