Security operations centers are becoming essential for large businesses. A big organization with many assets and interaction points with the outside world needs to dedicate at least part of its IT budget to security monitoring.
Specialist tools need specialist technicians to run them and interpret their findings. Thus, a SOC is soon assembled by hiring cybersecurity specialists and giving them the necessary software to keep the IT system safe.
Experienced cybersecurity technicians are in high demand, so the salaries companies need to offer to attract these people keep rising faster than average wages in the IT sector. In many locations, high salaries just aren’t enough to attract the right caliber of security staff. Smaller companies don’t have the budget or work throughput to justify hiring security staff. For many reasons, it is becoming more attractive to outsource security monitoring tasks, and there are many managed service providers starting up to operate security monitoring on behalf of clients.
The term “virtual” is applied to many services in IT, and it describes a system that seems to be in-house but isn’t. For examples of this phenomenon, think of virtual private networks and virtual servers. The outsourced Security Operations Center (SOC) seems to be another department in the business. However, it isn’t – it is a virtual Security Operations Center (vSOC).
Virtual Security Operations Centers
Virtual security operations centers can be located anywhere. That location flexibility enables them to cut their costs by basing themselves in lower-rent areas. However, that doesn’t necessarily mean in remote towns. This is because the talent pool needed to run these centers tends to be more plentiful around university towns. However, the vSOC doesn’t need to be in high-rent office space on Main Street.
A vSOC can be located anywhere in the world and serve clients from any country. The main constraint on the client base for each service provider is the language of support staff.
The primary operations of vSOCs involved monitoring security software. Virtual security operations centers don’t need to access any of the client’s data stores so that they won’t hold data for the client, just not to make sure that there is no inappropriate use of that data. So, no location issues arise from legislation, such as GDPR, to not block a vSOC seeking clients in any country.
The vSOC doesn’t host data, and it isn’t a SaaS provider. Instead, it manages the software that the customer has subscribed to separately. In some cases, the vSOC consultants will advise the client which security monitoring software to buy and then recommend the management service on top of that. In other cases, the provider of the chosen security software will offer a management service on top of the SaaS package.
It is not unusual for the client to be located in one place, the system software operating on a server in a completely different country, the security monitoring software to be hosted in a third place, and the vSOC staff to be sited somewhere else.
The team tasked with monitoring your company’s system security doesn’t need to be composed of the same people around the clock. Even if you run your SOC, different people will be staffed at other times, working in shifts. vSOCs can rotate responsibility for a site’s security to various data centers around the globe in strategic time zones. Thus, the service provider can provide 24-hour vigilance without having to get technicians to work unsociable hours.
Security configurations
Although having cybersecurity technicians located remotely might seem like a weak security spot, the reverse is true. The vulnerability assessments for the guarded system can be conducted from an external location because that configuration better reflects the scenario of hackers gaining entry across the internet.
When the vSOC team accesses security software residents on the protected network, the connections that they use are secured. So, vSOC staff can securely watch over security software operating inside the network. As has already been noted, the security monitoring system won’t necessarily be resident on the protected network. In this case, the monitoring system will have an agent program on the protected network that communicates with the cloud-based monitoring system. Again, this communication will be carried out over secure, encrypted connections.
The vSOC team then gets access to the security monitoring service, not the protected network. Remediation actions are usually implemented through orchestration with resident access control systems operating on the protected system. This means firewalls, access rights, management systems, and network devices.
Remediation actions need to be triggered by the system security monitoring tool, such as an intrusion prevention system or a data loss prevention system. So, again, vSOC teams don’t need to have direct access to the protected system but need to set up and fine-tune the security monitoring system.
The most important part of a security monitoring system is the way it is set up. Suppose the detection rules and remediation triggers are created correctly. In that case, the monitoring system will take care of all of the security supervision work, so the security service provider can use one team of technicians to monitor many systems. By this tactic, the vSOC can offer system security management at a much lower cost than most companies would esxpe4nd running their in-house security operations center.
VSOC contracts
The service contract is the key element that makes outsourcing feasible. As a client, you have several decisions over what exactly you want the vSOC to do. For example, do you need the vSOC to manage continuity steps, such as mirroring your system to provide a failover environment so your staff can carry on working even if your server is destroyed? Other peripheral tasks that are not directly categorized as security monitoring include data backups and recovery. Another could be the responsibility for managing and archiving logs to make them available for compliance auditing.
You will have a service level agreement attached to your contract with the VSOC that specifies the quality of service and expected response times for various events. The contract should also specify the expected standard of experience and level of accreditation of the staff assigned to the client’s security monitoring.
With the contract in place, as long as it covers legal liability for the SOC’s success or failure in defending the system and preventing data breaches, the client effectively has an insurance policy against malicious activity.
The best vSOC options
As the vSOC doesn’t take control of your system or hold any of your company’s data, there aren’t any long-term consequences overtaking a short-term decision over which service provider to choose when looking for outsourced security services. That is to say; there is no procedural reason to be locked into a specific vSOC provider.
The fact that you don’t need the outsourced SOC to take over your external communications means less pressure when choosing a virtual security operations center – unpicking a terrible decision won’t be an expensive process.
Our methodology for selecting a virtual security operations center
We examined the market for vSOC services and managed security providers and rated candidate systems on the following criteria:
- A service that is configured to guarantee that technicians can’t get access to your data
- A system that offers round-the-clock supervision
- Services that can provide new security monitoring software as well as options for use with existing systems
- Flexibility in SLA creation to account for non-standard requirements
- The ability to manage a range of security monitoring software packages
- No setup fees or lock-in period
- Good value for money from a provider that isn’t going to try adding on unexpected charges to bump up the bill
While we usually expect software providers to give a free trial period, that isn’t possible with the vSOC concept. In this case, you are hiring a team instead of buying software, and people need to be paid.
For example, suppose you have assessed several reliable and highly regarded service providers that can become your virtual security operations center with these selection criteria in mind.
Here is our list of the four best virtual security operations center providers:
- Under Defense EDITOR’S CHOICE This provider offers 24/7 business protection across all environments, including clouds, networks, endpoints, apps, SaaS, and critical data. Their Security-as-a-Service platform resolves incidents faster with automation, offering full security visibility, a direct SOC hotline, on-demand hunts, and dynamic vulnerability reporting. The vSOC services can integrate with existing tools, adding necessary solutions and handling data synchronization. Customizable to meet specific needs, options include extending your SOC, turnkey services, co-managed SIEM, or building a SOC from scratch. Cutting-edge developments, such as a custom app for Splunk Audit logs and unique SIEM correlation rules, enhance cybersecurity affordability and accessibility. Expert-driven threat hunting and mitigation proactively address security incidents, providing personalized guidance to prevent future issues. Try it for free.
- VerSprite Virtual Security Operations Center This service is a fully managed security package that includes a security monitoring system. You buy the security system, and VerSprite consultants can support you in that process. If you already have your security monitoring system in place, that’s fine. VerSprite takes over running that security system and will assess all of the alerts that it produces. The team sets each notification and weeds out the false alarms. Your system administration team will be informed of actual threats when they arise. If you prefer, you can work with the VerSprite team to set up automated responses so your team doesn’t have to spend time dealing with remediation tasks. As well as guarding against intrusion, the VerSprite team is experienced at file integrity monitoring and data protection.
- Redscan Virtual SOC The approach of this service vis more of a support system than a complete security management takeover. This option would suit a business that wants to run its in-house SOC but can’t quite find the right quality of staff with a high level of expertise. Using the SOC as a second-line technician team, the client company can enable its SOC staff to improve their skills through experience. This solution is a good idea for those businesses who worry about the loss of control that completely outsourcing security management could bring. This solution is a bespoke approach that involves your IT staff with guidance from Redscan consultants from choosing security software to installing it, setting it up, and operating it.
Virtual security operations center FAQs
What is a virtual security operations center?
A virtual security operations center, or VSOC, is a package of tools that provides a centralized threat detection and response service for all of the digital assets of a business. A Security Operations Center (SOC) is staffed with technicians and cybersecurity experts around the clock, the VSOC is a managed service provided on a contract. The VSOC will be serving many clients simultaneously, so each company pays a lot less than the cost of running a dedicated, in-house SOC.
What are the benefits of virtual SOC?
A virtual SOC provides around the clock security monitoring and defense for IT assets at a lower cost than a full, in-house, staffed security operations center. This solution is ideal for small and mid-sized businesses that don’t have the IT budgets of large corporations.
What do security operations centers do?
A Security Operations Center (SOC) provides live security monitoring of IT assets to maintain security software and run threat hunting systems to protect endpoints and networks. The SOC will supervise antimalware and firewalls and set up firewalls to protect networks from malicious traffic. The SOC will also run a SIEM service or XDR to spot intruders and insider threats. This software can also implement automated threat responses. However, the staff of the SOC can also be expected to implement actions to shut down threats.
