Security operations centers are becoming essential for large businesses. A big organization with many assets and interaction points with the outside world needs to dedicate at least part of its IT budget to security monitoring.
Specialist tools need specialist technicians to run them and interpret their findings. Thus, a SOC is soon assembled by hiring cybersecurity specialists and giving them the necessary software to keep the IT system safe.
Experienced cybersecurity technicians are in high demand, so the salaries companies need to offer to attract these people keep rising faster than average wages in the IT sector. In many locations, high salaries just aren’t enough to attract the right caliber of security staff. Smaller companies don’t have the budget or work throughput to justify hiring security staff. For many reasons, it is becoming more attractive to outsource security monitoring tasks, and there are many managed service providers starting up to operate security monitoring on behalf of clients.
The term “virtual” is applied to many services in IT, and it describes a system that seems to be in-house but isn’t. For examples of this phenomenon, think of virtual private networks and virtual servers. The outsourced Security Operations Center (SOC) seems to be another department in the business. However, it isn’t – it is a virtual Security Operations Center (vSOC).
Virtual Security Operations Centers
Virtual security operations centers can be located anywhere. That location flexibility enables them to cut their costs by basing themselves in lower-rent areas. However, that doesn’t necessarily mean in remote towns. This is because the talent pool needed to run these centers tends to be more plentiful around university towns. However, the vSOC doesn’t need to be in high-rent office space on Main Street.
A vSOC can be located anywhere in the world and serve clients from any country. The main constraint on the client base for each service provider is the language of support staff.
The primary operations of vSOCs involved monitoring security software. Virtual security operations centers don’t need to access any of the client’s data stores so that they won’t hold data for the client, just not to make sure that there is no inappropriate use of that data. So, no location issues arise from legislation, such as GDPR, to not block a vSOC seeking clients in any country.
The vSOC doesn’t host data, and it isn’t a SaaS provider. Instead, it manages the software that the customer has subscribed to separately. In some cases, the vSOC consultants will advise the client which security monitoring software to buy and then recommend the management service on top of that. In other cases, the provider of the chosen security software will offer a management service on top of the SaaS package.
It is not unusual for the client to be located in one place, the system software operating on a server in a completely different country, the security monitoring software to be hosted in a third place, and the vSOC staff to be sited somewhere else.
The team tasked with monitoring your company’s system security doesn’t need to be composed of the same people around the clock. Even if you run your SOC, different people will be staffed at other times, working in shifts. vSOCs can rotate responsibility for a site’s security to various data centers around the globe in strategic time zones. Thus, the service provider can provide 24-hour vigilance without having to get technicians to work unsociable hours.
Although having cybersecurity technicians located remotely might seem like a weak security spot, the reverse is true. The vulnerability assessments for the guarded system can be conducted from an external location because that configuration better reflects the scenario of hackers gaining entry across the internet.
When the vSOC team accesses security software residents on the protected network, the connections that they use are secured. So, vSOC staff can securely watch over security software operating inside the network. As has already been noted, the security monitoring system won’t necessarily be resident on the protected network. In this case, the monitoring system will have an agent program on the protected network that communicates with the cloud-based monitoring system. Again, this communication will be carried out over secure, encrypted connections.
The vSOC team then gets access to the security monitoring service, not the protected network. Remediation actions are usually implemented through orchestration with resident access control systems operating on the protected system. This means firewalls, access rights, management systems, and network devices.
Remediation actions need to be triggered by the system security monitoring tool, such as an intrusion prevention system or a data loss prevention system. So, again, vSOC teams don’t need to have direct access to the protected system but need to set up and fine-tune the security monitoring system.
The most important part of a security monitoring system is the way it is set up. Suppose the detection rules and remediation triggers are created correctly. In that case, the monitoring system will take care of all of the security supervision work, so the security service provider can use one team of technicians to monitor many systems. By this tactic, the vSOC can offer system security management at a much lower cost than most companies would esxpe4nd running their in-house security operations center.
The service contract is the key element that makes outsourcing feasible. As a client, you have several decisions over what exactly you want the vSOC to do. For example, do you need the vSOC to manage continuity steps, such as mirroring your system to provide a failover environment so your staff can carry on working even if your server is destroyed? Other peripheral tasks that are not directly categorized as security monitoring include data backups and recovery. Another could be the responsibility for managing and archiving logs to make them available for compliance auditing.
You will have a service level agreement attached to your contract with the VSOC that specifies the quality of service and expected response times for various events. The contract should also specify the expected standard of experience and level of accreditation of the staff assigned to the client’s security monitoring.
With the contract in place, as long as it covers legal liability for the SOC’s success or failure in defending the system and preventing data breaches, the client effectively has an insurance policy against malicious activity.
The best vSOC options
As the vSOC doesn’t take control of your system or hold any of your company’s data, there aren’t any long-term consequences overtaking a short-term decision over which service provider to choose when looking for outsourced security services. That is to say; there is no procedural reason to be locked into a specific vSOC provider.
The fact that you don’t need the outsourced SOC to take over your external communications means less pressure when choosing a virtual security operations center – unpicking a terrible decision won’t be an expensive process.
What should you look for in a virtual security operations center?
We examined the market for vSOC services and managed security providers and rated candidate systems on the following criteria:
- A service that is configured to guarantee that technicians can’t get access to your data
- A system that offers round-the-clock supervision
- Services that can provide new security monitoring software as well as options for use with existing systems
- Flexibility in SLA creation to account for non-standard requirements
- The ability to manage a range of security monitoring software packages
- No setup fees or lock-in period
- Good value for money from a provider that isn’t going to try adding on unexpected charges to bump up the bill
While we usually expect software providers to give a free trial period, that isn’t possible with the vSOC concept. In this case, you are hiring a team instead of buying software, and people need to be paid.
For example, suppose you have assessed several reliable and highly regarded service providers that can become your virtual security operations center with these selection criteria in mind.
Here is our list of the five best virtual security operations center providers:
- Under Defense This provider offers a great deal of flexibility in its plans. The central security concept of the Under Defense system is the SIEM. Under Defense advises your company on which security software (SIEM) to install and will even help you install it. The Under Defense team then takes over, monitoring the dashboard of the SIEM software and ensuring that it takes appropriate action should a breach be detected. The team will also manage log files for you. Under Defense offers two vSOC options: fully managed and co-managed security. The co-managed option is suitable for businesses that have a small on-site team of security analysts.
- VerSprite Virtual Security Operations Center This service is a fully managed security package that includes a security monitoring system. You buy the security system, and VerSprite consultants can support you in that process. If you already have your security monitoring system in place, that’s fine. VerSprite takes over running that security system and will assess all of the alerts that it produces. The team sets each notification and weeds out the false alarms. Your system administration team will be informed of actual threats when they arise. If you prefer, you can work with the VerSprite team to set up automated responses so your team doesn’t have to spend time dealing with remediation tasks. As well as guarding against intrusion, the VerSprite team is experienced at file integrity monitoring and data protection.
- LightEdge Virtual Security Operations Center While other vSOC providers guide you through your choice of security monitoring software or take over managing your current security monitoring setup, LightEdge works with IBM QRadar software. QRadar is an excellent could-based SIEM, and you could do a lot worse. The point is that the Light Edge team has done their research, and they have decided that QRadar is the best system they could find. Also, having all clients on the same security monitoring system enables the company to transfer technicians from one client to another quickly. The supervision of your system is carried out around the clock, every day of the year. As with other vSOC solutions, you can decide how much remediation automation is implemented in the agreement. You can decide to let your people deal with identified problems or let the LightEdge technicians deal with them.
- Redscan Virtual SOC The approach of this service vis more of a support system than a complete security management takeover. This option would suit a business that wants to run its in-house SOC but can’t quite find the right quality of staff with a high level of expertise. Using the SOC as a second-line technician team, the client company can enable its SOC staff to improve their skills through experience. This solution is a good idea for those businesses who worry about the loss of control that completely outsourcing security management could bring. This solution is a bespoke approach that involves your IT staff with guidance from Rescan consultants from choosing security software to installing it, setting it up, and operating it.
- Executive Ops XOVSOC is a co-managed proposition that gives expert support and out-of-hours replacements for your in-house IT operations team. The Executive Ops team has its threat intelligence feed that alerts the technicians on what new attack The first line of defense lies with system security monitoring software, which spots abnormal behavior. Next, these alerts are channeled to an Executive Ops analyst who filters out false alarms. Finally, those genuinely concerning events get funneled through to your team, either as notifications or as feeds directly into your network management system.