SOCaaS versus Managed SOC (with video)

detection-responseWe live in a sea of acronyms: SOC, MSS, MDR, IDS, IDP, SOCaaS, SECaaS… Three of these in particular are causing consternation in the market: SOCaaS, MSS, and MDR. Let’s see if we can shed some light on them.

Security operations center (SOC)-as-a-service or SOCaaS has gained popularity in recent years with the advent of SaaS-based, multi-tenant, cloud architected security monitoring services. The SOC operates as the brain of the security program, constantly monitoring and alerting security analysts of possible intrusion and attack. It seeks visibility into configuration, patch, and vulnerabilities and is often the first line of defense for an organization.

In a managed security services (MSS) engagement, the organization outsources its management and monitoring (or SOC function) to a third-party service provider like that which Secureworks and IBM offer. Traditional MSS included the management portion of this operation, but in recent years some MSS providers (MSSPs) like Symantec have gotten out of the management business as there are lower margins for product install, configuration, and management. And some would argue that monitoring is the more critical function as that is where the adversary can be seen and caught. This is true, but still others would argue that proper configuration and regular patching (or basic security hygiene) better thwarts the adversary in the first place.

Cloud migration birthed SOCaaS, which provides an automated detection of anomalous behavior, correlation to a database (sometimes a security information and event management (SIEM)) system of known malware, and alerts or blocks on that knowledge. Many of these offerings include algorithmic detection and response methods either at the endpoint (EDR), network (NDR), web (WDR), or cloud  (CDR). The platform searches the environment of choice on a continuous basis and checks against known bads. Most of the time SOCaaS providers have level 1 and level 2 SOC analysts who investigate the alert before forwarding it on to the client.

Managed detection and response (MDR) is another new term which is often confused with MSS. MDR can include EDR, NDR, WDR, and/or CDR. The more advanced providers include all. As stated above, these services use algorithms to detect anomalies and alert in near real time. Some providers also offer SOC services and sometimes these are SOCaaS, but not always. Some MSS providers also offer MDR, but rarely vice versa in the traditional definition of MSS. In others words, when an MDR says it offers MSS, they usually do not do the traditional on-premises management. In fact, in a recent ESG study, 29% of respondents stated that the MSSP they were already engaged with offered MDR whereas only 3% stated that their EDR provider also offered MDR. 


A fourth area of confusion is co-managed or outsourced SOC services. Typically this begins with a consulting engagement where a provider will help build a client’s SOC and then sometimes manage it with them, or sometimes the client will outsource it entirely.

Clear as mud? The key takeaway here is to know what you need for your company. Small and midsized companies which are cloud native with few security resources will often engage with MDR and SOCaaS. Midsized and larger firms with some security personnel will choose SOCaaS for portions of their architecture that are in the cloud, especially when they have a hybrid environment with multiple cloud hosters in the mix because this is where many SOCaaS providers shine. If larger firms are already engaged in an MSSP relationship, the SOC function will be included and the organization may either use the MSSP’s MDR capabilities (if existent) or bring in its own MDR piecemeal or whole.

Topics: Cybersecurity