ESG's Christina Richmond and Dave Gruber discuss the differences and similarities between SOC-as-a-service (SOCaaS) and Managed Security Service (MSS).
Read the related ESG Blog: SOCaaS versus Managed SOC
Dave: Hi, I'm Dave Gruber with ESG, and I'm here today with my colleague, Christina Richmond, ESG principal analyst covering cybersecurity services. Yesterday, Christina and I were having a chat about the differences between SOC as a service versus traditional MSSP, and there were some questions that I had had about SOC as a service as the number of vendors that are in the market today talking about providing and delivering SOC as a service.
And my curiosity was around how does this differ or how is it like other managed security services that might be in the marketplace.
Christina: I think, you know, a lot of people think that SOC as a service is a buzzword, and maybe it is. But essentially, the "as a service" is what defines it.
Typically, SOC as a service is built on SaaS platforms, is multi-tenant, and it's in a cloud environment. It's SOC monitoring, so think SOC analysts, there are humans involved. Think machine learning or algorithmic detection. And this is where it gets a little bit confusing, right, because you have endpoint detection and response and managed detection and response, and you have all kinds of other detection and response.
But essentially, what's happening in SOC as a service is you have a platform and you are algorithmically looking for the known and unknown bads, and there are lots of different ways they go about that. When those bads are found, then the SOC analyst will further investigate them.
Now, if you were to compare that to managed security services, legacy managed security services has been management and monitoring, whereas SOC as a service is just the monitoring. So the management side is where there's vulnerability management and assessment, there's patch management, there's configurations, capabilities in the typical managed security services provider.
Now, those two are blurring. Those two are blending together, because a lot of MSSPs, the managed security service providers, are actually doing what SOC as a service does. So witness, for example, AT&T's acquisition of AlienVault: AlienVault is a SOC as a service firm; AT&T was an MSSP.
And now, together, they're doing what I would call advanced managed security service.
Dave: And it's a question of which one becomes a superset of the other, as MSSPs have gone out and offered a number of different types of services. It's interesting just to call out this as a special case. We see this as a massive overload of alerts that people deal with every day, and I wonder if this type of a service is emerging specifically to attack that problem: organizations are drowning in alerts and struggling with that just-upfront triage process, that early investigation part of the phase.
SOCs end up hiring small armies of net new SOC analysts, tier one analysts, and they're sifting through all of that. This feels like maybe an opportunity to outsource some of that heavy lift of the triage process, and add some additional automation to it in a way that helps offload the on-premise resources to be more focused on solving other security problems.
Christina: You are spot on, my friend. That is absolutely right. And so, that is why we're seeing this convergence occur. This streamlines it. It brings in some of that machine learning capability that we're now seeing more and more in security. I would not call it artificial intelligence quite yet. I would say we're still in the learning phase.
But certainly, it's a benefit, and it helps reduce some of the SOC analyst's fatigue. The other thing that the SOC as a service platform helps us with is the cloud environment. So that is something that MSSPs traditionally were not building in the cloud.
Many of them have now; many of them are building out their capabilities in the cloud. But the SOC as a service model, because they could start from a net new startup, builds in the cloud. They were completely cloud native, and they're multi-tenant. They're built in the cloud so that they have that facile environment where they can not only do things faster, because they have greater bandwidth and more capabilities at a lower cost, but they also can monitor in the cloud.
Dave: Makes perfect sense. So it will be super interesting to see how these services evolve, whether organizations can supplement their organizations or completely offload this level of services to another organization here, and what those models look like, whether people end up working collectively on-prem or whether they're completely off-site.
Christina, will you be doing additional research and putting out more information on this subject?
Christina: Yeah, absolutely, Dave. I will be doing more research and reaching out to the firms that claim to be SOC as a service, you know. AlienVault, Alert Logic, Palladium, CrowdStrike. Overwatch, for example, is another one.
So I would like to do some definitional research and also highlight what these different firms are doing. So, definitely look for that coming soon.
Dave: Great, great. It's been nice chatting with you about this. And we look forward to seeing some additional information. Thank you so much.