Earlier this year, the SANS 2022 SOC Survey was published, an event security experts anticipate each year. Written by Chris Crowley and Barbara Filkins, the survey is designed to “explain everything they, and the SANS community, have learned about optimizing SOC operations in the past 12 months.”

The survey explores the ongoing development and progress of a Security Operations Center (SOC), including different definitions of SOC solutions. A SOC is described as a system “built around capabilities required by businesses” with a framework that is “not necessarily aligned with a reference architecture.” A SOC is comprised of the technologies in use and the individuals who make up the team.

All SOCs are not alike and, recently, the idea of offering security operations as a service (SOCaaS) has been embraced as a compelling alternative to assembling physical locations and structures.

“We consider a SOC architecture as how organizations decide to arrange their staff and technology to gain visibility into protected systems, perform the required work, and take into account the complicated logistical and jurisdictional issues to address when monitoring information systems,” SANS writes. In some cases the SOC can be “outsourced” if the expertise for specific industries, regulations and compliance measures is in place.

With hiring, retention, and turnover identified as top challenges based on the survey, is it time to reconsider how IT teams take on the SOC?

One company thinks so and has built its model on the premise that as more communications, computing, network, and storage move to the cloud, the next generation of SOCs will be cloud-native, too.

SANS forecasts that “looking ahead 12 months, while survey results show the single, centralized SOC as the leading deployment model, the real growth is occurring in cloud-based SOC services. This opens the door to what we envision as the true definition of SOC, one based on capabilities rather than a formal structure.”

“When we were introduced to Pillr, we were impressed by their future vision,” said Nick Heddy, Chief Commerce Officer of Pax8. “They proved a new SOC model and, in doing so, had an offering that was more agile, more elastic, less expensive, and more effective, given the broader view the company has into what is happening in the dynamic and often troubling world of cyberattacks.”

“Choosing a cloud-based security operations platform like Pillr is a smart solution for organizations looking to expand their cybersecurity program in a scalable way,” said Paul Anderson, CEO of Pillr. “Large enterprises can afford to spend millions of dollars to defend their assets and can pay hundreds or even thousands of people to operate their globally connected SOCs. But it makes sense for organizations – especially for SMBs responsible for abiding by security and privacy regulations – to go with a quality SOC solution delivering quick turn-up and lower total costs.”

The services that providers like Pillr offer, how they’re provided, and how much visibility and control the end customer has can differ widely. But, for businesses requiring a 24/7/365 SOC, adopting a service-supported solution has become an essential part of a cybersecurity strategy.

“Pillr is so much more than SOCaaS. It provides organizations a path to build an effective cybersecurity program and expand business by offering a greater roster of services,” said Alexandra Matthiesen, CMO of Pillr. “In a collaborative security operations model, MSPs with a conventional IT focus can incorporate that extra ‘S’ with the guidance and support of dedicated SOC staff – all without the command on resources. We maintain a team of over 85 security analysts and threat hunters in our five global SOCs, so our partners don’t have to.”

A recent Ponemon Report shows only 42 percent of businesses say that their SOC is very effective, which may explain why so many organizations are migrating to a SOC service model, which covers most of what organizations need, including telemetry, monitoring, investigation, analysis, and endpoint health.  

“Pillr comes with proven benefits,” Anderson said. “This includes a reduction of the overall cost of maintaining in-house security teams, including real estate, equipment, connectivity and, of course, salary. With our collaborative platform approach, our customers also get the full range of centers of excellence, with experienced people who live and breathe cybersecurity, including important future trends, all while staying alert and responsive in the moment.”

Data is a very important part of decision-making when choosing a security operations solution. How much data and what data is collected? Which underlying technologies are being used? How mature are those technologies?

“For example, most EDR products in the market are opaque about the data they’re capturing, with the rationale that data is analyzed in real-time,” Anderson explained. “EDR is great for real-time decision making, but threats are becoming more sophisticated, requiring ongoing analysis – some attacks have been known to reside in systems for weeks or even months before they are detected.”

SIEM solutions do collect more data, record and store it, but often that information is more like “reporting” than insight.

“There are some key questions to ask providers when considering moving to a security operations solution like Pillr. Can the provider handle the scale of its customers, especially in such a high-growth category? How many SOCs are they maintaining? How are they certified? What’s the scope of their security operations team?” Matthiesen, Pillr CMO, recommended.

“Ask for examples for specific case studies and come prepared with your hardest questions,” she adds. “There is no more important area for tough conversations about the proven capabilities of a solution and supporting team; they’ll be guarding the assets and reputation of your organization.”

Choosing a security operations partner requires careful consideration within the context of the overall IT and cloud infrastructure vision for the business.

Speaking on the value of Cybersecurity Awareness Month, Anderson said, “We share a relentless drive to secure partner environments so they can thrive in the face of today’s most challenging threats, and this requires collective awareness. We are big fans of the annual campaign and its broader goal. Helping our partners remain aware and prepared for whatever may come – it’s everything.”