Security Operations Centre

A SOC's primary focus isn't preventative protection.

Its job is monitoring for, detecting and responding to threats.

A SOC's core expertise is not in security hardening, and this is often overlooked: hardening is typically delivered as a separately scoped professional services engagement, not as part of the monitoring service.

Configuration is King 👑

Time and time again, we hear how $managedService or $AISecurityProduct prevented an attack. Most of the time it’s boring, easy stuff.

  • "Our service detected a brute-force attack on a server" – Well, why could that server be brute-forced in the first place? Because someone left a port open, or worse, RDP (TCP 3389) was knowingly exposed to the internet as standard practice?
  • "Our service prevented $spookyEnterpriseApp from sending data to a dangerous IP" – yeah, because you didn't have admin approval (admin consent) turned on for enterprise apps.
  • "Our service prevented a Global Admin login from $unsafeCountry" – Why didn't you already have identity controls that decide where and how your admins can sign in?

Nearly everything a SOC team protects against is, quite simply, a basic shortcoming in a business's configuration management or its internal training efforts.
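To make the point concrete, here is the RDP brute-force case from the first bullet seen two ways. This is an added example, not code from the original post or from any SOC product: detect_rdp_bruteforce() is the kind of rule a SOC runs over Windows Security event 4625 (failed logon) records, exposed_rdp_rules() is the configuration check that would have removed the attack surface before there was anything to detect, and triage() pairs each alert with the firewall rule that let the attacker reach the port. The event records, firewall rules and management subnet are all constructed sample data.

```python
"""Added example, not from the original post: the same RDP brute-force
scenario as a SOC detection rule and as a configuration check.
All events, firewall rules and networks below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed: the only networks that should ever reach RDP on a server.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.50.0/24")]

# Constructed failed-logon records in the shape of Windows event 4625.
# logon_type 10 = RemoteInteractive, i.e. RDP.
EVENTS = [
    {"time": "2024-05-01T02:00:00", "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.10"},
    {"time": "2024-05-01T02:00:07", "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.10"},
    {"time": "2024-05-01T02:00:15", "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.10"},
    {"time": "2024-05-01T02:00:22", "logon_type": 10, "user": "backup",        "src_ip": "203.0.113.10"},
    {"time": "2024-05-01T02:00:31", "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.10"},
    {"time": "2024-05-01T02:00:40", "logon_type": 10, "user": "svc_sql",       "src_ip": "203.0.113.10"},
    # one typo from a management host: noise, not an attack
    {"time": "2024-05-01T09:12:44", "logon_type": 10, "user": "jsmith",        "src_ip": "10.10.50.23"},
    # console failure (logon type 2) is outside this rule's scope
    {"time": "2024-05-01T09:13:01", "logon_type": 2,  "user": "jsmith",        "src_ip": "127.0.0.1"},
]

# Constructed inbound allow rules, evaluated first match wins.
FIREWALL_RULES = [
    {"name": "Allow-RDP-Mgmt", "action": "allow", "proto": "tcp", "port": 3389, "remote": "10.10.50.0/24"},
    {"name": "Allow-RDP-Any",  "action": "allow", "proto": "tcp", "port": 3389, "remote": "0.0.0.0/0"},
    {"name": "Allow-HTTPS",    "action": "allow", "proto": "tcp", "port": 443,  "remote": "0.0.0.0/0"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """SOC-style detection: at least `threshold` failed RDP logons from one
    source inside a sliding `window`. Returns one alert per offending source,
    covering the densest window seen."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        start, worst = 0, None
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (worst is None or count > worst[0]):
                worst = (count, start, end)
        if worst:
            count, s, e = worst
            alerts.append({
                "src_ip": src,
                "failures": count,
                "users": sorted({u for _, u in hits[s:e + 1]}),
                "first": hits[s][0].isoformat(),
                "last": hits[e][0].isoformat(),
            })
    return alerts


def _is_rdp_allow(rule):
    return rule["action"] == "allow" and rule["proto"] == "tcp" and rule["port"] == 3389


def exposed_rdp_rules(rules, trusted=MANAGEMENT_NETS):
    """Configuration check: TCP/3389 allow rules whose remote scope is not
    contained in a trusted management network. An empty list is the goal."""
    exposed = []
    for r in rules:
        if not _is_rdp_allow(r):
            continue
        remote = ipaddress.ip_network(r["remote"])
        if not any(remote.subnet_of(net) for net in trusted):
            exposed.append(r["name"])
    return exposed


def admitting_rule(src_ip, rules):
    """Name of the first TCP/3389 allow rule matching src_ip, or None."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if _is_rdp_allow(r) and ip in ipaddress.ip_network(r["remote"]):
            return r["name"]
    return None


def triage(events, rules):
    """Attach the root cause to each alert: the rule that exposed RDP to that source."""
    return [dict(a, root_cause=admitting_rule(a["src_ip"], rules))
            for a in detect_rdp_bruteforce(events)]


if __name__ == "__main__":
    for a in triage(EVENTS, FIREWALL_RULES):
        print(f"{a['src_ip']}: {a['failures']} RDP failures against {a['users']} "
              f"between {a['first']} and {a['last']}; admitted by rule {a['root_cause']}")
    print("rules exposing RDP beyond management networks:", exposed_rdp_rules(FIREWALL_RULES))
```

The detection fires only after the fifth failure and tells you about one attacker; the configuration check tells you about every attacker you will ever have on that port, and deleting the one rule it names makes the detection redundant for that server.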

What I’m NOT saying

I want to make it clear before I proceed that I am not discrediting the skill, effort, and talent that exists within SOC teams and people, or suggesting that you should never look to invest in one. Their services save the day time and time again, and many businesses would have burned to the ground without their involvement.

My problem is with the MSSP model, and the potential lack of customer understanding around it. Do prospects really know what’s good for them? Or have they heard “SOC” and been convinced by osmosis that they’re the best thing to aim for in terms of securing their company?

Sometimes the price of a SOC can seem reassuringly expensive.

The Foundations of Business Security

Source: Microsoft Digital Defense Report 2024. Full report: https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/microsoft-digital-defense-report-2024?msockid=33aaa1bd605a69a23b56b4c961ba68cd

Your absolute priority when it comes to protecting your business is identity management. I've seen orgs with incredibly poor Conditional Access policies go out and buy a SOC thinking that is the solution. These are orgs where password reset still allowed security questions as an option, so if you knew someone's favourite colour you were pretty close to getting access.

The SOC service isn't going to draw attention to the flawed configuration first; they'll tell you they locked the account 5 minutes after someone accessed it, and rarely offer a long-term, org-wide fix. Why? Because:

  • It’s not their core expertise or interest
  • The internal team made clear elsewhere they want to own it
  • The internal team assumes the SOC is doing it, and the SOC assumes the internal team is doing it

The MSSP Commercial Model

If you've been around C-levels and business owners long enough, and follow the money, you learn to ask "who benefits?" whenever someone is trying to sell you something.

Let’s ask that about MSSP providers.

MSSPs are a subscription service, the recurring income based on endpoints or whatever metric is crucial to their survival and income. To keep their customers, they must continually demonstrate value. If they had no alerts or incidents to talk to you about, you might wonder why you pay them.

So, it is in their interest to show you things they can measure and report on. They can improve the customer experience by giving you access to a dashboard 24/7 – this is nice.

Here are the easiest things they can show you:

  • Device vulnerabilities – open any M365 security portal and you'll see hundreds of these, even in an environment where every installed app is patched the same day.
  • Outdated operating systems – again, you'll see this in most tools, but the general UK guidance (for example the 14-day patching window in Cyber Essentials) means a finding inside that window isn't alarming unless it's a critical 0-day.
    • The MSSP usually isn't responsible for your OS patching anyway
  • Microsoft “Secure” Score – they can point to it being a low number and tell you to make it a high number
  • Open ports on monitored networking appliances (potentially)
  • Risky logins over X period

Here are the things they love to show you:

  • We prevented XYZ on user account John Appleseed
  • We prevented remote activity on device PC-1001
  • We observed someone trying to brute-force your Global Admin account
  • We saw a malicious email get clicked, but we nuked the payload tenant-wide (rock on!!!)
  • etc.

They’ll put this into a fancy report and that’s them justified for another few months.

What they are not doing

It's harder to measure and report on preventative actions, and it's far less exciting to keep hearing about the preventative benefits of the firewall lockdown someone did for you a year ago.

In other words, prevention isn't sexy, and they can't keep using it to justify their value.

The Missing Link

You need to go to market and find someone or a company that understands the importance of configuration management (that is not an SCCM reference!). You need them to do a few things for you (using Microsoft terms here):

  • Review Identity – Create a strong baseline of Conditional Access policies
  • Review Entra Configuration – Restrict access to data to only approved apps, users, and devices
  • Review Endpoint security baseline – turn off old protocols, enable ASR rules, review the software Firewall… basic stuff
  • Review networking infrastructure – are things properly segregated? Do staff and servers share the same subnet?
  • Remove unsupported hardware/software
  • Review patching cycles and methods
  • etc.
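For the first two items on that list, here is what "a strong baseline of Conditional Access policies" looks like when you check it rather than eyeball it. This is an added example, not code from the original post or from Microsoft: the checks run over policy objects in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies (the same shape Get-MgIdentityConditionalAccessPolicy gives you in PowerShell). The three sample policies, including their mistakes, are constructed; the Global Administrator role template ID is Microsoft's published value, and the "two break-glass accounts" exclusion limit is an assumed threshold.

```python
"""Added example, not from the original post: a gap check for a Conditional
Access baseline, run over policies in Microsoft Graph's schema.
The sample policies are constructed; the role template ID is Microsoft's."""

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}            # clientAppTypes used by legacy auth
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}

SAMPLE_POLICIES = [
    {   # Built in report-only mode and never switched on: a very common finding
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-1", "breakglass-2"],
                      "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Correct: legacy protocols cannot do MFA, so they are blocked outright
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # Enabled, but the whole IT department has been excluded from it
        "displayName": "Require MFA for Global Admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "includeRoles": [GLOBAL_ADMIN_ROLE],
                      "excludeUsers": ["breakglass-1"], "excludeGroups": ["grp-it-department"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def _users(p):
    return p["conditions"]["users"]

def _all_users(p):
    return "All" in _users(p).get("includeUsers", [])

def _all_apps(p):
    return "All" in p["conditions"]["applications"].get("includeApplications", [])

def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))

def _covers_legacy(p):
    types = set(p["conditions"].get("clientAppTypes", []))
    return "all" in types or LEGACY_CLIENTS <= types

def _requires_device(p):
    # "mfa OR compliantDevice" lets an unmanaged device in; only device-only or AND counts
    ctrl, op = _controls(p), (p.get("grantControls") or {}).get("operator")
    return bool(ctrl & DEVICE_CONTROLS) and (ctrl <= DEVICE_CONTROLS or op == "AND")


def audit_conditional_access(policies):
    """Map each baseline check to True (met) or False (gap). Only policies in
    state 'enabled' count: report-only and disabled policies enforce nothing."""
    live = [p for p in policies if p.get("state") == "enabled"]
    return {
        "mfa_for_all_users": any(_all_users(p) and _all_apps(p) and "mfa" in _controls(p) for p in live),
        "legacy_auth_blocked": any(_all_users(p) and _covers_legacy(p) and _controls(p) == {"block"} for p in live),
        "mfa_for_global_admins": any(GLOBAL_ADMIN_ROLE in _users(p).get("includeRoles", []) and "mfa" in _controls(p) for p in live),
        "managed_device_required": any(_all_users(p) and _all_apps(p) and _requires_device(p) for p in live),
    }


def gaps(policies):
    """Names of the failed checks, in baseline order."""
    return [name for name, ok in audit_conditional_access(policies).items() if not ok]


def oversized_exclusions(policies, max_excluded_users=2):
    """Policies whose exclusions go beyond a couple of break-glass accounts or
    exclude whole groups: the usual way an 'all users' policy quietly stops applying.
    max_excluded_users=2 is an assumed threshold, not a Microsoft rule."""
    return [p["displayName"] for p in policies
            if len(_users(p).get("excludeUsers", [])) > max_excluded_users
            or _users(p).get("excludeGroups")]


if __name__ == "__main__":
    for name, ok in audit_conditional_access(SAMPLE_POLICIES).items():
        print(f"{'OK ' if ok else 'GAP'} {name}")
    print("policies with risky exclusions:", oversized_exclusions(SAMPLE_POLICIES))
```

Run against the sample tenant it reports two gaps (no enforced MFA for everyone, no managed-device requirement) plus one policy that is technically enabled but excludes the group that holds the admins. Flipping the first policy's state to enabled closes the MFA gap; nothing in a SOC's alert feed would have told you it was sitting in report-only mode.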

The list can go on a bit, but those are the core things that, when configured properly, will give you the best long-term sleep patterns.

A SOC service can be a fantastic supplement to that mission!

But as with all supplements, they are just that, and do require a well-balanced diet as a recommended foundation.

What should drive you to get a SOC service?

  • You just inherited an estate that is slow and resistant to change, and/or need a safety net while you figure stuff out and make incremental improvements
  • Some regulatory demand requires you have one
  • You’re convinced everything internally is good enough, and have budget for additional insights
  • Budget isn’t an issue, so you can afford that safety blanket

Reasons you shouldn’t go for a SOC as a top priority

  • You use M365 Business Basic or Standard as a base license
  • You have a Secure Score less than 30 percent
  • You do not manage devices centrally
  • Your whole IT team are Global Admins
  • Users are local admin everywhere and nobody gives a shit about it
  • You have budget decisions to make between a better base product with better configuration potential, or a SOC

Things to ask your potential SOC provider

  • Will you help us with our configuration management? (i.e. what is actually included in the service aside from the main stuff: threat detection, incident response, vulnerability management, threat intelligence.)
    • Get a few customer references from them
    • Ask for examples of those changes
  • What do you check during onboarding?
  • Can you provide example dashboards and reports (check they aren’t just copy/pasting stuff you can see on the home page of your Security Portal)
  • Ask about awards and accreditations
    • ISO 9001 / ISO 27001 / ISO 27017 / ISO 27035 etc.
    • SOC 2 Type II
    • Cyber Essentials Plus
    • CREST Accreditation
    • Staff who have CISSP, or product-specific creds
    • General awards for recognition
  • What’s the fewest number of SOC analysts available at any given time?
  • How big is the staff turnover in the team? (cross examine with LinkedIn premium if you have it)
  • What additional costs might there be in the case of a full disaster recovery scenario?
  • What happens if you fail to meet your SLAs?
  • Do you as a provider undergo third-party pen tests?

Priorities

Think about what you actually need to do for meaningful security improvements; splashing out on SOC services does not address the root cause.