Analyst Chat

Analyst Chat #123: Market Compass - Security Operations Center as a Service

SOCaaS (Security Operations Center as a Service) is a growing trend in cybersecurity, where core security functions are uniformly delivered to enterprises from the cloud. Warwick Ashford explored this in a recently published Market Compass and provides an overview of his findings.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst with KuppingerCole Analysts. My guest today is Warwick Ashford. He is Senior Analyst with KuppingerCole working out of London. Hi, Warwick, good to see you.

Hi, Matthias, good to see you, too. Glad to be back on the podcast. Chatting about a new publication.

Exactly. A new publication I think of one focus area that you really had a real struggle look at in the recent times is a market segment that has been covered already before, so we are talking about update documents, but it's really a growing market I assume. We want to talk about SOC as a Service. What can I think of when I think of SOC as a service?

Well, just think of it as evolved managed security services or evolved MDR. It's quite interesting because there's a lot of terminology in the market around this and some people have kind of embraced the SOC as a service term whereas others are providing these services that we're describing as SOC as a service under their MDR sort of banner or their expanded MDR service. But I'd like to distinguish it from sort of traditional MDR as saying it's something a little bit more than that. It's an evolution of that. So I can see like probably within the next year or so, the perhaps more people began talking about it as just MDR, but it's been it's an evolution of MDR rather than just being what we traditionally know as MDR.

Right. So what kinds of functionalities do these SOC as a service provide? Is this the full picture of what a traditional SOC on-premise would do?

Oh, yes, it is very much that, but it is different things to different sizes of companies because as you'll see in the Market Compass there are four distinct use cases, there are those where people will go for SOC as a service where they have no internal SOC or if they have an internal SOC, and then they want to add that additional layer, that additional layer of monitoring and analysis to work as a part of the extended in-house security operations center team. So there are some of those four areas where you either don't have one and you want to replace it entirely or you want to work a little bit with them or not.

When we look at this update, I think usually we do this update in, let's say one or two years. What happened since the initial edition of this Market Compass? Have many things changed?

Yes and no. I think the biggest change probably was that the impact of the pandemic came to bear. And I think people understood for the first time or more than ever how important it was to have monitoring and analysis across their whole IT because more and more people were now working remotely and you know, the more and more companies sort of accelerated their adoption of cloud would just, you know, went into the cloud based services. So this kind of having an overall view became suddenly more important to more people. And so that's why I think it's given the SOC as a service market quite a boost and an impetus. So as you mentioned before, I think the big difference between last year and this year is that the kind of growth that we predicted has been realized. And I can see that going on for at least the next couple of years.

Right, with the SOC as a service being provided from the cloud. Is it also very much focused also on cloud services to secure them? Is this a pair?

Yes. Well, this is the whole thing. Again, you know what I see as being a distinction from the older traditional market is that more organizations have on prem and in the cloud and more organizations are becoming some hybrid IT. So they need something to cover this hybrid environment. And that's kind of where SOC as a service comes in, where it's looking at the whole IT environment and then providing that support that they need.

Right. So for traditional organizations, that could mean augmenting the security that is required for dealing with these new shiny cloud based platforms as well, right?

Yeah, that's correct. I mean, you know, as I said in the beginning, I see it as an evolution of MDR. So what it adds is the all important components of continuing improvement. While it makes all this available as a cloud based service, it's via a platform and it puts SOC services within the reach of even small organizations without the cost and the challenge of maintaining a SOC on-prem.

Right. When we think of these SOC as a service and I think of functionalities that I talked to Alexei, our colleague, about when it comes to actually responding to events that have been identified, are these services also moving in that direction so that they not only can identify these threats, but also react upon what's happening? Is this a trend as well?

Oh, yes, definitely. Because again, I think that's one of the things that distinguishes SOC as a service from more traditional service providers is that it's... one of the things it's designed to do is to address the alert fatigue that a lot of organizations are experiencing. You know, they're getting alerts from all these different security systems and they don't know how to deal with them. So the idea is not to add to that burden, but to take it away and say, you know, look, okay, we've done all the analysis across your entire IT estate. These are the ones that need to be looked at. This is the way we're going to... We either agree beforehand or on the playbook, how are we going to deal with certain common situations. Or we need to discuss, What do you guys think? Is this the way you want to handle this? So there's far more interaction that way and there's far more focus on how to continually improve rather than just saying there's something happening over here, you need to deal with it.

Right. And the Market Compass as a document aims at supporting organizations identifying the right service provider, the right vendor, in general. And you've mentioned these different use cases. So I assume that this document really helps in assisting organizations of different sizes with different use cases in identifying the proper service provider and that there's not necessarily a one-size-fits-all right upper corner vendor?

Yeah, that's true. I mean, some of the SOC as a service providers do focus quite heavily on the lower end of the market. As I said, they're trying to provide SOC services to companies that would normally not be able to do that. They're trying to put them in the reach with the smaller companies, whereas others focus more kind of on the medium to large and those more large, you know, the medium to large enterprises, very large enterprise. So it's a question of just looking at a couple of vendors that we've looked at. There are a couple of new vendors in this year's report compared with last year, which is great. And they range from startups to well-established players. And people can, organizations can have a look and try and match up, the ones that provide the kind of services that are best tailored to their needs. And as you say, part of the exercise is understanding what is it that I need and which vendors are able to match that up. So, you know, look at this report to get some insights into how the market is evolving to understand the main use cases that we've mentioned before. Also to find out why SOC as a service may just be the answer to some of your biggest security challenges. But also to find out how SOC as a service can help get more value out of existing security investments. And then as you said to find out more about the vendor or vendors that are best suited to your needs. So we analyze a couple of our vendors and analyze their strengths and their challenges and where they are best suited to help.

So now that we talked about the actual vendor side, the analysis of what vendors or service providers are around there, I think there are many challenges also for the organization itself being ready for acting with such a SOC as a service and then identifying, asking the right questions. What are the right questions to ask? And I assume you have answers for that as well, right?

Yes, but that's in the Buyer's Compass. We've also produced a Buyer's Compass and that's really to help with this part of the process. So look at the Buyer's Compass for questions to ask your vendors, also for the criteria to select your vendor and for additional requirements for successful deployments. And the Buyer's Compass also will help prepare your organization to conduct RFI as an RFP for SOC as a Service Solutions.

Right. So we have a pair of documents that look at different angles of this approach towards acquiring the right solution. With the Buyer's Compass being the document that really aids in supporting or trying to find the right solution in general. On the other hand, the Market Compass looking at actual service providers and that the organizations then can look what fits their needs afterwards. So great to have this overview and great to have this set of updated documents available. They are out right now. And I highly recommend that the audience who is interested in SOC as a service is really coming to, looks at our research area, maybe does a first test subscription or acquires a subscription which is really affordable and gets the insight that you just acquired and documented in these two documents. So again, Market Compass and Buyer's Compass are both out. Any final recommendations from your side or maybe some insights that you realized are striking in that market, or is it just evolving and getting more mature?

It is getting more mature, but I think what's interesting is the direction that it's going into. So one or two of the vendors are looking at things like securing container environments and securing OT environments, operational technology environments and IoT as well. So there are all these new use cases and some of the vendors are obviously looking more towards automation and that's supported by artificial intelligence on various kinds, mostly machine learning, obviously. But you know, these are the directions that's going in. So again, it's really interesting for organizations to have a look and then match that to their use cases. And that's what my recommendation is, just to have a look at these and see where perhaps you can get benefit where you didn't actually realize it and kind of move from your traditional MDR to something that's a little bit more appropriate for the here and now where you've got a hybrid environment and you've got external workers and so on. And you're just needing to have a handle on all of it to bring it together. Because as far as I'm concerned, SOC as a service is the only way many organizations are able to consolidate all their security threats, tools and systems into a single point of control so that they can address and resolve all alerts, they can monitor and respond to or indicators of potential compromise, and they can evaluate the effectiveness of existing controls to identify where and how this can be improved.

Interesting. So really that this really adds value. And again, I highly recommend reading these documents. Thank you very much, Warwick, for being my guest today. Thank you for creating that great set of research documents and I'm looking forward to having you in this podcast very soon again. Thank you very much.

Me too. Thanks, Matthias. Bye.
