Analyst Chat
Analyst Chat #62: The SOCaaS Market Segment - A First Look
The Security Operations Center-as-a-Service (SOCaaS) market has emerged and continues to develop in response to demand for security monitoring, analysis, detection, response, and improvement recommendations either instead of or as a supplement to permanent on-premises SOCs. KuppingerCole Analyst Warwick Ashford joins Matthias for this week's episode and shares some insights into this evolving market segment he gained during his recent research.
Welcome to the KuppingerCole analyst chat. I'm your host. My name is Mathias Reinwarth. I'm an analyst and advisor at KuppingerCole analysts. And my guest today is Warwick Ashford. He is an analyst with KuppingerCole working out of London and he's focusing on many topics around cybersecurity and identity and access management. Hi Warwick.
Hi Matthias. Good to be here. Great To have you and great to have you again in 2021. We want to cover a topic today. That is a new acronym yet another acronym it's called SOCaaS. Security operations center as a service sock as a service.
And that is hopefully something that is interesting to a large group of potential customers. I think it's important for those who don't have a soccer security operation center in general, maybe not even a proper it security organization, or maybe even not an it organization within their own organization. On the other hand, it might be interesting for organizations that do have that, that spent lots of money on that. Having education and teams and hardware and software and processes, and 24 by seven operations of such a security operations center, but to move one step backwards, the definition of warrior, what is a SOC AA? Yes,
Well, very basically, uh, SOC as a service solutions provide as a cloud-based service, all the benefits of a security operations center. So this is especially a support of a team of information security experts that monitors and analyzes security systems to provide sort of proactive and reactive cyber defense capabilities, but a sort of more detailed definition would be it's a type of managed security service. So that it's an it's important that it's cloud-based and that it's built on multi-tenant software's a service platforms and it goes beyond the offerings of traditional managed service security service providers, MSPs because lots of people argue that it's, it's kind of a marketing term and that it's been made up and, and that it doesn't really have a meaning, but it differs from, from, um, managed detection and response services and MSPs, um, because MSSP is typically monitor and manage things like, uh, intrusion detection, systems, firewalls, antivirus, and that kind of thing.
Uh, but psych is a service typically includes all of that plus a team of analysts to resolve every alert, uh, identify and analyze indicators of compromise and also analyze and respond to attacks, uh, to minimize the impact of security incidents. And at the same time, they help to optimize an organization's protection detection and response capabilities. And this is done through continual assessment and reporting, including guidance on security strategies and policies. So SOC as a service, therefore includes services that typically make up managed detection and response NDR solutions. And it can be considered, I think, as an evolution of both managed security services and NDR. So it's going beyond it's cloud-based and it covers all the it environments that we find in a modern enterprise. Okay,
Understood. So I'm focused first on a, the possibility that some organizations just have not the, the, the team and the qualification within their own team and the others who can save money. But I think that is by far not broadly thought enough. So I think there is much more benefit also available here. Um, maybe also in the area of consolidating existing services into, into one single managed platform or cloud based platform, is this a way to move forward as
Well? Uh, yes, I think so. And, uh, to your point, the thing that interests me about SOC as a service is that it caters the market caters to all different kinds of organizations. So I recently published a market compass on SOC as a service and of the 10 vendors that I looked at. And I guess there are about probably 30 to 40 vendors in the space, perhaps even more. Uh, but I, I looked at 10 and, uh, of those, some definitely catered to, to the smaller organizations that don't have in-house resources that are entirely reliant, uh, on, on an outside service. Uh, but it also caters for the upper end, uh, where this is now, uh, an add on or a complimentary to the in-house team. So it caters to a wide range. And when organizations are looking at choosing which SOC is a service that they should go for, uh, they should look at what their needs are. And so there are definitely some providers that cater for the upper end, uh, while the other ones who cater for the, for the lower end. So, you know, I think that's the, the question you're asking is, is kind of, is this all things to all people and, and definitely different providers do provide food for different segments of the market,
Right? When I think back to say five years ago, and I was talking to larger organizations and the more critical their business was, the worst the reaction was. And when I asked them, if they are willing to move their critical infrastructure, that critical systems into the cloud, move them into a software as a service or just platform or infrastructure as a service, they were quite hesitant. Now we're talking about moving the security processes, which is really at the core of any organizations or should be into the cloud. So things must have changed. So it's being hesitant, hasn't really changed. So that is a market segment. It's a growing market segment and organizations are choosing to do so, is this really the next trend for security?
Well, I think so. And simply because organizations are in a way being forced to go there to save costs and also to make things work. And, and I think the past sort of seven to eight months has been as being the accelerator. And we've seen, you know, in, in post COVID in the, in the post COVID era, people who were not even thinking about going to the cloud have gone to the cloud, it's, it's just accelerated that whole thing. Uh, we've also seen that in the whole area of digital transformation, that's also happens. I think, organizations that weren't comfortable with going to the cloud, weren't comfortable with homeworking, weren't comfortable with remote working are suddenly there and are having to make it work, uh, because of the way the world has changed. Right? So this
SOC as a service also reflects the general trend that we are moving to everything as a service of not only working from home, but working from anywhere but the office. So this is really more or less, also a more natural trend for these cloud first cloud native, um, organizations. Is that true or is it also for the traditional on-prem, um, seventies, it still available organization?
Yeah, look, uh, the, the, the thing with psych as a service is that a lot of the platforms are designed to be able to hook up to existing systems. So that's another one of the benefits of the SOC as a service is they, you can get more value out of your, your existing investments in security systems. Is that now, you know, a lot, I think one of the biggest drivers for this market is that organizations are suffering from alert, fatigue. They can't cope with the volume of alerts coming out of their security systems. Uh, they don't, they don't have the experience or the people to, to actually look at each alert and, and decide whether it's it's, you know, we know a prime example of this was the target case yet in United States. Um, they, they were alerted to the fact that the, they had been breached, but the alert was missed because it was one of millions of bats and, you know, human beings just can't cope with that, but you, especially when the teams are constrained.
So I think that's why a soccer's a services is good because it not only covers the cloud side of things and, and the OT and some at some organizations and are putting a focus on the operational technology, OT and, uh, internet of things, IOT. So it's covering those organizations. They've got a mix of legacy on prem stuff, as well as in the cloud. And so it's catering for all those markets, but it's, it's, it means they have one single place where they can consolidate, uh, all the risks. And, and I think, uh, psych as a service is, you know, one of the things that they can provide that SOC as a service is the only way most organizations are able to consolidate all their security threats, tools and systems into a single point of control and address and resolve alerts and monitor and respond to all the indicators and potential compromise. Okay.
So, um, when you're saying they provide these services, they consolidate that into one single platform. What would be the typical FA capabilities functionalities that would be included typically in such an offering? Um, I assume it would be of course, monitoring. It would be threat detection. Uh, what else is included in a package when I go to such a security, um, provider and look at their offerings,
It varies widely. And as I said, from the most basic packages through to very complex ones, so, uh, some of the providers are providing it under their MDR services and, and it it's everything under the sun, uh, that you can, you can imagine. Um, so if you think of a software provider like IBM, they're able to do the full range of, of response. Um, but their, their target market is the upper end of the market. They're very much are looking to provide their, their SOC as a service as a, as a, as, um, a complimentary to an existing one organization rather than taking over all the operations. So it's, it's to give organizations the, the breadth to be able to cover everything, to cover their whole, uh, it estate. And also then to kind of have a lot of this stuff automated so that the in-house analysts only having to deal with a very small, uh, part, part of that. Whereas on the lower end, um, it's, it's offering kind of, as I said earlier, it, it typically includes all the stuff that, that, um, managed detection and response solutions have, but then it's also helping them to, uh, assess their, um, defense capability and, and improve that. It's the continuous improvement side of it. That that kind of, I think is one of the things that sets psych as a service apart from just, uh, an MDR offering, you've mentioned
IBM as a potential vendor that can be looked at in general, this market. Is it a mature market? I don't ask if IBM is mature, but are there different types of vendors, startups, smaller companies, organizations that really started their business with this SOC as a service. And, and how, how does this market segment in general look like when it comes to coverage by vendors?
Well, the, the more mature, uh, end of things, I started way back in the early two thousands. So we can trace back to, to, you know, 2000, uh, the early two thousands and, and say, look, these were the beginnings of a SOC as a service where you're providing this, um, team, uh, to, to monitor, analyze and help protect an organization, but you're providing it as a service. But I think really in the last six years, we've seen a consolidation of the market. We've seen a greater use of the term SOC as a service. Um, cause as I said at the beginning, some people dismiss it as a marketing term, but it it's gaining traction, uh, particularly in Europe, apparently more than the United States, uh, in European RFPs, it's appearing more and more. Um, but the services that you're all finding that are called MDR or advanced MDR or whatever, conform more to what I considered to be now evolving as, as a, as a solid SOC as a service, um, model. Okay.
Um, when I talk as an advisor to end user organizations, usually each organization is of the opinion that they're special, that they meet, they meet some, some, uh, adaption of the service that they need some additional services. Um, how well are these, uh, services designed to be a one size fits all? How good are they in adapting to individual, uh, end user organization requirements? Um, can they provide usually everything that is required or will it always be some kind of hybrid approach with some stuff being still done at
Home? Well, that's why I said it's very important for organizations to assess exactly what their needs are and then to look for the SOC as a service provider that fits their needs to the most because I came across some vendors that I spend quite a lot of time, uh, in the onboarding phase, uh, they'll spend, uh, I think the one organization I looked at spent an entire month with the, with the client go and really sought to, uh, tailor the service to the individual organization where others that are obviously offering at a lower cost point or kind of more generic, but, um, that's probably would be fine for organizations that are not high risk, who aren't kind of going to, um, who don't have such big it estates. So it's very much a question of, of understanding exactly what it is you need and then doing your market research to find out which providers meet those needs best, uh, because not all of them meet all needs if you know what I mean. So looking at the market compass, which is the, one of the ideas behind, behind our reports of market campuses to help people to navigate the market and, and kind of just see what offerings are that are out there. And if they have a look at the report, they can see that there are some that are better suited to different kinds of needs. Right. Right.
And, and maybe that is also the, the, a good point to really hint at that document. You've mentioned that you had to look at 10 of these, um, providers of these SOC as a service services. You provide this information as this market compass, it's available on our website, it's out now. So that really should be a jumpstart for those interested in that topic to get a first and a thorough picture of the market in general. And if there are any further questions, I think they can reach out to you or to me, or to KuppingerCole in general, to get more information on specific use cases on specific vendors. That was a very interesting starting point into this market, at least for me as I'm more the am guy and that's the cybersecurity guy, but I'm really interested in learning more around that topic. Is there anything else that you would like to, to provide as some, some guidance for those interested in that topic before we close down today?
Well, I'd just like to reiterate that, you know, it's important to understand what it is that you need. And, uh, just, I'd like to kind of maybe just go through the SOC as a service benefits. It's the main ones I'd say uninterrupted and comprehensive, centralized monitoring and analysis of enterprise systems for suspicious activities and that sort of fixed and predictable monthly or annual cost and monitoring is really the only way that you can address, uh, the risks across, uh, certainly a hybrid infrastructures, in my opinion, and its way of improved incident, response times and practices, uh, it, it brings faster detection out of security events, such as compromises and containment of threats. And it's a resolution of all alerts to get maximum value out of existing systems because it's pointless. If you've got all these alerts coming out of our out of security systems, but you can't deal with them and why get all the other moves to as a service model, it's a reduced cost and impact on the business of security incidents,
Right? So these benefits really sound too good to be true. So that is something that many organizations, um, should really look at when it comes to yeah. Improving their service on the one hand when it comes to security and on the other hand, getting more for the invested amount of money. So it's really, um, yeah. Um, best of both worlds. So it's really improving the quality and reducing the efforts required. That sounds really like a strong leap forward when it comes to cybersecurity.
Oh, I I'm going to watch this market with interest because certainly the organizations that I met along the way were, are, um, very interesting organizations and, uh, they're doing interesting stuff and bringing lots of new technologies to bear. I think that we're going to see a lot more specialization to cater for needs of particular market segments. There'll be a lot more automation. Um, we're going to see a lot more sore capabilities, um, and a lot more use of things like, um, machine learning and other AI technology.
That sounds really interesting. And it looks really like on the one hand, a mature market, but still an emerging and evolving market. And, uh, maybe now we should look at the individual and user organizations being more and more willing to use such a service and to hand over their security, um, assets, um, also to such a service. So thank you very much Warrick for sharing your insight from the most recent, um, market compass around, um, SOC as a service, looking forward to talk to you again soon about that topic, about different topics, uh, for the time being, thank you very much, mark.
Thank you. Bye-bye bye-bye
Hi Matthias. Good to be here. Great To have you and great to have you again in 2021. We want to cover a topic today. That is a new acronym yet another acronym it's called SOCaaS. Security operations center as a service sock as a service.
And that is hopefully something that is interesting to a large group of potential customers. I think it's important for those who don't have a soccer security operation center in general, maybe not even a proper it security organization, or maybe even not an it organization within their own organization. On the other hand, it might be interesting for organizations that do have that, that spent lots of money on that. Having education and teams and hardware and software and processes, and 24 by seven operations of such a security operations center, but to move one step backwards, the definition of warrior, what is a SOC AA? Yes,
Well, very basically, uh, SOC as a service solutions provide as a cloud-based service, all the benefits of a security operations center. So this is especially a support of a team of information security experts that monitors and analyzes security systems to provide sort of proactive and reactive cyber defense capabilities, but a sort of more detailed definition would be it's a type of managed security service. So that it's an it's important that it's cloud-based and that it's built on multi-tenant software's a service platforms and it goes beyond the offerings of traditional managed service security service providers, MSPs because lots of people argue that it's, it's kind of a marketing term and that it's been made up and, and that it doesn't really have a meaning, but it differs from, from, um, managed detection and response services and MSPs, um, because MSSP is typically monitor and manage things like, uh, intrusion detection, systems, firewalls, antivirus, and that kind of thing.
Uh, but psych is a service typically includes all of that plus a team of analysts to resolve every alert, uh, identify and analyze indicators of compromise and also analyze and respond to attacks, uh, to minimize the impact of security incidents. And at the same time, they help to optimize an organization's protection detection and response capabilities. And this is done through continual assessment and reporting, including guidance on security strategies and policies. So SOC as a service, therefore includes services that typically make up managed detection and response NDR solutions. And it can be considered, I think, as an evolution of both managed security services and NDR. So it's going beyond it's cloud-based and it covers all the it environments that we find in a modern enterprise. Okay,
Understood. So I'm focused first on a, the possibility that some organizations just have not the, the, the team and the qualification within their own team and the others who can save money. But I think that is by far not broadly thought enough. So I think there is much more benefit also available here. Um, maybe also in the area of consolidating existing services into, into one single managed platform or cloud based platform, is this a way to move forward as
Well? Uh, yes, I think so. And, uh, to your point, the thing that interests me about SOC as a service is that it caters the market caters to all different kinds of organizations. So I recently published a market compass on SOC as a service and of the 10 vendors that I looked at. And I guess there are about probably 30 to 40 vendors in the space, perhaps even more. Uh, but I, I looked at 10 and, uh, of those, some definitely catered to, to the smaller organizations that don't have in-house resources that are entirely reliant, uh, on, on an outside service. Uh, but it also caters for the upper end, uh, where this is now, uh, an add on or a complimentary to the in-house team. So it caters to a wide range. And when organizations are looking at choosing which SOC is a service that they should go for, uh, they should look at what their needs are. And so there are definitely some providers that cater for the upper end, uh, while the other ones who cater for the, for the lower end. So, you know, I think that's the, the question you're asking is, is kind of, is this all things to all people and, and definitely different providers do provide food for different segments of the market,
Right? When I think back to say five years ago, and I was talking to larger organizations and the more critical their business was, the worst the reaction was. And when I asked them, if they are willing to move their critical infrastructure, that critical systems into the cloud, move them into a software as a service or just platform or infrastructure as a service, they were quite hesitant. Now we're talking about moving the security processes, which is really at the core of any organizations or should be into the cloud. So things must have changed. So it's being hesitant, hasn't really changed. So that is a market segment. It's a growing market segment and organizations are choosing to do so, is this really the next trend for security?
Well, I think so. And simply because organizations are in a way being forced to go there to save costs and also to make things work. And, and I think the past sort of seven to eight months has been as being the accelerator. And we've seen, you know, in, in post COVID in the, in the post COVID era, people who were not even thinking about going to the cloud have gone to the cloud, it's, it's just accelerated that whole thing. Uh, we've also seen that in the whole area of digital transformation, that's also happens. I think, organizations that weren't comfortable with going to the cloud, weren't comfortable with homeworking, weren't comfortable with remote working are suddenly there and are having to make it work, uh, because of the way the world has changed. Right? So this
SOC as a service also reflects the general trend that we are moving to everything as a service of not only working from home, but working from anywhere but the office. So this is really more or less, also a more natural trend for these cloud first cloud native, um, organizations. Is that true or is it also for the traditional on-prem, um, seventies, it still available organization?
Yeah, look, uh, the, the, the thing with psych as a service is that a lot of the platforms are designed to be able to hook up to existing systems. So that's another one of the benefits of the SOC as a service is they, you can get more value out of your, your existing investments in security systems. Is that now, you know, a lot, I think one of the biggest drivers for this market is that organizations are suffering from alert, fatigue. They can't cope with the volume of alerts coming out of their security systems. Uh, they don't, they don't have the experience or the people to, to actually look at each alert and, and decide whether it's it's, you know, we know a prime example of this was the target case yet in United States. Um, they, they were alerted to the fact that the, they had been breached, but the alert was missed because it was one of millions of bats and, you know, human beings just can't cope with that, but you, especially when the teams are constrained.
So I think that's why a soccer's a services is good because it not only covers the cloud side of things and, and the OT and some at some organizations and are putting a focus on the operational technology, OT and, uh, internet of things, IOT. So it's covering those organizations. They've got a mix of legacy on prem stuff, as well as in the cloud. And so it's catering for all those markets, but it's, it's, it means they have one single place where they can consolidate, uh, all the risks. And, and I think, uh, psych as a service is, you know, one of the things that they can provide that SOC as a service is the only way most organizations are able to consolidate all their security threats, tools and systems into a single point of control and address and resolve alerts and monitor and respond to all the indicators and potential compromise. Okay.
So, um, when you're saying they provide these services, they consolidate that into one single platform. What would be the typical FA capabilities functionalities that would be included typically in such an offering? Um, I assume it would be of course, monitoring. It would be threat detection. Uh, what else is included in a package when I go to such a security, um, provider and look at their offerings,
It varies widely. And as I said, from the most basic packages through to very complex ones, so, uh, some of the providers are providing it under their MDR services and, and it it's everything under the sun, uh, that you can, you can imagine. Um, so if you think of a software provider like IBM, they're able to do the full range of, of response. Um, but their, their target market is the upper end of the market. They're very much are looking to provide their, their SOC as a service as a, as a, as, um, a complimentary to an existing one organization rather than taking over all the operations. So it's, it's to give organizations the, the breadth to be able to cover everything, to cover their whole, uh, it estate. And also then to kind of have a lot of this stuff automated so that the in-house analysts only having to deal with a very small, uh, part, part of that. Whereas on the lower end, um, it's, it's offering kind of, as I said earlier, it, it typically includes all the stuff that, that, um, managed detection and response solutions have, but then it's also helping them to, uh, assess their, um, defense capability and, and improve that. It's the continuous improvement side of it. That that kind of, I think is one of the things that sets psych as a service apart from just, uh, an MDR offering, you've mentioned
IBM as a potential vendor that can be looked at in general, this market. Is it a mature market? I don't ask if IBM is mature, but are there different types of vendors, startups, smaller companies, organizations that really started their business with this SOC as a service. And, and how, how does this market segment in general look like when it comes to coverage by vendors?
Well, the, the more mature, uh, end of things, I started way back in the early two thousands. So we can trace back to, to, you know, 2000, uh, the early two thousands and, and say, look, these were the beginnings of a SOC as a service where you're providing this, um, team, uh, to, to monitor, analyze and help protect an organization, but you're providing it as a service. But I think really in the last six years, we've seen a consolidation of the market. We've seen a greater use of the term SOC as a service. Um, cause as I said at the beginning, some people dismiss it as a marketing term, but it it's gaining traction, uh, particularly in Europe, apparently more than the United States, uh, in European RFPs, it's appearing more and more. Um, but the services that you're all finding that are called MDR or advanced MDR or whatever, conform more to what I considered to be now evolving as, as a, as a solid SOC as a service, um, model. Okay.
Um, when I talk as an advisor to end user organizations, usually each organization is of the opinion that they're special, that they meet, they meet some, some, uh, adaption of the service that they need some additional services. Um, how well are these, uh, services designed to be a one size fits all? How good are they in adapting to individual, uh, end user organization requirements? Um, can they provide usually everything that is required or will it always be some kind of hybrid approach with some stuff being still done at
Home? Well, that's why I said it's very important for organizations to assess exactly what their needs are and then to look for the SOC as a service provider that fits their needs to the most because I came across some vendors that I spend quite a lot of time, uh, in the onboarding phase, uh, they'll spend, uh, I think the one organization I looked at spent an entire month with the, with the client go and really sought to, uh, tailor the service to the individual organization where others that are obviously offering at a lower cost point or kind of more generic, but, um, that's probably would be fine for organizations that are not high risk, who aren't kind of going to, um, who don't have such big it estates. So it's very much a question of, of understanding exactly what it is you need and then doing your market research to find out which providers meet those needs best, uh, because not all of them meet all needs if you know what I mean. So looking at the market compass, which is the, one of the ideas behind, behind our reports of market campuses to help people to navigate the market and, and kind of just see what offerings are that are out there. And if they have a look at the report, they can see that there are some that are better suited to different kinds of needs. Right. Right.
And, and maybe that is also the, the, a good point to really hint at that document. You've mentioned that you had to look at 10 of these, um, providers of these SOC as a service services. You provide this information as this market compass, it's available on our website, it's out now. So that really should be a jumpstart for those interested in that topic to get a first and a thorough picture of the market in general. And if there are any further questions, I think they can reach out to you or to me, or to KuppingerCole in general, to get more information on specific use cases on specific vendors. That was a very interesting starting point into this market, at least for me as I'm more the am guy and that's the cybersecurity guy, but I'm really interested in learning more around that topic. Is there anything else that you would like to, to provide as some, some guidance for those interested in that topic before we close down today?
Well, I'd just like to reiterate that, you know, it's important to understand what it is that you need. And, uh, just, I'd like to kind of maybe just go through the SOC as a service benefits. It's the main ones I'd say uninterrupted and comprehensive, centralized monitoring and analysis of enterprise systems for suspicious activities and that sort of fixed and predictable monthly or annual cost and monitoring is really the only way that you can address, uh, the risks across, uh, certainly a hybrid infrastructures, in my opinion, and its way of improved incident, response times and practices, uh, it, it brings faster detection out of security events, such as compromises and containment of threats. And it's a resolution of all alerts to get maximum value out of existing systems because it's pointless. If you've got all these alerts coming out of our out of security systems, but you can't deal with them and why get all the other moves to as a service model, it's a reduced cost and impact on the business of security incidents,
Right? So these benefits really sound too good to be true. So that is something that many organizations, um, should really look at when it comes to yeah. Improving their service on the one hand when it comes to security and on the other hand, getting more for the invested amount of money. So it's really, um, yeah. Um, best of both worlds. So it's really improving the quality and reducing the efforts required. That sounds really like a strong leap forward when it comes to cybersecurity.
Oh, I I'm going to watch this market with interest because certainly the organizations that I met along the way were, are, um, very interesting organizations and, uh, they're doing interesting stuff and bringing lots of new technologies to bear. I think that we're going to see a lot more specialization to cater for needs of particular market segments. There'll be a lot more automation. Um, we're going to see a lot more sore capabilities, um, and a lot more use of things like, um, machine learning and other AI technology.
That sounds really interesting. And it looks really like on the one hand, a mature market, but still an emerging and evolving market. And, uh, maybe now we should look at the individual and user organizations being more and more willing to use such a service and to hand over their security, um, assets, um, also to such a service. So thank you very much Warrick for sharing your insight from the most recent, um, market compass around, um, SOC as a service, looking forward to talk to you again soon about that topic, about different topics, uh, for the time being, thank you very much, mark.
Thank you. Bye-bye bye-bye
Video Links
Stay Connected
Related Videos
How can we help you