Enough federal government agencies are outsourcing security operations center (SOC) capabilities to off-site facilities that within the next few years dedicated, on-premise teams providing continuous support will be relegated to the back seat, a government security official said.
A combination of budget constraints and understaffed SOCs is pressuring agencies to “consider the reality” of centralizing security operations across the federal government, wrote Dan Jacobs, the General Services Administration’s (GSA) cybersecurity coordinator of the identity, credential and access management team, in a recent blog post. (Note #1: Earlier this summer Jacobs advocated for SOCaaS use in federal agencies in remarks at researcher Gartner’s 2018 security conference. His blog elaborates on the presentation.)
Enter SOC as a service (SOCaaS). “If agencies contract out security operations, they are using SOC as a service and can leverage this model to streamline security operations,” he said. (Note #2: Arctic Wolf Networks' AWN CyberSOC platform is an example of a SOCaaS model.)
SOC as a Service: Potential U.S. Government Approaches
There are two scenarios in which the feds could adopt a SOCaaS model, Jacobs said. In one script (which he called “probable”), a large Tier 1 SOC would provide 80 percent of security operations standardized across all agencies, with smaller Tier 2 and Tier 3 centers filling in the services not covered by the Tier 1 operation.
However, in another scenario (which Jacobs termed the “most likely outcome”), a Tier 1 SOC would provide a limited number of services common to all agencies while the Tier 2 and Tier 3 operations would deliver security services tailored to each agency’s specific needs.
Either way, under a centralized model a best of breed/larger organization would be the Tier 1 SOC provider. “In both cases, the goal is to combine the capabilities and services provided by a best of breed organization,” said Jacobs. Ultimately, the plan would be for the GSA to build out these services for purchase by the federal government. That outcome, however, is “years away from becoming reality,” he said.
SOC as a Service: Four Recommendations
Here are four of Jacobs’ recommendations for how the feds could adopt SOCaaS:
- Buy-in. The agency chief information officer, the chief information security officer and the executive board must be on board with mission and goals.
- Data. The more mature the processes, the easier it is to gather requirements that will drive better service management, risk/compliance posture and savings.
- Timelines. Create a realistic timeline to fully implement SOCaaS, including training execution, gap analysis, modelling, testing and evaluation.
- Benchmarks. Use due diligence and metrics/analysis to create a blueprint to meet agency goals. Connect with agencies who have already done this to learn and share best practices.
“Centralized security operational services, such as SOCaaS, are likely to become a reality over the next several years,” wrote Jacobs. “While some agencies already have capabilities and services to improve management of security operation, many have not yet started down this path.”
Examples of SOC as a Service
SOC as a Service is becoming increasingly popular in several industry sectors -- including the higher education market and the MSP-driven SMB sector. Examples include:
- Higher Education: Several Big 10 Universities have launched OmniSOC to protect participating universities from cyberattacks.
- MSP for SMB Sector: Arctic Wolf Networks promotes SOC as a Service to MSPs across the small and midsize business market, and the company has a fledgling relationship with ConnectWise to push deeper into the sector. Also, Continuum has built worldwide SOC services for SMB-focused MSPs, and master MSSPs like Infogressive could emerge as SOC providers, in some ways, to small business MSPs.
Additional insights from Joe Panettieri.