We agree with the advice in recent channel articles stating that every organization, regardless of size, should have a Security Operations Center (SOC) to help it detect and respond to threats. We disagree with the premise that “a SOC can be a single person” or that it should be a service provided directly by the staff of the MSP. Why?
- The SOC needs to provide 24/7/365 coverage to be effective. Recent threats like the Kaseya vulnerability and the log4j exploits were triggered right as organizations headed into holiday weekends.
- No one person has the depth and breadth of experience needed to detect threats, validate whether they are credible, and make appropriate recommendations on addressing them. It’s improbable that the proper experience and expertise are employed within the organization or on the staff of most MSPs. Even if such a unicorn staff member exists, one person cannot cover 24/7/365 and would almost certainly have other IT responsibilities.
- Separation of Duties is in the best interest of the client. The entity that recommends, implements, and supports solutions should not be the same one that assesses or audits them. In the case of a cyber incident, an independent forensics team should always be brought in to assist with recovery, confirm whether the existing solutions are appropriate, and determine whether anything could and should be done differently to better prevent incidents in the future.
Does this mean that clients have to go outside of their current MSP for a SOC, or that MSPs should not be providing SOC services? No. Our ProVision solution allows MSPs to use Foresite’s SOC services to help organizations of all sizes protect themselves while providing Separation of Duties for their clients.