Services play an important role in IT security - after all, many companies are simply not in a position to ensure security without external support. At it-sa Expo&Congress, many providers presented outsourcing solutions through to SOC-as-a-Service (SOCaaS). The individual providers focus on different aspects.
Developments in cybercrime require adapted responses. Defence against attacks is becoming increasingly complex and costly. However, there are financial limits to the permanent upgrading of security areas, which is why companies often react by outsourcing. In particular, cost-intensive areas such as the operation of an in-house Security Operations Centre (SOC) can be taken over by external providers, and numerous service offerings were presented at the it-sa Expo&Congress.
The German Federal Criminal Police Office (BKA) reports a significant increase in cybercrime of around a third compared to the previous year. "Cybercrime is characterised by an underground economy that now offers its criminal services on an industrial scale," says the BKA's annual report. The BKA adds that the 'cybercrime-as-a-service' business model remains of central importance and is subject to further professionalisation.
The background to this development is that the complexity of attacks is constantly increasing and attackers are specialising in certain areas. This makes it easier for attacks to be successful. For example, while some infiltrate systems, others then search for usable data.
More success through division of labour
This means that the effort required by companies to defend against attacks and secure their IT systems is constantly increasing. Smaller companies in particular are often unable to cope with this, as they do not have sufficient staff to deal with the issue or the existing IT staff are unable to cope with the additional security tasks. In addition, specialised staff are difficult to find and expensive. This is why more and more areas are being covered by service providers. The security industry is responding to this. As this year's it-sa Expo&Congress recently showed, the field of Security-as-a-Service (SECaaS) or Managed Security Service has expanded considerably. New offerings have been added, for example SOC-as-a-Service (SOCaaS).
Operating your own SOC is very expensive and usually only something for larger companies. Normally, work is carried out in shifts around the clock. Sufficiently qualified specialist staff are therefore required. However, the importance of a Security Operations Centre (SOC) should not be underestimated: It serves as a tactical control centre where all security data comes together. It should have an up-to-date overview of the company's security situation at all times.
Trend: SOC-as-a-Service (SOCaaS)
Security providers in this field operate a single SOC for as many customers as possible. This allows them to minimise the cost of personnel requirements. At the same time, they use a variety of tools to achieve a high degree of automation. A number of new offerings have recently come onto the market. It is not easy for customers to get an overview. It is difficult enough to find the right criteria for a selection in the first place, as these are not the same for every company, explains Stefan Strobel, CEO and founder of German security specialist cirosec. When selecting a SOCaaS solution, he advises: "Customers should make sure that the architecture model matches their own IT landscape." An important criterion is the software used in the company, such as endpoint detection and response (EDR). Strobel explains: "If you use Microsoft Defender as an EDR, for example, then you already have security data in the Microsoft cloud, so it makes sense to use Microsoft Sentinel". Sentinel is based on a cloud-based SIEM (Security Information and Event Management) that collects and aggregates log data from the company's IT, generates alarms from this in the event of an emergency and initiates and coordinates measures. This generates large amounts of data, which is often analysed using AI. "Many SOCaaS providers have based their offering on Microsoft Sentinel," says Strobel.
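To make the SIEM role described above concrete, here is an added illustration (not Sentinel's code, nor code from any provider named in this article) of what "collect, aggregate, generate alarms" looks like at its smallest: log lines from two different sources are normalised into one schema, and a correlation rule raises an alert only when the combined picture is suspicious. The log lines, field names, thresholds and the "suspicious_process" EDR event are all constructed for the example.

```python
"""Toy SIEM-style pipeline: normalise events from two log sources into one
schema, then correlate them into an alert.

Added illustration only; this is not Sentinel's code. Rule logic, field
names and sample lines are constructed for the example.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: syslog-style sshd lines and JSON lines from a
# hypothetical EDR agent, interleaved as a SIEM would receive them.
SAMPLE_LOGS = [
    "2024-10-22T08:00:01Z sshd[1201]: Failed password for alice from 203.0.113.7",
    "2024-10-22T08:00:03Z sshd[1201]: Failed password for alice from 203.0.113.7",
    "2024-10-22T08:00:05Z sshd[1201]: Failed password for alice from 203.0.113.7",
    "2024-10-22T08:00:09Z sshd[1201]: Accepted password for alice from 203.0.113.7",
    '{"time": "2024-10-22T08:02:10Z", "user": "alice", "host": "srv-01", '
    '"event": "suspicious_process"}',
    "2024-10-22T08:00:30Z sshd[1201]: Failed password for bob from 198.51.100.4",
    "2024-10-22T08:01:00Z sshd[1201]: Accepted password for bob from 198.51.100.4",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalise(line):
    """Map one raw line from either source onto the common event schema."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "source": "sshd", "user": m["user"],
                "src": m["src"],
                "outcome": "failure" if m["result"] == "Failed" else "success"}
    if line.startswith("{"):
        d = json.loads(line)
        return {"ts": parse_ts(d["time"]), "source": "edr", "user": d["user"],
                "src": d["host"], "outcome": d["event"]}
    return None  # unknown format: a real SIEM would count/quarantine these


WINDOW = timedelta(seconds=60)    # failed logins must fall within this window
THRESHOLD = 3                     # ... and there must be at least this many
FOLLOW_UP = timedelta(minutes=5)  # EDR signal this soon after login escalates


def correlate(events):
    """Alert on a burst of failed logins followed by a success for the same
    (user, source) pair. A suspicious EDR event for that user shortly after
    the login raises the alert's severity, combining the two sources."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
        elif ev["outcome"] == "success":
            recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
            if len(recent) >= THRESHOLD:
                alerts.append({"user": ev["user"], "src": ev["src"],
                               "failures": len(recent), "severity": "medium",
                               "at": ev["ts"]})
        elif ev["source"] == "edr" and ev["outcome"] == "suspicious_process":
            for alert in alerts:
                delta = ev["ts"] - alert["at"]
                if alert["user"] == ev["user"] and timedelta(0) <= delta <= FOLLOW_UP:
                    alert["severity"] = "high"
    return alerts


def run(lines):
    """Full pipeline: parse every line, drop unparsable ones, correlate."""
    events = [e for e in map(normalise, lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Running it yields a single alert for alice: three failures inside the window followed by a success gives a medium-severity alert, and the EDR event two minutes later lifts it to high. Bob's single failure produces nothing. The point of the normalisation step is the one Strobel makes above: whether a source is already in the platform's schema or needs a connector decides how much of this work the customer inherits.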
One of these providers is Getronics, for example. Their offering is based on Sentinel and is available in various expansion stages. This ranges all the way to taking over all security activities. "Many customers don't have any staff and are happy for us to do everything; others just need help with creating concepts, for example," explains Gerald Eid, Regional Managing Director DACH (D: Germany, A: Austria, CH: Switzerland) at Getronics. The provider also works with partners who can intervene on site. Eid adds: "There are customers who only get in touch when something has happened," in which case incident response specialists are needed who know how to react to emergencies. Eid continues: "We have the capacity to respond quickly at any time; we have a team of experts who can go into a company immediately."
The US provider BlueVoyant takes a similar approach. Customers can use various EDR and SIEM solutions whose data converge in Sentinel. Everything that "delivers data to the MS Azure or AWS cloud" can be monitored, explains Markus Auer, Sales Manager for the DACH region. For everything else, connectors are needed to deliver data to Sentinel. "BlueVoyant also builds its own connectors," explains Auer. Although the company specialises in monitoring the evaluations in Sentinel and carrying out the necessary reactions, this does not have to be done exclusively: "We follow a 'shared model', which means that the customer can also access Sentinel and intervene," explains Auer. The division of tasks can be defined granularly, "to the extent that only normal admins are required on site, but no security specialists," he adds.
Microsoft and Google provide the basis
An alternative to Microsoft's Sentinel is Chronicle, a comparable security platform from Google. The German provider Indevis works with this platform. It was originally only used by Google for its own cloud until the decision was made to create an offering for customers. "Chronicle's features include high storage capacity and fast searches as well as long-term data retention, so that analyses of security incidents can reach far into the past," emphasises Wolfgang Kurz, founder and until recently also Managing Director of Indevis. Google structures the log data for analyses and offers tools for evaluation. Indevis can also take care of patch management, firewalls, end device protection and the like.
The company Spacenet offers a comparable service. It also relies on Google's Chronicle, but has its origins in the colocation and hosting sector. The company is therefore familiar with interfaces between internal and external data flows. "External data traffic to and from the customer runs via Spacenet for monitoring purposes, where security measures are in place and the customer's firewalls are operated," explains Ingo Lalla, Spacenet's Chief Sales and Marketing Officer. The offering is supplemented, for example, by ransomware protection based on secure snapshots. "This also recognises attempts to overwrite files with encrypted variations," explains Lalla. Many of the company's customers come from the public transport sector in Germany, including the Munich Transport Association (MVV), but also the Bavarian radio station Antenne Bayern.
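The article does not say how Spacenet's snapshot-based protection detects encrypted overwrites. One common way to do it, shown here as an added illustration and not as Spacenet's product code, is to compare each changed file against its snapshot version by byte entropy: plaintext documents sit well below 8 bits per byte, while ciphertext sits close to it. The snapshot is modelled as an in-memory mapping of path to bytes, and the thresholds and sample files are assumptions constructed for the example.

```python
"""Snapshot-based detection of files overwritten with encrypted content.

Added illustration, not Spacenet's code. The snapshot is modelled as a
dict of path -> bytes; thresholds and sample data are assumptions.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_encrypted_overwrites(snapshot, current, high=7.0, jump=2.0):
    """Return paths whose content changed since the snapshot and now looks
    encrypted: entropy at or above `high` AND at least `jump` bits above the
    snapshot version. The jump test is what the snapshot buys you: a file
    that was already dense (archive, image) is not flagged merely for being
    rewritten, which an absolute threshold alone would get wrong."""
    flagged = []
    for path, new_bytes in current.items():
        old_bytes = snapshot.get(path)
        if old_bytes is None or old_bytes == new_bytes:
            continue  # new file or unchanged: nothing to compare against
        old_e = shannon_entropy(old_bytes)
        new_e = shannon_entropy(new_bytes)
        if new_e >= high and new_e - old_e >= jump:
            flagged.append(path)
    return sorted(flagged)


# Constructed sample data (deterministic so the example is reproducible).
_rng = random.Random(1)
TEXT = b"Quarterly report: revenue up, costs flat.\n" * 100
ARCHIVE_V1 = bytes(_rng.randrange(256) for _ in range(4096))  # stands in for a zip
ARCHIVE_V2 = bytes(_rng.randrange(256) for _ in range(4096))  # the zip rebuilt
CIPHERTEXT = bytes(_rng.randrange(256) for _ in range(4096))  # stands in for an encrypted file

SNAPSHOT = {
    "docs/report.txt": TEXT,
    "docs/notes.txt": TEXT,
    "backup/archive.zip": ARCHIVE_V1,
}
CURRENT = {
    "docs/report.txt": CIPHERTEXT,                      # overwritten with ciphertext
    "docs/notes.txt": TEXT + b"Appendix added.\n",      # legitimate edit
    "backup/archive.zip": ARCHIVE_V2,                   # dense before and after
    "docs/new.txt": TEXT,                               # new file, no baseline
}

if __name__ == "__main__":
    print(detect_encrypted_overwrites(SNAPSHOT, CURRENT))
```

Only docs/report.txt is reported: its entropy jumps from roughly 4 bits per byte to almost 8, whereas the edited notes file stays low and the rebuilt archive was dense in both versions. In a real deployment the snapshot side would be read from an immutable storage snapshot rather than a dict, and the detection would feed the SOC's alerting rather than print a list.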
Secure network for full control
Aryaka, a US company from Silicon Valley that has its origins in the WAN sector, takes a completely different approach. "We provide secure, stable network performance, especially for customers with multiple locations or branches," explains Klaus Schwegler, Senior Director of Product Marketing at Aryaka. Over time, however, other requirements were added, such as the need to securely connect employees working from home or partners to the company network. This is not done via the Internet, but via a private, dedicated network in which the security analyses and measures are also implemented. In Europe, Aryaka has German telco Deutsche Telekom on board as a partner. Aryaka also manages the network components for customers. "Unlike our competitors, we have full control over the network because it runs over our own connections," notes Schwegler. He therefore refers to this solution as a "zero-trust WAN".
These examples show that many offerings have been designed in conjunction with other services. Other providers offer further SOCaaS solutions and more are likely to be added in the future. Increasing complexity and attacks are likely to ensure a rosy future for providers in the managed security service sector.
Author: Uwe Sievers