
WHITE PAPER: SEVEN STEPS FOR MSPS TO EXTEND NOC INTO SOC CAPABILITIES

WHITE PAPER

Seven Steps for MSPs to Extend NOC into SOC Capabilities

The high-growth world of security services offers managed service providers a tremendous business
opportunity. Businesses struggle to keep up with the heavy influx of attacks and threats barraging their
IT systems. They’re usually willing to pay a premium to reliable and knowledgeable partners capable of
providing insight and action against the threats they face. Customers intuitively understand that security
service providers typically have more wherewithal as an industry specialist to recruit and maintain a team
of quality analysts focused solely on security who can keep up with the fast-paced changes the bad guys
make in their tactics, techniques and procedures.

This is why security offers such a profitable pivot for traditional IT service providers. Contrasted against
the increasingly commoditized world of general IT services, security stands as a high-value business with
tremendous growth potential. Even better, many mature service providers already have a head-start on
building the infrastructure necessary to support a robust security service offering.

Just as a Network Operation Center (NOC) stands as an architectural hub for many of the traditional
offerings a service provider presents to the market, a fully functional Security Operations Center (SOC)
powers the underpinnings of successful security services. And the good news is that much of the existing
infrastructure already sitting in the NOC can be leveraged in a high-performance SOC. Many of the tools,
monitoring capabilities, and data used by the NOC feed into successful security monitoring by SOC
analysts. Nevertheless, significant differences remain between the overall skillset and tools
required to operate a SOC compared to a NOC, which means even the most experienced service providers
must plan carefully to navigate the transition successfully.

With focused investment, a good go-to-market strategy, and sensible recruiting, existing MSPs can
successfully extend their NOC into a SOC and make the jump into high-value security services. Here are
seven steps to help you get started.

©2019 AlienVault, AlienApp, AlienApps, AlienVault OSSIM, Open Threat Exchange, OTX, OTX Endpoint Security, Unified Security Management, USM, USM Anywhere, USM Appliance, and USM Central, are trademarks of AlienVault and/or its affiliates. Other names may be trademarks of their respective owners.

Decide On Your SOC Service Model


Before investing in additional SOC capabilities, it’s crucial to decide the type of security services the SOC
will be supporting. Is it an extension of existing MSP services? Or is it its own unique MSSP service?

If it is the latter, will your organization offer the typical security monitoring services most MSSPs provide? Or
will you be fulfilling the response function for the customer in the kind of end-to-end offering that analysts
describe as a managed detection and response service? The difference between the two is akin to a
physical security company providing security cameras versus security guards in a building. One watches
over the asset and alerts the customer to problems, the other watches and responds to intruders.

Answering these questions from the outset will help a service provider determine the level of staffing,
training and investment necessary to extend NOC into SOC operations. The type of service planned for
rollout may also help an organization decide how intertwined the SOC and NOC functions will be. The
service model should dictate whether resources are shared or whether certain internal firewalls need to be
set up to better segment the business functions. For example, if two separate services are established it
may be important to segment the business functions logically and even physically.

Whatever direction business leaders decide to take their security service extension, it is crucial to be crystal
clear with customers and explain exactly what you’re offering—particularly if it is a new service that will not
be an upgrade included in existing price structures.

Planning for 24x7 Operations


Service provider leaders must understand that SOC-led services are a different animal than NOC in a
number of critical aspects. Most crucially, customer expectations of SOC-led security services are ratcheted
up compared to NOC-led services.

Unlike for NOC, the market standard for SOC functionality is 24x7 support. According to a recent survey by
CyberSecurity Insiders¹, 24x7 support was the number one factor for choosing an MSSP, named by 61% of
respondents as their top selection criterion.

¹ Managed Security Report, page 13.



Service providers that come from a world of 8x5 NOC operations must recognize that the decision to move
into a 24x7 security service model should not be taken lightly. It requires much thought and consideration
about factors such as the number of staff required, seamless staffing models, shift schedules, overlap
redundancy, and other factors like dealing with the cybersecurity skills gap. Leaders extending their NOC
into a SOC must understand that it could take several months to fully staff a 24x7 SOC and establish a
functioning, always-available analyst team.

Service providers must also understand that selling security services before building out SOC
capabilities is not feasible in the way it is when ramping up NOC service offerings, because of the high
degree of staff training and experience needed to deliver security services. Customers of security services
also have a very slim tolerance for failure and will not look past early slip-ups the way they might during
the early development of a NOC service.

The lesson is to not expand marketing and promises on SOC-led services until investments have been
made and the staffing and processes are in place for a seamless service. Before investments are made,
stakeholders should understand that the commitment to getting things right directly out of the gate means
that the service will likely need to operate in the red for a while until the sales team can build up the
customer base. Because heavy early investments need to be made, it is crucial to right-size pricing to the
level of service offered.

Given that you must invest early and may not recoup that investment as quickly as you would with other
service offerings, you should carefully weigh the long-term payoff of higher-margin security services
against your short-term cash flow needs. If you can make the investment, the result will be better output
and value for your customers, and a more profitable business for you.

Establish a Recruiting and Retention Strategy

Staffing is another area where the differences between SOC and NOC are most acutely felt.

Running a SOC requires a more intensive skillset from analysts and a different approach to handling
incidents. Security analysts need to understand all of the basic concepts that a NOC analyst does when
it comes to how network traffic normally flows and how a packet traverses a network.
But they also must bring a greater depth of knowledge about tracking stealthy adversaries, responding to
threats, and answering the ‘Why?’ behind an incident rather than just understanding how it occurred.

The good news is that there are ways to jumpstart the recruiting process. For example, an established
managed service provider can use the NOC as a feeder program for security analysts. Investing in
recruitment of one or two security rock stars to lead the team and develop security expertise among the
existing network analysts can bring the added benefit of building out a staff that already has intimate
knowledge of your corporate culture and processes. And, this provides a new career development path for
your NOC analysts.

However your organization recruits its security analysts, don’t forget to similarly invest in retention efforts.
The security skills shortage is a very real concern and it will take sustained effort to maintain the team once
it is put into place.


Formalized Processes and Documentation


One of the most important early steps a service provider can take to extend into SOC functionality is
establishing a formalized SOC operations playbook. In some ways the need for formal processes is no
different from what’s required of the NOC, but as described above, the stakes are higher for a SOC.

Developing repeatable processes is paramount to establishing a sustainable SOC function. It’s the
difference between success and failure.

From the outset, the SOC team should be running with a set of formalized processes that dictate how to
run alert investigations, how to respond to specific types of incidents, how different roles operate within the
SOC on a daily basis and so on. When first extending into SOC services, a provider should be focused on
documenting all of these procedures. Additionally, the organization should have a process in place to evolve
and expand documentation to capture new learnings. SOC leaders should hold regular meetings to update
and improve process documentation for the sake of continual improvement.

This ensures repeatability, as well as sustainability in a highly competitive security job market that will likely
be impacted by turnover as people move in and out of roles. A standardized set of operations makes it
easier to onboard new analysts when dealing with a fluid team.

What’s more, customers also appreciate the predictability of service in how incidents are handled.

Seek an Integrated Approach to Tooling


Along with people and processes, you will also need to consider the tools needed to operate your SOC. As
a provider extending a SOC, remember that platforms and integration are crucial to getting the most out of
network and security monitoring data.

The security world is full of point products that offer one or two interesting capabilities, but which can be
a nightmare for an analyst to handle if they don’t sync up with each other or with the data flowing out from
NOC tooling. The fact is that too many point products can severely impede smooth SOC operations. The
more time analysts spend switching between different dashboards, or normalizing and exporting data
between tools, the less time they’re spending on actually hunting threats.

When extending into a SOC, a mature service provider should be working to identify where NOC data and
integrations can help enhance security operations functionality. This not only reduces the heavy lifting of
starting up a new SOC, it also arms SOC analysts with valuable data from the NOC for the most effective
handling of incidents. More importantly, though, organizations spinning up a new SOC should look for a
security toolset that provides integrated security capabilities (IDS, Vulnerability Scanning, SIEM, Threat
Intelligence) in one dashboard so your analysts have one centralized view of the data they need to detect
and respond to incidents.

Prepare for Tuning


Both NOC and SOC toolsets require tuning and customization to get the best performance and actionable
intelligence from the platforms. But SOC tools typically require more sustained tuning as environmental
variables change within an organization and the threat landscape evolves. This means that tuning is an
ongoing effort that must be kept up with, not a one-time setup task.


It’s essential for service providers to recognize this early on to get the most out of their existing tools, to
make the right vendor selection, and to get resources in place to deploy and run them.

Service providers should consider the following success factors when it comes to effective security tool
tuning:

›› Using some early external help from consultants if the team is still ramping up internal security expertise;
›› Potentially hiring/recruiting some internal security rock stars to maintain effective tuning long-term; and
›› Seeking vendors that simplify the tuning process by providing up-to-date threat intelligence and
correlation rules on an on-going basis.

Centralized Approach to Communication


Finally, as you prepare to launch your SOC function, consider creating a centralized approach to
communication to run incidents over their lifecycle. Many MSSPs experience success by establishing a
central team that handles any request from the NOC or customers, essentially routing incident information
between external parties and internal security analysts.

By nominating team members to act as quarterbacks for the SOC, you’ll limit the amount of interruptions the
analysts will face due to external requests. This allows them to perform an investigation in a timely fashion,
streamlines workflows, and ensures they’re focused on investigations rather than administrative work.

Additionally, this centralized team provides a good way to train future SOC analysts, as the quarterback
sees many different scenarios play out over time.

Summary

While making the jump from NOC services to SOC services is one that requires careful thought and
planning, the long-term return for your business can be worth the effort. The tips covered above will help
you with your planning process and help you avoid mis-steps along the way.

We’d like to acknowledge Timothy Foley, CISSP, CISM, CRISC, GSTRT and Director of Information Security at
Dataprise, for his contributions to this whitepaper.

More information about how you can extend your NOC into a SOC with AlienVault®:

›› AlienVault Managed Security Services Program Information
›› Accelerate Managed Service Services Offerings with AlienVault Unified Security Management
›› AlienVault Buyer’s Guide for MSSPs

AlienVault®, an AT&T Company, has simplified the way organizations detect and respond to today’s ever evolving threat
landscape. Our phenomenal and award-winning approach, trusted by thousands of customers, combines the essential security
controls of our all-in-one platform, AlienVault Unified Security Management®, with the power of AlienVault’s Open Threat
Exchange®, the world’s largest crowd-sourced threat intelligence community, making effective and affordable threat detection
attainable for resource constrained IT teams.
