Partnering with a managed security operations center (SOC) can take your cybersecurity efforts to the next level.
In fact, 72% of businesses with a SOC call it an “essential” or “very important” component of their cybersecurity strategy.
Cybersecurity is an important consideration for every business, and managed SOC services take a comprehensive approach to protection.
If you’ve realized managed SOC services are right for you, the next decision you’ll need to make is what those services will look like.
Managed SOCs, including us at The KR Group, offer multiple tiers of service. One of the decisions you’ll need to make as a customer is which service level agreement (SLA) is right for your business.
What are your SLA options?
SLA refers to the level of service you expect from a vendor.
When it comes to managed SOC services, SLA is how soon you can expect to receive an alert from your provider on a security threat.
Along with real-time alerting (the timing of which is determined by the SLA you choose), you’ll also receive assistance responding to whatever triggered the alert.
Again, the time frame of this response depends on which SLA you pay for.
Generally, you’ll have two options to choose from when it comes to SLA from your managed SOC:
A. 2-hour SLA
As the name suggests, this means your managed SOC will notify you within two hours of an incident.
Your managed SOC may very well alert you sooner than that, but it doesn’t guarantee it.
B. 30-minute SLA
This SLA, on the other hand, guarantees your managed SOC will alert you within a half-hour of an incident.
If you want an expedited response time, the 30-minute SLA provides that.
When it comes to deciding which SLA is right for you, there are three comparisons you should consider:
- Risk mitigation
- Cost
- Internal requirements
You may find one or more of these resonate with your needs. They should help you determine which SLA is right for you.
Choosing an SLA based on risk mitigation
Regardless of which SLA you choose, you’re getting risk reduction recommendations in addition to alerts from your managed SOC.
A qualified security engineer is behind the scenes analyzing a suspicious event and deciding on the level of risk associated with the event.
When it comes to determining which SLA is right for you, you should consider how long you’re willing to wait to start handling a threat.
A. 2-hour SLA
With the 2-hour SLA, you aren’t guaranteed a response until 2 hours after your SIEM detects the threat.
Ideally, your managed SOC can respond much sooner, but it isn’t promised.
In general, we find 2 hours to be adequate time to respond to a threat. However, if you’re worried it isn’t enough, the 30-minute SLA provides an alternative.
B. 30-minute SLA
This prioritizes your environment and allows you to have a faster resolution to the security issue that triggered the alert in the first place.
Depending on the threat, the difference between 30 minutes and two hours can be enough to make a negative impact.
If you’re worried about how long it will take to start resolving the security threat, choosing the 30-minute SLA can provide you with that reassurance.
Choosing an SLA based on cost
The primary deciding factor for many businesses is the cost difference between the 30-minute and 2-hour SLAs.
SLA is only one of the components that go into determining how much you’ll pay for managed SOC services, but it is worth mentioning on its own.
A. 2-hour SLA
Think of 2-hour SLA as the standard for most managed SOC services. As such, it is the standard for cost.
The most basic agreement for managed SOC services is a 2-hour SLA with 1 month of alert storage.
You can choose different alert storage terms, and longer storage periods and different sensor options can increase your cost. However, with each option, the 2-hour SLA will remain the standard when it comes to response time.
In other words, choosing a 2-hour SLA doesn’t cost anything additional.
B. 30-minute SLA
This is the premium SLA option when it comes to managed SOC services, so it costs more than the 2-hour option.
It is also available with every other option that a managed SOC contract includes.
However, even this increase is minimal and is around $5 more per user.
Choosing an SLA based on internal requirements
Another reason you might weigh the two SLA options against each other is if you have internal standards or want to report to your customers what your SLA is.
While various compliance standards (HIPAA, NIST SP 800-171, GLBA, or PCI-DSS) don’t yet have any specific standards when it comes to security threat response time, many companies still consider these regulations when choosing their SLA time.
A. 2-hour SLA
As we stated before, a 2-hour response time is generally adequate for handling security threats within your environment.
It is still something worth boasting about and will cover you when it comes to meeting compliance measures.
B. 30-minute SLA
If you want to report to the compliance board or even your customers that you’re taking extra efforts to knock down security threats, a 30-minute SLA may be more appealing.
If you want the fastest response time available to be part of your narrative, this option will give that to you.
How to choose the right SLA for your business
It really boils down to what is best for your business.
If you’re looking for a more budget-friendly option and willing to wait a couple of hours for threat response, the 2-hour response time will work fine for your business.
On the other hand, if you want threats addressed sooner, are willing to pay a small amount more, and want to send the message that you’re addressing security threats as soon as possible, you’re probably looking at the 30-minute SLA.
Whichever option you choose, you can rest assured that someone is monitoring your network security and providing recommendations to address any issues. Overall, this means a stronger security posture for you.
If you need more help deciding which SLA or other managed SOC variable makes up the right contract for you, check out our article, “7 Questions Your Managed SOC Should Answer Before You Sign a Contract.”