We are calling a tender for a Managed SOC & drafting requirements.
Can anyone point me to samples or share the requirements normally expected
of vendors for such a Managed SOC?
Besides piping firewalls, network devices, servers, UEBA events to
them for correlation, is it common to pipe originating IP addresses
of incoming emails (eg: O365) to them to check against blacklists?
I felt O365 antispam & antiphish & anti-malware protection is
We have EDR in place but were told that to do MDR (Managed Detection
& Response) we must go back to the same EDR vendor (Trend Micro,
to be specific), but TM doesn't do managed SOC, only MDR.
We don't want fragmented service providers ie one for managed
SOC & another for MDR.
Also, can we include a requirement such that we do away with our
current Defacement vendor (it's a Telco) & the managed SOC uses
their own tool to manage our URLs (e.g. using 'wget' or 'curl' to
download our web pages' contents & compare them against a baseline)?
Or is this a function specific to a Defacement vendor only, which a SOC
doesn't normally perform?
What certifications are required of such vendors, e.g. ISO 27001/2,
must use certain encryption, ...?
I guess we can specify 'hot', 'warm' & 'cold/archive' tiers for the events,
for us to access via a dashboard? Can we specify that the 'hot'
events must be on SSD, 'warm' on fiber storage & 'cold' on
SATA (or, usually, tapes) if this vendor operates in the cloud?
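The wget/curl-and-compare defacement check described in the question, written out as an added example (not part of the original post, and not any vendor's tool): fetch the page, strip the fragments that legitimately change on every request, hash what remains, and compare with a stored baseline. The volatile patterns, the fetch helper's User-Agent string and the sample HTML are all assumptions constructed for the example; a real deployment derives its own pattern list from a few reference fetches, because a naive byte-for-byte compare alerts on every CSRF token rotation.

```python
"""Baseline-compare defacement check (added example, not from the post).

Fetches a page, replaces content that legitimately changes on every request
(CSRF tokens, nonces, render timestamps) with fixed placeholders, hashes the
result and compares it with a stored baseline. A mismatch is reported with a
unified diff so the analyst sees what changed, not just "hash differs".
"""
import difflib
import hashlib
import re
import urllib.request
from dataclasses import dataclass, field

# Assumption: these are the dynamic fragments on the monitored site. Each
# deployment has to build its own list from a few reference fetches.
VOLATILE = [
    (re.compile(r'(name="csrf_token"\s+value=")[^"]*(")'), r"\1VOLATILE\2"),
    (re.compile(r'(nonce=")[^"]*(")'), r"\1VOLATILE\2"),
    (re.compile(r"<!--\s*rendered at[^>]*-->"), "<!-- rendered at VOLATILE -->"),
]


def normalize(html: str) -> list[str]:
    """Page as stripped, non-empty lines with volatile fragments masked."""
    for pattern, replacement in VOLATILE:
        html = pattern.sub(replacement, html)
    return [line.strip() for line in html.splitlines() if line.strip()]


def fingerprint(html: str) -> str:
    """SHA-256 over the normalized page; this is what gets stored as the baseline."""
    return hashlib.sha256("\n".join(normalize(html)).encode("utf-8")).hexdigest()


@dataclass
class CheckResult:
    changed: bool
    current_fingerprint: str
    diff: list[str] = field(default_factory=list)


def check_page(current_html: str, baseline_html: str) -> CheckResult:
    """Compare a fresh fetch against the baseline copy of the same URL."""
    current_fp = fingerprint(current_html)
    if current_fp == fingerprint(baseline_html):
        return CheckResult(changed=False, current_fingerprint=current_fp)
    diff = list(difflib.unified_diff(normalize(baseline_html), normalize(current_html),
                                     fromfile="baseline", tofile="current", lineterm=""))
    return CheckResult(changed=True, current_fingerprint=current_fp, diff=diff)


def fetch(url: str, timeout: float = 10.0) -> str:
    """The wget/curl step: fetch the live page. Not exercised by the sample below."""
    req = urllib.request.Request(url, headers={"User-Agent": "defacement-monitor/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, errors="replace")


# Constructed sample pages (not real site content).
BASELINE = """<html><head><title>Example Corp</title>
<script nonce="a1b2c3">init();</script></head>
<body><!-- rendered at 2024-01-01T00:00:00Z -->
<form><input type="hidden" name="csrf_token" value="tok-111"></form>
<h1>Welcome to Example Corp</h1></body></html>"""

# The same page on a later fetch: only the volatile fragments differ.
RELOADED = (BASELINE.replace("a1b2c3", "z9y8x7")
                    .replace("tok-111", "tok-222")
                    .replace("2024-01-01T00:00:00Z", "2024-06-01T12:34:56Z"))

# Defaced: heading replaced and an external script injected.
DEFACED = RELOADED.replace(
    "<h1>Welcome to Example Corp</h1>",
    '<h1>HACKED</h1><script src="http://bad.example/x.js"></script>')

if __name__ == "__main__":
    reload_result = check_page(RELOADED, BASELINE)
    print("reload changed:", reload_result.changed)    # False: volatile parts masked
    defaced_result = check_page(DEFACED, BASELINE)
    print("defaced changed:", defaced_result.changed)  # True
    print("\n".join(defaced_result.diff))
```

In production the scheduler calls `fetch()` for each monitored URL and feeds the result to `check_page()` against the baseline taken at the last approved release; the baseline must be re-captured on every legitimate deployment or the check will page on the first content update. Pages with personalised or geo-varied content, or served through a CDN that rewrites markup, need either a longer volatile list or a check restricted to a stable region of the page, and the fetch should run from outside the perimeter so it sees what a visitor sees.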