Pitfalls to look out for when looking for SOC-as-a-Service companies
Introduction
I found that, with the 1001 options for "SOC as a Service" companies and "contract incident response", many client companies still don't understand why they would use them beyond ticking a compliance box. Some companies seem to keep them on retainer but refuse them any ability to act, only to notify, and that notification may or may not ever be dealt with. It's really strange when companies want to secure their data and do secure business using that data, but not actually do the work of securing it. I think it's the age-old adage in IT that "passing the buck" is the default, and only with training and awareness do people want to take responsibility for their own security.
Then, on the other side, these SOC-as-a-Service companies themselves don't always provide training, understanding, or really anything more than a templated write-up of the incident sent back to the company. That write-up may contain details and even actions around what needs to happen. Even when they do provide detailed write-ups and training, companies seem to lose track of how this benefits them.
So, for the small businesses that don't see a reason to plan and engage cyber security folks, maybe this little run-through will help. The run-through here is based partially on a real event that I was made aware of, though I wasn't directly involved; it is otherwise just an example case.
The example company here will be labeled "music store" in the discussion that follows.
Planning
Our company, music store, has just finished going over some details of secure transaction handling as part of our requirements for using our point-of-sale credit card system. The POS company encouraged all of our employees to take a standard awareness training course that discussed handling people's data with care. It also mentioned having a security operations center or cyber security staff to review and handle incidents should anything occur. Since we're a small company, it doesn't make a lot of sense for us to hire dedicated head count when we have just a few computers and our owner does most of the IT work.
We wound up calling around to different IT companies and found that one suggested going directly to a "SOC as a Service", which is where we found another company (which, for our purposes, we'll call SAAS-1). They helped us set up monitoring, logged in to configure tests, and seemed really professional. They also helped us write up a document for an IRP (incident response plan) to give to auditors.
Bad news
We then had a repeat customer come in very upset, accusing us of stealing his credit card number and selling his information online. We calmed him down and opened an issue ticket with SAAS-1. They asked us where the information would have been stored, who would have had it, all the expected questions. They came back to us saying they didn't have any evidence, in an email consisting of a full report of the incident and a one-line overview.
We, of course, went back to the customer and let him know the findings.
Contacted
Only a few weeks went by before we were contacted via email by SAAS-1 again, asking us if we were aware of usage of a computer after store hours. We weren't, so we went through the process of giving them access and letting them do their new investigation.
In this report the summary was the same: nothing really found. We didn't notice at the time, but in the details of the report they actually told us to go in and add additional monitoring to the specific system, which had to be done in person as it was not accessible remotely.
Worse news
The same day, we received a subpoena for information relating to the original incident with the customer. Apparently our handling of it may have been in direct violation of a law we didn't even know existed. We're just trying to sell music equipment; why would laws outside of trade laws actually apply to us?
When reviewing the details of the original case, we saw they'd also added a recommendations section and noted that failure to implement it might lead to a further incident.
So we called them and finally reached someone, just for them to basically say "you accepted our terms, which means you accepted responsibility for this." That seemed downright insane. So we reached out to another company (for our example case, SAAS-2), who suggested we get on a call and understand the current situation fully. During the call we went over our concerns, the legal notice, and the actions of the previous company. It was during this call that they informed us that, as a standard contract agreement for these companies, we should be ensuring that all reports are discussed in a "debriefing" call, and that anything impacting or legally concerning needs to be documented and a call scheduled as soon as possible when the concern arises. They discussed other general concerns, and at the end of it we decided we'd move vendors from SAAS-1 to SAAS-2.
Cleanup
Once we got SAAS-2 on board and through a few days of scanning, they reported that they had found several suspicious calls made by the software installed by SAAS-1, and that on doing some public information gathering, details had emerged of the company we'd used being a scam. So we got on the phone and discussed the findings, and during the call we could see, live, someone logging in using the tooling SAAS-1 had installed and setting up files on the system to run later in the night.
It was at this point they mentioned contacting the police regarding the situation, and they sent a representative to walk through the situation with the police. While the local police mentioned they didn't have the manpower to investigate, they could forward the case to FBI cybercrime investigations. SAAS-2 then helped us get information to our business lawyer regarding the case and helped remove traces of the bad software from our systems. We never heard anything further about the criminal investigation.
Recovery
We worked with them for about a month, ensuring that nothing was going on to suggest any similar business-impacting events were happening. We've since had several people come into the store and try to run commands on the systems, but nothing that wasn't handled directly with SAAS-2. They kept us in the loop the whole way, and that's just something we never got from our previous security provider. Unfortunately, our customer expressed unwillingness to return even after details were given and discounts were offered because of the concerns.
Lessons learned
So, this type of problem appears to be common in the IT world, including in cyber security: unmanaged contract agreements, misunderstanding of roles and responsibilities, etc. A few tiny things like these can lead to an actual legal problem and could even risk shutting down your company. This isn't just one person's story; this is dozens of people's stories every single day. Some takeaways we have to share about this:
- No matter how professional a team may seem, it's always worth checking the roles and responsibilities, then only agreeing once you've understood what's best for your company and that it fits the agreement.
- When you look to sign a contract with a company, spend the time to read it, or have a business lawyer review it.
- Every company, especially when it comes to IT and cyber security, should have a direct line of contact with their providers for any service offered, defined in the contract.
- Similarly, for any service offered, providers should have a direct contact within the client company to handle communication from their end, also defined in the contract.
- If your provider doesn't treat you like you're worth discussing details with, they probably aren't good for your overall security. Security providers should be able to discuss the realm of an issue. For example, a firewall provider should be able to discuss how implementation strategies could lead to problems, ways to resolve them, risks involved, etc. A cloud EDR provider should be able to discuss the risks and rewards of their platform and how to pivot on holes/gaps found.
- Sometimes the same service can be provided by many different companies, each with its own results.
Hope this helps someone.
Hoping this helps someone, the lessons you learned sound really solid and useful
Also lol/rip to 'worse news'
I appreciate the comment.