Subscribe to receive notifications of new posts:

Cloudflare’s SOC as a Service


6 min read

When Cloudflare started, sophisticated online security was beyond the reach of all but the largest organizations. If your pockets were deep enough, you could buy the necessary services — and the support that was required to operate them — to keep your online operations secure, fast, and reliable. For everyone else? You were out of luck.

We wanted to change that: to help build a better Internet. To build a set of services that weren’t just technically sophisticated, but easy to use. Accessible. Affordable. Part of this meant that we were always looking to build and equip our customers with all the tools they needed in order to do this for themselves.

Of course, a lot has changed since we started. The Internet has only increased in importance, fast becoming the most important channel for many businesses. Cybersecurity threats have only become more prevalent — and more sophisticated. And the products that Cloudflare offers to keep you safe on the Internet have attracted some of the largest and most recognizable organizations in the world.

Ask some of these larger organizations about cybersecurity, and they’ll tell you a few things: first, they love our products. But, second, that when something happens online, they don’t just want their team on it. They want to tap into a dedicated team of specialists. A team that feels like an extension of their own team — to identify and respond to any situation. And more than that, they want that team proactively engaged.

It’s for this reason that we’re very excited to make our Security Operations Center (SOC) generally available as a service.

Cloudflare SOC as a Service combines our best-in-class security products and a team of cybersecurity experts within Cloudflare that augment your security and network teams to:

  • Monitor enterprise environments 24x7x365 for security threats and operational disruptions
  • Triage and respond to custom alerts
  • Perform deep analysis to identify attack vectors and network outages
  • Implement countermeasures to mitigate incidents during attacks

Why did we build SOC as a Service?

It’s hard to overstate the extent to which online has become the most important channel for many businesses. Fifty years ago, if you were running security for an organization you could be dealing with large volumes of people: customers, suppliers, contractors, employees. You’d have to secure assets and locations. But in many instances, the sheer scale of these do not compare to the volume of data and traffic that many businesses are working with online today.

When you’re dealing with that volume of data, you need a reliable mechanism to sift through all traffic to find the attacks more easily. Even with the most sophisticated tools, this can be time-consuming work. And that’s before you even get to responding and mitigating those attacks.

Sitting where we do, we have become very good at managing threats at Internet-scale. Not only do we do it for ourselves, but we do it as part of Cloudflare continuously improving our products. A customer-available SOC as a Service focused solely on attack monitoring and mitigation was a logical addition to enhance our existing automated protection systems, like our autonomous edge DDoS protection that actively protects all our customers against DDoS attacks across Layers 3 to 7.

What can you expect from SOC as a Service?

When large enterprise networks experience an unmitigated surge or mysterious traffic patterns, they need analysis and human intervention immediately. Cloudflare SOC as a Service answers that very real customer need with a white-glove, proactive team of network security engineers dedicated to protecting from security threats. Leveraging the Cloudflare security products, it provides threat detection and immediate triggering of the SOC as a Service incident response process for enterprises of all sizes and sophistication and across Layers 3, 4, and 7.

SOC as a Service provides direct engagement with and escalation to our dedicated team of Security Operations Engineers monitoring our customized, algorithm-based alerting system 24x7x365. These multivariate alerts provide proactive detection of security events by monitoring for anomalous traffic patterns, degraded application or network health, origin reachability, availability, and latency. SOC as a Service is a high-touch, high-impact offering meant to bridge the gap between our traditional break-fix customer support and proactive Zero-SLA support.

Here is what our SOC as a Service can do for you today:

  1. We start with 24x7x365 monitoring for attacks and health based on our proprietary, algorithm-based alerting that tracks deviations from a baseline threshold.
  2. If degradation, anomalies, or attacks are observed, automatic alerting is triggered to the customer and the SOC as a Service for both auto-mitigated and unmitigated events.
  3. Our team of SOC as a Service engineers investigate the attack vectors and make recommendations for configuration updates.
  4. Simultaneous to the investigation, we will proactively mitigate where possible, working in real-time with your team based on a customer-approved action plan.
  5. We provide recommendations and retrospective attack summaries to the customer as part of a monthly reporting cadence.

What makes our alerting so effective?

Configuring alerts can be confusing due to the complexity of real-world systems. There are so many variables to alert on, but often alert triggers are based on simplistic x/y (amplitude duration, and/or frequency) thresholds. For example, if the number of requests is above x rate and for y duration, then trigger an alert.

We try to make configuration as simple as possible while still providing best-in-class solutions. Our alerting platform for the SOC as a Service does the same. We started out with three goals:

  • Avoid confusing threshold configurations. Keep things as simple as possible, yet use powerful algorithms in the backend.
  • Find a way to reduce false positives which lead to alert fatigue.
  • Use a holistic approach to detect potentially unmitigated security events which slip through existing defences.

First, our alerts go through a period of baselining where we evaluate traffic patterns and types of requests to understand what is considered “normal”. We then use these baselines along with present conditions when deciding to trigger an alert. All this is done by our SOC as a Service team without you having to navigate numerous threshold configurations.

Next, our SOC as a Service alerts are categorized as either informational or actionable. This minimizes alert fatigue while ensuring actionable alerts are investigated first by our team. We report on both alert categories but respond only to actionable alert types immediately. For example, alerts for mitigated events are mostly not actionable, yet it is still important to know what is being mitigated. However, suspicious events that have not yet triggered a mitigation action should be investigated by our SOC as a Service team as soon as they occur.

Finally, our experience has shown that symptoms of security events first appear elsewhere before triggering firewall alerts. For example, we may see a sudden increase in traffic or latency or conversely a drop in reachability and/or availability. We are able to detect such conditions and use them as early warning signs.  Our team continuously monitors crucial variables through what we call “the life of a request (or packet)”.  We do this intelligently, using a holistic approach that cuts through alert fatigue while still surfacing suspicious patterns.

SOC as a Service Partners for Managed Security Services

Actively managing security configurations, integrating multiple security solutions, and incorporating third-party tooling and Security Incident and Event Management (SIEM) tools are crucial components for an end-to-end security posture. We’ve worked closely with our Cloudflare Partner Network to supplement our SOC as a Service offering and provide our customers the freedom to choose a partner that meets their needs and service-level requirements.

Our SOC as a Service partners — after thorough training by Cloudflare on our solutions — can provide trusted Managed Security Service Provider (MSSP) offerings around the globe, with ongoing hands-on-keyboard configuration updates and fine-tuning. Our partners can integrate with third-party security tools, services, analytics, and SIEM platforms like Splunk, Sumo Logic, and others to provide a holistic view of a customer’s threat profile outside just Cloudflare solutions.

We are happy to announce our initial set of global partners for our launch of our SOC as a Service:

Our team works closely with our MSSP partners. They help us manage everyday security services that integrate and overlap with the Cloudflare SOC as a Service: setup, configuration, and fine-tuning of rules; proactive payload analysis; SIEM log storage and integration; CVE monitoring; and more to ensure our customers can have a premium experience that coordinates seamlessly with the Cloudflare SOC as a Service offering.

Starting Today

We hope you’re as excited about our SOC as a Service offering as we are. For the right type of customer, having a specialized team of Security Operations Center engineers working 24x7x365 to monitor, detect, alert, and respond — alongside proactive communication and detailed reporting — can add an extra level of peace of mind to cybersecurity threats. Contact us today if you’re interested in finding out more on how our SOC as a Service can help.

We protect entire corporate networks, help customers build Internet-scale applications efficiently, accelerate any website or Internet application, ward off DDoS attacks, keep hackers at bay, and can help you on your journey to Zero Trust.

Visit from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
SecuritySOC as a ServiceProduct News

Follow on X


Related posts

May 30, 2024 12:12 PM

Cloudflare acquires BastionZero to extend Zero Trust access to IT infrastructure

We’re excited to announce that BastionZero, a Zero Trust infrastructure access platform, has joined Cloudflare. This acquisition extends our Zero Trust Network Access (ZTNA) flows with native access management for infrastructure like servers, Kubernetes clusters, and databases...

April 12, 2024 1:00 PM

How we ensure Cloudflare customers aren't affected by Let's Encrypt's certificate chain change

Let’s Encrypt’s cross-signed chain will be expiring in September. This will affect legacy devices with outdated trust stores (Android versions 7.1.1 or older). To prevent this change from impacting customers, Cloudflare will shift Let’s Encrypt certificates upon renewal to use a different CA...