How to Build a Security Operations Center (SOC) on a Budget
As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Matthew Warner of Blumira takes you through the ins and outs of security operations centers, and how to build one on a budget.
A security operations center (SOC) is expensive.
From the technology utilized to the personnel needed to run it, a traditional SOC can cost an organization millions of dollars per year. For small and medium-sized businesses, this price tag alone serves as a major deterrent. Instead of trying to build and operate a SOC beyond their means, small and medium-sized businesses should recreate the capabilities a SOC provides through other methods. After all, these companies should still be able to protect their environments like larger enterprises.
SOC: The Ins and Outs for a Budget-Conscious Mind
What is a SOC?
Many people imagine a SOC as a physical place. That is true to a point: the familiar image is a large, windowless room full of flat-screen monitors and security analysts sitting at desks. But a SOC is also an organizational framework for security. It combines the components of a robust security program, namely the people, processes, and tools that detect, respond to, and analyze security threats. Traditional SOCs run 24 hours a day, seven days a week, with security analysts working through data from the environment to watch for emerging threats and respond as required.
SOCs typically leverage different security technologies, including:
- SIEM (Security Information and Event Management): This is a centralized logging platform that takes data from various alert systems and combines it into a cohesive view.
- EDR (Endpoint Detection and Response): This is a type of software that runs on endpoints to detect incoming threats. It provides real-time monitoring with an automated response that helps mitigate known issues.
Who Works in a SOC?
A SOC is about people as much as it is about technology, since SOCs involve multiple employees working at different levels of responsibility based on their experience. Let’s look at some of the key roles:
- Tier 1 (Triage): An entry-level analyst who works on the front lines of the SOC, responding to the hundreds of alerts that arrive each day and providing end-user support when needed. The job is tedious and monotonous and leads to high burnout, so employers may find themselves frequently filling and refilling these positions.
- Tier 2 (Security Investigator): A more experienced team member, this role takes a higher view and attempts to locate the sources of an attack and create mitigation strategies.
- Tier 3 (Advanced Security Analyst): Another step up, this person reviews the SOC’s operation and looks for security trends. The role also involves planning and incident response.
- SOC Manager: Outside of the tier system, this person manages SOC operations and communications with technology leadership, such as the chief information security officer and chief technology officer.
What Challenges Exist in Building a SOC?
Building a SOC requires the right technology and the right people. Both can be difficult to find and acquire, especially personnel. Organizations find themselves fighting over a limited talent pool, requiring consistent recruiting and hiring in order to keep a SOC properly staffed. With high competition, professionals will more easily move from job to job in search of better offers. There is currently a skills gap in the cybersecurity marketplace, meaning there are simply not enough professionals to fill job openings. Hiring outside staffing firms can help cut time from this process, but the cost is often prohibitive for small businesses. For many organizations, the talent battle makes it difficult to fill even entry-level jobs.
Along with hiring, there is also the challenge of technology. While different security solutions provide a range of essential capabilities, the sheer volume of technology in a SOC can become overwhelming, as vendors continually create new products to address emerging issues. This continued growth leads to a complex lattice of solutions that provide too much coverage in some areas and not enough in others. One result is a phenomenon known as “alert fatigue,” where team members become numb to the constant barrage of security alerts. False alarms account for about 40 percent of all alerts and further encourage the habit of ignoring these warnings, especially during busy times. This ultimately leads to employee burnout and decreased performance.
The Cost of a SOC
While technology certainly has a high price tag, the costs for a SOC primarily come from the analysts. For a traditional SOC, organizations should expect to hire a minimum of five security analysts to cover all shifts. Even organizations that hire predominantly junior team members should budget a minimum of $500,000 each year. Some organizations choose to hire experienced engineers and build automated alerting tools, but even that scenario requires paying a team member $150,000 or more. According to Ponemon, the average organization spends $2.86 million annually to run an in-house SOC.
Building a SOC on a Budget
The ultimate goal of a SOC is to provide visibility into your environment and to detect and respond to threats. For many organizations, the benefits of a traditional SOC do not justify the financial commitment it requires. While a SOC is excellent for a large enterprise that can afford it, many smaller organizations will want workarounds that offer similar functionality without the cost. The best approach is to start slowly, collecting logs from sources in your environment that can later feed automated tooling. Centralized logging gives you visibility into the environment, but analyzing log files from multiple sources by hand is overly time-consuming. A SIEM can ingest that log data and provide the analytics, search, and reporting that add context to events and alert on suspicious behavior. Many SIEMs charge per log, although some simply charge a flat fee per user. Look for a solution that fits within your budget.
Much of the work in a SOC revolves around checking alerts, many of which are false positives or do not require attention. With the right SIEM, you can manage alerts so that you only receive actionable items, accompanied by context or built-in workflows and playbooks that suggest next steps. With a SIEM-driven process you can respond immediately to critical threats, respond within the next day to high-priority threats, and defer lower-priority threats until time allows. A SIEM-oriented process, fed by your logs, recreates much of a SOC’s functionality without the high cost. A SOC is not the right choice for everyone, but its capabilities and a secure network are something everyone can afford with the right approach.
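The collect-centralize-alert-prioritize process described in the two paragraphs above, as an added example that is not part of the original article and not Blumira's code: a small Python pipeline that normalizes constructed sample log lines from three sources (an auth server, a firewall and an EDR agent), applies a few detection rules, suppresses a known false positive from an allow-listed scanner, and attaches the response window the article describes (critical now, high within a day, low when time allows). The log format, rule thresholds, allow-list and service names are assumptions made for the example.

```python
"""Minimal log-normalization and alert-triage pipeline (added example).

Stands in for the "collect logs, centralize them, let a SIEM alert and
prioritize" process described in the article. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real data). Format assumed for the example:
#   <ISO timestamp> <source> <event> key=value ...
SAMPLE_LOGS = [
    "2024-05-01T09:00:01Z auth login_failed user=alice src=203.0.113.9",
    "2024-05-01T09:00:03Z auth login_failed user=alice src=203.0.113.9",
    "2024-05-01T09:00:05Z auth login_failed user=alice src=203.0.113.9",
    "2024-05-01T09:00:09Z auth login_failed user=alice src=203.0.113.9",
    "2024-05-01T09:00:12Z auth login_failed user=alice src=203.0.113.9",
    "2024-05-01T09:00:20Z auth login_success user=alice src=203.0.113.9",
    "2024-05-01T09:05:00Z auth login_failed user=svc_scan src=10.0.0.50",
    "2024-05-01T09:05:01Z auth login_failed user=svc_scan src=10.0.0.50",
    "2024-05-01T09:05:02Z auth login_failed user=svc_scan src=10.0.0.50",
    "2024-05-01T09:05:03Z auth login_failed user=svc_scan src=10.0.0.50",
    "2024-05-01T09:05:04Z auth login_failed user=svc_scan src=10.0.0.50",
    "2024-05-01T09:10:00Z edr malware_blocked host=ws-12 action=quarantined",
    "2024-05-01T09:15:00Z auth group_add user=bob group=domain_admins src=10.0.0.7",
    "2024-05-01T09:16:00Z fw deny src=198.51.100.4 dst=10.0.0.20 dport=3389",
]

# Response windows from the article: critical now, high next day, low when time allows.
SEVERITY_SLA = {"critical": timedelta(hours=1), "high": timedelta(days=1), "low": None}
# Assumed allow-list of known noise (an internal vulnerability scanner here).
KNOWN_NOISE_SOURCES = {"10.0.0.50"}
BRUTE_FORCE_THRESHOLD = 5            # failed logins ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)   # ... within this sliding window
PRIVILEGED_GROUPS = {"domain_admins"}


def parse_line(line):
    """Normalize one raw line into a flat dict with a parsed timestamp."""
    ts, source, event, *fields = line.split()
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def detect(events):
    """Run the detection rules over normalized events; return (alerts, suppressed)."""
    alerts, suppressed = [], []
    failures = defaultdict(list)   # (src, user) -> timestamps of recent failed logins
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] == "auth" and ev["event"] == "login_failed":
            key = (ev["src"], ev["user"])
            failures[key].append(ev["ts"])
            # drop failures that have aged out of the sliding window
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= BRUTE_FORCE_WINDOW]
            if len(failures[key]) == BRUTE_FORCE_THRESHOLD:   # fires when the threshold is crossed
                alert = {"rule": "brute_force", "src": ev["src"], "user": ev["user"],
                         "severity": "high", "ts": ev["ts"]}
                if ev["src"] in KNOWN_NOISE_SOURCES:
                    alert["reason"] = "source is on the known-scanner allow-list"
                    suppressed.append(alert)          # a false positive the analyst never sees
                else:
                    alerts.append(alert)
        elif ev["source"] == "auth" and ev["event"] == "login_success":
            # a success shortly after a burst of failures from the same source: escalate
            for a in alerts:
                if (a["rule"] == "brute_force" and a["src"] == ev["src"]
                        and a["user"] == ev["user"] and ev["ts"] - a["ts"] <= BRUTE_FORCE_WINDOW):
                    a["rule"], a["severity"] = "brute_force_success", "critical"
        elif ev["source"] == "auth" and ev["event"] == "group_add" and ev["group"] in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged_group_add", "user": ev["user"],
                           "severity": "critical", "ts": ev["ts"]})
        elif ev["source"] == "edr" and ev["event"] == "malware_blocked":
            # the EDR already contained this; keep it visible but do not page anyone
            alerts.append({"rule": "edr_auto_mitigated", "host": ev["host"],
                           "severity": "low", "ts": ev["ts"]})
        # anything else (routine firewall denies, etc.) stays in the log store with no alert
    return alerts, suppressed


def triage(lines):
    """Normalize raw lines, detect, and attach a response deadline to each alert."""
    alerts, suppressed = detect([parse_line(line) for line in lines])
    for a in alerts:
        sla = SEVERITY_SLA[a["severity"]]
        a["respond_by"] = (a["ts"] + sla).isoformat() if sla else "when time allows"
    order = {"critical": 0, "high": 1, "low": 2}   # critical first for whoever is on call
    alerts.sort(key=lambda a: (order[a["severity"]], a["ts"]))
    return alerts, suppressed


if __name__ == "__main__":
    found, dropped = triage(SAMPLE_LOGS)
    for a in found:
        print(f'[{a["severity"]:8}] {a["rule"]:22} respond by {a["respond_by"]}')
    for s in dropped:
        print(f'[suppressed] {s["rule"]} from {s["src"]}: {s["reason"]}')
```

Run as-is, the script leaves the analyst with three items instead of fourteen lines: the successful brute force and the privileged-group change at the top with a one-hour deadline, the already-quarantined malware at the bottom for review when time allows, and the scanner's failed logins recorded but never surfaced. The allow-list and the "success after failures" escalation are the two places where the false-positive rate and the priority ordering are actually decided, which is exactly the tuning a small team buys a SIEM for.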