How to build a SOC with limited resources

Introduction
Some organisations have formal security operations centres (SOCs). Formal 24x7 SOCs are tightly secured areas where teams of dedicated analysts carefully monitor for threats around the clock, every day of the year. Analysts check their organisation's enterprise security controls to identify possible signs of intrusion and compromise that may require a response by the organisation's incident responders.

Unfortunately, most organisations cannot afford a 24x7 SOC. The cost of having well-trained analysts onsite at all times outweighs the benefit for almost every organisation. Instead, most organisations either make do with an informal SOC composed of a small number of analysts who have many other duties to perform, or have no SOC at all and rely on borrowing people from other roles when needed. Security events are not consistently monitored around the clock. This leads to major delays in responding to many incidents, while other incidents go completely unnoticed. It is a dangerous situation that results in damaging cyber incidents. It is also highly unlikely that analysts will have any time to be proactive in looking for threats and attacks. And when an event occurs, many organisations cannot efficiently and effectively respond because they lack formal incident response processes and capabilities.

For organisations caught between the prohibitive cost of a formal SOC and the wholly inadequate protection of an informal SOC, there is a solution: building a SOC that automates as much of the work as possible. Automation can help a team perform constant security event monitoring and analysis to detect possible intrusions. It can also provide incident response automation and orchestration capabilities to manage and expedite incident handling.

The purpose of this white paper is to show you how you can successfully build a SOC, even with limited resources. The paper explains the basics of SOCs, providing details of what SOCs mean in terms of people, processes, and technology. Finally, you will learn the methodology of building a SOC with limited resources, focusing on tactics to make your rollout smooth and successful. After reading this paper, your organisation should be ready to start planning its own SOC.

What makes a SOC effective? Fusing people, processes, and technology
To create an effective SOC, you need three components — people, processes, and technology — to build an efficient security operation. This minimises reliance on people and enables decentralisation of the SOC team.

For SOCs, the power of automation cannot be overstated. Consider a type of incident that happens all the time: a phishing attack campaign. A strong security operations platform can automatically take care of nearly every aspect of the detection, response, and recovery processes, including:

• Detecting the campaign and investigating its purpose and scope
• Comparing the observed characteristics to threat intelligence to improve understanding of the threat
• Automating the entire remediation, including blocking the threat from continuing the campaign, deleting all phishing emails from user mailboxes, determining if any phishing emails triggered malicious payloads to be downloaded and installed, quarantining any infected systems, and wiping malicious code from systems
• Generating a report on the incident and providing it to appropriate stakeholders

One caveat: remediation steps that delete mail, quarantine hosts or wipe systems act on a detection that can be wrong, so until a rule has proven its accuracy they are better gated behind the single-click approval described under Technology than run with no human in the loop.

Similar benefits can be achieved for other types of attacks and threats as well through automation of the SOC. This enables your organisation to have a small number of analysts who focus on the most complex and challenging tasks instead of legions of analysts who spend most of their time performing time-intensive, mundane tasks. Automation also greatly improves the efficiency of SOC operations so that incidents are detected, stopped, and recovered from much more quickly, thus minimising damage and other costs.

The following sections further explain the SOC in terms of people, processes, and technology.

People
No matter how well automated a SOC is, people are an absolute necessity. The
two most fundamental roles in a SOC are the security analyst and the incident
responder. Security analysts work primarily in the monitoring and detection
phases of a SOC. Typical tasks include monitoring alarms from an all-in-one
platform and performing triage to determine which alarms require intervention
from the incident responders. Incident responder tasks may include:

• Conducting deeper analysis of suspicious security events using:
  • Search analytics capabilities
  • Threat intelligence sources
  • Basic forensics techniques
  • Malware analysis tools
• Performing response activities whenever an incident necessitates
• Keeping management apprised of the status of incident response efforts

Other possible SOC roles include forensic analysts and malware reverse engineers.
A security architect is the final important part-time role for any SOC. The
security architect is typically someone within the security organisation with a
deep understanding of the organisation’s security program and infrastructure.
This person should help design the initial SOC solution and oversee its
implementation to ensure it is efficient and effective. Over time, the security
architect can plan and implement adjustments to the SOC solution, including
expansions to meet the additional needs of the organisation. The security
architect role is particularly important because the architect’s decisions will
significantly affect the security program and thus affect the whole organisation.

Organisations have many options when it comes to how to staff a SOC. Following are a few examples of possible SOC staffing models:

Processes
Every SOC, no matter what staffing model an organisation uses, relies on
processes. Technology brings people and processes together — such as an
all-in-one SIEM platform that notifies a security analyst of something that needs
immediate attention, or an incident responder commanding a SIEM platform
to do something on the incident responder’s behalf. But processes also help
people to work with each other. For example, a security analyst may mark a
set of events in the SIEM platform that an incident responder needs to further
investigate. The SIEM platform provides workflow capability that transfers
responsibility for the work from the security analyst to the incident responder.

All-in-one SIEM platforms can foster much more sophisticated communication, collaboration, workflow, and orchestration capabilities for SOCs. When a major
incident occurs, numerous security analysts, incident responders, and forensic
specialists may all help to resolve it, and others within the organisation such
as system and network administrators may also be involved. By integrating
a SIEM platform and a SOC with existing business processes and workflows,
an organisation can promote the SOC’s adoption and viability while ensuring
rapid and effective efforts throughout the organisation to detect and respond
to threats. This avoids a mistake many organisations make — forcing all
existing business processes to change to accommodate the SOC.

In these cases, having an all-in-one SIEM is essential because it performs security automation and orchestration to ensure that everyone is kept up to
date on the status and has access to all necessary information. It can also
provide people with the tools they need to work together and to route tasks
from one person or team to another. Finally, a full SIEM platform provides the
ability to check on workflows to ensure that nothing is overlooked or handled
too slowly.

Technology
An all-in-one platform is ideal for building a SOC because it includes and integrates all the needed forms of security automation and incident response orchestration into a single display. Here are some examples of what a SIEM platform can do:

• Centralise all forensic data, supporting effective machine analytics and enabling rapid investigations. The data can be monitored at all times and analytics used to identify events of particular interest, which eliminates the need to have people looking at raw security event data on monitors 24 hours a day.
• Provide context for security events and incidents by integrating critical threat intelligence sources and vulnerability data, as well as information from integrated systems in human resources, finance, contracting, etc. regarding business systems and assets. This context enables security analysts to better determine what an attacker may be attempting to do and why.
• Prioritise events of interest based on their relative risk to the organisation so that SOC staff can pay attention to the most concerning events first.
• Pull evidence together in one location and safely and securely share it with authorised individuals, such as remote staff and outsourcers involved in an incident response effort.
• Use workflow capabilities to alert each person or role when it is their turn to do something for the SOC, such as reviewing an event the platform has flagged as high risk.
• Interface with asset management, vulnerability management, trouble ticketing, intrusion prevention, and other existing systems to automatically integrate SOC processes with business processes. This greatly expedites workflow and reduces workload for staff in numerous departments.
• Enable automated responses that are automatically associated with specific alarms. Actions that can be initiated without human interaction, or that require single-click approval, can greatly improve your team's time to respond to an incident. An all-encompassing SIEM platform should recognise common situations, such as a basic malware compromise, and automatically respond so the team can focus on more complex and impactful events and incidents.
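
The enrichment, risk prioritisation and automated-response capabilities listed above, shown as one small worked pipeline. This is an added example, not code from the paper or from LogRhythm's platform: the asset inventory, vulnerability findings, threat-intel confidences, the scoring formula and the playbook table are all constructed assumptions standing in for the real integrations a SIEM would query.

```python
"""Added example, not code from the LogRhythm paper: enrich raw alarms with
asset, vulnerability and threat-intel context, score them by risk, and map
each alarm type to a playbook that runs automatically, after single-click
approval, or only by hand. Every data source and threshold here is a
constructed assumption standing in for a real integration."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed stand-ins for asset management, vulnerability management and
# threat-intel integrations (the real ones would be API calls).
ASSETS = {
    "10.0.1.15": {"owner": "finance", "criticality": 5},
    "10.0.2.40": {"owner": "marketing", "criticality": 2},
    "10.0.3.7": {"owner": "it", "criticality": 4},
}
OPEN_VULNS = {"10.0.1.15": ["unpatched-web-server"]}
THREAT_INTEL = {"203.0.113.9": 90, "198.51.100.23": 40}  # indicator -> confidence 0-100

# Playbook per alarm type: (action, mode). 'auto' needs no human; 'approve' is
# staged for single-click approval; 'manual' waits for an analyst.
PLAYBOOKS = {
    "malware_signature_hit": ("isolate_host", "auto"),
    "phishing_url_click": ("delete_mail_and_reset_password", "approve"),
    "lateral_movement": ("escalate_to_responder", "manual"),
}

@dataclass
class Alarm:
    alarm_type: str
    src_ip: str
    host: str
    context: dict = field(default_factory=dict)
    risk: int = 0
    action: str = "none"
    mode: str = "manual"

def enrich(alarm: Alarm) -> Alarm:
    """Attach the business and threat context an analyst would otherwise look up by hand."""
    alarm.context = {
        "asset": ASSETS.get(alarm.host, {"owner": "unknown", "criticality": 1}),
        "open_vulns": OPEN_VULNS.get(alarm.host, []),
        "intel_confidence": THREAT_INTEL.get(alarm.src_ip, 0),
    }
    return alarm

def score(alarm: Alarm) -> int:
    """Assumed scoring: criticality (1-5) x intel confidence (0-100) scaled to 0-100,
    plus 20 per open vulnerability on the host, capped at 100."""
    c = alarm.context
    risk = c["asset"]["criticality"] * c["intel_confidence"] // 5
    risk += 20 * len(c["open_vulns"])
    return min(risk, 100)

def decide(alarm: Alarm) -> Alarm:
    """Choose the playbook. Caveat a practitioner would apply: a fully automatic
    action against a high-criticality asset is downgraded to single-click approval."""
    action, mode = PLAYBOOKS.get(alarm.alarm_type, ("none", "manual"))
    if mode == "auto" and alarm.context["asset"]["criticality"] >= 4:
        mode = "approve"
    alarm.action, alarm.mode = action, mode
    return alarm

def triage(alarms: list[Alarm]) -> list[Alarm]:
    """Enrich, score and decide, then return alarms highest risk first."""
    for a in alarms:
        enrich(a)
        a.risk = score(a)
        decide(a)
    return sorted(alarms, key=lambda a: a.risk, reverse=True)

def demo() -> list[Alarm]:
    """Constructed alarms of the kind a SIEM might raise in one morning."""
    return triage([
        Alarm("malware_signature_hit", "198.51.100.23", "10.0.2.40"),
        Alarm("malware_signature_hit", "203.0.113.9", "10.0.3.7"),
        Alarm("phishing_url_click", "203.0.113.9", "10.0.1.15"),
        Alarm("lateral_movement", "10.0.2.40", "10.0.1.15"),
    ])

if __name__ == "__main__":
    for a in demo():
        print(f"risk={a.risk:3d} {a.alarm_type:22s} host={a.host:10s} -> {a.action} [{a.mode}]")
```

The ordering that falls out is the point: the phishing click on the finance host outranks the malware hit on the domain controller, and the malware hit on the marketing box, the only alarm the playbook table would act on with no human at all, lands last. The downgrade in decide() is where the approval gate lives; a real platform exposes the same choice as a per-alarm configuration.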

Estimating SOC costs and savings
How much a SOC will cost an organisation is dependent on many factors, as is how much a SOC may save an organisation. Let's start by looking at estimated annual labour and services costs for common SOC staffing models for small, medium, and large SOCs. (See the table Cost comparisons of various SOC staffing models, page 12.) These estimates show that for all sizes of SOCs, labour and service costs are highest for SOCs not based on an all-in-one security information and event management (SIEM) platform. This is because there is far more monitoring, analysis, investigation, prioritisation, forensic data collection, incident response, management, and reporting work to be done by humans instead of the SIEM platform.

The second major type of cost for SOCs is the infrastructure, including facilities, equipment, networks, systems, software, and subscription fees (e.g. threat intelligence feeds). These costs are hard to generalise. For example, one organisation might have unused facility space available for immediate SOC use, while another organisation may need to acquire and prepare new space. One organisation might have networks and systems readily available for the SOC, while another may need to design, procure, and implement them. However, in general, the infrastructure costs are fairly consistent across models for a particular size of SOC because most of the same infrastructure needs to be in place whether you have 8x5 or 24x7 onsite staffing. The only exception is the fully outsourced SOC model, because it doesn't require facilities, equipment, or systems for SOC staff.

The final major considerations for SOC costs involve how effective the SOC will be at preventing incidents, detecting and stopping incidents quickly, and restoring normal operations. Converting an informal SOC into a well-structured SOC utilising a SIEM platform could reduce costs by millions of pounds a year for incident handling, loss of user productivity, and loss of business from incidents that prevent the organisation from conducting its normal operations.

Consider a simple malware incident at a 5,000-user organisation. The organisation's informal SOC isn't staffed around the clock, so the malware incident isn't detected until approximately 100 systems have been affected. Each of these systems needs to be rebuilt, with each rebuild, restore, and redeployment taking on average four hours of system administrator time. The users of these 100 systems can't do most of their work

Cost comparisons of various SOC staffing models

Estimated annual labour and services costs. Totals are the sum of each column, with fractional management FTEs pro-rated (0.25 FTE @ $150K counts as $37.5K).

                                 Small SOC                  Medium SOC                 Large SOC
                                 (< 10,000 users)           (10,000 to 50,000 users)   (> 50,000 users)

SOC without a SIEM platform
  Staffing hours                 8x5 onsite                 16x5 onsite                24x7 onsite
  Security analysts              2 FTEs @ $120K each        8 FTEs @ $120K each        20 FTEs @ $120K each
  Incident responders            1 FTE @ $145K              4 FTEs @ $145K each        8 FTEs @ $145K each
  Specialists (malware reverse   0 FTEs; outsource and pay  2 FTEs @ $150K each        5 FTEs @ $150K each
  engineers, forensic            when needed
  analysts, etc.)                (est. $50K/year)
  Management                     1 FTE @ $150K              2 FTEs @ $150K each        3 FTEs @ $150K each
  Total                          $585K                      $2,140K                    $4,760K

Fully in-house SIEM-powered SOC
  Staffing hours                 8x5 onsite                 16x5 onsite                24x7 onsite
  Security analysts              1 FTE @ $120K              4 FTEs @ $120K each        8 FTEs @ $120K each
  Incident responders            1 FTE @ $145K              2 FTEs @ $145K each        4 FTEs @ $145K each
  Specialists (malware reverse   0 FTEs; outsource and pay  1 FTE @ $150K              2 FTEs @ $150K each
  engineers, forensic            when needed
  analysts, etc.)                (est. $25K/year)
  Management                     0.25 FTE @ $150K           0.5 FTE @ $150K            1 FTE @ $150K
  Total                          $328K                      $995K                      $1,990K

Steps for building a SOC with limited resources
Based on experiences helping a wide variety of organisations,
LogRhythm experts developed a methodology for building a SOC
that uses a full SIEM platform. The following seven items describe
each step of the methodology.

Step 1: Develop a strategy

Two particularly important parts of developing a strategy for the SOC are as follows:

A. Assess the organisation's existing SOC capabilities in terms of people, processes, and technology. Note that when building a SOC, the SOC's initial scope should be limited to core functions: monitoring, detection, response, and recovery. Some SOCs support additional functions, such as vulnerability management, but such non-core functions should be delayed until the core functions are sufficiently mature.

B. Identify the business objectives for the SOC. To be effective, the SOC should focus on helping the organisation meet its business objectives. Creating a SOC for the sake of security without factoring in the business, such as which systems and data are most critical to sustaining operations, will inevitably cause problems showing value to the business, and could result in the SOC missing a key threat that results in a damaging cyber incident.

Step 2: Design the solution

Echoing the advice under Step 1 about limiting the initial scope of the SOC, it may be best to pursue a few quick wins instead of creating a full-scale, broad-function SOC solution. Choose a few business-critical use cases and define the initial solution based on those use cases, keeping in mind that the solution must scale in the future to meet additional needs. Having a more narrowly scoped initial solution also helps to reduce the amount of time needed to implement it and achieve initial results more quickly. When designing the SOC solution, important actions include the following:

A. Define the functional requirements. These requirements should be tied to business objectives whenever applicable. Functional requirement areas include:
i. identifying the sources of log and event data to be monitored
ii. identifying the sources of threat intelligence to be utilised
iii. determining performance requirements, such as response times

B. Choose a SOC model. This should be based on the functional requirements just defined, as well as the strategy defined in the first step. Decisions to make include which hours and days to staff versus outsource, which responsibilities to staff versus outsource, which roles the SOC will have, and how many FTEs will be needed per role.

C. Design the technical architecture. This includes:
i. Planning the composition and configuration of the components of the solution, most notably the SIEM platform
ii. Identifying the business systems and information systems that should be integrated with the SIEM platform to provide business context for security events and incidents
iii. Defining the workflows for events and incidents to align with the organisation's existing processes
iv. Planning to automate the solution as much as possible, including the necessary technologies to have complete visibility of the threat landscape for the systems and data in the initial SOC scope and to thwart attacks as early in the attack lifecycle as possible
v. Determining if the technical architecture is sound, such as performing tabletop exercises for all use cases to identify potential issues

Step 3: Create processes, procedures, and training

If the SOC staffing will be partially outsourced, it is important to work with the outsourcer to ensure that processes, procedures, and training on both sides take that into account.

Step 4: Prepare the environment

Before deploying the SOC solution, it is critically important to ensure that all the elements are in place to provide a secure environment for the solution. Notable elements include tightly securing SOC staff desktops, laptops, and mobile devices; having secure remote access mechanisms in place for staff (and outsourcers if applicable) to interact with the SOC solution; and requiring strong authentication for remote access to the SOC solution at a minimum (and preferably for local access as well).

Step 5: Implement the solution

The key to implementing the solution itself is to focus on taking full advantage of the technology to minimise the workload on people. Implementation is a ground-up process that proceeds by:

A. bringing up the log management infrastructure
B. onboarding the minimum collection of critical data sources
C. bringing up the security analytics capabilities
D. onboarding the security automation and orchestration capabilities
E. beginning to deploy use cases that focus on end-to-end threat detection and response realisation

Another essential element is achieving seamless interoperability with other systems, both to collect data from sources and to issue actions and commands to help apply context, contain, and remediate in alignment with workflows. The latter is particularly helpful for reducing the mean time to detect and to respond to incidents. The solution should also incorporate threat intelligence feeds and other intelligence sources as automated inputs to improve detection accuracy.

Step 6: Deploy end-to-end use cases

Once solution capabilities are deployed, you can implement use cases across the analytics tier and the security automation and orchestration tier, such as detecting compromised credentials and successful spear phishing campaigns. You should test during a variety of shifts and during shift changeovers. All the forms of solution automation mentioned earlier are particularly important to test rigorously. The reliability and security of remotely accessing the solution should also be verified to the extent feasible.
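
An end-to-end use case of the kind Step 6 calls for: compromised-credential detection feeding the analyst-to-responder handoff described under Processes. This is an added example, not code from the paper or from LogRhythm: the log format, the failure threshold and window, the workflow states and the SLA values are assumptions, and the log lines are constructed.

```python
"""Added example, not code from the LogRhythm paper: the 'compromised credentials'
use case run end to end. A detection rule scans constructed authentication log
lines, raises an alarm, and the alarm moves through an analyst -> responder
workflow with a check that nothing sits with one owner for too long. Log format,
thresholds, states and SLA values are assumptions."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth events: "<ISO-8601 time> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z FAIL user=jsmith src=203.0.113.9
2024-05-01T08:00:03Z FAIL user=jsmith src=203.0.113.9
2024-05-01T08:00:05Z FAIL user=jsmith src=203.0.113.9
2024-05-01T08:00:07Z FAIL user=jsmith src=203.0.113.9
2024-05-01T08:00:09Z FAIL user=jsmith src=203.0.113.9
2024-05-01T08:00:12Z OK user=jsmith src=203.0.113.9
2024-05-01T08:01:00Z OK user=amy src=10.0.2.40
2024-05-01T08:02:00Z FAIL user=amy src=10.0.2.40
2024-05-01T08:02:30Z OK user=amy src=10.0.2.40
"""

FAIL_THRESHOLD = 5             # assumed: this many failures ...
WINDOW = timedelta(minutes=2)  # ... within this window, then a success

def parse(line: str) -> dict:
    ts, result, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ok": result == "OK",
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1]}

def detect_bruteforce_success(logs: str) -> list[dict]:
    """Alarm when at least FAIL_THRESHOLD failures for one (user, source) pair
    inside WINDOW are followed by a success: a brute-force attempt that worked."""
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    alarms = []
    for line in logs.splitlines():
        ev = parse(line)
        key = (ev["user"], ev["src"])
        # drop failures that have aged out of the sliding window
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
        if not ev["ok"]:
            failures[key].append(ev["ts"])
            continue
        if len(failures[key]) >= FAIL_THRESHOLD:
            alarms.append({"type": "credential_compromise_suspected",
                           "user": ev["user"], "src": ev["src"],
                           "failures": len(failures[key]), "at": ev["ts"]})
        failures[key].clear()  # a success resets the counter either way
    return alarms

# Workflow: (current state, acting role) -> (next state, next owner). Work changes
# hands only through these transitions, so responsibility is never ambiguous.
TRANSITIONS = {
    ("new", "analyst"): ("triaged", "responder"),
    ("triaged", "responder"): ("contained", "responder"),
    ("contained", "responder"): ("closed", None),
}
SLA = {"analyst": timedelta(minutes=15), "responder": timedelta(hours=1)}  # assumed

def open_case(alarm: dict, now: datetime) -> dict:
    return {"alarm": alarm, "state": "new", "owner": "analyst",
            "since": now, "history": []}

def advance(case: dict, actor: str, now: datetime) -> dict:
    """Hand the case to the next role; refuse if the actor does not own it."""
    if actor != case["owner"]:
        raise PermissionError(f"{actor} does not own case in state {case['state']}")
    state, owner = TRANSITIONS[(case["state"], actor)]
    case["history"].append((case["state"], actor, now))
    case.update(state=state, owner=owner, since=now)
    return case

def overdue(case: dict, now: datetime) -> bool:
    """True when the current owner has held the case longer than their SLA."""
    owner = case["owner"]
    return owner is not None and now - case["since"] > SLA[owner]

if __name__ == "__main__":
    for alarm in detect_bruteforce_success(SAMPLE_LOGS):
        case = open_case(alarm, alarm["at"])
        print(alarm, "overdue after 20 min:", overdue(case, alarm["at"] + timedelta(minutes=20)))
```

The success event is what turns a noisy failure count into an alarm worth a human's time; the workflow half is the check the Processes section asks for, since overdue() is exactly the query a platform runs to catch work that is "overlooked or handled too slowly". Note that amy's single failure followed by a success correctly raises nothing.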

Step 7: Maintain and evolve

Once the solution is fully in production, it will need ongoing maintenance, such as updating configuration settings and tuning over time to improve detection accuracy, and adding other systems as inputs or outputs to the solution. You will also need to periodically review the SOC model, SOC roles, FTE counts and so forth, and make adjustments.

Expert note: The key to implementing the solution itself is to focus on taking full advantage of the technology to minimise the workload on people.

Conclusion
Having an all-in-one SIEM platform has become an absolute necessity for implementing a SOC to achieve greater efficiency. A hybrid SOC is the just-right solution for organisations that cannot justify the overwhelming expenses of a formal SOC and cannot tolerate the inadequate protection provided by an informal SOC.

The LogRhythm NextGen SIEM Platform is the ideal technology for building a SOC. Organisations that adopt this strategy can achieve immediate and ongoing cost savings as compared to adopting any other SOC model. This strategy also leads to a material reduction in risk for the organisation. Specific ways in which the LogRhythm platform benefits organisations include the following:

• Uses advanced capabilities for threat detection and analysis, such as user and entity behaviour analytics, that can find and understand the significance of many types of threats that cannot easily be detected by other means. This is particularly helpful for identifying insider threats attempting to access and steal sensitive data.
• Provides highly sophisticated workflow capabilities that transfer responsibility for specific tasks from person to person or role whenever needed. This keeps things moving and minimises miscommunications that could inadvertently delay action or cause duplicated efforts.
• Automates incident response orchestration so that all people involved in incident response have immediate access to necessary information.

LogRhythm's security automation and orchestration capabilities significantly improve the efficiency and effectiveness of incident response.

To see how you can build your own SOC with LogRhythm, schedule a customised demo today: logrhythm.com/schedule-online-demo
