01 Introduction
02 Meet The SOC Team
03 What Does It (Actually) Take to Build a SOC ?
04 Alert Fatigue
05 The Only Way To Eat An Elephant
06 Introduce Context & Automation
07 Blumira: A SOC Alternative
How To Build a SOC On a Budget
Smaller teams can get SOC capabilities without breaking the bank.
So, You Want To Build a SOC?
Whether you’ve got directives from the top, compliance requirements to meet, or you’re trying to get more visibility into your environment, you may think that a security operations center (SOC) — often hailed as the pinnacle of security — is the ideal option.
Get To Know The Terms
Security Operations Center (SOC):
A SOC is an organizational framework that combines people, processes and tools to detect, respond and analyze security threats. A traditional SOC includes in-house 24/7 monitoring in which security analysts are watching the environment for emerging threats and responding accordingly.
Security information & event management (SIEM):
A SIEM is a centralized logging tool that integrates with different components of security and IT infrastructure — applications, systems, servers, antivirus, EDR — and takes in data from each service to alert teams of suspicious activity on a network.
Many SIEMs perform threat analysis, detection and response — but not without extensive ongoing fine-tuning and detection rule management. Blumira, on the other hand, performs fine-tuning, parsing and rule management on your behalf — lessening the burden on your IT and security teams.
Endpoint detection and response (EDR):
EDR software runs on endpoints — including workstations, servers, and mobile devices — to detect incoming threats. EDR combines real-time continuous monitoring with automated response and analysis capabilities.
With a full SOC, an organization should be able to:
- Analyze threats using advanced analytics
- Continuously detect and respond to threats
- Carry out an incident response and recovery plan
- Investigate the root cause of security incidents
- Meet compliance and regulatory requirements
Meet The SOC Team
Tier 1 Analyst (Triager)
This entry-level position involves being on the frontlines of the SOC, manually going through the hundreds of alerts generated by a SOC. Responsible for triaging and prioritizing alerts, and may also provide end user support and endpoint installation. Known for being a tedious role, this position is infamous for high turnover and burnout.
Tier 2 Analyst (Security Investigator)
This is a more experienced position, responsible for deeper analysis and investigation into the sources of an attack, as well as developing mitigation strategies.
Tier 3 Analyst (Advanced Security Analyst)
The person in this position takes a more high-level approach to SOC maintenance, by identifying unknown vulnerabilities, reviewing past threats and more. Usually in charge of creating detections, reports, seeing trends, threat hunting, and finding anomalies. May be involved in incident response activities, unless the company has a separate incident response team.
SOC Manager
This role involves managing the entire SOC team and communicating with leadership roles such as the CISO and CTO. Must have a deep understanding of every SOC tier, as well as strong people management skills.
What Does It (Actually) Take to Build a SOC?
Hiring Challenges
Labor shortages are rampant in this global economy, and the security industry is no exception. Staffing a 24/7 SOC requires a lot of personnel — usually around 10-12 full-time employees.

Now, let’s assume you get applicants. The typical interview process — call screening, technical phone screening, management phone screening, and team interview — takes weeks, and more likely months, to complete. Multiply that by the number of quality applicants that will all go through that process, and you’ll realize recruitment carries an enormous cost in human hours across a range of employees. Hiring outside staffing firms can shrink the time to complete that process somewhat, but they too carry a cost that’s often a poor fit for an SMB. And even an outside firm can’t alleviate the need to onboard the newly hired resource.

Staffing is made more difficult given the challenge of retaining productive employees. Tier 1 hires are initially affordable, but market demand for their skills rises quickly. It’s not unheard of for a high-performing Tier 1 SOC analyst to command a 50% higher salary by the two-year mark, if not sooner. Many companies struggle to compete with these external market forces and ultimately earn reputations as regional stepping stones for cybersecurity careers in the process.

Security analysts are responsible for the mind-numbing task of staring at a screen and triaging thousands of security alerts — oh, and being on call 24/7. It’s no surprise that burnout is a major problem for SOC analysts. Security professionals are more than twice as likely to report poor work-life balance. That burnout leads to high turnover.
Alert Fatigue
174,000
Average number of alerts SOC teams receive per week (Demisto study)
$30
Average cost of each alert investigation
How Much Does a SOC Cost?
$150,000 per security analyst
All things considered, the average organization spends $2.86 million per year to run an in-house SOC (Ponemon).
The Only Way To Eat An Elephant
“There is only one way to eat an elephant: one bite at a time.”
- Desmond Tutu
This adage also applies to building a SOC; trying to ‘eat the elephant’ all at once will just result in a failed implementation. Think about the ultimate goal of a SOC: visibility into your environment, and the ability to detect and respond to threats. For an SMB, achieving that goal doesn’t necessarily require a massive amount of resources — but you will need a solid monitoring strategy and a few tools to make that happen.
One Log At A Time
A better approach for smaller teams is to start slowly and to build gradually over time.
Start with high-value systems
Tying specific log ingestion to a standards framework will help to focus important log types and Event IDs.
Keep Building
After you’ve defined and followed processes and procedures, you can add other logs such as Windows, DNS, honeypots, applications, and database for a deeper look into the infrastructure.
Questions To Ask Yourself:
- Can I see data from my servers and networks, such as process monitoring?
- Do I have proper antivirus logs?
- Do I have access to IDP and traffic logs?
Once you have the data you need, the next steps will be much easier.
Centralize Your Logs
Option 1: rsyslog
Use rsyslog forwarding from a client to a centralized server, a process that requires a lot of maintenance and expertise.
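As an added illustration of the rsyslog option (constructed example, not Blumira’s or the whitepaper’s own configuration), the pair of RainerScript fragments below forwards a client’s logs over TLS to a central collector that writes one file per host and program. The hostname logs.example.internal, port 6514 and the certificate paths are assumptions; the disk-assisted queue keeps logs on the client during a collector outage instead of dropping them.

```conf
# --- Client: /etc/rsyslog.d/50-forward.conf (constructed example) ---
# TLS driver and CA used to verify the collector's certificate.
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/client-cert.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/client-key.pem")

# Forward everything over TCP+TLS, authenticating the collector by
# certificate name, and buffer to disk if it is unreachable.
action(type="omfwd"
       target="logs.example.internal" port="6514" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logs.example.internal"
       queue.type="LinkedList" queue.filename="fwd_q"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")

# --- Collector: /etc/rsyslog.d/10-collect.conf (constructed example) ---
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/server-cert.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/server-key.pem")

# Accept TLS connections only from clients whose certificate name
# matches the assumed internal domain.
module(load="imtcp"
       StreamDriver.Name="gtls" StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.internal"])
input(type="imtcp" port="6514")

# One file per sending host and program, so a single host's logs are
# easy to review or hand to a SIEM later.
template(name="PerHost" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
action(type="omfile" dynaFile="PerHost")
```

Restart rsyslog on both sides after installing the certificates; the per-host directory under /var/log/remote is a quick check that each source listed in the questions above is actually arriving.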
Option 2: SIEM
A more sophisticated solution is a SIEM that can provide analytics, search, and reporting capabilities, or even better — a threat detection and response platform that can correlate those events, provide context around them, and detect suspicious behavior.
Introduce Context & Automation
The biggest challenges of managing and maintaining a SOC is alert fatigue and analyst burnout. Two concepts will alleviate this: context and automation.
Alerts that aren’t actionable can be a major time-sink for IT and security teams, especially those with less security expertise. Interpreting a disjointed event (What is this log telling me and what is it saying about my environment?) can be complicated and time-consuming. Accompany alerts with context — or even better, built-in workflows and playbooks that give suggestions for next steps. Context is also important when it comes to interpreting the importance and urgency of an alert. Look for security products that categorize threats by the time recommended to respond:
- Priority 1 – Respond immediately to critical threats
- Priority 2 – Respond within the next day to high-priority threats
- Priority 3 – Respond within the next few business days to lower, potentially malicious alerts
94%
of IT leaders say that automation is the best solution for alert fatigue, according to a Dimensional Research study. The ability to automatically sort alerts and correlate threats with data cuts down on time spent managing alerts.
Blumira: A SOC Alternative
A traditional SOC requires massive time, effort, cost, and people resources — and for small teams, that’s simply too big of an ask. Blumira acts as a SOC alternative that’s purpose-built for small teams and SMBs.
Simplify & Automate Threat Protection
With Blumira’s platform, you can get up and running 5x faster than the industry average — using your existing team and infrastructure. Get complete security coverage in hours to rapidly detect and stop attacks.
How Blumira Works
- Detection: Monitor and detect real threats
- Response: Enable your team to quickly respond
- Expertise: Gain access to security expertise
Benefits of Blumira: Easy for SMBs
- Faster time to security - deploy in minutes, 5x faster than industry average
- Replace your SOC - automate manual triage and response
- Lower TCO (total cost of ownership) - all-in-one platform priced per user (not data or endpoints)
- Access to security experts - responsive support included; no need for in-house analysts
Sign Up Free!
blumira.com/free
Erica Mixon
Erica is an award-winning writer, editor and journalist with over ten years of experience in the digital publishing industry. She holds a Bachelor’s degree in writing, literature and publishing from Emerson College. Her foray into technology began at TechTarget, where she provided editorial coverage on a wide variety...