Blumira Resources & Blog

How to Build a SOC on a Budget

Written by Erica Mixon | May 5, 2022 2:43:18 PM

Download a PDF copy of the whitepaper

01 Introduction
02 Meet The SOC Team
03 What Does It (Actually) Take to Build a SOC ?
04 Alert Fatigue
05 The Only Way To Eat An Elephant
06 Introduce Context & Automation
07 Blumira: A SOC Alternative

How To Build a SOC On a Budget

Smaller teams can get SOC capabilities without breaking the bank.

So, You Want To Build a SOC?

Whether you’ve got directives from the top, compliance requirements to meet, or you’re trying to get more visibility into your environment, you may think that a security operations center (SOC) — often hailed as the pinnacle of security — is the ideal option.
In reality, a traditional SOC is a pipe dream for the majority of organizations. Building a full SOC is a massive undertaking that’s often only attainable for enterprise organizations with massive budgets and a huge staff of skilled analysts. For organizations that don’t have those resources, it’s important to take it one step at a time.
Fortunately for smaller teams, there are options to build out your version of a SOC without breaking the bank.

Get To Know The Terms

Security Operations Center (SOC):

A SOC is an organizational framework that combines people, processes and tools to detect, respond and analyze security threats. A traditional SOC includes in-house 24/7 monitoring in which security analysts are watching the environment for emerging threats and responding accordingly.

Security information & event management (SIEM):

A SIEM is a centralized logging tool that integrates with different components of security and IT infrastructure — applications, systems, servers, antivirus, EDR — and takes in data from each service to alert teams of suspicious activity on a network.

Many SIEMs perform threat analysis, detection and response — but not without extensive ongoing fine-tuning and detection rule management. Blumira, on the other hand, performs fine-tuning, parsing and rule management on your behalf — lessening the burden on your IT and security teams.

Endpoint detection and response (EDR):

EDR software runs on endpoints — including workstations, servers, and mobile devices — to detect incoming threats. EDR combines real-time continuous monitoring with automated response and analysis capabilities.

 

With a full SOC, an organization should be able to:

  • Analyze threats using advanced analytics
  • Continuously detect and respond to threats
  • Carry out an incident response and recovery plan
  • Investigate the root cause of security incidents
  • Meet compliance and regulatory requirements

Meet The SOC Team

Tier 1 Analyst (Triager)

This entry-level position involves being on the frontlines ofthe SOC, manually going through the hundreds of alerts generated by a SOC. Responsible for triaging and prioritizing alerts, and may also provide end user support and endpointinstallation. Known for being a tedious role,this position is infamous for high turnover and burnout

Tier 2 Analyst (Security Investigator)

This is a more experienced position, responsible for deeper analysis and investigation into the sources of an attack, as well as developing mitigation strategies.

Tier 3 Analyst (Advanced Security Analyst)

The person in this position takes a more high-level approach to SOC maintenance, by identifying unknown vulnerabilities, reviewing pastthreats and more. Usually in charge of creating detections, reports, seeing trends,threat hunting, and finding anomalies. May be involved in incident response activities, unless the company has a separate incident response team

SOC Manager

This role involves managing the entire SOC team and communicating with leadership roles such as the CISO and CTO. Must have a deep understanding of every SOC tier, as well as strong people management skills.

What Does It (Actually) Take to Build a SOC?

 

It’s time for a reality check: building a modest cybersecurity program — much less a 24/7 SOC — is a challenging feat.

Before you go full steam ahead in an attempt to build out a full SOC, evaluate the problems that you might face as a small to medium-sized business (SMB).

 

Hiring Challenges

Labor shortages are rampant in this global economy, and the security industry is no exception. Staffing a 24/7 SOC requires a lot of personnel — usually around 10-12 full-time employees.

Now, let’s assume you get applicants. The typical interview process — call screening, technical phone screening, management phone screening, and team interview — takes weeks, and more likely months, to complete. Multiply that by the number of quality applicants that will all go through that process, and you’ll realize recruitment carries an enormous cost in human hours across a range of employees.

Hiring outside staffing firms can shrink that time to complete that process somewhat, but they too carry a cost that’s often a poor fit for an SMB. And, even an outside firm can’t alleviate the need to onboard the newly hired resource.

Staffing is made more difficult given the challenge of retaining productive employees. Tier 1 hires are initially affordable, but market demand for their skills rises quickly. It’s not unheard of for a high performing Tier 1 SOC analyst to command a 50% higher salary by the two year mark, if not sooner. Many companies struggle to compete with these external market forces and ultimately earn reputations as regional stepping stones for cybersecurity careers in the process.

 

Security analysts are responsible for the mind-numbing task of staring at a screen and triaging thousands of security alerts — oh, and being on call 24/7. It’s no surprise that burnout is a major problem for SOC analysts. Security professionals are more than twice as likely to report poor work-life balance. That burnout leads to high turnover

Alert Fatigue

A full SOC contains a lot of different products, sometimes for no good reason other than shiny object syndrome. Our inner consumer craves the hottest new security technology:“With this shiny new security tool, we’ll be unstoppable!” An ESG study found that 40% ofIT and security professionalsuse between10 and 25 security tools; 30% use between 26 to 50.

There’s a layered approach to security, and then there’s just adding more tools in the hopes of finding the one unicorn that will protect you from everything (hint: it doesn’t exist). The resultis an unmanageable conglomeration oftools that provide little ROI and generate a lot of alerts.

Traditional SOCs generate an unsustainable amount of alerts for smaller teams, and it’s only human nature to eventually tune them out. Any sane person will burn out within a matter of weeks with constant alerts that tell you the sky is falling.

False positives also create unnecessary noise forevents thataren’t security threats, likea series of failed login attempts when a user simply forgot his orher password. False alarms account for about 40% of all alerts that security teams receive and further encourage the bad habit of ignoring alerts.

Let’s notforgetthattime equals money. When an alert comes in, an analyst must contextualize it, determine ifit’s a priority, and then triage itfor response. On average, analysts spend24-30minutes investigating each incident that comes through, according to an EMAstudy.Considering that the average salary of a SOCanalystis $109,156 per year (around $30 per incident investigation),false positives and alertfatigue can resultin a major costto business.

174,000

Average amount of alerts SOC teams receive per week (Demi s to S tudy )

$30

Average cost of each alert investigation

How Much Does a SOC Cost?

The staffing component alone adds up to an enormous cost. For a 24/7 SOC, expect to hire a minimum of 5 security analysts to cover 3 shifts of 8 hours, each with 1 staff per shift. Even if you can manage to hire junior security analysts to monitor your SOC, be prepared to budget a minimum of $500,000 in salary for security analysts alone. However, some teams choose to do more with less personnel by hiring senior experienced engineers and building automated alerting tools

However, some teams choose to do more with less personnel by hiring senior experienced engineers and building automated alerting tools In that scenario, you are likely to spend around:

However, some teams choose to do more with less personnel by hiring senior experienced engineers and building automated alerting tools

In that scenario, you are likely to spend around:

$150,000 per security analyst

Cybersecurity is a rapidly changing industry, and it’s important that security analysts’ skillsets are continuously updated. Certification programs can be costly, so be prepared to spend at least $2,500 per employee per year

This is all without factoring in the cost of hardware and software - the actual technology needed to support a SOC.

All things considered, the average organization spends $2.86 million per year to run an in-house SOC (Ponemon).

The Only Way To Eat An Elephant

The costs of a SOC are often justifiable for large enterprises such as science and technology, defense contractors, larger financial industry firms, and government agencies — especially given the SOC’s critical role in the organization’s risk mitigation strategy.

But where does that leave small-to-medium sized businesses (SMBs)?

After evaluating all of the challenges associated with a full SOC, you may be considering paring down the project to a smaller scale. Fortunately, it’s possible to achieve visibility without sinking massive resources into building a SOC.

" There is only one way to eat an elephant : one bite at a time. ”

- Desmond Tutu

This adage also applies to building a SOC; trying to ‘eat the elephant’ all at once will just result in a failed implementation

Think about the ultimate goal of a SOC: visibility into your environment, and the ability to detect and respond to threats. For an SMB, achieving that goal doesn’t necessarily require a massive amount of resources — but you will need a solid monitoring strategy and a few tools to make that happen.

One Log At A Time

At the heart of any SOC is a plethora of data, so you may be thinking that to achieve visibility, you need to ingest logs from every possible source in your environment.

Collecting logs from every source ensures that you have access to all of the data that you need. But for smaller teams, this approach can present challenges related to storage, indexing, and transmitting the data. When connecting those sources to a SIEM, you may receive a barrage of useless alerts.

A better approach for smaller teams is to start slowly and to build gradually over time.

Start with high-value systems

If your SIEM license cost is dependent on log volume (with Blumira, it’s not!), consume logs more aggressively from high-value systems, high-risk systems, and those facing external networks. Active Directory is often a good place to start; it’s where threat actors can get ‘the keys to the kingdom’ by obtaining domain account credentials, for example.

Begin with systems that are already delivering security logs, such as IPS/IDS and endpoint protection. This will allow you to become familiar with the software and configuration options while combining several applications into one log management system.

Then, you can save in areas that are of lesser importance from a security perspective.

Tying specific log ingestion to a standards framework will help to focus important log types and Event IDs.

Keep Building

After you’ve defined and followed processes and procedures, you can add other logs such as Windows, DNS, honeypots, applications, and database for a deeper look into the infrastructure.

Questions To Ask Yourself:

Can I see data from my servers and networks, such as process monitoring?
Do I have proper antivirus logs?
Do I have access to IDP and traffic logs?
Once you have the data you need, the next steps will be much easier.

Centralize Your Logs

All of that log data is great, but it won’t be much use to your team if there’s no central location for alert and analysis.

Centralized logging provides visibility into your environment — in other words, one step closer to the SOC capabilities you’re looking for.

Analyzing log files from multiple disparate sources is time-consuming, unwieldy, and likely to result in overlooking a security incident. Not only that, but looking at raw log files is like reading hieroglyphics if you haven’t been trained in that area.

Option 1: rsyslog

Use rsyslog forwarding from a client to a centralized server, a process that requires a lot of maintenance and expertise.

Option 2: SIEM

A more sophisticated solution is a SIEM that can provide analytics, search, and reporting capabilities, or even better — a threat detection and response platform that can correlate those events, provide context around them, and detect suspicious behavior.

Introduce Context & Automation

The biggest challenges of managing and maintaining a SOC is alert fatigue and analyst burnout. Two concepts will alleviate this: context and automation.

Alerts that aren’t actionable can be a major time-sink for IT and security teams, especially those with less security expertise. Interpreting a disjointed event (What is this log telling me and what is it saying about my environment?) can be complicated and time-consuming.

Accompany alerts with context — or even better, built-in workflows and playbooks that give suggestions for next steps.

Context is also important when it comes to interpreting the importance and urgency of an alert. Look for security products that categorize threats by the time recommended to respond:

  • Priority 1 – Respond immediately to critical threats
  • Priority 2 – Respond within next day to high-priority threats
  • Priority 3 – Respond within the next few business days to lower, potentially malicious alerts

94%

of IT leaders say that automation is the best solution for alert fatigue, according to a Dimensional Research study. The ability to automatically sort alerts and correlate threats with data cuts down on time spent managing alerts.

of IT leaders say that automation is the best solution for alert fatigue, according to a Dimensional Research study. The ability to automatically sort alerts and correlate threats with data cuts down on time spent managing alerts.

Blumira: A SOC Alternative

A traditional SOC requires massive time, effort, cost, and people resources — and for small teams, that’s simply too big of an ask. Blumira acts as a SOC alternative that’s purpose-built for small teams and SMBs.

Simplify & Automate Threat Protection

With Blumira’s platform, you can get up and running 5x faster than the industry average — using your existing team and infrastructure. Get complete security coverage in hours to rapidly detect and stop attacks.

How Blumira Works

DetectionMonitor and detect real threats

Response Enable your team to quickly respond

Expertise Gain access to security expertise

Benefits of Blumira: Easy for SMBs

  • Faster time to security – deploy in minutes, 5x faster than industry average
  • Replace your SOC – automate manual triage and response
  • Lower TCO (total cost of ownership) – all-in-one platform priced peruser (not data or endpoints)
  • Access to security experts – responsive support included; no
  • need for in-house analysts