How to Build a Security Operations Center (On a Budget)

  • Building a Security Operations Center (SOC) with Limited Resources is a Race Against Time
  • There are 2 critical functions in building a SOC
  • How do I know if I need an MSSP?

Security Operations Center (SOC) teams are responsible for monitoring, detecting, containing, and remediating IT threats across critical applications, devices, and systems in their public and private cloud environments as well as physical locations. Using a variety of technologies and processes, Security Operations Center (SOC) teams rely on the latest threat intelligence to determine whether an active threat is occurring, the scope of the impact, and the appropriate remediation.

Security Operations Center (SOC) roles and responsibilities have continued to evolve as the frequency and severity of incidents continue to increase.

Building a Security Operations Center (SOC) with Limited Resources is a Race Against Time

For many organizations (unless you work for a large bank), building a SOC may seem like an impossible task. With limited resources (time, staff, and budget), setting up an operations center supported by multiple security monitoring technologies and near-real-time threat updates doesn’t seem all that DIY.

In fact, you may doubt that you’ll have enough full-time and skilled team members to implement and manage these different tools on an ongoing basis. That’s why it’s essential to look for ways to simplify and unify security monitoring to optimize your SOC processes and team.

There are 2 critical functions in building a SOC.

The first is setting up your security monitoring tools to receive raw, security-relevant data (e.g. login/logoff events, persistent outbound data transfers, firewall allows/denies, etc.). This includes making sure that all of your critical cloud and on-premises infrastructure (firewall, database server, file server, domain controller, DNS, email, web, Active Directory, etc.) is sending its logs to your log management, log analytics, or SIEM tool.

The second function is to use these tools to find suspicious or malicious activity by analyzing alerts; investigating indicators of compromise (IOCs like file hashes, IP addresses, domains, etc.); reviewing and editing event correlation rules; performing triage on these alerts by determining their criticality and scope of impact; evaluating attribution and adversary details; and sharing your findings with the threat intelligence community.
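The two functions above (collecting security-relevant events, then correlating and triaging them) can be illustrated with a small SIEM-style correlator. The code below is an example added here, not code from the page or from any vendor's product; the syslog-like line format, the IOC list, the critical-asset list, the rule names and the thresholds are all constructed assumptions. It runs three rules over constructed log lines: an IOC match on IPs and domains, a burst of failed logins followed by a success from the same source, and repeated allowed outbound connections from one host to one external destination; each alert is then given a triage severity based on whether a critical asset is involved.

```python
"""
Minimal SIEM-style event correlation and triage over constructed log lines.
Added example: not the page's or any vendor's code. The log format, IOC
values, asset list, rule names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <reporting host> key=value ..."
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

# Constructed reference data that a SOC would keep in its SIEM.
CRITICAL_ASSETS = {"dc01": "domain controller", "db01": "database server"}
IOC_IPS = {"203.0.113.77"}      # constructed value from the TEST-NET-3 range
IOC_DOMAINS = {"bad.example"}   # constructed value

FAILED_LOGIN_THRESHOLD = 3               # assumed rule thresholds
WINDOW = timedelta(minutes=5)
PERSISTENT_OUTBOUND_THRESHOLD = 4

# Constructed sample events (login burst on a domain controller, a workstation
# beaconing out, a DNS lookup of a known-bad domain, a denied connection to a
# known-bad IP, and a benign logoff).
SAMPLE_LOGS = [
    "2024-05-01T10:00:00 dc01 event=login user=jsmith src=10.0.0.5 result=fail",
    "2024-05-01T10:00:20 dc01 event=login user=jsmith src=10.0.0.5 result=fail",
    "2024-05-01T10:00:40 dc01 event=login user=jsmith src=10.0.0.5 result=fail",
    "2024-05-01T10:01:00 dc01 event=login user=jsmith src=10.0.0.5 result=success",
    "2024-05-01T10:05:00 fw01 event=fw action=allow dir=out src_host=ws42 src=10.0.0.42 dst=198.51.100.9",
    "2024-05-01T10:10:00 fw01 event=fw action=allow dir=out src_host=ws42 src=10.0.0.42 dst=198.51.100.9",
    "2024-05-01T10:15:00 fw01 event=fw action=allow dir=out src_host=ws42 src=10.0.0.42 dst=198.51.100.9",
    "2024-05-01T10:20:00 fw01 event=fw action=allow dir=out src_host=ws42 src=10.0.0.42 dst=198.51.100.9",
    "2024-05-01T10:21:00 dns01 event=dns domain=bad.example src=10.0.0.42",
    "2024-05-01T10:22:00 fw01 event=fw action=deny dir=out src_host=ws42 src=10.0.0.42 dst=203.0.113.77",
    "2024-05-01T10:30:00 ws07 event=logoff user=alee",
]


def parse(line):
    """Turn one raw line into a dict of fields; returns None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["host"] = host
    return fields


def severity(ev):
    """Triage step: escalate when the reporting host or source host is a critical asset."""
    involved = {ev.get("host"), ev.get("src_host")}
    return "high" if involved & set(CRITICAL_ASSETS) else "medium"


def correlate(lines):
    """Run the three correlation rules; returns a list of (rule, severity, description)."""
    alerts = []
    failures = defaultdict(list)   # source IP -> timestamps of failed logins
    outbound = defaultdict(set)    # (source host, destination) -> timestamps of allows
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        # Rule 1: IOC match on any IP or domain field, whatever the event type.
        # A *denied* connection to a known-bad IP still tells you a host tried.
        hit = ({ev.get("src"), ev.get("dst")} & IOC_IPS) | ({ev.get("domain")} & IOC_DOMAINS)
        if hit:
            alerts.append(("ioc_match", severity(ev), f"{ev['host']} touched IOC {sorted(hit)[0]}"))
        # Rule 2: N failed logins then a success from the same source within WINDOW.
        if ev.get("event") == "login":
            src = ev.get("src")
            if ev.get("result") == "fail":
                failures[src].append(ev["ts"])
            elif ev.get("result") == "success":
                recent = [t for t in failures[src] if ev["ts"] - t <= WINDOW]
                if len(recent) >= FAILED_LOGIN_THRESHOLD:
                    alerts.append(("brute_force_success", severity(ev),
                                   f"{len(recent)} failures then success from {src} on {ev['host']}"))
                failures[src].clear()
        # Rule 3: persistent allowed outbound connections to one external destination.
        if ev.get("event") == "fw" and ev.get("action") == "allow" and ev.get("dir") == "out":
            key = (ev.get("src_host"), ev.get("dst"))
            outbound[key].add(ev["ts"])
            if len(outbound[key]) == PERSISTENT_OUTBOUND_THRESHOLD:   # fire once, on the Nth hit
                alerts.append(("persistent_outbound", severity(ev),
                               f"{key[0]} repeatedly connecting out to {key[1]}"))
    return alerts


if __name__ == "__main__":
    for rule, sev, desc in correlate(SAMPLE_LOGS):
        print(f"[{sev}] {rule}: {desc}")
```

Running it against the constructed lines yields four alerts: the login burst on dc01 (high, because a domain controller is involved), the beaconing workstation (medium), and two IOC matches (medium). Real deployments would load IOCs and the asset list from the SIEM or a threat-intelligence feed rather than from constants, but the structure (parse, enrich with asset context, apply rules, assign severity) is the same workflow the two functions above describe.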

How do I know if I need an MSSP?

We wish that there was a hard and fast rule to knowing precisely if/when you’d need to outsource your SOC to a service provider. Staff size and skillset is certainly a factor. At the same time, some of the largest enterprises rely on MSSPs instead of building their own SOCs.

The choice really comes down to answering one question: How confident are you that your team has the resources and skilled staff to detect, contain, and respond to a data breach? If your team’s resources are concentrated on other priorities, it may be wise to utilize an MSSP to manage your SOC.

The Cyber Kill Chain in Practice

The key to success is identifying attacker activity in the early stages of an attack, before sensitive data and systems are affected. As an attacker moves up the kill chain stages, it becomes more likely they’ll be successful in their attacks. By looking at environmental behavior and infrastructure activity from an attacker’s perspective, you’ll be able to determine which events require your attention now.

As a SOC analyst, it’s essential to document every stage of an investigation: which assets you’ve examined, which ones have “special” configuration or are owned by VIPs (aka execs), and which events are false positives. AlienVault USM makes this part of the process easy.

From any alarm, event, or vulnerability that AlienVault USM detects within your environments, you can easily open and track tickets with third-party productivity tools like ServiceNow® and Jira®, without leaving the USM platform. You can also use labels within USM to classify, track, and search vulnerabilities and alarms. Documenting the investigation provides an audit trail in case the asset is targeted again or is involved in future suspicious activity. Even if your company is not subject to an audit now, having this valuable information may prove useful in the future.

Know your network and all its assets

Asset discovery and inventory is one of the most important and yet most overlooked cybersecurity capabilities. When you’re on the SOC team, having access to an updated and automated asset inventory is invaluable.

Prevention vs. Detection

The key point to emphasize here is the importance of detection (vs. prevention). Of course organizations need to implement preventative tools (e.g. firewalls, AV, etc.) along with ensuring that vulnerabilities are patched, among other prevention-type activities (e.g. securing desktop configurations, account management, strict password policies, etc.). But in the last few years, detection has quickly risen in importance.

Attackers have evolved their capabilities (consider the rise in cybercrime attacks like ransomware and DDoS threats) to the point where they execute these attacks without being noticed. In the AT&T Marketplace Pulse: Global State of Cybersecurity report, they found that it was common for victims to learn that they’d been breached from a third party rather than discovering these breaches themselves.

Smaller organizations, with limited budgets and time, need a new approach—one that combines the essential tools for building a SOC into a workflow that can be easily supported by small teams. These essential SOC capabilities include asset discovery, vulnerability assessment, behavioral monitoring, intrusion detection, and SIEM (security information and event management).

Get all 4 chapters of “How to build a Security Operations Center (on a budget)” in 1 eBook! You’ll get an in-depth look at how organizations with limited resources can set up an operations center for monitoring, detecting, containing, and remediating IT threats across applications, devices, systems, networks, and locations.

The chapters you’ll read focus on:

  • The roles and responsibilities involved in a security operations team
  • The key processes to build a security operations center (SOC)
  • The essential security monitoring tools needed for a fully functional security operations center
  • How threat intelligence is used in a security operations center

Download this eBook today to learn how to build a SOC without requiring costly implementation services or large teams to manage it.


Jack Suri

Tech Cloud Link is the place to get free technology whitepapers downloads in a variety of formats, including PDF versions of popular articles tech briefs, tech whitepapers, and research articles into profoundly diverse spectrum within IT landscape. Here you will resolve trending IT concerns on topics like – Network Communication – Storage – Data Center – Server – Network Security. The whitepapers accurately address convergence between industrial and enterprise networks and collections of Articles, Features, Slide Shows and Analysis on Enterprise IT, Business and Leadership strategies that focus on critical
https://techcloudlink.com/
