A security operations center immediately incites images of a large, windowless room filled ceiling-to-floor with large flatscreen monitors. Security analysts sit dutifully at desks, taking in information from several screens at once, ready to pounce on even the slightest anomaly.
This vision of a security operations center, or SOC, is rooted in reality but only for a select few. The types of setups and capabilities showcased in these portrayals exist for large enterprises, such as Fortune 500 companies, major government agencies, or international finance organizations.
The reasoning is simple: Operating an entire SOC is a tremendous undertaking that requires significant investments in technology and personnel. It is often not practical, or even possible, for small and medium-sized businesses to strive for this type of environment. Instead, they should look to build a SOC that meets their needs at a price point that fits within their overall security expenditures.
They need to build a SOC on a budget.
What Exactly is a SOC?
A SOC is an organizational framework for security. It combines the components of a robust security environment, including the people, processes, and tools needed to detect, analyze, and respond to security threats. SOCs run 24 hours a day, seven days a week, with security analysts reviewing telemetry from the environment to watch for emerging threats and respond as required.
Along with the SOC, organizations may also hear the terms SIEM (security information and event management) and EDR (endpoint detection and response).
SIEM is a centralized log collection and analysis tool. As its name suggests, it takes data from many places, including applications, operating systems, servers, network devices, antivirus products, and EDR, normalizes it into a common format, correlates events across sources, and notifies team members of suspicious activity.
EDR is a type of software that runs on endpoints (workstations and servers) to record activity such as process execution, file changes, and network connections. It provides real-time monitoring with automated responses, such as killing a process or isolating a host from the network, that help contain known threats before an analyst gets involved.
Who Works in a SOC?
Along with the technology components, a SOC leverages several levels of cybersecurity analysts. They are broken up into tiers and manage different tasks based on their experience.
Tier 1 (Triager): An entry-level position that works on the front lines of the SOC, typically triaging and prioritizing the hundreds of alerts that get generated. This person may also provide end-user support and endpoint agent installation. Since this role can be tedious, employees often do not stay in it for long due to stress and burnout.
Tier 2 (Security Investigator): A more experienced team member, this person provides deeper analysis and investigation into the sources of an attack. They may also be involved in mitigation strategies.
Tier 3 (Advanced Security Analyst): This person takes a high-level approach to SOC maintenance, identifying known vulnerabilities and reviewing past threat information. They often create detections and reports and look for trends. They also may help with incident response.
SOC Manager: Outside of the tier system, this person manages SOC operations and communications with technology leadership, such as the chief information security officer and chief technology officer.
What Are The Challenges Of Building a SOC?
SOCs rely on technology and people to operate. Information security is a universal business need, making the fight for talent tough. Organizations must commit to recruiting, hiring, and retaining professionals in a competitive industry that currently has more jobs than qualified employees.
Hiring outside staffing firms can help cut time from this process, but often the cost is prohibitive for small businesses. Retention is a problem too: once trained, a Tier 1 analyst with just a few years of experience can command a significantly higher salary on the open market, so the organization that invested in them is the one most likely to lose them.
Along with hiring, there is also the challenge of technology. While different security solutions each fill an essential role, the sheer number of tools in a SOC, each generating its own stream of alerts, can become overwhelming. This results in a phenomenon known as “alert fatigue,” where team members become numb to the constant barrage of security warnings.
This can lead to decreased performance and employee burnout. Too many false positive alerts contribute as well. By some estimates, false alarms account for about 40% of all alerts, and they further encourage the bad habit of ignoring warnings, especially during busy times.
The Costs of a SOC
The staffing component of a SOC eats up most of the cost. For a traditional SOC, organizations should expect to hire a minimum of five security analysts; that is roughly what it takes to cover three shifts a day, seven days a week, with allowance for leave and turnover. Even if organizations employ junior team members to monitor the SOC, they should expect to budget a minimum of $500,000 per year for these analysts alone. Some organizations choose instead to hire experienced engineers and build automated alerting tools, but even that scenario requires paying a team member $150,000 annually or more.
Other costs include technology licenses, certification programs for analysts, and hardware. According to Ponemon, the average organization spends $2.86 million per year to run an in-house SOC.
Building on a Budget
A SOC is a strong option for large enterprises, but it is undoubtedly cost-prohibitive for small and medium-sized businesses. Those with smaller budgets should aim for the capabilities a SOC provides without the cost.
The ultimate goal of a SOC is to provide visibility into an environment and detect and respond to threats. Smaller organizations can achieve that with a solid monitoring strategy and a few key tools deployed in the correct areas. The best approach is to start slowly, collecting data logs from the most important sources in an environment.
Begin with systems that already produce security logs, such as IPS/IDS and endpoint protection. This will allow IT teams to become familiar with the software and configuration options while consolidating those sources into one log management system. From there, keep adding high-fidelity sources such as Windows event logs, DNS query logs, honeypots, and application and database logs, each of which provides more visibility into your infrastructure.
Centralized logging provides visibility into the environment, but analyzing log files from multiple sources by hand is overly time-consuming. A SIEM can provide analytics, search, and reporting capabilities that add context around these events and alert on suspicious behavior. Find a SIEM solution that can consume the log data affordably. Some SIEMs charge by volume ingested (per gigabyte per day), while others charge per host or per seat, so estimate your daily log volume first and look for a product that fits your budget.
With a SIEM that can better manage alerts, users can ensure they only get actionable items: suppress repeats of an alert they have already seen, and raise the priority of a host that trips more than one rule. Accompany alerts with context or built-in workflows and playbooks that give suggestions for next steps. With the right SIEM, you can respond immediately to critical threats and defer lower-priority ones to when time allows.
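As an added illustration of the pipeline described above (this is example code written for this article, not the product of any SIEM vendor), the script below does in miniature what a SIEM does for a small environment: it normalizes log lines from three sources (an IDS, a Windows Security event log, and a DNS resolver) into one schema, runs three detection rules, collapses repeated alerts into a single queue entry with a count, bumps the severity of any host that trips more than one rule, and returns the queue ranked by severity with a suggested playbook step. The log lines, the `bad-domain.test` blocklist entry, the rule names, and the playbook text are all constructed for the example.

```python
"""Added example: a tiny SIEM-style pipeline. It normalizes log lines from
three sources, runs a few detection rules, deduplicates repeated alerts,
escalates hosts that trip more than one rule, and returns a ranked queue."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): an IDS, a Windows
# Security event log, and a DNS resolver, each in a simple key=value text form.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01Z ids sev=high sig=ET_TROJAN_Beacon src=10.0.0.7 dst=203.0.113.9",
    "2024-03-01T09:00:02Z ids sev=high sig=ET_TROJAN_Beacon src=10.0.0.7 dst=203.0.113.9",
    "2024-03-01T09:00:03Z ids sev=low sig=ET_SCAN_Probe src=198.51.100.4 dst=10.0.0.1",
    "2024-03-01T09:01:00Z winlog EventID=4625 user=bob src=198.51.100.4",
    "2024-03-01T09:01:10Z winlog EventID=4625 user=bob src=198.51.100.4",
    "2024-03-01T09:01:20Z winlog EventID=4625 user=bob src=198.51.100.4",
    "2024-03-01T09:01:30Z winlog EventID=4625 user=bob src=198.51.100.4",
    "2024-03-01T09:01:40Z winlog EventID=4625 user=bob src=198.51.100.4",
    "2024-03-01T09:02:00Z winlog EventID=4624 user=alice src=10.0.0.5",
    "2024-03-01T09:03:00Z dns client=10.0.0.7 qname=update.example.org",
    "2024-03-01T09:03:05Z dns client=10.0.0.7 qname=bad-domain.test",
]

# Constructed blocklist; a real deployment would take this from a threat feed.
BAD_DOMAINS = {"bad-domain.test"}
SEVERITY = ["low", "medium", "high", "critical"]   # list index is the rank
KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Normalize one raw line into a dict with a common schema."""
    ts, source, rest = line.split(" ", 2)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    event.update(KV.findall(rest))
    return event


def alert(rule, severity, host, key, playbook):
    return {"rule": rule, "severity": severity, "host": host, "key": key, "playbook": playbook}


def rule_ids_high(events):
    """Only IDS alerts the sensor already rates high reach the queue; low-rated
    probes stay searchable in the log store but do not page anyone."""
    for e in events:
        if e["source"] == "ids" and e.get("sev") == "high":
            yield alert("ids_high", "high", e["src"], e["sig"], "isolate host; pull EDR timeline")


def rule_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Threshold or more failed logons (EventID 4625) for one user from one
    source inside the window: a single failure is noise, a burst is not."""
    fails = defaultdict(list)
    for e in events:
        if e["source"] == "winlog" and e.get("EventID") == "4625":
            fails[(e["src"], e["user"])].append(e["ts"])
    for (src, user), times in fails.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            yield alert("brute_force", "medium", src, user,
                        "block source; check for a 4624 success after the failures")


def rule_dns_blocklist(events):
    """Any query for a blocklisted domain is actionable on its own."""
    for e in events:
        if e["source"] == "dns" and e.get("qname") in BAD_DOMAINS:
            yield alert("dns_blocklist", "high", e["client"], e["qname"],
                        "isolate host; review proxy and firewall logs")


def run_pipeline(lines):
    """Parse, detect, deduplicate, escalate, rank. Returns the alert queue."""
    events = [parse(line) for line in lines]
    merged = {}
    for rule in (rule_ids_high, rule_brute_force, rule_dns_blocklist):
        for a in rule(events):
            k = (a["rule"], a["host"], a["key"])
            if k in merged:
                merged[k]["count"] += 1   # repeat of a known alert: count it, do not re-page
            else:
                merged[k] = dict(a, count=1)
    # Context: a host that trips more than one rule is bumped one severity level.
    rules_per_host = defaultdict(set)
    for a in merged.values():
        rules_per_host[a["host"]].add(a["rule"])
    for a in merged.values():
        if len(rules_per_host[a["host"]]) > 1:
            a["severity"] = SEVERITY[min(SEVERITY.index(a["severity"]) + 1, len(SEVERITY) - 1)]
    return sorted(merged.values(),
                  key=lambda a: (-SEVERITY.index(a["severity"]), -a["count"]))


if __name__ == "__main__":
    for a in run_pipeline(SAMPLE_LOGS):
        print(f'{a["severity"]:8} x{a["count"]} {a["rule"]:14} {a["host"]:14} {a["key"]}  -> {a["playbook"]}')
```

Eleven raw lines become a three-item queue: the beaconing host 10.0.0.7 sits at the top as critical because it tripped both the IDS rule and the DNS blocklist, the repeated IDS hit is shown once with a count of 2 rather than paging twice, and the password-guessing burst against `bob` is queued as medium for follow-up when time allows. The low-severity port scan and the successful logon for `alice` never reach the queue at all, which is exactly the noise reduction the text is after.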
Leveraging a SIEM along with data logs can create many of the same functionalities of a SOC without the high cost. While a SOC is not possible for everyone, the capabilities and a secure network are something everyone can afford with the right approach.
This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security magazine.