Detecting and Responding to Threats Fast: Building a SOC with Limited Resources

Over the last 18 months, the need for greater cybersecurity across the globe has risen due to a significant shift to remote working and the more vulnerable security infrastructure that has resulted from it. Organisations need to detect and neutralise a threat before it attacks, not play catch-up once the impact has been felt.

Some organisations use formal security operations centres (SOCs) to counter the increasing threat landscape. Formal 24x7 SOCs are tightly secured areas where teams of dedicated analysts carefully monitor for threats around the clock, every day of the year.

Unfortunately, most organisations cannot afford a 24x7 SOC. According to 2020 Forrester research, less than 20% of teams have a solution in place that can effectively provide visibility across networks, applications, and endpoints. The cost of having well-trained analysts onsite at all times outweighs the benefit for almost every organisation. Instead, most organisations either make do with an informal SOC or have no SOC at all.

This leads to major delays in responding to many incidents, while other incidents go completely unnoticed. And when an event does occur, many organisations can’t efficiently and effectively respond because they lack formal incident response processes and capabilities.

For organisations caught between the prohibitive cost of a formal SOC and the wholly inadequate protection from an informal SOC, there is a solution that finds a balance between these two extremes: building a hybrid SOC that automates as much of the work as possible. 


The Steps to Success

An effective hybrid SOC encompasses nearly every aspect of the detection, response, and recovery process. To create one, organisations need three components: people, processes, and technology, with automation applied wherever possible. Automation minimises reliance on people and enables decentralisation of the SOC team. For SOCs, the power of automation cannot be overstated.

1. People

The two most fundamental roles in a SOC are the security analyst and the incident responder. Security analysts work primarily in the monitoring and detection phases of a SOC. Incident responder tasks may include:

  • Conducting deeper analysis of suspicious security events
  • Performing response activities whenever an incident necessitates
  • Keeping management apprised of the status of incident response efforts

Other possible SOC roles include forensic analysts, malware reverse engineers and security architects. Organisations have many options when it comes to how to staff a SOC, such as fully outsourced, fully in-house and hybrid (a combination of employees and outsourcing). A hybrid SOC is the just-right solution for organisations that cannot justify the overwhelming expense of a formal SOC and cannot tolerate the inadequate protection provided by an informal SOC.

2. Technology

A comprehensive platform is ideal for building a SOC because it includes and integrates all the needed forms of security automation and incident response orchestration into a single display. A security information and event management (SIEM) platform can:

  • Centralise all forensic data to eliminate the need to have people looking at the raw security event data 24 hours a day.
  • Provide context for security incidents by integrating critical threat intelligence sources and vulnerability data. This context enables security analysts to better determine what an attacker may be attempting to do and why.
  • Prioritise events of interest based on their relative risk to the organisation so that SOC staff can pay attention to the most concerning events first.
  • Enable automated responses that are automatically associated with specific alarms.

Actions that can be initiated without human interaction, or that require single-click approval, can greatly benefit your team’s time to respond to an incident. A NextGen SIEM platform should recognise common situations and automatically respond so the team can focus on more complex and impactful events and incidents.
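The four capabilities listed above, as an added illustration written for this article (not code from any SIEM product or from the author): a toy triage pipeline that enriches constructed events with constructed threat-intel and vulnerability context, scores each by asset criticality, ranks the resulting alarms by risk, and attaches a playbook action, distinguishing actions that run with no human interaction from those that wait for single-click approval. All host names, IP addresses, indicators and thresholds are made up.

```python
# Constructed sample context for this example (not real indicators or assets).
THREAT_INTEL = {"203.0.113.7": "known C2", "198.51.100.9": "known scanner"}
ASSET_CRITICALITY = {"db-prod-01": 5, "web-01": 3, "laptop-42": 1}
VULNERABLE_HOSTS = {"web-01"}  # e.g. unpatched, as reported by a vuln scanner

# Playbook: alarm type -> (response action, needs single-click approval).
# Only low-impact, reversible actions run with no human in the loop.
PLAYBOOK = {
    "c2_beacon": ("isolate_host", True),
    "port_scan": ("block_source_ip", False),
    "auth_failure_burst": ("lock_account", True),
}

# Constructed events, already centralised from firewall, IDS and auth logs.
SAMPLE_EVENTS = [
    {"host": "laptop-42", "src": "10.0.0.42", "dst": "203.0.113.7"},
    {"host": "web-01", "src": "198.51.100.9", "dst": "10.0.0.5", "ports_touched": 500},
    {"host": "db-prod-01", "src": "10.0.0.77", "dst": "10.0.0.9", "failed_logins": 35},
    {"host": "web-01", "src": "10.0.0.8", "dst": "10.0.0.5"},  # benign traffic
]

def classify(ev):
    """Simplified detection rules mapping a raw event to an alarm type."""
    if "C2" in THREAT_INTEL.get(ev["dst"], ""):
        return "c2_beacon"
    if ev.get("ports_touched", 0) > 100:
        return "port_scan"
    if ev.get("failed_logins", 0) > 20:
        return "auth_failure_burst"
    return None

def score(ev):
    """Risk = asset criticality x (1 + intel hit + vuln hit), capped at 25."""
    hits = (ev["src"] in THREAT_INTEL or ev["dst"] in THREAT_INTEL) + (ev["host"] in VULNERABLE_HOSTS)
    return min(ASSET_CRITICALITY.get(ev["host"], 1) * (1 + hits), 25)

def triage(events):
    """Enrich, score and rank events; attach the playbook action to each alarm."""
    alarms = []
    for ev in events:
        kind = classify(ev)
        if kind is None:
            continue  # benign: no analyst time spent
        alarms.append({
            "risk": score(ev), "host": ev["host"], "kind": kind,
            "intel": THREAT_INTEL.get(ev["src"]) or THREAT_INTEL.get(ev["dst"]) or "no intel match",
            "action": PLAYBOOK[kind][0], "needs_approval": PLAYBOOK[kind][1],
        })
    return sorted(alarms, key=lambda a: a["risk"], reverse=True)  # highest risk first
```

Calling `triage(SAMPLE_EVENTS)` returns the three alarms with the vulnerable, intel-matched web server first and the benign event dropped before any analyst sees it.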

3. Processes

Technology — such as an end-to-end SIEM platform — brings people and processes together to notify a security analyst of something that needs immediate attention. But processes also help people to work with each other.

SIEM solutions can foster much more sophisticated communication, collaboration, workflow, and orchestration capabilities for SOCs. When a major incident occurs, numerous security analysts, incident responders, and forensic specialists may often help to resolve it, and others within the organisation such as system and network administrators may also be involved.

In these cases, having a comprehensive SIEM platform is essential because it performs security automation and orchestration to automate workflows and streamline case management to detect and handle threats more rapidly. A SIEM platform also provides the ability to ensure that nothing is overlooked or handled too slowly.

The Costs Involved in Building a SOC

How much a SOC will cost an organisation is dependent on many factors, as is how much a SOC may save an organisation. Labour and service costs are highest for SOCs not based on a NextGen SIEM platform, because far more of the monitoring, analysis, and incident response work has to be done by humans instead of by the SIEM solution.

The second major type of cost for SOCs is the infrastructure. In general, infrastructure costs are fairly consistent across models for a SOC of a particular size, because most of the same infrastructure needs to be in place whether you have 8x5 or 24x7 onsite staffing. The only exception is the fully outsourced SOC model, because it doesn’t require facilities, equipment, or systems for SOC staff.

The final major considerations for SOC costs involve how effective the SOC will be at preventing incidents, detecting and stopping incidents quickly, and restoring normal operations. Converting an informal SOC into a well-structured security operation utilising a SIEM platform could reduce costs by millions of dollars a year for incident handling, loss of user productivity, reputational damage and loss of business from incidents that prevent the organisation from conducting its normal operations. In fact, a 2021 study conducted by Forrester revealed that customers attained an average of 258% return-on-investment (ROI) using a SIEM solution and the investment paid for itself in less than six months.

Optimising SIEM With Automation

Having a SIEM has become an absolute necessity for implementing an effective SOC to minimise damage caused by attacks. A hybrid SOC that finds a balance between people, processes and SIEM technology achieves immediate and ongoing cost savings as compared to adopting any other SOC model.

Automation enables your organisation to have a small number of analysts who focus on the most complex and challenging tasks instead of legions of analysts who spend most of their time performing time-intensive, mundane tasks. It also greatly improves the efficiency of SOC operations so that incidents are detected, stopped, and recovered from much more quickly, thus minimising damage and other costs. You can successfully build a SOC, even with limited resources.


External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
