How Can I Build a Cost-efficient SOC?
06.04.2018
Read
IT security breaches have become a norm of the day at innumerable organizations around the world. Most of the attacks indicate that the enterprises should highly focus on their mitigation capabilities, incident detection, and investigation processes. Preventing highly sophisticated cyber attacks is a daunting task unless companies have the capability to detect and then respond quickly. To accomplish this goal, some enterprises have 24/7 Security Operation Centers (SOCs) wherein teams of dedicated security analysts diligently monitor, detect, contain, and remediate IT threats across critical systems, devices, and applications, in their physical locations as well as private and public cloud environments. On the contrary, most enterprises cannot afford 24/7 SOCs and rely heavily on borrowing analysts when needed because spending bulk currency on establishing 24/7 SOCs and hiring security folks is out of the question for them. The ultimate solution for these enterprises is to build a SOC with limited resources which could automate as much of the SOC operations as possible. With SOC automation, you will be able to get a more consistent response to alerts, better focus on high priority items and more. Before building a SOC, you must understand the Triad of SOC that includes People (collaborate and communicate with multiple functions, Technology (different security products), and Process (varying processes and procedures). Figure 1 below is demonstrating Triad of SOC including its building blocks. 
SOC also involves Cyber Attack Lifecycle that includes six phases including Reconnaissance, Initial Compromise, Command & Control, Lateral Movement, Target Attainment, and Exfiltration, Corruption, and Disruption. Besides, you also need to know about Threat Lifecycle Management (TLM) that is indispensable and cost-effective for reductions in Mean Time to Respond (MTTR) and Mean Time to Detect (MTTD). TLM framework incorporates six phases that must be implemented for effective detection and response. These six phases include Collect, Discover, Qualify, Investigate, Neutralize, and Recover. The following sections illustrate some other essential considerations and steps required to build a SOC with limited resources.
The costs of the SOC depends on its size such as small, medium, or large. The main expense of the SOC is due to labor and services. TLM platform involves a little cost because most of the cost is consumed by the investigation, monitoring, analysis, incident response, and forensic data that is associated with humans, not with the TLM platform. In addition, various other factors also involve costs such as facilities, infrastructure, systems, software, equipment, networks, and subscription fees. The TLM platform can help the organization in reducing an ample cost (even millions of dollars) for loss of user productivity, incident handling, and business loss from incidents that prevent the enterprise from carrying out its normal everyday operations.
Once you have understood the SOC thoroughly including its Triad (e.g., People, Technology, and process), Foundations, and costs, then you need to know 7 steps involved in building a SOC with limited resources. These steps are listed below:
Strategy development includes two parts. The first part involves the assessment of SOC capabilities in terms of people, technology, and process. While building the SOC, the key features must be attained first such as detection, monitoring, recovery, and response. The second part will focus on assisting the enterprise in achieving its business goals.
When designing a SOC, you need to define its functional requirements such as determining performance requirements (e.g., response time) and identifying the sources of log and event data to be monitored. After that, you need to select a SOC model based on functional requirements. This involves some decisions—like which roles the SOC will play and how many Full-Time Equivalents (FTEs) will be required per role. FTE is the ratio of the total number of paid hours during a specific time period (e.g., contracted, full time, or part-time). The last step in this phase involves the designing of technical architecture that includes planning, composition, and configuration of solution components such as TLM platform.
This step involves all the six phases of TLM discussed in the previous section. Moreover, you need to outsource your SOC staffing partially and work with your outsourcer to make sure that procedures, processes, and training components on both sides have been taken into consideration.
Prior to the deployment of SOC, it’s imperative to provide all necessary elements including the tight security for the IT infrastructure such as servers, laptops, Desktop PCs, and Bring-Your-Own-Device (BYOD) that are associated with your SOC staff.
This step involves the implementation of the solution that will minimize the workload on people by using a technology. This include onboarding the orchestration capabilities and security automation, bringing up the security analytics capabilities, and onboarding the minimum collection of critical data sources.
In this step, you need to deploy “Uses Cases” across the orchestration and automation tier and analytics tiers, such as detecting phishing campaign and compromised credentials. Moreover, you also need to perform testing on the solutions discussed in the previous stage (Stage 5).
Ongoing maintenance of implemented solutions is a prerequisite to achieving maximum performance of your SOC. Besides, such maintenance should be applied periodically.
Conclusion
Building a SOC with 24/7 maintenance and excessing staffing will cost a bulk currency to your organization. However, you can build a SOC with limited resources by knowing some essential elements of SOC and the following 7 steps. This can help you to enhance your corporate’s mitigation capabilities, incident detection, and investigation processes.
