In 2022, global cyberattacks increased by 38% and are showing no signs of slowing. This continued rise in threats has heightened the conversation among security teams around the importance of 24x7x365 monitoring and what it takes to build out an internal security operations center (SOC).
Aaron Cooper, a security operations veteran who has spun up multiple SOC infrastructures, addressed the issue during a recent Nuspire webinar. Aaron broke down what it takes to build an internal security operations organization, including required technologies, talent and staffing, cost breakdowns and options for outsourcing. Read on to learn more.
To build a SOC that can handle the demands of an ever-changing cybersecurity landscape, Aaron said you need to focus on three areas:
It’s important you have people on staff to support a 24-hour operation. Long gone are the days of shutting down on a Friday and expecting to pick things back up the following Monday. Not only should you plan for 24-hour support, but also have backups for each shift.
In addition, a well-functioning SOC should have strong leadership. These days, it’s difficult to not only find cybersecurity talent, but also keep it. Solid leadership that focuses on growth and the right training will go a long way in building a stable team.
A key component of running a SOC is having standard operating procedures (SOPs) in place for every device type and category. This includes the creation of runbooks that match whatever framework you’re using (like MITRE ATT&CK).
“The idea is that you have processes laid out so clearly, even someone with a lower level of experience would know exactly what they need to do,” Aaron said.
Other processes to plan for include discovery, integration with networking and firewall engineering teams, training, ticketing and compliance.
Often the first security tool that comes to mine when talking about a SOC is a SIEM (security information and event management), which is crucial in giving organizations the visibility needed to quickly detect and respond to threats. A SIEM handles log management, leverages data and threat intelligence for event correlation and enables incident monitoring and response.
Additional tools crucial to building a SOC include an enterprise-grade endpoint detection and response (EDR) solution, threat intelligence and a case management platform.
“Case management is critical because it allows you to do ticketing and easily add notes and information that can be handed off to other analysts,” said Aaron. “It also helps you better articulate the history of what happened during a critical event to stakeholders like your legal team, law enforcement and your executives.”
Spinning up a modern SOC isn’t something you can just jump into – it requires careful planning and analysis. Aaron recommended a number of actions to take to ensure you’re in the best position to begin building.
Understand where you are vulnerable
Gain visibility into your software to see where vulnerabilities exist, then work to make updates.
Know your environment
Build a dynamic asset inventory that includes network models, devices, software licenses and revisions. It’s important to know everything connected to your network.
Build a threat model
Create a visual data flow for your mission-critical applications. You can use vulnerability scans to help you uncover opportunities for improvement and where to monitor logs.
Create contact runbooks
Runbooks allow you to know who’s responsible for every aspect of your environment and help you ensure 24/7 support for database administration, network support and executive leadership. Runbooks also provide a clear escalation path for legal teams, C-levels and law enforcement.
Conduct red team pen tests
Penetration tests are a great way to discover where you could be breached. You can do tabletop exercises where you create a breach scenario and run through your response and remediation processes to see if you have any gaps.
The costs to build and operate a SOC can create a bit of sticker shock if you don’t know what to expect. Aaron offered his estimates to operate a five-person SOC for an enterprise with 2,000 employees:
Given the costs of building and operating a 24x7x365 SOC, Aaron acknowledged that many companies may opt to get third-party support through an MSSP. He offered three key areas to focus on when vetting an MSSP for SOC services:
Incident Response – This is the bread and butter of the SOC, including monitoring security alerts and distinguishing between false and true positives.
To get the full breakdown of SOC costs and additional information on team development and regulatory compliance, watch the webinar.