Source: www.csoonline.com – Author:
To create an effective SOC, CISOs must balance people, technology, and operations and decide between investing in-house or managed services.
Incident detection and response are fundamental responsibilities for all cybersecurity defenders. In most mid-sized and large organizations — and even some smaller ones, depending on their risk profile — these critical activities are managed within a security operations center (SOC), a central hub for detecting and responding to threats in real time.
“A SOC is a combination of three things,” Daniel Schiappa, chief product and services officer at Arctic Wolf, tells CSO. “It’s a combination of people, an operational model, and technology.”
Finding the right balance of these SOC components is challenging for most organizations. The effectiveness of a SOC depends on several factors, including whether an organization invests in high-capex solutions requiring significant technology investments but lower personnel costs or opts for open-source solutions, which reduce upfront expenses but demand a larger, more skilled workforce to operate efficiently.
Experts advise that before CISOs decide to build or maintain their own SOC, they should examine the two main SOC options: purchasing managed SOC services offered by vendors, an easier but potentially less flexible and more costly option over time, or building their own SOCs, a more complex undertaking that requires strategic technology investments but may ultimately lead to a more effective and cost-efficient solution.
Options for creating a SOC
CISOs can approach building a SOC in several ways: hiring external vendors who manage their SOC needs, buying all or some of the technology solutions needed for the SOC, hiring security personnel to manage operations, or some combination of all these things.
“All of those things translate into time, money, or both,” Neil “Grifter” Wyler, VP of defensive services at Coalfire, said during a talk at this year’s Shmoocon conference.
“You can go out and buy [technology],” he said. “Or you can turn around, and there is likely a solid open-source solution for each [technology] as well if you’re a shop that is highly capex.
“If you’ve got upfront spend, you can say, all right, we’re going to go out and buy this vendor solution,” Wyler said. “You have a neck to choke. There’s support that comes with it. But if you have a bunch of bodies, your opex, you have the cash to throw at it, putting things running, then doing an open-source solution might be a better avenue for you.”
The problem with an outsourced solution is that the organization is at the mercy of the provider’s demands. “The problem is that if that vendor decides somewhere down the road that they’re going to do a 30% increase in the cost for that platform, suddenly the rip and replace becomes really, really painful.”
A CISO’s options “start from the risk profile and what you’re trying to protect,” Tony Paterra, VP of product management at Splunk, tells CSO.
“Understand what you’re trying to protect and defend against. Put the infrastructure in place to protect and defend against that, which is where you start to understand why an organization needs an operational heart to protect its brand and intellectual property. Then you need a team focused on absorbing the telemetry and visibility that comes out of that infrastructure.”
During their Shmoocon talk, Wyler and his colleague James “Pope” Pope, director of technical marketing engineering at Corelight, offered a list of the fundamental technologies CISOs should consider when building or outsourcing a SOC.
These essential tools include:
EDR (endpoint detection and response)
EDR is a security solution that continuously monitors and analyzes endpoint activities to detect, investigate, and respond to cyber threats in real-time. “This is the tool that sits on the endpoints for all your users and all devices that aren’t even users,” Pope said. “You want that. You need it for detections and, hopefully, preventions. And then when you don’t prevent something, like something gets past that EDR, you want to be able to reduce that response time by having what I like to call advanced telemetry on monitoring.”
SIEM (security information and event management)
A SIEM system collects, analyzes, and correlates security logs and event data from various sources to detect anomalies, generate alerts, and support compliance and forensic investigations. Depending on the EDR vendor and what the organization pays for, it might not have access to the full set of EDR logs it needs. “You need to either pay to extend them or send them somewhere,” Pope said.
NDR (network detection and response)
An NDR is a security tool that monitors network traffic to identify suspicious behavior, detect threats, and enable rapid response to potential cyberattacks. “I think of this as more video surveillance for your network,” Wyler said. “Watching the packets go by and seeing what’s happening in that environment is like video surveillance. It can be expensive, but it is worth it.”
SOAR (security orchestration, automation, and response)
SOAR is a platform that integrates security tools, automates workflows, and streamlines incident response processes to improve efficiency and reduce response times. “You could argue the orchestration automation part of this does not belong in a SOC,” Pope said. “That could be a separate trend; a separate group in your operations team is building that.” But, he added, “you need something that has a playbook that you execute every single time in this order. It shouldn’t be a different playbook each time. And then you want to build automation steps through those playbooks.”
TIP (threat intelligence platform)
TIP is a system that aggregates, analyzes, and prioritizes threat intelligence data to help security teams identify, assess, and mitigate emerging cyber threats. “Threat intelligence should be the foundation of your entire security program,” Pope said.
“Having a threat intelligence platform means taking all of the ridiculous feeds that are out there, whether they are community-led ones, ones that you pay for, the secret squirrel ones [and] feeding them into something that allows you to centralize it and then say, okay, what do we care about here.”
He added, “Don’t just go out and spend money and be like pew, pew, pew, pew, look how cool I am. I’m so elite. Spend the money in the places that say, ‘This is who’s going to come for me.’”
UEBA (user and entity behavior analytics)
UEBA is a security solution that uses machine learning and analytics to detect abnormal user or entity behavior that may indicate insider threats or compromised accounts. Once the files get out of the TIP, they are shipped off to analyze related user and entity behaviors, Wyler said.
Identity (verify access to resources)
Identity and access management (IAM) tools authenticate and authorize users, ensuring that only legitimate users can access sensitive systems and data.
Personnel challenges in setting up a SOC
In any SOC, whether built internally or delivered by an outside provider, having high-caliber personnel who monitor and follow up on the reports from the security technologies is critical. “If you look at the things that have been around a while, you have workforce turnover,” Splunk’s Paterra says. “If you have a good analyst, they might go somewhere else tomorrow for a better job offer.”
Moreover, “the effectiveness of the analyst is just a very clear problem,” says Paterra. “And then there’s just the volume of work. If you take a mass flood of alerts, it hits analysts not being effective,” which, experts say, can ultimately cause trauma and burnout.
“Analyst fatigue and burnout are fairly common, whether that’s in a SOC or if you’re in incident response,” Wyler tells CSO. “I think those are two areas of security that often can take a toll on folks because there is a significant amount of responsibility that comes with being in that role.”
For very large SOCs, it helps to differentiate layers of personnel depending on their skill level. Schiappa says that Arctic Wolf’s SOC, which many organizations use on an outsourced basis, relies on 1,500 security personnel who contribute to or operate the SOC. “We ingest one and a half trillion security observations daily,” says Schiappa. “We have multiple tiers of capabilities in there,” he says, from nascent security workers at tier one up to highly skilled security workers at tier three.
Other factors CISOs should consider when building a SOC
When building or maintaining an in-house SOC, experts flag other factors that CISOs should keep in mind. One question CISOs should ask themselves is, “have you equipped your analysts to do their job effectively,” Paterra says. “If you have to enumerate, go and sit down and just look at what they’re doing from a day-in, day-out perspective. If they have 50 browser tabs, you can very easily say that your analysts are not in a position to do their job effectively.”
Pope recommends that organizations spend more time in detection engineering. “That is when you get those alerts, and you’re saying, these are false positives, or the tool shouldn’t have sent it. You [should tune] those alerts so you’re not repeating the same thing tomorrow, the next day, the day after that,” Pope says.
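As an added illustration of that tuning discipline (example code, not from the article or any vendor named in it), the Python below runs constructed SIEM-style alerts through a small tuning layer: each suppression entry carries a reason, an owner and an expiry date, so a tuned-out false positive comes back for re-review instead of staying muted forever, and a short deduplication window collapses the same alert repeating from one host. All alert values, rule names and dates are made up for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample alerts, as a SIEM might forward them to the analyst queue.
ALERTS = [
    {"ts": "2025-03-03T08:00:00", "rule": "psexec_lateral", "host": "wks-17", "user": "svc_backup"},
    {"ts": "2025-03-03T08:05:00", "rule": "psexec_lateral", "host": "wks-17", "user": "svc_backup"},
    {"ts": "2025-03-03T08:30:00", "rule": "psexec_lateral", "host": "wks-22", "user": "jdoe"},
    {"ts": "2025-03-03T08:35:00", "rule": "psexec_lateral", "host": "wks-22", "user": "jdoe"},
    {"ts": "2025-03-03T09:00:00", "rule": "vuln_scanner_portscan", "host": "scan-01", "user": "-"},
    {"ts": "2025-03-03T09:10:00", "rule": "vuln_scanner_portscan", "host": "wks-22", "user": "-"},
]

@dataclass
class Tuning:
    rule: str
    match: dict      # field values that identify the known-benign case
    reason: str      # why it is benign, so the next analyst does not re-investigate
    owner: str       # who signed off on the suppression
    expires: date    # forces periodic re-review instead of a permanent mute

# Hypothetical tuning entries written by the detection-engineering team.
TUNINGS = [
    Tuning("psexec_lateral", {"user": "svc_backup"}, "nightly backup job", "det-eng", date(2025, 6, 30)),
    Tuning("vuln_scanner_portscan", {"host": "scan-01"}, "authorised scanner", "det-eng", date(2025, 1, 31)),
]

def suppressed_by(alert, tunings, today):
    """Return the active tuning entry that covers this alert, or None."""
    for t in tunings:
        if t.rule == alert["rule"] and t.expires >= today and \
           all(alert.get(k) == v for k, v in t.match.items()):
            return t
    return None

def expired_tunings(tunings, today):
    """Entries past their expiry: the alert fires again and the tuning must be reconfirmed."""
    return [t for t in tunings if t.expires < today]

def triage(alerts, tunings, today, dedup_window=timedelta(minutes=15)):
    """Split alerts into the analyst queue and the ones dropped as suppressed or duplicate."""
    queue, dropped, last_seen = [], {"suppressed": [], "deduped": []}, {}
    for a in alerts:
        if suppressed_by(a, tunings, today):
            dropped["suppressed"].append(a)
            continue
        key = (a["rule"], a["host"], a["user"])
        ts = datetime.fromisoformat(a["ts"])
        if key in last_seen and ts - last_seen[key] <= dedup_window:
            dropped["deduped"].append(a)      # same alert repeating: one ticket, not several
            continue
        last_seen[key] = ts
        queue.append(a)
    return queue, dropped
```

Run on the sample set for 2025-03-03, the backup-account alerts are suppressed, the repeated wks-22 alert is collapsed, and the scanner entry has expired, so its alert returns to the queue together with a reminder that the tuning needs reconfirming.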
Moreover, AI is rapidly changing the face of security operations and can radically improve detection engineering. “There’s real value in AI right now on upskilling and leveling up SOC analysts,” Pope says. “That’s here today. It will be there in the future. Maybe it’s not solving everything, but it is making analysts faster and better.”
Original Post url: https://www.csoonline.com/article/3840447/security-operations-centers-are-fundamental-to-cybersecurity-heres-how-to-build-one.html
Category & Tags: CSO and CISO, Security, Security Operations Center, Security Practices