How to Set Up a Security Operations Centre In 5 Steps

The benefits of a security operations centre (SOC) are most obvious when you don't have one. 

For example, imagine it’s 3 am on a Saturday morning and a hacker breaks into your organisation's systems. There’s no one to detect the intrusion and no one to deal with it either. In fact, it’s not until a member of your sales team notices they are locked out of the network on Monday morning that anyone even knows there is something wrong. After that, things start happening very fast.  

The company’s files and servers are down, and strange emails demanding a bitcoin payment in 24 hours start popping up in everyone's inbox. The guy who “does security” is on holiday. 

Where does your organisation’s cry for help go? Who is going to coordinate remediation and stop attacks like this from happening again?

Security operations centres (SOCs) should be the answer to these questions. By putting key security people and tech in one place, a SOC can help organisations identify and remediate cyberattacks faster, minimising the impact of cyber threats and reducing risk.

Here are the five steps organisations should take when building out a SOC. 

Step 1: Identify Your Objectives 

What do you want a SOC to do? Primary motivations for setting up a SOC include: 

  • Compliance purposes. Businesses in certain industries need to comply with particular regulatory and industry standards. A SOC can conduct regular audits of a company’s systems to help ensure compliance with standards like the Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Regulation (GDPR), Cybersecurity Maturity Model Certification (CMMC), Gramm-Leach-Bliley Act (GLBA), Sarbanes–Oxley Act (SOX), and others. 

  • Detection and response. One of the main reasons organisations set up a SOC is to detect malicious activities. A SOC can monitor and analyse network activity to determine if a security incident is underway. In the event of system compromise, a SOC can respond to, contain, and remediate the event. 

  • Detection and response and security posture improvement. To have a truly effective SOC, learning from previous attacks and identifying the underlying cause is key. Having a SOC that is able to identify flaws and recommend relevant configuration changes will reduce your likelihood of future incidents and increase your SOC’s efficiency. 

Step 2: Determine the Length of Time You Need Monitoring For

Depending on your industry and how and when your business operates, the monitoring hours you need may range from 8 to 5 with out-of-hours on-call, to 24/7, or something in between. 

Threat actors never sleep, and a 24/7/365 SOC provides round-the-clock threat monitoring. At the same time, having an 8 to 5 SOC is better than not having a SOC at all. 

Step 3: Set a Budget 

Your budget will define what you can and can’t do. 

For example, if you want a 24/7/365 SOC, you will need to hire a minimum number of staff to support that function. If your budget can’t cover this minimum number of staff, you won’t be able to run a 24/7/365 SOC. 

Instead, you may want to look at outsourcing your SOC to a third-party service provider. A common approach is to buy an outsourced L1/T1 and L2/T2 SOC managed service from a managed security service provider (MSSP) while retaining a smaller set of skilled in-house staff who have significant experience in the industry and your company, or to take a hybrid approach (i.e., outsourcing consultants and setting up part-time in-house staff).  

Step 4: Perform an Inventory Analysis

When building a security operations centre, you’ll need to invest in a suite of security tools that will help your security team monitor your systems and make sense of alerts. 

The kinds of technologies and tools you buy will depend on a) the SOC’s purpose, b) your budget, c) how many security team members you have, and d) their skills. 

Before you buy new tools, you should look at what you already have. In many cases, having too many tools, especially tools that overlap, can make SOC professionals’ jobs harder rather than easier. By leveraging what you already have, you can avoid redundancies and reduce costs. 

With every security solution that is currently deployed, ask yourself:

  • Is it deployed properly?

  • Is it installed everywhere it should be installed? 

  • Is it effective?

Step 5: Equip the SOC

At a minimum, a SOC should have the following:

  • Antivirus solution. 

  • Firewall. 

  • Corporate proxy server.

  • Email security gateway.

  • Some way of containing a device, whether through an endpoint detection and response (EDR) solution or, if that’s too expensive, network controls. However, network controls may not always work, for example, if a user is working from home and the device is not on the corporate network. 

  • Security information and event management (SIEM) for centralising log data in one place, correlating alerts, and prioritising potential security threats. Because most SIEMs don’t come with out-of-the-box alerting rules, you’ll need to configure and script them yourself. For SIEMs that do come with alerting rules, you’ll still need to tweak them to fit your business. Be specific about what you’re looking for and what constitutes suspicious behaviour. The MITRE ATT&CK framework is a good way to gain a “defender’s advantage.”

  • Data loss prevention solution. 
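To make the SIEM point above concrete, here is an added example (not code from the original article) of the kind of alerting rule you end up scripting yourself: a small correlation rule that reads constructed auth log lines, flags a burst of failed logins followed by a success from the same source, tags the alert with the MITRE ATT&CK technique it maps to (T1110, Brute Force), and assigns a severity for prioritisation. The log format, the privileged-account list, and the threshold and window values are assumptions made for illustration and are the knobs you would tune to fit your own business.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events in an assumed syslog-like format.
SAMPLE_LOGS = """\
2024-03-02T03:01:05Z auth: FAILED login user=admin src=203.0.113.7
2024-03-02T03:01:09Z auth: FAILED login user=admin src=203.0.113.7
2024-03-02T03:01:12Z auth: FAILED login user=root src=203.0.113.7
2024-03-02T03:01:15Z auth: FAILED login user=admin src=203.0.113.7
2024-03-02T03:01:20Z auth: SUCCESS login user=admin src=203.0.113.7
2024-03-02T03:05:00Z auth: FAILED login user=jdoe src=198.51.100.2
2024-03-02T03:06:00Z auth: SUCCESS login user=jdoe src=198.51.100.2
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) login "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")
PRIVILEGED = {"admin", "root"}  # assumed list of high-value accounts

def parse(line):
    """Turn one raw line into an event dict; return None for lines the rule
    does not understand (a SIEM would route those to a parse-error queue)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_bruteforce(log_text, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold failed logins from one source inside
    `window`, followed by a success, raises one alert tagged with ATT&CK
    T1110 (Brute Force). threshold and window are the per-estate tuning knobs."""
    failures = defaultdict(deque)  # src IP -> timestamps of recent failures
    alerts = []
    for ev in filter(None, map(parse, log_text.splitlines())):
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
        elif len(q) >= threshold:  # a success right after a burst of failures
            alerts.append({
                "src": ev["src"], "user": ev["user"], "failures": len(q),
                "technique": "T1110",
                "severity": "Critical" if ev["user"] in PRIVILEGED else "High",
            })
            q.clear()  # one alert per burst, not one per later success
    return alerts
```

On the sample above the rule raises exactly one Critical alert for 203.0.113.7 and stays quiet for the single mistyped password from 198.51.100.2; raising `threshold` to 5 silences it entirely, which is the kind of tuning decision the article says you must make for your own environment.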

Organisations can consolidate their tool stacks and initiate active response with next-generation solutions like security orchestration, automation, and response (SOAR), extended detection and response (XDR), and SenseOn.

SOCs whose purpose is to fulfil an audit requirement will also need governance, risk, and compliance (GRC) systems. 

Whatever technologies and tools you get, make sure you have people on your team who can use them or give them appropriate training. There’s no point in having an expensive SIEM if no one on the team is trained to make sense of the data that’s showing up. 

Building a SOC with SenseOn

SenseOn is a security automation platform that consolidates tools like EDR, network detection and response (NDR), SIEM, intrusion detection system (IDS), and SOAR into one centralised platform.

SenseOn gives security teams unparalleled visibility into their digital estates and eliminates the need for organisations to purchase disparate tools to equip their SOC. 

With SenseOn, security professionals can perform the following SOC activities:

  • Threat detection. SenseOn uses blended methods of detection (i.e., rules, signatures, machine learning, behaviour analytics, honey tokens, and more) to perform security monitoring. Our platform can autonomously detect everything from common automated malware to the most advanced cyber threats in real time. 

  • Threat investigation. SenseOn maps suspicious activity to the MITRE ATT&CK framework, flagging only genuine security alerts for security analyst attention. This automates one of the most tedious SOC processes (triage and analysis) and saves SOC analysts from having to sift through countless false positives. 

  • Alert prioritisation. SenseOn prioritises alerts using a severity scoring system from Low to Critical, making it easy to see which alerts require urgent action.

  • Threat hunting. SenseOn collects rich threat intelligence from endpoints and the corporate network, as well as any learned data, to give security professionals a better idea of the unusual events happening in their estate. Analysts can perform narrow and broad searches and use SenseOn’s Query Library to save time.

Whether due to budget or staffing issues, some organisations may not have the capacity to investigate alerts produced by the SenseOn platform in-house. 

As a result, we also offer a managed SOC service. Our team will investigate priority alerts identified by the SenseOn platform, notifying security professionals when actual security incidents are underway or remediating events on their behalf. 

To try out SenseOn in your SOC, schedule a demo today. 
