{"id":2274,"date":"2025-03-11T06:00:00","date_gmt":"2025-03-11T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2274"},"modified":"2025-03-11T06:00:00","modified_gmt":"2025-03-11T06:00:00","slug":"security-operations-centers-are-fundamental-to-cybersecurity-heres-how-to-build-one","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2274","title":{"rendered":"Security operations centers are fundamental to cybersecurity \u2014 here\u2019s how to build one"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Incident detection and response are fundamental responsibilities for all cybersecurity defenders. In most mid-sized and large organizations \u2014 and even some smaller ones, depending on their risk profile \u2014 these critical activities are managed within a security operations center (SOC), a central hub for detecting and responding to threats in real time.<\/p>\n<p>\u201cA SOC is a combination of three things,\u201d Daniel Schiappa, chief product and services officer at Arctic Wolf, tells CSO. \u201cIt\u2019s a combination of people, an operational model, and technology.\u201d<\/p>\n<p>Finding the right balance of these SOC components is challenging for most organizations. 
The effectiveness of a SOC depends on several factors, including whether an organization buys commercial solutions, which require significant upfront (capex) technology spend but lower personnel costs, or opts for open-source solutions, which reduce upfront expenses but demand a larger, more skilled workforce (opex) to operate efficiently.<\/p>\n<p>Experts advise that before deciding to build or maintain their own SOC, CISOs should weigh the two main options: <a href=\"https:\/\/www.csoonline.com\/article\/567189\/how-to-evaluate-soc-as-a-service-providers.html\">purchasing managed SOC services<\/a> offered by vendors, an easier but potentially less flexible and more costly option over time, or building their own SOC, a more complex undertaking that requires strategic technology investments but may ultimately lead to a more effective and cost-efficient solution.<\/p>\n<h2 class=\"wp-block-heading\">Options for creating a SOC<\/h2>\n<p>CISOs can approach building a SOC in several ways: hiring external vendors who manage their SOC needs, <a href=\"https:\/\/www.csoonline.com\/article\/566389\/10-essential-enterprise-security-tools-and-11-nice-to-haves.html\">buying all or some of the technology solutions<\/a> needed for the SOC, hiring <a href=\"https:\/\/www.csoonline.com\/article\/569239\/soc-analyst-job-description-salary-and-certification.html\">security personnel to manage operations<\/a>, or some combination of all these things.<\/p>\n<p>\u201cAll of those things translate into time, money, or both,\u201d Neil \u201cGrifter\u201d Wyler, VP of defensive services at Coalfire, <a href=\"https:\/\/www.shmoocon.org\/schedule\/\">said<\/a> during a talk at this year\u2019s Shmoocon conference.<\/p>\n<p>\u201cYou can go out and buy [technology],\u201d he said. 
\u201cOr you can turn around, and there is likely a solid open-source solution for each [technology] as well if you\u2019re a shop that is highly capex.\u201d<\/p>\n<p>\u201cIf you\u2019ve got upfront spend, you can say, all right, we\u2019re going to go out and buy this vendor solution,\u201d Wyler said. \u201cYou have a neck to choke. There\u2019s support that comes with it. But if you have a bunch of bodies, your opex, you have the cash to throw at it, putting things running, then doing an open-source solution might be a better avenue for you.\u201d<\/p>\n<p>The risk with a vendor-supplied solution, whether a product or a managed service, is that the organization is exposed to the provider\u2019s pricing decisions. \u201cThe problem is that if that vendor decides somewhere down the road that they\u2019re going to do a 30% increase in the cost for that platform, suddenly the rip and replace becomes really, really painful.\u201d<\/p>\n<p>A CISO\u2019s options \u201cstart from the risk profile and what you\u2019re trying to protect,\u201d Tony Paterra, VP of product management at Splunk, tells CSO.<\/p>\n<p>\u201cUnderstand what you\u2019re trying to protect and defend against. Put the infrastructure in place to protect and defend against that, which is where you start to understand why an organization needs an operational heart to protect its brand and intellectual property. 
Then you need a team focused on absorbing the telemetry and visibility that comes out of that infrastructure.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Breakdown of SOC tools and technologies<\/h2>\n<p>During their Shmoocon talk, Wyler and his co-presenter James \u201cPope\u201d Pope, director of technical marketing engineering at Corelight, offered a list of the fundamental technologies CISOs should consider when building or outsourcing a SOC.<\/p>\n<p>These essential tools include:<\/p>\n<h3 class=\"wp-block-heading\">EDR (endpoint detection and response)<\/h3>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/568045\/how-edr-stops-hackers-in-their-tracks.html\">EDR is a security solution<\/a> that continuously monitors and analyzes endpoint activity to detect, investigate, and respond to cyber threats in real time. \u201cThis is the tool that sits on the endpoints for all your users and all devices that aren\u2019t even users,\u201d Pope said. \u201cYou want that. You need it for detections and, hopefully, preventions. And then when you don\u2019t prevent something, like something gets past that EDR, you want to be able to reduce that response time by having what I like to call advanced telemetry on monitoring.\u201d<\/p>\n<p><strong>[ See: <a href=\"https:\/\/www.csoonline.com\/article\/653052\/how-to-pick-the-best-endpoint-detection-and-response-solution.html\">EDR buyer\u2019s guide: How to pick the best endpoint detection and response solution<\/a> ]<\/strong><\/p>\n<h3 class=\"wp-block-heading\">SIEM (security information and event management)<\/h3>\n<p>A <a href=\"https:\/\/www.csoonline.com\/article\/524286\/what-is-siem-security-information-and-event-management-explained.html\">SIEM system<\/a> collects, analyzes, and correlates security logs and event data from various sources to detect anomalies, generate alerts, and support compliance and forensic investigations. 
Depending on the EDR vendor and the licensing tier the organization pays for, the EDR console itself might not retain the full set of endpoint logs the SOC needs, which is one reason to forward that telemetry to the SIEM. \u201cYou need to either pay to extend them or send them somewhere,\u201d Pope said.<\/p>\n<p><strong>[ <a href=\"https:\/\/www.csoonline.com\/article\/566677\/12-top-siem-tools-rated-and-compared.html\">See: SIEM buyer\u2019s guide: Top 15 security information and event management tools \u2014 and how to choose<\/a> ]<\/strong><\/p>\n<h3 class=\"wp-block-heading\">NDR (network detection and response)<\/h3>\n<p>NDR is a security tool that <a href=\"https:\/\/www.ibm.com\/think\/topics\/ndr\">monitors network traffic<\/a> to identify suspicious behavior, detect threats, and enable rapid response to potential cyberattacks. \u201cI think of this as more video surveillance for your network,\u201d Wyler said. \u201cWatching the packets go by and seeing what\u2019s happening in that environment is like video surveillance. It can be expensive, but it is worth it.\u201d<\/p>\n<h3 class=\"wp-block-heading\">SOAR (security orchestration, automation, and response)<\/h3>\n<p>SOAR <a href=\"https:\/\/cribl.io\/glossary\/soar\/\">is a platform<\/a> that integrates security tools, automates workflows, and streamlines incident response processes to improve efficiency and reduce response times. \u201cYou could argue the orchestration automation part of this does not belong in a SOC,\u201d Pope said. \u201cThat could be a separate trend; a separate group in your operations team is building that.\u201d But, he added, \u201cyou need something that has a playbook that you execute every single time in this order. It shouldn\u2019t be a different playbook each time. 
And then you want to build automation steps through those playbooks.\u201d<\/p>\n<p><strong>[ See: <a href=\"https:\/\/www.csoonline.com\/article\/3622920\/soar-buyers-guide-11-security-orchestration-automation-and-response-products-and-how-to-choose.html\">SOAR buyer\u2019s guide: 11 security orchestration, automation, and response products \u2014 and how to choose<\/a> ]<\/strong><\/p>\n<h3 class=\"wp-block-heading\">TIP (threat intelligence platform)<\/h3>\n<p>A <a href=\"https:\/\/www.csoonline.com\/article\/653990\/the-value-of-threat-intelligence-and-challenges-cisos-face-in-using-it-effectively.html\">TIP is a system<\/a> that aggregates, analyzes, and prioritizes threat intelligence data to help security teams identify, assess, and mitigate emerging cyber threats. \u201cThreat intelligence should be the foundation of your entire security program,\u201d Pope said.<\/p>\n<p>\u201cHaving a threat intelligence platform means taking all of the ridiculous feeds that are out there, whether they are community-led ones, ones that you pay for, the secret squirrel ones [and] feeding them into something that allows you to centralize it and then say, okay, what do we care about here.\u201d<\/p>\n<p>He added, \u201cDon\u2019t just go out and spend money and be like pew, pew, pew, pew, look how cool I am. I\u2019m so elite. Spend the money in the places that say, \u2018This is who\u2019s going to come for me.\u2019\u201d<\/p>\n<h3 class=\"wp-block-heading\">UEBA (user and entity behavior analytics)<\/h3>\n<p>UEBA is a <a href=\"https:\/\/www.anomali.com\/glossary\/ueba-user-entity-and-behavior-analytics\">security solution<\/a> that uses machine learning and analytics to detect abnormal user or entity behavior that may indicate insider threats or compromised accounts. 
Once the files get out of the TIP, they are shipped off to analyze related user and entity behaviors, Wyler said.<\/p>\n<h3 class=\"wp-block-heading\">Identity (verify access to resources)<\/h3>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/518296\/what-is-iam-identity-and-access-management-explained.html\">Identity and access management (IAM)<\/a> tools authenticate and authorize users, ensuring that only legitimate users can access sensitive systems and data.<\/p>\n<p><strong>[ See: <a href=\"https:\/\/www.csoonline.com\/article\/570655\/8-top-identity-and-access-management-tools.html\">IAM buyer\u2019s guide: 9 top identity and access management tools<\/a> ]<\/strong><\/p>\n<h2 class=\"wp-block-heading\">Personnel challenges in setting up a SOC<\/h2>\n<p>In any SOC, whether built internally or delivered by an outside provider, having high-caliber personnel who monitor and act on the alerts these security technologies produce is critical. \u201cIf you look at the things that have been around a while, you have workforce turnover,\u201d Splunk\u2019s Paterra says. \u201cIf you have a good analyst, they might go somewhere else tomorrow for a better job offer.\u201d<\/p>\n<p>Moreover, \u201cthe effectiveness of the analyst is just a very clear problem,\u201d says Paterra. \u201cAnd then there\u2019s just the volume of work. If you take a mass flood of alerts, it hits analysts not being effective,\u201d which, experts say, <a href=\"https:\/\/www.csoonline.com\/article\/3829440\/managing-the-emotional-toll-cybersecurity-incidents-can-take-on-a-team.html\">can ultimately cause<\/a> trauma and burnout.<\/p>\n<p>\u201cAnalyst fatigue and burnout are fairly common, whether that\u2019s in a SOC or if you\u2019re in incident response,\u201d Wyler tells CSO. 
\u201cI think those are two areas of security that often can take a toll on folks because there is a significant amount of responsibility that comes with being in that role.\u201d<\/p>\n<p>For very large SOCs, it helps to tier personnel by skill level. Schiappa says that Arctic Wolf\u2019s SOC, which many organizations use on an outsourced basis, relies on 1,500 security personnel who contribute to or operate the SOC. \u201cWe ingest one and a half trillion security observations daily,\u201d says Schiappa. \u201cWe have multiple tiers of capabilities in there,\u201d he says, from entry-level analysts at tier one up to highly skilled analysts at tier three.<\/p>\n<h2 class=\"wp-block-heading\">Other factors CISOs should consider when building a SOC<\/h2>\n<p>When building or maintaining an in-house SOC, experts flag other factors that CISOs should keep in mind. One question CISOs should ask themselves is, \u201chave you equipped your analysts to do their job effectively,\u201d Paterra says. \u201cIf you have to enumerate, go and sit down and just look at what they\u2019re doing from a day-in, day-out perspective. If they have 50 browser tabs, you can very easily say that your analysts are not in a position to do their job effectively.\u201d<\/p>\n<p>Pope recommends that organizations spend more time on detection engineering. \u201cThat is when you get those alerts, and you\u2019re saying, these are false positives, or the tool shouldn\u2019t have sent it. You [should tune] those alerts so you\u2019re not repeating the same thing tomorrow, the next day, the day after that,\u201d Pope says.<\/p>\n<p>AI is also rapidly changing security operations, including detection engineering. \u201cThere\u2019s real value in AI right now on upskilling and leveling up SOC analysts,\u201d Pope says. \u201cThat\u2019s here today. It will be there in the future. 
Maybe it\u2019s not solving everything, but it is making analysts faster and better.\u201d<\/p>\n<p><strong>See also: <\/strong><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/572617\/soc-modernization-8-key-considerations.html\">SOC modernization: 8 key considerations<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/567189\/how-to-evaluate-soc-as-a-service-providers.html\">How to evaluate SOC-as-a-service providers<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Incident detection and response are fundamental responsibilities for all cybersecurity defenders. In most mid-sized and large organizations \u2014 and even some smaller ones, depending on their risk profile \u2014 these critical activities are managed within a security operations center (SOC), a central hub for detecting and responding to threats in real time. \u201cA SOC is [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2261,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2274","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2274"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2274"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2274\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2261"}],"wp:attachment":[{"href":"https:\/\/cyber
securityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}