Professional Documents
Culture Documents
How To Build A Soc With Limited Resources White Paper PDF
How To Build A Soc With Limited Resources White Paper PDF
Technology
Processes
People
Processes
Technology
Develop a Strategy
Design the Solution
Create Processes, Procedures, and Training
Prepare the Environment
Implement the Solution
Deploy End-to-End Use Cases
Maintain and Evolve
14 Conclusion
Introduction
Some organizations have formal security operations centers For organizations caught between the prohibitive cost
(SOCs). Formal 24x7 SOCs are tightly secured areas where of a formal SOC and the wholly inadequate protection
teams of dedicated analysts carefully monitor for threats from an informal SOC, there is a solution: building a SOC
around the clock, every day of the year. The analysts are that automates as much of the SOC work as possible.
checking their organization’s enterprise security controls to Automation can help a team perform constant security
identify possible signs of intrusion and compromise that may event monitoring and analysis in order to detect possible
require a response by the organization’s incident responders. intrusions. It can also provide incident response automation
Unfortunately, most organizations cannot afford a 24x7 SOC. and orchestration capabilities to manage and expedite
The cost of having well-trained analysts onsite at all times incident handling. A threat lifecycle management platform
outweighs the benefit for almost every organization. Instead, is the ideal foundation for building a SOC because it
most organizations either make do with an informal SOC provides all of these automated capabilities in a single,
comprised of a small number of analysts who have many fully integrated system.
other duties to perform or have no SOC at all and rely on The purpose of this white paper is to show you how you can
borrowing people from other roles when needed. Security successfully build a SOC, even with limited resources. The
events are not consistently monitored around the clock. This paper first explains the basics of the Cyber Attack Lifecycle
leads to major delays in responding to many incidents, while and the need to address it through the Threat Lifecycle
other incidents go completely unnoticed. It’s a dangerous Management framework. Next, the paper explains the basics
situation that results in damaging cyber incidents. It is of SOCs, providing details of what SOCs mean in terms of
also highly unlikely that analysts will have any time to be people, processes, and technology. Finally, the paper walks
proactive in looking for threats and attacks. And when you through a methodology for building a SOC with limited
an event does occur, many organizations are not able to resources, focusing on tactics to make your rollout smooth
efficiently and effectively respond, because they do not have and successful. After reading this paper, you should be
formal incident response processes and capabilities in place. ready to start planning your own SOC.
WWW.LOGRHYTHM.COM PAGE 3
HOW TO BUILD A SOC WITH LIMITED RESOURCES
The Cyber Attack Lifecycle indicates that organizations often have numerous opportunities
to detect and respond to an attack in progress because a single attack involves many steps.
WWW.LOGRHYTHM.COM PAGE 4
HOW TO BUILD A SOC WITH LIMITED RESOURCES
WWW.LOGRHYTHM.COM PAGE 5
HOW TO BUILD A SOC WITH LIMITED RESOURCES
Discover The ribbons at the top of Figure 2 indicate that the first
In the Discover phase, the collected data is analyzed three TLM phases involve detection and the next two phases
to identify potential threats. The two types of involve response. In order to identify threats as early in the
analytics are search analytics and machine analytics. Cyber Attack Lifecycle as possible, TLM’s detection phases
Search analytics are performed by people with assistance must be performed at all times. Similarly, TLM’s response
from technology that provides different ways for people to phases must be performed rapidly whenever needed. The
perform searches and view the data. Machine analytics are combination of near-immediate detection and rapid response
performed automatically by software using combinations of promotes finding and stopping attacks long before they
advanced techniques, such as machine learning, in order to are able to reach their ultimate targets and accomplish the
find potential threats within enormous volumes of data. attackers’ objectives.
As if the need for around-the-clock monitoring, detection,
Qualify and response was not daunting enough, consider the sheer
Each potential threat must be qualified, which volume of data. People simply cannot study all this data in a
means that it is assessed to determine if it is a timely fashion, nor can they readily correlate pieces of data
legitimate concern, its level of risk, and whether the risk from different times to piece together a serious attack—
merits further investigation or mitigation. During this especially when there is not a large staff to do so. The only
phase, alarms are generated from machine analytics and practical solution to TLM is to rely heavily on automation
then reviewed, qualified, and prioritized. techniques that do as much of the work as possible and
involve people only when needed.
Investigate
Once a threat has been qualified, it needs to be fully
investigated to undeniably determine whether a
security incident has occurred or is in progress. Rapid access
to forensic data and intelligence is paramount. Automation
of routine investigatory tasks and tools that facilitate cross-
organizational corroboration is ideal for optimally reducing
mean time to respond. (See Figure 3.) Ideally, your team
would have a facility in which to keep track of all active and
past investigations so that this information is well organized
and available for future investigations.
Neutralize
The ultimate objective of the Neutralize phase is
to mitigate the risk presented by the threat. The
Figure 3: The impact of a breach is directly related to mean time to
actions to be performed depend on the threat’s progress, but detect (MTTD) and mean time to respond (MTTR).
common examples include isolating compromised systems
and deactivating user accounts with stolen credentials.
Recover
The last phase, Recover, focuses on recovering
normal operations and making sure that the threat
cannot successfully perform a similar attack in the future.
This phase is when exploited vulnerabilities are identified
and addressed so that they are not exploited again, as well
as where systems are rebuilt, user credentials are reset, and
altered data is restored from backups so that operations
can resume. Many other tasks also occur within this phase,
including reporting on the root cause of incidents, reviewing
how efficiently and effectively incidents were handled,
and adapting the organization’s practices to take lessons
learned into account.
WWW.LOGRHYTHM.COM PAGE 6
HOW TO BUILD A SOC WITH LIMITED RESOURCES
WWW.LOGRHYTHM.COM PAGE 7
HOW TO BUILD A SOC WITH LIMITED RESOURCES
WWW.LOGRHYTHM.COM PAGE 8
HOW TO BUILD A SOC WITH LIMITED RESOURCES
Technology
How LogRhythm Powers Your SOC
A TLM platform is ideal for building a SOC because it includes and integrates all
LogRhythm delivers end-to-end Threat
the needed forms of security automation and incident response orchestration
Lifecycle Management by bringing
into a single display. Here are some examples of what a TLM platform can do: together historically disparate
• Centralize all forensic data supporting effective machine analytics and enabling solutions into one unified platform.
rapid investigations, so it can be monitored at all times and analytics can be The LogRhythm platform gives your
utilized to identify events of particular interest, this eliminates the need to have SOC a single pane of glass from
people looking at the raw security event data on monitors 24 hours a day. which to evaluate alarms, investigate
threats, and respond to incidents.
• Provide context for security events and incidents by integrating critical
threat intelligence sources and vulnerability data, as well as information from LogRhythm’s patented security
integrated systems in human resources, finance, contracting, etc. regarding analytics capabilities automate the
business systems and assets. This context enables the TLM and security analysts detection and prioritization of real
to better determine what an attacker may be attempting to do and why. threats. In addition, the platform
provides mechanisms to orchestrate
• Prioritize events of interest based on their relative risk to the organization so
and automate the incident response
that SOC staff can pay attention to the most concerning events first.
workflow. The delivery of all TLM
• Pull evidence together in one location and safely and securely share it with capabilities, combined with strong
authorized individuals, such as remote staff and outsourcers involved in an automation, ensures that your
incident response effort. SOC can work more efficiently and
• Use workflow capabilities to alert each person/role when it is their turn to do effectively to realize faster mean
something for the SOC, such as reviewing an event it has flagged as high risk. time to detect and respond.
• Interface with asset management, vulnerability management, trouble ticketing, The LogRhythm platform enables
intrusion prevention, and other existing systems to automatically integrate SOC organizations to build cost-effective
processes with business processes. This greatly expedites workflow and reduces SOCs that reduce risk and prevent
workload for staff in numerous departments. major data breaches and other
compromises. This also frees
• Enable automated responses that are automatically associated with specific
organizations to get much better
alarms. Actions that can be initiated without human interaction, or that require
value from their staffs, utilizing them
single-click approval, can greatly benefit your team’s time to respond to an
more for strategic projects with long-
incident. The TLM platform should recognize common situations, such as a basic term benefits rather than manual
malware compromise, and automatically respond so the team can focus on more daily operations. For more information
complex and impactful events and incidents. on the LogRhythm platform, visit
A TLM platform used in conjunction with a sensible SOC staffing model and robust logrhythm.com/demo
processes can provide seamless integration, workflow, and communication
for all SOC-related tasks, regardless of the use of outsourcing. This combination
also enables immediate access to the information, data, events, and investigation
records that are needed by authorized in-house and outsourced parties at any
time and from any location.
WWW.LOGRHYTHM.COM PAGE 9
HOW TO BUILD A SOC WITH LIMITED RESOURCES
Around-the-clock monitoring from a TLM platform and an MSSP would have detected
and stopped the malware incident very early, preventing almost all of those systems
from being affected and saving nearly $100,000 in costs. That’s more than what the
MSSP services would cost for three months.
WWW.LOGRHYTHM.COM PAGE 10
HOW TO BUILD A SOC WITH LIMITED RESOURCES
Incident responders 1 FTE @ $145K each 4 FTEs @ $145K each 8 FTEs @ $145K each
Specialists (malware reverse engineers, 0 FTEs; outsource and pay when needed 2 FTEs @ $150K each 5 FTEs @ $150K each
forensic analysts, etc.) (est. $50K/year)
Management 1 FTEs @ $150K 2 FTE @ $150K 3 FTEs @ $150K each
Fully In-House TLM-Enabled SOC 8x5 Onsite 16x5 Onsite 24x7 Onsite
Security analysts 1 FTE @ $120K each 4 FTEs @ $120K each 8 FTEs @ $120K each
Incident responders 1 FTE @ $145K each 2 FTEs @ $145K each 4 FTEs @ $145K each
Specialists (malware reverse engineers, 0 FTEs; outsource and pay when needed 1 FTEs @ $150K each 2 FTEs @ $150K each
forensic analysts, etc.) (est. $25K/year)
Management 0.25 FTEs @ $150K 0.5 FTE @ $150K 1 FTE @ $150K
Hybrid TLM-Enabled SOC 8x5 Onsite, Offsite MSSP all IR Onsite 16x5, all Others Offsite Offsite MSSP 24x7
Other Times MSSP 24x7
Security analysts 0.5 FTE @ $120K each 0 0
Incident responders 0.5 FTE @ $145K each 2 FTEs @ $145K each 4 FTEs @ $145K each
Specialists (malware reverse engineers, 0 FTEs; outsource and pay when needed 0 FTEs; outsource and pay when needed 0 FTEs; outsource and pay when needed
forensic analysts, etc.) (est. $25K/year) (est. $50K/year) (est. $100K/year)
Management 0.25 FTEs @ $150K 0.25 FTE @ $150K 0.5 FTE @ $150K
Fully Outsourced TLM-Enabled SOC Offsite MSSP 24x7 Offsite MSSP 24x7 Offsite MSSP 24x7
Security analysts 0 0 0
Incident responders 0.5 FTE @ $145K each 1 FTE @ $145K each 1.5 FTEs @ $145K each
WWW.LOGRHYTHM.COM PAGE 11
HOW TO BUILD A SOC WITH LIMITED RESOURCES
Echoing the advice under step 1 about limiting the initial iii. d
efining the workflows for events and incidents to
scope of the SOC, it may be best to pursue a few quick wins align with the organization’s existing processes
instead of creating a full-scale, broad-function SOC solution. iv. p
lanning to automate the solution as much as possible,
Choose a few business-critical use cases and define the including the necessary technologies to have complete
initial solution based on those use cases, keeping in mind visibility of the threat landscape for the systems and
that the solution must be able to scale in the future to meet data in the initial SOC scope and to thwart attacks as
additional needs. Having a more narrowly scoped initial early in the Cyber Attack Lifecycle as possible
solution also helps to reduce the amount of time needed to v. determining if the technical architecture is sound,
implement it and achieve initial results more quickly. When such as performing tabletop exercises for all use
designing the SOC solution, important actions include cases to identify potential issues
the following:
A.Define the functional requirements. These requirements
should be tied to business objectives whenever applicable.
WWW.LOGRHYTHM.COM PAGE 12
HOW TO BUILD A SOC WITH LIMITED RESOURCES
Step 3: Create Processes, Procedures, and Training Step 6: Deploy End-to-End Use Cases
These must cover all six phases of TLM. If the SOC staffing Once solution capabilities are deployed, you can implement
will be partially outsourced, it is important to work with use cases across the analytics tier and security automation
the outsourcer to ensure that processes, procedures, and and orchestration tier, such as detecting compromised
training on both sides take that into account. credentials and successful spear phishing campaigns. Testing
should be performed during a variety of shifts and during
shift changeovers. All the forms of solution automation
Step 4: Prepare the Environment mentioned earlier are particularly important to test
Before deploying the SOC solution, it is critically important rigorously. The reliability and security of remotely accessing
to ensure that all the elements are in place to provide a the solution should also be verified to the extent feasible.
secure environment for the solution. Notable elements
include tightly securing SOC staff desktops, laptops, and
Step 7: Maintain and Evolve
mobile devices; having secure remote access mechanisms
in place for staff (and outsourcers if applicable) to interact Once the solution is fully in production, it will need ongoing
with the SOC solution; and requiring strong authentication maintenance, such as updating configuration settings and
for remote access to the SOC solution at a minimum (and tuning over time to improve detection accuracy, and adding
preferably for local access as well). other systems as inputs or outputs to the solution. Other
maintenance will be needed periodically, including reviewing
the SOC model, SOC roles, FTE counts and so forth, so that
Step 5: Implement the Solution adjustments can be made.
The key to implementing the solution itself is to focus on
taking full advantage of the technology to minimize the
workload on people. This solution is a ground-up process
that begins by:
A. bringing up the log management infrastructure
B. o
nboarding the minimum collection of critical data sources
C. bringing up the security analytics capabilities
D. onboarding the security automation and
orchestration capabilities
E. begin deploying use cases that focus on end-to-end
threat detection and response realization
Another important element is achieving seamless
interoperability with other systems, both to collect data
from sources and to issue actions and commands to help
apply context, contain, and remediate in alignment with
workflows. The latter is particularly helpful for reducing
the mean time to detect and to respond to incidents. The
solution should also incorporate threat intelligence feeds
and other intelligence sources as automated inputs to
improve detection accuracy.
WWW.LOGRHYTHM.COM PAGE 13
HOW TO BUILD A SOC WITH LIMITED RESOURCES
Conclusion
Having a security operations center has become an absolute necessity for
implementing Threat Lifecycle Management to minimize damage caused by
successful attacks. A SOC is the just-right solution for organizations that cannot
About LogRhythm
justify the overwhelming expenses of a formal SOC and cannot tolerate the
LogRhythm, a leader in Threat
inadequate protection provided by an informal SOC.
Lifecycle Management, empowers
The LogRhythm platform is the ideal technology for building a SOC. Organizations organizations around the globe
that adopt this strategy can achieve immediate and ongoing cost savings as to rapidly detect, respond to and
compared to adopting any other SOC model. This strategy also leads to a material neutralize damaging cyberthreats. The
reduction in risk for the organization. Specific ways in which the LogRhythm company’s patented award-winning
platform benefits organizations include the following: platform unifies next-generation
SIEM, log management, network and
• Uses advanced capabilities for threat detection and analysis, such as user
endpoint monitoring, user entity and
and entity behavior analytics, that can find and understand the significance
behavior analytics (UEBA), security
of many types of threats that cannot easily be detected by other means. This
automation and orchestration (SAO)
is particularly helpful for identifying insider threats attempting to access and
and advanced security analytics. In
steal sensitive data.
addition to protecting customers from
• Provides highly sophisticated workflow capabilities that transfer responsibility the risks associated with cyberthreats,
for specific tasks from person to person or role whenever needed. This keeps LogRhythm provides compliance
things moving and minimizes miscommunications that could inadvertently automation and assurance, and
delay action or cause duplicated efforts. enhanced IT intelligence.
• Automates incident response orchestration so that all people involved in Among its many industry accolades,
incident response have immediate access to necessary information LogRhythm has been positioned
LogRhythm’s security automation and orchestration capabilities significantly as a Leader in Gartner’s SIEM
improve the efficiency and effectiveness of incident response. Magic Quadrant, received SC Labs’
“Recommended” rating for SIEM and
UTM for 2017 and won “Best SIEM” in
SANS Institute’s “Best of
To see how you can build your own SOC with LogRhythm, schedule 2016 Awards.”
a customized demo today: logrhythm.com/schedule-online-demo/
WWW.LOGRHYTHM.COM PAGE 14
HOW TO BUILD A SOC WITH LIMITED RESOURCES
WWW.LOGRHYTHM.COM PAGE 15
Contact us:
1-866-384-0713
info@logrhythm.com | www.logrhythm.com
Worldwide HQ, 4780 Pearl East Circle, Boulder CO, 80301