HOW TO BUILD A SOC WITH LIMITED RESOURCES
Introduction
Some organisations have formal security operations centres (SOCs). Formal 24x7 SOCs are tightly secured areas where teams of dedicated analysts carefully monitor for threats around the clock, every day of the year. The analysts check their organisation's enterprise security controls to identify possible signs of intrusion and compromise that may require a response by the organisation's incident responders.

Unfortunately, most organisations cannot afford a 24x7 SOC. The cost of having well-trained analysts onsite at all times outweighs the benefit for almost every organisation. Instead, most organisations either make do with an informal SOC composed of a small number of analysts who have many other duties to perform, or have no SOC at all and rely on borrowing people from other roles when needed. Security events are not consistently monitored around the clock. This leads to major delays in responding to many incidents, while other incidents go completely unnoticed. It is a dangerous situation that results in damaging cyber incidents. It is also highly unlikely that analysts will have any time to be proactive in looking for threats and attacks. And when an event does occur, many organisations are not able to respond efficiently and effectively, because they do not have formal incident response processes and capabilities in place.

For organisations caught between the prohibitive cost of a formal SOC and the wholly inadequate protection of an informal SOC, there is a solution: building a SOC that automates as much of the SOC work as possible. Automation can help a team perform constant security event monitoring and analysis in order to detect possible intrusions. It can also provide incident response automation and orchestration capabilities to manage and expedite incident handling. A threat lifecycle management platform is the ideal foundation for building a SOC because it provides all of these automated capabilities in a single, fully integrated system.

The purpose of this white paper is to show you how you can successfully build a SOC, even with limited resources. The paper first explains the basics of the Cyber Attack Lifecycle and the need to address it through the Threat Lifecycle Management framework. Next, the paper explains the basics of SOCs, providing details of what SOCs mean in terms of people, processes, and technology. Finally, the paper walks you through a methodology for building a SOC with limited resources, focusing on tactics to make your rollout smooth and successful. After reading this paper, you should be ready to start planning your own SOC.
WWW.LOGRHYTHM.COM
The Cyber Attack Lifecycle
Understanding the Cyber Attack Lifecycle is a prerequisite to understanding the Threat Lifecycle Management (TLM) framework—the foundation of SOC operations. The Cyber Attack Lifecycle consists of six phases:

Figure 1: The Cyber Attack Lifecycle

Phase 1: Reconnaissance
This phase can involve a wide range of activities, but at its core, the attacker identifies a target and determines how to start the attack against that target.

Phase 2: Initial compromise
In the next phase, the attacker attacks a system on the internal network and gains access to it. This system is usually not the ultimate target.

Phase 3: Command and control
The attacker installs tools on the compromised system in order to maintain access to it.

Phase 4: Lateral movement
Next, the attacker uses the compromised system and its user accounts to identify additional systems to access and compromise. This may be repeated several times so that the attacker can move throughout the enterprise.

Phase 5: Target attainment
In the final system compromise, the attacker gains access to the target system.

Phase 6: Exfiltration, corruption, and disruption
Finally, the attacker accomplishes the attack's objective, such as exfiltrating the system's sensitive data to an external location, or disrupting the organisation's operations by corrupting the target system's files or databases.

The Cyber Attack Lifecycle indicates that organisations often have numerous opportunities to detect and respond to an attack in progress because a single attack involves many steps. The earlier in the lifecycle an organisation detects an attack, the more likely it is that the organisation can respond in time to prevent a serious data breach or other major compromise from occurring.