How to build a Security Operations Center on a budget

As organizations continue to face increasingly sophisticated cyber threats, the importance of having a robust security operations center (SOC) has become clear.

However, for many organizations, the cost of setting up a SOC can be prohibitive, especially for small to medium-sized businesses.

Fortunately, with the right tools and strategies, it is possible to build a functional SOC on a budget. For this post I was inspired by AlientVault’s excellent ebook entitled ‘How to build a Security Operations Center (on a budget)’, which provides the following tips.

---

Leverage Open Source Tools

One of the biggest expenses for building a SOC is the cost of security tools. However, there are many open source tools available that can be used to set up a SOC without incurring any costs.

In addition, a team of IR experts had started a project to build a complete SOC, including data collection, data parsing and normalisation, visualisation and automation, using only open source components.

The project currently uses the following set of components

• Elastic SIEM

• TheHive

• Cortex

• MISP

• Snort

• Wazuh

• Honeypot Dionea

• Jupyter Notebook

• IntelOwl

• Atomic Red Team

• Shuffle

• Twitter Bot

• Elastic EDR

---

Use Cloud-Based Solutions

Another way to reduce the costs associated with building a SOC is to utilize cloud-based solutions.

By compiling information from various articles and papers (e.g. this, this and this), a simple comparison chart can be created between Cloud and on-premises SIEM solutions:

Feature	Cloud SIEM	OnPrem SIEM
Cost	Subscription-based pricing, typically lower upfront costs and lower total cost of ownership	Higher upfront costs, including hardware and software costs, but lower monthly costs compared to Cloud SIEM
Maintenance and Upkeep	No need for local hardware and software maintenance, typically handled by the provider	Requires local hardware and software maintenance, which can add to costs and require IT expertise
Scalability	Easily scalable to accommodate growing data and security needs	Limited scalability, as it requires purchasing additional hardware and software
Flexibility	Provides greater flexibility, allowing users to add or remove services as needed	Limited flexibility, as changes require manual hardware and software updates
Data Management	Data management is handled by the provider, which includes data storage, backup, and recovery	Data management must be handled locally, which requires IT expertise and resources
Integration	Integration with other security tools and services is typically easier with Cloud SIEM	Integration with other security tools and services may require additional hardware and software

By leveraging cloud-based security tools and services, organizations can take advantage of economies of scale and avoid the upfront costs associated with setting up a SOC.

---

Build a Strong Team

Having a strong team is key to building a successful SOC. It is important to have individuals with the right skills, knowledge, and experience to ensure that the SOC runs smoothly. According to this good article by Gowtham Vishwanath, a lot of free security training course are available, for example:

• Splunk Single-Subject Courses

• Fortinet NSE Institute

• Qualys Training and Certification

• Palo Alto Cortex Soar training

• AWS Security Fundamentals

• Microsoft Azure: Security Operations Analyst Associate

Additionally, having a team of experts can help to minimize the costs associated with training and support.

---

Automate where Possible

Automating tasks in the SOC can help to reduce costs by reducing the need for manual labor. By automating tasks such as security monitoring, incident response, and reporting, organizations can free up their team to focus on more important tasks.

GitHub user cyb3rxp has collected a useful list of documentation and tools in the “Awesome SOC” repository, from which I have taken this automation-related chapter:

Simple and commonly needed automation tools

• Online automated hash checker (script):

  • my recommendation: Munin, or with PowerShell Posh-VT

• Online URL automated analysis:

  • my recommendation: CyberGordon, URLScan.io

• Online automated sample analyzer:

  • my recommendation, via script and without sample submission: Malwoverview;

  • my recommendations for online dynamic analysis: Hybrid-Analysis, Joe’s sandbox

• (pure) Windows tasks automation:

  • My recommendations: AutoIT, Chocolatey

• SaaS-based (and partly free, for basic stuff) SOA:

  • Shuffle

Common automations

My recommendations for detection (alerts handling):

Try to implement at least the following automations, leveraging the SOA/SIRP/TIP/SIEM capabilities:

• Make sure all the context from any alert is being automatically transfered to the SIRP ticket, with a link to the SIEM alert(s) in case of.

  • Leverage API (through SOA) if needed to retrieve the missing context info, when using built-in integrations.

• Automatically query the TIP for any artefacts or even IOC that is associated to a SIRP ticket.

• Automatically retrieve the history of antimalware detections for an user and/or endpoint, that is associated to a SIRP ticket.

• Automatically retrieve the history of SIEM detections for an user and/or endpoint, that is associated to a SIRP ticket.

• Automatically retrieve the history of SIRP tickets for an user and/or endpoint, that is associated to a new SIRP ticket.

• Automatically query AD or the assets management solution, for artefact anrichment (user, endpoint, IP, application, etc.).

My recommendations for response (incident response, containment/eradication steps):

• Block an IP on all firewalls (including VPN), SWG and CASB.

• Block an URL on SWG.

• Block an email address (sender) on SEG.

• Block an exe file (by hash) on endpoints (leveraging antimalware/EDR or AppLocker).

• Block an exe file (by hash) on gateways and CASB: SWG, SEG, CASB.

• Reset an AD account password.

• Disable an AD account (both user and computer, since computer account disabling will block authentication with any AD account on the endpoint, thus preventing from lateral movement or priv escalation).

• Report a (undetected) sample to security vendors, via email. Here are a few addresses, in case of:

  • Files samples (to be attached in a password-protected Zip file, with ‘infected’ as password): samples@eset.com, newvirus@kaspersky.com, report@sentinelone.com, virus_submission@bitdefender.com, vsamples@f-secure.com, virus_malware@avira.com, submitvirus@fortinet.com, virus_research@avertlabs.com, virus_doctor@trendmicro.com

  • URL/IP samples: samples@eset.com, samples@kaspersky.com, report@sentinelone.com, virus_submission@bitdefender.com, vsamples@f-secure.com, phish@office365.microsoft.com, report@openphish.com, reportphishing@apple.com, abuse@clean-mx.de, datasubmission@mcafee.com

• Report a false positive to security vendors, via email;

  • You may want to have a look at this page to know the required email address.

• Report a malicious URL (for instance, phishing) to a security vendor for takedown steps

  • My recommendation: Netcraft via API, or PhishReport.

  
  

---

Focus on Priority Threats

Finally, it is important to prioritize threats and focus on the most critical ones. By focusing on the most pressing threats, organizations can make the most of their limited resources and avoid wasting time and money on low-risk threats.