As organizations continue to face increasingly sophisticated cyber threats, the importance of having a robust security operations center (SOC) has become clear.

However, for many organizations, the cost of setting up a SOC can be prohibitive, especially for small to medium-sized businesses.

Fortunately, with the right tools and strategies, it is possible to build a functional SOC on a budget. For this post I was inspired by AlienVault's excellent ebook entitled 'How to build a Security Operations Center (on a budget)', which provides the following tips.



Leverage Open Source Tools

One of the biggest expenses for building a SOC is the cost of security tools. However, there are many open source tools available that can be used to set up a SOC without licence costs; the engineering time to deploy, tune and operate them still has to be budgeted.


In addition, a team of IR experts has started a project to build a complete SOC, covering data collection, data parsing and normalisation, visualisation and automation, using only open source components.

The project currently uses the following set of components:

  • Elastic SIEM

  • TheHive

  • Cortex

  • MISP

  • Snort

  • Wazuh

  • Dionaea honeypot

  • Jupyter Notebook

  • IntelOwl

  • Atomic Red Team

  • Shuffle

  • Twitter Bot

  • Elastic EDR



Use Cloud-Based Solutions

Another way to reduce the costs associated with building a SOC is to utilize cloud-based solutions.

By compiling information from various articles and papers, a simple comparison can be drawn between cloud and on-premises SIEM solutions (one block per feature, cloud first, then on-prem):

Cost
  Cloud SIEM: subscription pricing, usually per GB ingested or per user, so upfront costs are low and total cost of ownership is often lower at small scale; the bill grows with log volume, so ingestion has to be filtered and retention tiered.
  On-prem SIEM: higher upfront costs for hardware and licences, lower recurring costs, but capacity must be sized for peak ingestion and hardware refreshed over time.

Maintenance and Upkeep
  Cloud SIEM: no local hardware or platform maintenance; patching and upgrades are handled by the provider. Parsers, detection content and log onboarding remain your responsibility.
  On-prem SIEM: local hardware and software maintenance, which adds cost and requires in-house IT expertise.

Scalability
  Cloud SIEM: scales with demand to accommodate growing data and security needs.
  On-prem SIEM: limited by the hardware purchased; growth means procuring additional hardware and software.

Flexibility
  Cloud SIEM: services can be added or removed as needed.
  On-prem SIEM: changes require manual hardware and software updates.

Data Management
  Cloud SIEM: storage, backup and recovery are handled by the provider; check data residency and retention limits before shipping logs.
  On-prem SIEM: handled locally, which requires IT expertise and resources, but the data never leaves your environment.

Integration
  Cloud SIEM: integration with other security tools and services is typically built in.
  On-prem SIEM: integration may require additional hardware and software.

By leveraging cloud-based security tools and services, organizations can take advantage of economies of scale and avoid the upfront costs associated with setting up a SOC.


Build a Strong Team

Having a strong team is key to building a successful SOC. It is important to have individuals with the right skills, knowledge, and experience to ensure that the SOC runs smoothly. According to a good article by Gowtham Vishwanath, a lot of free security training courses are available, for example:

Additionally, having a team of experts can help to minimize the costs associated with training and support.


Automate where Possible

Automating tasks in the SOC can help to reduce costs by reducing the need for manual labor. By automating tasks such as security monitoring, incident response, and reporting, organizations can free up their team to focus on more important tasks.

GitHub user cyb3rxp has collected a useful list of documentation and tools in the "Awesome SOC" repository, from which I have taken this automation-related chapter (it uses the repository's shorthand: SOA for security orchestration and automation, SIRP for security incident response platform, TIP for threat intelligence platform):

Simple and commonly needed automation tools

  • Online automated hash checker (script):

  • Online URL automated analysis:

  • Online automated sample analyzer:

  • (pure) Windows tasks automation:

  • SaaS-based (and partly free, for basic stuff) SOA:


Common automations

My recommendations for detection (alerts handling):

Try to implement at least the following automations, leveraging the SOA/SIRP/TIP/SIEM capabilities:

  • Make sure all the context from any alert is being automatically transferred to the SIRP ticket, with a link to the SIEM alert(s) in case of need.

    • Leverage API (through SOA) if needed to retrieve the missing context info, when using built-in integrations.
  • Automatically query the TIP for any artefacts or even IOCs that are associated with a SIRP ticket.

  • Automatically retrieve the history of antimalware detections for a user and/or endpoint that is associated with a SIRP ticket.

  • Automatically retrieve the history of SIEM detections for a user and/or endpoint that is associated with a SIRP ticket.

  • Automatically retrieve the history of SIRP tickets for a user and/or endpoint that is associated with a new SIRP ticket.

  • Automatically query AD or the assets management solution for artefact enrichment (user, endpoint, IP, application, etc.).

My recommendations for response (incident response, containment/eradication steps):
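To make the detection-side automations above concrete, here is an added example (my own sketch, not code from the Awesome SOC repository or from any of the tools listed) of the alert-to-ticket pipeline: it extracts artefacts from a SIEM alert, queries a TIP only for external indicators, pulls antimalware, SIEM and SIRP history for the user and endpoint, enriches from AD, and keeps the full alert context plus a link back to the SIEM alert. The TIP, SIEM, SIRP, AD and antimalware lookups are in-memory stand-ins for the API calls the SOA would make (MISP, Elastic, TheHive, LDAP and so on); the URL, names and sample records are constructed for illustration.

```python
"""Alert-to-ticket enrichment, run offline against in-memory stand-ins.
Example code, not from awesome-soc or any listed tool; all names, URLs
and sample records below are constructed for illustration."""
import ipaddress
import re

# Assumed base URL of the SIEM alert view (hypothetical).
SIEM_ALERT_URL = "https://siem.example.invalid/alerts/"

# Constructed stand-ins for what would be API calls through the SOA:
# TIP (e.g. MISP), SIEM (e.g. Elastic), SIRP (e.g. TheHive), AD/assets, AV.
TIP = {"198.51.100.7": {"tags": ["c2"], "source": "constructed-feed"}}
SIEM_HISTORY = {"WS-042": ["siem-0000 Credential dumping attempt"]}
SIRP_HISTORY = {"jdoe": ["case-17 phishing click (closed)"]}
AV_HISTORY = {"WS-042": ["Trojan:Win32/Emotet quarantined"]}
AD = {"jdoe": {"department": "Finance", "admin": False},
      "WS-042": {"owner": "jdoe", "criticality": "standard"}}

# Constructed sample alert, shaped like a SIEM rule match.
ALERT = {
    "id": "siem-0001",
    "rule": "Suspicious PowerShell download cradle",
    "user": "jdoe",
    "host": "WS-042",
    "src_ip": "10.1.2.3",
    "dst_ip": "198.51.100.7",
    "sha256": "0123456789abcdef" * 4,
    "cmdline": "powershell -nop -w hidden -enc ...",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """RFC1918 addresses are not worth a TIP query (and would leak topology)."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def extract_artefacts(alert):
    """Collect IOC-shaped values from every field so nothing is copied by hand."""
    text = " ".join(str(v) for v in alert.values())
    return {
        "ip": sorted(set(IP_RE.findall(text))),
        "sha256": sorted({h.lower() for h in SHA256_RE.findall(text)}),
        "user": [alert["user"]] if alert.get("user") else [],
        "host": [alert["host"]] if alert.get("host") else [],
    }


def query_tip(artefacts):
    """Look up external IPs and hashes in the TIP; internal IPs are skipped."""
    candidates = [ip for ip in artefacts["ip"] if not is_internal(ip)]
    candidates += artefacts["sha256"]
    return {v: TIP[v] for v in candidates if v in TIP}


def triage_priority(ticket):
    """Crude scoring: a TIP hit and prior history on the same user/host raise priority."""
    score = 0
    score += 2 if ticket["tip_hits"] else 0
    score += 1 if ticket["siem_history"] or ticket["av_history"] else 0
    score += 1 if ticket["sirp_history"] else 0
    score += 1 if any(v.get("admin") or v.get("criticality") == "high"
                      for v in ticket["ad_context"].values()) else 0
    return "P1" if score >= 3 else "P2" if score >= 2 else "P3"


def build_ticket(alert):
    """Assemble the SIRP ticket: full alert context, SIEM link and enrichment."""
    art = extract_artefacts(alert)
    user, host = alert.get("user"), alert.get("host")
    ticket = {
        "title": f"[{alert['rule']}] {host} / {user}",
        "siem_link": SIEM_ALERT_URL + alert["id"],   # link back to the SIEM alert
        "alert_context": dict(alert),                 # nothing lost in transfer
        "artefacts": art,
        "tip_hits": query_tip(art),
        "av_history": AV_HISTORY.get(host, []),
        "siem_history": SIEM_HISTORY.get(host, []) + SIEM_HISTORY.get(user, []),
        "sirp_history": SIRP_HISTORY.get(user, []) + SIRP_HISTORY.get(host, []),
        "ad_context": {k: AD[k] for k in (user, host) if k in AD},
    }
    ticket["priority"] = triage_priority(ticket)
    return ticket


if __name__ == "__main__":
    import json
    print(json.dumps(build_ticket(ALERT), indent=2))
```

In a real deployment each dictionary lookup becomes a SOA action against the corresponding API, and the returned ticket is what gets posted to the SIRP; the scoring at the end is deliberately simple, but it is the part that lets the analyst queue be sorted by what the enrichment found rather than by alert arrival order.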


Focus on Priority Threats

Finally, it is important to prioritize threats and focus on the most critical ones. By focusing on the most pressing threats, organizations can make the most of their limited resources and avoid wasting time and money on low-risk threats.