Building an Effective Cloud Security Operations Center

Security and compliance are  some of the top challenges companies face when moving to the cloud. Cyber security attacks are not only increasing in frequency, but the attackers are also becoming more sophisticated as monetary rewards have increased. 

Businesses are investing more in tooling to combat these threats, but the security environment is still at risk without skilled and experienced professionals correctly leveraging these tools. Without the right mix of security talent and tooling, businesses and their security leaders will ultimately have difficulties in overcoming the challenges of delivering real-time, 24x7 detections and response operations to properly protect their cloud environment. 

This blog article discusses the appropriate staffing, capabilities, tooling, and operational costs that need to be taken into consideration to create an effective modern security operation with sufficient viability to detect and respond to commodity and advanced attacks.

Components of a Security Operations Center

A common misconception is that tooling is the main component of a security operations center (SOC). In reality, a SOC is a comprehensive function consisting of people, processes, and tools. Together, an effective SOC continuously monitors and improves an organization’s security while preventing, detecting, analyzing, and responding to cybersecurity threats.

People 

The people that make up your SOC are its most important and expensive asset. 24x7 coverage by experienced personnel is a requirement of a modern SOC given the quickly changing cyber security landscape.

To proactively defend your operations, you want to have enough personnel staffed for 24x7 coverage and account for when employees are away for training, PTO, family leave, and other life occurrences.  Additionally, it's important to provide your team with sufficient support and continuing education on new security and technology platforms to maintain a strong security posture.

Processes

With the right documented and tested processes in place, your people will be able to respond accordingly to the changing security environments and challenges they face. Processes are required for reactive and proactive missions for security response and detection. The right processes enable your SOC to be proactive and handle various incident types.

Tools

Once you have the team and procedures in place, you want to provide them with the best tooling capable of providing visibility across all technology sets. These functions include backend support to analysts, including ticketing, analytics, automation, etc. Simply buying the tools is not enough. Your organization must equip your people with the right tools to be fully effective in a SOC.
‍

Budgeting Considerations for a Security Operations Center

When beginning to create a SOC, every organization will have to think about its risk models in a way that makes sense for them. 

There are many different functions within a SOC. Specific analysts can have overlapping areas of knowledge, but their roles and capabilities are not mutually interchangeable.
‍

SOC Staffing

The number one expense of a SOC is the people. Deciding the number of people in your SOC will be a key driving factor of your cost. An understaffed SOC, unable to meet your company’s mission, is worse than no SOC altogether because it creates a false sense of security. 

To properly budget for staffing considerations, these three staffing capabilities should be kept in mind:

• 24x7 Monitoring - Refers to the SOC’s capability to provide 24x7 monitoring, detection, and response. 

• Resilient - Refers to how capable the organization is of absorbing staffing problems resulting from churn, paid time off, and onboarding and remaining fully employed 100% of the time. 

• Proactive - Refers to the staffing’s expertise and ability to be proactive during any shift.
  ‍

Because support staffing often takes a back seat to analysts in SOC planning, many SOCs find their analysts overwhelmed. Providing proper support staff enables analysts to focus on their primary mission within the SOC. In addition to security analysts, truly effective SOCs require a wide range of staffing such as:

• Defensive Infrastructure - SRE / Operations team experienced in security tooling. Responsible for deploying, monitoring and maintaining all tools used by the SOC

• Vulnerability Research - Team responsible for development and maintenance of vulnerability catalog and research and prioritization of new threats

• Threat Intelligence - Provides tactical and strategic intelligence support to operations and assists analysts in incident investigations

• Compliance Manager - Responsible for development, implementation and evidencing of policies and procedures driven by company compliance goals

• Chief Information Security Officer (CISO) - Senior security leadership responsible for planning, building and running the security organization and briefing leadership

• Non-Security Staffing - Non-security staff supporting the security operations. Includes engineering, IT, legal, sourcing and PR
  ‍

SOC Tooling

Selecting and purchasing tools is the last step in the SOC process. Tooling prices vary wildly based on the amount purchased, overall architecture, and other factors like the number of licenses. Below is a list of descriptions for common security tooling.

• Endpoint - Modern EDR capable tooling. Can include prevention capabilities or not as appropriate

• Network - Network visibility. Can be out of band NTA, IDS / IPS, NGFW, or other options

• Analytics - A SaaS analytics platform. On-premise analytics will generally increase costs

• SOAR - Security orchestration, automation, and response (e.g. ticketing platform) for case management

• Intel - Threat intelligence platform including a reasonable set of feeds (e.g., virus total, etc.)

• On-Call - A notification platform for on-call rotation management and notifications

Tools are only as valuable as the level of expertise and knowledge of the staff using them. While tools alone may feel like adequate security protection, the SOC may still have capabilities gaps without the right people.
‍

Conclusion

After assessing your business’ security needs and defining staffing and tooling requirements based on your environment’s vulnerabilities, your business should now be informed to make the best SOC investments for your organization.

An effective SOC responds and detects everything, from commodity malware to advanced attackers. A SOC is more than dashboards from security tool infrastructure.  It’s more than two security analysts within your IT department responding to alerts. 

An effective SOC with full capabilities comprises processes, staffing, and tooling to provide defense and proactive protection for all assets in your organization. It is a large-scale investment necessary to protect your organization in today’s rapidly changing cybersecurity landscape. 

Working with an AWS MSP for MDR services can help determine the full extent of what a SOC investment could look like for your organization. An AWS MSP for MDR services can give you 24x7 security expertise paired with 24x7 AWS operational expertise. The right partner can help assess your security architecture and IT operations, as well as scope the costs for further investments.

As an AWS Premier Partner, Mission provides a complimentary AWS Security Consultation. Our security analysts can work with you to build a SOC model and cost estimate for that model, depending on your business needs and SOC goals. 

Ready to fortify your IT and security operations? Contact us today.