John Turo

Creating an IT cyber security business on a budget

I've worked in the IT security sector for the past few years and wanted to take a stab at servicing small to medium-sized businesses within this realm. I was told that Fortinet has their own SIEM that I can take advantage of and wanted to hear the pros/cons of this product as well as costs. I also wanted to create a SOC at some point and wanted to know my options as far as starting this adventure. I have a friend who is already helping small businesses with their day-to-day IT and wanted to add value by doing the cyber security side of IT. I know I have many considerations, but wanted to get some insight as to what software/ideas I should be considering. This would also include any budget software I can try or start working with while on a low budget. Might be over my head here, but I always wanted such a business and would welcome all I can learn from the experts.
David Johnson, CD

The first question I would ask you is what experience you have in the IT security field. Have you any pen tester experience? What are your security areas of expertise? Is your company supposed to be proactive or after-the-breach security, or both? If someone you are 'protecting' is breached, what is the extent of your liability?
I would suggest first starting to work as an employee of an IT security company, learning, and then spinning off your own company.
btan

Going into a SOC is non-trivial. You need to have a more structured strategy and business plan, e.g.

1. What are the use cases that you are differentiating from the rest of the managed security services?

This may include vulnerability management, threat hunting, penetration testing and security monitoring, as well as providing consultancy for leveling up the customer's posture against best practices like the NIST Cybersecurity Framework.

2. What expertise do you require to deliver and sustain reliable services?

This requires a niche team of experienced personnel that you have, or from networks that you are actively involved in and can reach. This is critical, as people are your most valuable asset in making the business successful. The operational tier of manpower is non-trivial to sustain due to fatigue, which needs increased automation and the right use of technology as relief.

Certifications such as SANS provide good breadth and depth on the technical capability. Should have a look.

3. What are the KPI and CSF metrics to get out of this SOC business?

This calls for governance, capability, competency and ROI that have to be developed, for which you need to consider a "build or buy or collaborate" scheme. Starting from zero is going to be hard. Getting the right tools and assets will not give you these metrics as straightforwardly as you may think. Proper governance, with stakeholders giving oversight and a process of constant review of the milestones, is necessary.

Building the SOC team is another big consideration:

1. People - Training to understand the threats and the tools they have at their disposal. Threat actors will evolve, and ongoing informal and formal training is required to maintain skills.

2. People - Effective people management to ensure analysts have the tools they need to be successful today and a path for generating additional value for the organization as they mature as professionals.

3. Process - Metrics to measure how well they are performing. Focus on a more meaningful metric such as time to remediate threats, to promote a focus on quality and on eliminating threats before they cause material damage, instead of relying on time to case closure.

4. Technology - Gives analysts visibility and data processing power.

There are open-source tools like OpenSOC, but they do need expertise in the use of open tools like ELK and Hadoop:
https://opensoc.github.io/

Not as familiar with Fortinet as a SIEM, but it looks like it has a suite for kick-starting the capabilities aspect using their integrated NOC-SOC solution:
https://www.fortinet.com/blog/business-and-technology/fortinet-delivers-the-industry-s-first-integrated-noc-soc-soluti.html

That said, designing a SOC is way more complex than hiring a team and buying some tools. It has a lot to do with investing in the right things at the right time, looking ahead to identify threats that might appear in the near future, and aligning the security strategy with the business needs.
With a SOC, technology alone is not enough: SOC = People + Process + Technology. SOCs, despite their differences in size, scope, and responsibility, tend to be designed with a few key principles in mind. A SOC should be:
• Equipped to perform incident response duties.
• Supported by organizational policies, giving it the authority it needs to be effective.
• Aware of the strengths and limitations of each tool it uses.
• Aware of the nuances involved in monitoring to be able to separate the signal from the noise.
• Able to balance its size and its presence in the organization, without overstepping its bounds.
• Able to incorporate a wide variety of security processes into a single operations center.
• Prepared to leverage its strongest processes while minimizing the use of its weakest ones.
• Staffed with motivated, skilled professionals and not overstaffed with under-qualified personnel.
• Able to protect the SOC's own systems and infrastructure from attack.
• Willing to collaborate with other SOCs to share valuable information on threat intelligence and mitigation techniques.

A Security Operations Center should:
• Provide centralized security visibility
• Unify people, process and technology
• Monitor, detect, and respond to threats
• Manage risk, compliance and security


SOC Checklist includes:

* Services and SLAs:
Notification and escalations
Compliance monitoring
Vulnerability assessments

* Security Team:
Tiered support
Security expertise
Incident response processes

* Total Cost of Ownership:
Based on volume of logs, number of devices monitored, or unlimited
Monthly subscriptions, up-front costs?

* Advanced Threat Detection:
Threat intelligence feeds
User behavior analytics
Customizable policies


References:
    https://www.alienvault.com/forms/ebook-thank-you/how-to-build-a-security-operations-center-on-a-budget
    https://arcticwolf.com/
    https://www.siemplify.co/blog/best-practices-for-building-security-operations-center
    https://securityintelligence.com/best-practices-for-designing-a-security-operations-center/
    https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf
    https://blog.rapid7.com/2016/06/07/how-to-structure-a-security-operations-center/
    https://digitalguardian.com/blog/how-build-security-operations-center-soc-peoples-processes-and-technologies
    https://www.alienvault.com/resource-center/ebook/building-a-soc/soc-team
    https://researchcenter.paloaltonetworks.com/2014/09/importance-process-security-operations-center-soc/
    https://aws.amazon.com/about-aws/whats-new/2018/02/amazon-cloud-directory-demonstrates-soc-and-iso-compliance/
    https://a-lign.com/soc-2-vs-iso-27001
    https://www.cm-alliance.com/news/2016/05/us-client-want-isae-soc-2-report-i-already-iso-27001-certified-i
    https://www.experts-exchange.com/articles/31793/Vulnerability-Assessments-versus-Penetration-Tests.html
    https://www.experts-exchange.com/articles/32132/Better-Security-in-the-Cloud.html
    https://www.experts-exchange.com/articles/32316/What-Gives-SIEM-a-Good-Name.html
    https://www.experts-exchange.com/articles/31763/Incident-Handling-and-Response-Plan.html
    https://www.ssae-16.com/soc-2/
    https://www.experts-exchange.com/articles/33606/CISSP-Process-Guide.html
    https://blog.aujas.com/security-operations-center-maturity-a-step-by-step-diy-guide
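Following up on btan's point that time to remediate is a more meaningful SOC metric than time to case closure: the script below is an added example (my own, not code from the post or from any of the tools or vendors named above) that computes both metrics from a constructed set of incident records and flags tickets that were closed before, or without, remediation. The Incident fields, the severity labels and the sample tickets are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Incident:
    """One SOC case. Field names are assumed for this example, not taken from any product."""
    ticket: str
    severity: str
    detected_at: datetime
    remediated_at: Optional[datetime]  # when the threat was actually contained/eliminated
    closed_at: Optional[datetime]      # when the ticket was closed in the case system


def _ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


# Constructed sample data for illustration; these are not real incidents.
SAMPLE: List[Incident] = [
    Incident("INC-1", "high", _ts("2023-05-01T08:00"), _ts("2023-05-01T10:30"), _ts("2023-05-01T11:00")),
    # Ticket closed within half an hour, but the threat was only remediated a day later.
    Incident("INC-2", "high", _ts("2023-05-02T09:00"), _ts("2023-05-03T09:00"), _ts("2023-05-02T09:30")),
    # Ticket closed with no remediation recorded at all.
    Incident("INC-3", "low", _ts("2023-05-03T12:00"), None, _ts("2023-05-03T12:15")),
    Incident("INC-4", "low", _ts("2023-05-04T14:00"), _ts("2023-05-04T20:00"), _ts("2023-05-05T09:00")),
]


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def _summarize(values: List[float]) -> Optional[Dict[str, float]]:
    if not values:
        return None
    return {"count": len(values), "mean_h": mean(values), "median_h": median(values)}


def time_to_remediate(incidents: List[Incident], severity: Optional[str] = None):
    """Detection -> remediation, in hours. Unremediated tickets are excluded, never counted as zero."""
    return _summarize([_hours(i.detected_at, i.remediated_at) for i in incidents
                       if i.remediated_at is not None and (severity is None or i.severity == severity)])


def time_to_close(incidents: List[Incident], severity: Optional[str] = None):
    """Detection -> ticket closure, in hours: the metric the post warns against relying on."""
    return _summarize([_hours(i.detected_at, i.closed_at) for i in incidents
                       if i.closed_at is not None and (severity is None or i.severity == severity)])


def closure_anomalies(incidents: List[Incident]) -> List[str]:
    """Tickets closed before, or without, remediation.

    These make a closure-time KPI look good while the threat is still live,
    so they should be reviewed rather than counted as successes."""
    return [i.ticket for i in incidents
            if i.closed_at is not None and (i.remediated_at is None or i.closed_at < i.remediated_at)]


def kpi_report(incidents: List[Incident]) -> Dict[str, object]:
    """Per-severity view of both metrics plus the anomaly list, for a regular SOC review."""
    severities = sorted({i.severity for i in incidents})
    return {
        "by_severity": {s: {"time_to_remediate": time_to_remediate(incidents, s),
                            "time_to_close": time_to_close(incidents, s)} for s in severities},
        "closed_before_remediation": closure_anomalies(incidents),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(kpi_report(SAMPLE), indent=2))
```

Run it with `python3` and the report shows the gap the post describes: for the high-severity tickets the mean time to close is 1.75 hours while the mean time to remediate is 13.25 hours, and INC-2 and INC-3 are listed as closed before remediation. A team measured only on closure time would look healthy on this data; a team measured on remediation time would not.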