The SOC Lone Ranger: Achieving More with Less

It's not news that lack of budget and resources when it comes to IT security are common problems within organizations. The question we are facing now, when hit with the cold, hard reality that a quick fix is unlikely, is how to work around the limitations of a small security team. And it is not so bleak as it may seem; there are several key factors that contribute to the success of small security teams: knowing your environment, good communications skills, automation, setting a routine and taking advantage of threat sharing.

Know Your Environment

This may seem obvious, but in order to protect your environment, you must understand it and what your users are doing in it. What websites are popular with your users? This can help you pre-empt or prevent watering hole attacks. Where are your users located? A user logging in from an unusual location could be the first indicator of an intrusion. What games are they playing during down time? If those games are exposed to Flash exploits or the game owner has been compromised it can become a problem on your network. All of this is useful information to incorporate into network defence. Remember, though: it is not your goal to spy, only to monitor and protect.


Often overlooked, good communication skills are needed by the security practitioner to effectively create security awareness amongst senior management and staff. It's about communicating the right message to the right people in the right way.

Communication style will greatly impact how you are perceived within your organization and in turn make you more effective at your job. After all, scaring everyone constantly about the ‘next big zero day apocalypse’ will only desensitize your organization to the next threat and possibly inhibit cooperation between teams. Rather than fright, teaching and demonstrating proper security practice will give a higher return on the time you invest with your users. This return comes in the form of compliance and cooperation reducing the number of incidents.


In a small SOC, it is important to automate tasks whenever you can to help save time and resources. Projects like ad-hoc reporting, technology integration and data interfaces between other teams are great places to start. An experienced security professional will learn when and perhaps what not to automate because remember you can't automate everything. Security must always take priority, so don't let automation consume you. To help your automation tasks, take the time to learn a scripting language, something popular that your servers are running and can be translated to other areas of your work.


Having a routine process for tasks on a daily, weekly, or maybe even hourly basis is phenomenal practice for a small security team. For example, daily routines might involve reviewing alarms first and foremost every day. Do not stop until all critical and high severity alarms are closed. Secondly, review events. This can be done by taxonomy (exploit, malware, authentication), data source or simply by volume. Performing this review on a daily basis will help you get a feel for what is normal and make finding the unusual easier. This review process can also help you tune and create policies to refine your baseline of activity in a logical and consistent manor.

Weekly routines consist of vulnerability scans. Scans should be targeted and group similar servers or subnets together. Scanning the entire environment at once will only increase the time of the scan and make it difficult for reporting. Before a vulnerability scan takes place, make sure you have an established remediation plan, otherwise you waste time and leave that portion of the network exposed while you scramble to come up with the procedure to patch.

Other forms of organization include making use of your SIEM's ticketing system or creating a wiki to which you can add information from investigations or scripts. When the security team (eventually) grows, this will help new recruits get up to speed and learn quickly.

Threat Sharing

Finally, there are numerous threat intelligence sharing feeds security professionals can utilize to garner knowledge from thousands of others in the same boat as you. Access to threat intelligence puts the power of many systems into a form factor that is easy to integrate and utilize. The two-way interaction of sharing is vital to learning about the latest and most critical threats facing businesses.

Being a SOC ‘lone ranger’ can seem daunting, but with a little preparation and organization, you can establish the habits to run it effectively, no matter what the size.

About the Author

Joe Schreiber is a solutions architect with AlienVault who has been doing IT security since the days of dial-up. With his team at AT&T Managed Security Services, Joe built one of the world's largest SIEM systems, bringing thousands of devices under real time security management and monitoring more than two petabytes of network traffic daily.

What’s Hot on Infosecurity Magazine?