Seven Steps to Set Up a SOC Without a Traditional SIEM

Turngate Team
September 23, 2025
6 min read

Mention a SOC to a traditional enterprise IT crowd and you’ll hear tales of dramatically lit, NASA-like control centers with big, blinky maps and banks of monitors resplendent with all manner of real-time defensive telemetry. Impressive. And cool. And for the past three decades, pretty much table stakes for protecting a global enterprise’s digital assets at scale.

Not so, however, for smaller businesses, particularly today’s newer, born-in-the-cloud contingent. These nimble players eschew the traditional SOC; they favor outsourcing much of the security blocking and tackling to Managed Detection and Response (MDR) providers or MSSPs. With those fundamentals handled, they reason, the in-house security leadership and team can focus more on governance, risk management, and overall cybersecurity strategy.

That’s not to say smaller teams don’t still need to track systems and monitor user activity — and investigate quickly when things look sketchy. They do. But as security ops goes, today’s SOC is often more concept and less physical place in the SMB/SME and cloud-first space. Developing this new generation of hybrid SOC takes some careful consideration, particularly when it comes to tooling. The first question: Do I really need a big, heavyweight SIEM to go with my lean and targeted SOC? Probably not. Here’s why.

What’s a SIEM and Do I Need One?

Like many things in the IT lexicon, SIEM, or Security Information and Event Management, is a tech segment moniker coined by Gartner. Since 2005, it’s been used to describe tools that compile security alerts, events, and logs and give analysts a central place to manage investigations and alerts. Modern SIEMs often fold in compliance reporting and threat hunting as well, so there’s no real one-size-fits-all solution in the market.

With their burgeoning roster of capabilities, SIEM platforms have grown unwieldy. They’re expensive and come with hefty demands for storage capacity, administrative overhead, human resource requirements, and day-to-day alert management. For all but the big, well-heeled enterprise security shops, a full-blown SIEM is increasingly unaffordable and unmanageable. Smaller teams need a feasible way to quickly and accurately detect the growing number of threats and incidents without all of the hoopla and added costs bundled into the traditional SIEM.

Establishing a SOC Without a Traditional SIEM in 7 Steps

At Turngate, we believe anyone in any size security shop should be able to identify key security events in their SOC without all of the SIEM-powered labeling, sorting, and correlating of log data. Developing a SOC for the defense of smaller and cloud-native organizations requires a tactical game plan. Here’s how that might look:

1. Define the Scope

For most SMB/SME organizations, the bulk of core security operations functions will be handled by your managed security/detection and response outsourcer of choice. Some gap analysis is in order to determine what’s already under control, what’s left on your plate, and where you might want some overlap to facilitate quick investigation and timely incident response. For our purposes, let’s imagine most functions of the SOC will remain, at least in part, under local command and jurisdiction. In this case, you’ll need to consider:

  • Inventory and Key Assets: Determine which critical assets you need to protect, including networks, systems, applications, and data. You can’t protect what you don’t know about. This can be as simple as a spreadsheet or as robust as dedicated inventory management software.
  • Threat Landscape: Your industry (e.g., healthcare, finance, etc.) might be vulnerable to specific types of threats. Know the threats and risks your organization faces in your day-to-day operations.
  • Compliance: List relevant regulations and requirements for your country, municipality, and industry. Don’t forget compliance for security controls, particularly if you choose to pursue SOC 2 or ISO 27001 certification.

2. Set the Foundation

  • Controls: Make sure your security controls are in place and working well. Otherwise your SOC will be overloaded with alerts from day one.
  • Monitoring: Set up continuous monitoring to detect security events and anomalies. Much of this is generated by your cloud infrastructure and SaaS providers. Turn on every audit log and alert source they offer: noisy alerts can be tuned down later, but events that were never logged can’t be recovered during an investigation.
  • Incident Investigation and Response: Develop procedures for security investigations and incident response. Don’t go crazy on the procedures; focus on who should be involved and the high-level steps.
  • Threat Intelligence: Bonus points for integrating threat intelligence sources to stay ahead of emerging threats. This can get expensive, so economize by leveraging social media feeds and public resources like CISA’s security alerts.
  • Reporting: Determine which KPIs will reflect security posture, incidents, and compliance. If you want a real-time dashboard, Looker and Power BI are low-cost options that aggregate multiple data sources. However, ad hoc reporting is often sufficient in the early days while you figure out what’s important and what’s not.
  • Forensics: Ensure you have the capability to investigate security breaches and preserve evidence. These often come natively with your EDR and/or your IT management software. Also, your outside counsel may have an IR team on call. Keep that number handy.
3. Choose the Necessary Tools

Assemble a toolset that combines different layers of security monitoring and management. Some must-haves include:

  • Log management: Selfishly, we think you should use Turngate to aggregate your SaaS alerts and logs. If you have logs beyond your SaaS environment, deploy centralized log management tools like an ELK/Elastic Stack (Elasticsearch, Logstash, Kibana) or Graylog for log collection, aggregation, and analysis.
  • Endpoint security: Implement Endpoint Detection and Response (EDR) tools such as CrowdStrike or Carbon Black, or open-source options like OSSEC (a host-based IDS that covers part, but not all, of what a commercial EDR does).
  • A SIEM for your SaaS: Turngate not only brings your logs into one place, it can be the focal point of your security operations for cloud-native companies. We’ve got dashboards, reports, investigation workflows, and data enrichment to give you everything you need in a SIEM without the baggage of a conventional, heavyweight SIEM.
  • Network monitoring: Depending on your environment, you may want to use tools like Zeek (formerly Bro), Suricata, or Snort for network traffic analysis. In some organizations, there is very little value in this tech as you are basically running a coffee shop network with a printer, so there can be a great deal of expense with little return.
  • Vulnerability management: Vulnerability scanning and management tools like OpenVAS or Nessus verify, rather than assume, that both IT and your users are actually patching their systems early and often.
  • Canaries: We can’t speak highly enough of the crew at Thinkst Applied Research and their fleet of hardware and virtual deception and tripwire devices. Buy a few canaries, deploy them, and hope they never fire. When they do, they are one of the most reliable sources of signal on your network.
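To make the log management bullet concrete, and to show what “who is this user and what have they done recently?” looks like in practice without a SIEM, here is an added example written for this page. It is not Turngate’s code and does not reproduce any vendor’s real export format: the three source schemas, the users, the IP addresses, the handle-to-email directory, and the detection thresholds are all constructed assumptions. The script normalizes audit events from three hypothetical SaaS tools (an identity provider, a collaboration suite, and a source-control service) into one schema, builds a per-user timeline across all of them, and flags a burst of failed logins followed by a success and a sensitive configuration change.

```python
"""Added example (not Turngate code): normalize audit logs from several SaaS
sources into one schema, build a per-user timeline, and run a simple
detection over it. All source formats, users, and IPs below are constructed
for illustration and do not reproduce any real vendor's schema."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# --- Constructed sample exports from three hypothetical SaaS tools ----------
IDP_EVENTS = [  # identity provider: ISO-8601 timestamps, nested client IP
    {"ts": "2025-09-22T08:01:00Z", "actor": "dana@example.com",
     "eventType": "user.session.start", "outcome": "FAILURE", "client": {"ip": "203.0.113.7"}},
    {"ts": "2025-09-22T08:01:30Z", "actor": "dana@example.com",
     "eventType": "user.session.start", "outcome": "FAILURE", "client": {"ip": "203.0.113.7"}},
    {"ts": "2025-09-22T08:02:10Z", "actor": "dana@example.com",
     "eventType": "user.session.start", "outcome": "SUCCESS", "client": {"ip": "203.0.113.7"}},
    {"ts": "2025-09-22T09:00:00Z", "actor": "lee@example.com",
     "eventType": "user.session.start", "outcome": "SUCCESS", "client": {"ip": "198.51.100.5"}},
]
COLLAB_EVENTS = [  # collaboration suite admin audit: naive timestamps, flat fields
    {"time": "2025-09-22 08:04:55", "user_email": "dana@example.com",
     "action": "CREATE_API_TOKEN", "ip_address": "203.0.113.7"},
    {"time": "2025-09-22 08:05:20", "user_email": "dana@example.com",
     "action": "ADD_FORWARDING_RULE", "ip_address": "203.0.113.7"},
]
SCM_EVENTS = [  # source control: epoch milliseconds, actor is a handle, not an email
    {"@timestamp": 1758531900000, "actor": "lee", "action": "repo.access",
     "actor_ip": "198.51.100.5"},
]
DIRECTORY = {"lee": "lee@example.com", "dana": "dana@example.com"}  # assumed handle -> identity


@dataclass
class Event:
    ts: datetime   # always timezone-aware UTC after normalization
    source: str
    user: str      # canonical identity (email) so the sources can be joined
    action: str
    outcome: str   # "success" or "failure"
    ip: str


def from_idp(e):
    ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return Event(ts, "idp", e["actor"], e["eventType"], e["outcome"].lower(), e["client"]["ip"])


def from_collab(e):
    # The export has no timezone; assume UTC, which is the kind of detail a SIEM hides.
    ts = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return Event(ts, "collab", e["user_email"], e["action"].lower(), "success", e["ip_address"])


def from_scm(e):
    ts = datetime.fromtimestamp(e["@timestamp"] / 1000, tz=timezone.utc)
    user = DIRECTORY.get(e["actor"], e["actor"])  # stitch the handle to the real identity
    return Event(ts, "scm", user, e["action"], "success", e["actor_ip"])


def normalize_all():
    """Merge every source into one time-ordered stream of Event records."""
    events = ([from_idp(e) for e in IDP_EVENTS]
              + [from_collab(e) for e in COLLAB_EVENTS]
              + [from_scm(e) for e in SCM_EVENTS])
    return sorted(events, key=lambda ev: ev.ts)


def timeline(events, user):
    """Answer 'what has this user done recently?' across all sources."""
    return [f"{ev.ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {ev.source} {ev.action} {ev.outcome} {ev.ip}"
            for ev in events if ev.user == user]


LOGIN = "user.session.start"
SENSITIVE = {"create_api_token", "add_forwarding_rule"}  # assumed actions worth a second look


def find_suspicious(events, window=timedelta(minutes=5), follow=timedelta(minutes=15)):
    """Flag a successful login preceded by >= 2 failures within `window`, and any
    sensitive action by the same user within `follow` of such a login."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    findings = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev.action != LOGIN or ev.outcome != "success":
                continue
            fails = [f for f in evs[:i]
                     if f.action == LOGIN and f.outcome == "failure" and ev.ts - f.ts <= window]
            if len(fails) < 2:
                continue
            findings.append((user, f"{len(fails)} failed logins then success from {ev.ip}"))
            for later in evs[i + 1:]:
                if later.action in SENSITIVE and later.ts - ev.ts <= follow:
                    secs = int((later.ts - ev.ts).total_seconds())
                    findings.append((user, f"{later.action} {secs}s after suspicious login"))
    return findings


if __name__ == "__main__":
    stream = normalize_all()
    print("\n".join(timeline(stream, "dana@example.com")))
    for user, reason in find_suspicious(stream):
        print("ALERT", user, reason)
```

Two things in this toy are where the real effort goes in a lean SOC: identity stitching (the source-control log names a handle, the others an email, and nothing joins them until you add a directory) and timestamp normalization (one source is ISO-8601, one is a naive local string, one is epoch milliseconds). The detection rule and its thresholds are placeholders; the point is that once events share a schema, a few lines of code can answer the investigation questions that a heavyweight SIEM is usually bought to answer.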

4. Map Processes and Workflows

  • Incident detection and response: Define and document the steps for detecting, triaging, and responding to security incidents. A properly configured dashboard is vital for visualizing investigations and responses.
  • Alert management: Create procedures for handling alerts, including clear prioritization criteria and escalation paths, and make sure everyone knows where to find them. Turngate supports alerting and can manage this for you.
  • Threat hunting: Newer attacks are often unclassified or unknown. Establish a proactive threat-hunting process to identify threats that might bypass automated tools, especially in early days of exploitation before researchers have published more thorough analysis.
  • Continuous improvement: Regularly review and refine SOC processes based on lessons learned and evolving threats.

5. Assemble a Skilled Team

  • Core functions and roles: Assign specific roles such as SOC analysts, incident responders, threat hunters, and forensic experts. If your SOC is actually just your security team periodically wearing a different hat, be sure they know how to prioritize all of their different tasks.
  • Situational awareness and ongoing education: Provide ongoing training and certification opportunities to keep the team updated on the latest attacks, trends, and techniques.
  • Cross-discipline integration: Foster teamwork between SOC team members and other departments, especially IT.

6. Establish Monitoring and Reporting

  • Stay current: Prioritize cybersecurity industry reports (e.g., Verizon DBIR) as well as real-time reporting to better understand the threat landscape.
  • Inform stakeholders: Establish a regular reporting cadence to communicate SOC activities and incidents to stakeholders across the company.

7. Prioritize Simulation and Evaluation

  • Tabletop and team exercises: Use tabletop exercises (such as Oh Noes! or Backdoors and Breaches) and hands-on labs (TryHackMe, HackTheBox) to simulate incidents and test the SOC's response capabilities. Red, blue, and purple teaming mimic adversarial testing and better identify weaknesses in defensive strategies.
  • Metrics: Define and track SOC performance metrics, such as mean time to detect (MTTD), mean time to intercept (MTTI), and mean time to respond (MTTR). Decide which are most important and why. Be careful, however: SOC metrics can be tricky to collect and analyze, and you may be better off with “seat of your pants” metrics than with hard numbers you can’t trust.
  • Review: Periodically review and adjust the SOC's tools, processes, and team structure to ensure they remain effective against evolving threats. AI and creative threat actors are continually changing the adversarial landscape, so what worked well last month might be useless next quarter.

Conclusion: Practicality, Not Privation

In the end, the SOC should be about right-sizing security to fit the needs of the organization, not lowering standards just to save some scratch. You don’t need to replicate a Fortune 500 SOC to get responsive, resilient security that balances people, processes, and technologies. Remember: Strong cybersecurity is more about strategy than it is about spectacle. Careful planning, a lean toolset, and a clearly defined scope are enough to give smaller teams enterprise-grade visibility, detection, and incident response without the financial and human drain of a traditional SIEM. Turngate’s SIEM can streamline your security operations without the complexity of other tools.

Turngate provides the essential fabric for this reimagined SOC. We simplify and accelerate security investigations by consolidating audit logs and alerts from SaaS sources into an intuitive, visual interface. With Turngate, defenders get insights into user behavior (logins, configuration changes, data access, and more) without the need for deep expertise in log formats or complex query languages.

Built to facilitate rapid, user-centric investigations, Turngate normalizes and distills disparate log data so analysts can answer critical questions like "Who is this user?" and "What have they done recently?" within minutes.

Interested? Check out all of Turngate’s features and sign up for a free trial.