Building Affordable SOCs

Cyberattacks don’t wait—and neither can our defences. As threats grow more frequent and sophisticated, Security Operations Centres (SOCs) have become the nerve centres of cybersecurity across the world. But what happens when institutions can’t afford one? This article breaks down how SOCs function, who runs them, and why most educational and mid-sized organisations are left out of the loop. It also introduces a bold, open-source initiative from IITB Trust Lab that’s reimagining the SOC—making it free, customisable, and operable even without expert staff.  Read on to find out.

A Security Operations Centre (SOC) is the hub of an organisation’s cybersecurity efforts. It is a centralised unit tasked with safeguarding the organisation’s digital infrastructure by monitoring and responding to security threats, every second of every minute of every hour.

At its core, an SOC combines people, processes, and technologies to form a cohesive defence mechanism. It aims to detect and neutralise threats before they cause harm. For example, if an attacker attempts to hack into an organisation’s server, the SOC should be able to detect the suspicious activity, then take steps to block the attacker, and investigate how and why the attack occurred.

Beyond dealing with threats, some SOCs also proactively perform vulnerability assessments, scanning the organisation’s infrastructure for weaknesses, such as outdated software, that attackers might exploit.

Some SOCs also develop security policies and procedures, which define how employees and systems should behave to minimise risk. They also provide security awareness training, since employees are often considered the weakest link in security: they fall prey to phishing scams and adopt bad habits such as using weak passwords.

SOCs also collaborate with other departments to ensure that the right people are informed about security incidents. For example, if a breach compromises sensitive customer data, the SOC will notify both technical teams and executives, enabling the organisation to respond appropriately.

The way an SOC is structured can vary depending on an organisation’s size, complexity, and needs. The architecture is broadly classified into three types:

  1. Centralised: All data from various locations — like offices, subsidiaries, or even remote branches—is sent to a single, central SOC for analysis. This approach ensures consistent oversight but can become a bottleneck if the volume of data is too high.
  2. Decentralised: Several smaller SOCs operate semi-independently but report to one or more central SOCs. This structure is often chosen to avoid a single point of failure. For instance, if a central SOC goes offline during an attack, the decentralised units can continue to operate and protect the organisation.
  3. Distributed: Works like a unified system spread across multiple locations. While it appears to end users as a single entity, its components may be located in different places.

Towards a Safer Digital Future

An SOC is run by a team of specialists, each with defined roles and responsibilities. 

  • Triage Specialist
    These individuals are the first line of defence. They collect raw data from various sources, such as network logs or security alerts, and review alarms to determine which ones require further investigation. Think of them as the cybersecurity equivalent of an emergency dispatcher—they decide which alerts need urgent attention. 
  • Incident Responder
    Once the triage specialists identify a serious threat, incident responders step in to analyse the incident in detail. For example, if a triage specialist identifies malware on a system, the incident responder investigates how it got there and what damage it may have caused. 
  • Threat Hunter
    The most experienced members of the SOC, threat hunters proactively search for hidden or emerging threats that automated tools might miss. They also oversee advanced tasks like penetration testing and vulnerability assessments. For instance, they might simulate a cyberattack on the organisation to find weaknesses before real attackers can exploit them. 
  • SOC Manager
    The manager oversees the entire SOC team, ensuring that everyone works together effectively. They provide technical guidance, especially during high-stakes incidents, and coordinate with other departments to align security operations with business goals. 

Processes Involved in an SOC

Running an SOC involves several well-defined processes that help teams respond quickly and function smoothly in times of crisis.

  • Collection of Data
    The SOC collects vast amounts of raw data from different sources, such as firewalls, servers, and endpoint devices. This data is then normalised (converted into a common format), filtered (irrelevant information is removed), and aggregated (grouped for analysis). For instance, instead of analysing thousands of individual login attempts, the SOC might summarise them into trends to identify anomalies. 
  • Detection and Analysis
    The heart of an SOC’s work is making sense of the data to detect threats. This process often combines automated tools (like AI-driven alert systems) with human expertise. For example, if an automated system flags unusual login behaviour—like someone accessing an account from two countries within an hour—analysts investigate further to determine if it’s a legitimate user or a hacker. 
  • Containment, Eradication, and Recovery
    If malware is detected on a server, the SOC isolates the server from the network to stop the malware spreading. The malware is then removed and any compromised files are restored from a backup taken before the compromise. Finally, the system is brought back online once the weakness the attacker used has been confirmed closed, so that normal operations resume on a clean system. 
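The collection and detection steps above, as an added example that is not part of the original article or of the IITB Trust Lab project: two login sources with different formats (an sshd-style syslog line and a JSON event from a single sign-on service) are normalised into one schema, unparseable lines are filtered out, successful logins are aggregated per user, and the “two countries within an hour” check is run over the result. The log lines, IP addresses, the IP-to-country table and the source names are all constructed for the example.

```python
"""Collection and detection over constructed login events.

Two sources report logins in different formats: an sshd-style syslog line
and a JSON event from a web single sign-on (SSO) service.  Both are
normalised into one schema, filtered, aggregated per user and checked for
"impossible travel" (successful logins from two countries within one hour).
Every sample line, address, country mapping and source name is constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed IP -> country table standing in for a GeoIP database.
GEOIP = {
    "198.51.100.7": "IN",
    "203.0.113.9": "DE",
    "192.0.2.44": "IN",
}

# sshd-style line, e.g. "<ts> host1 sshd[812]: Accepted password for alice from 198.51.100.7 port 50122 ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalise_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "user": m["user"].lower(), "src_ip": m["ip"],
            "success": m["result"] == "Accepted", "source": "sshd"}


def normalise_sso(line):
    ev = json.loads(line)
    return {"ts": datetime.fromtimestamp(ev["epoch"], tz=timezone.utc),
            "user": ev["username"].lower(), "src_ip": ev["client"],
            "success": ev["outcome"] == "ok", "source": "sso"}


def collect(lines):
    """Normalise mixed-format lines into one schema; lines that do not parse are filtered out."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = normalise_sso(line) if line.startswith("{") else normalise_sshd(line)
        except (ValueError, KeyError):
            ev = None
        if ev is not None:
            events.append(ev)
    return events


def aggregate_by_user(events):
    """Group successful logins per user, ordered by time (the aggregation step)."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["success"]:
            per_user[ev["user"]].append(ev)
    for evs in per_user.values():
        evs.sort(key=lambda e: e["ts"])
    return per_user


def impossible_travel(events, window_seconds=3600):
    """Return (user, country1, country2, ip1, ip2) for consecutive successful
    logins from different countries no more than window_seconds apart."""
    findings = []
    for user, evs in aggregate_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            c1, c2 = GEOIP.get(prev["src_ip"]), GEOIP.get(cur["src_ip"])
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if c1 and c2 and c1 != c2 and gap <= window_seconds:
                findings.append((user, c1, c2, prev["src_ip"], cur["src_ip"]))
    return findings


# Constructed sample input mixing both formats (epoch 1736847000 is 2025-01-14T09:30:00Z).
SAMPLE = [
    "2025-01-14T09:02:11Z host1 sshd[812]: Accepted password for alice from 198.51.100.7 port 50122 ssh2",
    '{"epoch": 1736847000, "username": "Alice", "client": "203.0.113.9", "outcome": "ok"}',
    "2025-01-14T09:40:00Z host1 sshd[900]: Failed password for invalid user admin from 192.0.2.44 port 40000 ssh2",
    '{"epoch": 1736848800, "username": "bob", "client": "192.0.2.44", "outcome": "ok"}',
    "this line is not a login record and is dropped",
]

if __name__ == "__main__":
    for finding in impossible_travel(collect(SAMPLE)):
        print("impossible travel:", finding)
```

The normalisation step is what makes the detection possible: the SSH login records the user as `alice` and the SSO event as `Alice`, and only after both are lower-cased and placed in one schema can the two logins be recognised as the same account moving from India to Germany in under half an hour. A real deployment replaces the `GEOIP` table with a GeoIP database and would also suppress known VPN egress addresses, which otherwise produce false positives.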

Project Motivation & Objective

SOCs are indispensable for protecting organisations from the ever-evolving landscape of cyber threats. However, building or outsourcing SOC capabilities is prohibitively expensive, so they are accessible mainly to large corporations with substantial budgets, government agencies, and organisations handling highly sensitive data, such as banks or healthcare institutions, where such a facility is essential. 

For many smaller organisations and businesses, including educational institutions, such expenses are out of reach. Unfortunately, these organisations are not immune to cyber threats. In fact, attackers often target these entities because they tend to have weaker security postures. 

Educational institutions, in particular, are vulnerable because they often store sensitive information, such as student banking details, personal data, and intellectual property. Additionally, attackers may not just exploit the institution but also use it to breach more valuable third-party systems. For instance, a university breach could expose student banking details, which might then be used in fraud against the banks holding those accounts. 

Currently, many of these organisations rely on standalone preventive controls such as firewalls, antivirus software, spam filters, and privileged access management (PAM) tools that limit who can reach sensitive data. While these tools provide some protection, each operates in isolation and has no view of what the others see.

This lack of event correlation means the organisation cannot piece together the full picture of an ongoing attack. For example, an alert from a firewall about suspicious traffic might not be connected to a phishing email flagged by a spam filter, even if the two events are part of the same attack. This gap leaves vulnerabilities unaddressed.
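The correlation gap described above, as an added example that is not part of the original article or of the IITB Trust Lab project: a mail filter’s phishing verdict and a firewall’s outbound-connection log are joined on the recipient’s workstation, the phishing host’s address and time, turning two isolated records into one incident (“the user probably clicked”). The log line layouts, the hostnames and addresses, and the DNS and asset-inventory lookup tables are all constructed for the example.

```python
"""Correlating two security tools' logs that are never joined in isolation.

A mail filter flags a phishing message; the firewall separately logs an
outbound connection.  Joined on (recipient's workstation, phishing host's
address, time) the two events become one incident: the user probably
clicked.  Log formats, hostnames, addresses and the DNS/inventory tables
are constructed for this example.
"""
import re
from datetime import datetime, timezone

MAIL_RE = re.compile(
    r"^(?P<ts>\S+) mailfilter: verdict=phishing rcpt=(?P<rcpt>\S+) url=(?P<url>\S+)"
)
# Netfilter-style log line; the lazy .*? skips fields we do not need.
FW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: FW-OUT: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)"
)

# Constructed stand-ins for DNS resolution and the asset inventory (which
# workstation belongs to which user; in practice from DHCP/LDAP/EDR data).
DNS = {"portal-login.example.net": "192.0.2.77"}
INVENTORY = {"10.1.2.30": "bob@example.edu", "10.1.2.31": "carol@example.edu"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_mail(line):
    m = MAIL_RE.match(line)
    if not m:
        return None
    host = re.sub(r"^https?://", "", m["url"]).split("/")[0]
    return {"ts": parse_ts(m["ts"]), "rcpt": m["rcpt"], "host": host}


def parse_fw(line):
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def correlate(mail_lines, fw_lines, window_seconds=86400):
    """Return one incident per phishing recipient whose workstation connected
    to the phishing host within window_seconds after the message was flagged."""
    phish = [e for e in map(parse_mail, mail_lines) if e]
    conns = [e for e in map(parse_fw, fw_lines) if e]
    incidents = []
    for p in phish:
        target = DNS.get(p["host"])
        if target is None:
            continue  # unresolved host: nothing to join on
        for c in conns:
            gap = (c["ts"] - p["ts"]).total_seconds()
            if c["dst"] == target and INVENTORY.get(c["src"]) == p["rcpt"] and 0 <= gap <= window_seconds:
                incidents.append({"user": p["rcpt"], "host": p["host"], "workstation": c["src"],
                                  "dport": c["dport"], "seconds_after_email": int(gap)})
    return incidents


# Constructed sample logs.
MAIL_LOG = [
    "2025-01-14T10:05:00Z mailfilter: verdict=phishing rcpt=bob@example.edu url=http://portal-login.example.net/login",
    "2025-01-14T10:06:00Z mailfilter: verdict=clean rcpt=carol@example.edu url=-",
]
FW_LOG = [
    "2025-01-14T10:12:30Z fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.1.2.30 DST=192.0.2.77 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN",
    "2025-01-14T10:13:00Z fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.1.2.30 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=51240 DPT=443 SYN",
    "2025-01-14T10:14:00Z fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.1.2.31 DST=192.0.2.77 LEN=60 PROTO=TCP SPT=40001 DPT=443 SYN",
]

if __name__ == "__main__":
    for inc in correlate(MAIL_LOG, FW_LOG):
        print("probable phishing click:", inc)
```

Neither tool on its own would have raised this: the mail filter saw a suspicious message, the firewall saw an ordinary HTTPS connection. Note that the third firewall line (Carol’s workstation reaching the same phishing host without a flagged email) is not caught by this join; a second rule that matches any internal host against the set of phishing destinations would cover it, which is exactly the kind of rule that only a central correlation point can express.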

Our Goal

The idea of simply providing such institutions and organisations with a traditional SOC or SIEM system for free is impractical. Such systems often require significant resources and expertise to operate effectively—something they lack. 

This project aims to bridge that gap by creating an SOC that is:

  1. Free to set up, removing financial barriers.
  2. Free to modify, allowing customisation to meet the specific needs of the organisation.
  3. Operable with minimal expertise, so that even organisations without dedicated cybersecurity staff can use it effectively.

To achieve this, the project leverages free and open-source technology and adopts a distributed model. Open-source tools minimise cost and provide flexibility, as the code can be tailored to fit the requirements of each institution. The distributed model provides scalability, making the solution robust and accessible for under-resourced organisations.

Data Sources

Data is gathered from the following sources:

Web Server

A web server is a system that hosts websites or web applications and delivers content, like web pages, images, or videos, to users over the internet. Think of it as a digital librarian: when you type a URL into your browser, the web server returns the requested page and the browser displays it on your screen.

In an SOC, web servers contribute to data collection through their access logs, which record every request made to the hosted sites: the timestamp, the client IP address, the URL requested, the response status code, the bytes returned, and the client’s user agent. For example, if someone repeatedly requests restricted parts of a website and keeps receiving 401 or 403 responses, the SOC can detect this pattern in the access logs and investigate a possible unauthorised access attempt.
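The access-log pattern just described, as an added example that is not part of the original article or of the IITB Trust Lab project: a parser for the Apache/nginx “combined” log format and a check that reports client addresses which collected several 401/403 responses, along with the paths they probed. The log lines, addresses and paths are constructed for the example; the line layout is the standard combined format.

```python
"""Spotting repeated attempts on restricted paths in web server access logs.

Parses Apache/nginx "combined" log format lines and reports client addresses
that collected several 401/403 responses, together with the paths probed.
All log lines, addresses and paths are constructed for this example.
"""
import re
from collections import defaultdict

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

DENIED = {401, 403}


def parse_combined(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["size"] = 0 if ev["size"] == "-" else int(ev["size"])  # "-" means no body was sent
    return ev


def denied_requests_by_client(lines):
    """Map client IP -> list of paths for which the server answered 401 or 403."""
    denied = defaultdict(list)
    for line in lines:
        ev = parse_combined(line)
        if ev and ev["status"] in DENIED:
            denied[ev["ip"]].append(ev["path"])
    return denied


def suspicious_clients(lines, threshold=3):
    """Clients with at least `threshold` denied requests, with the distinct paths they probed."""
    report = {}
    for ip, paths in denied_requests_by_client(lines).items():
        if len(paths) >= threshold:
            report[ip] = {"denied": len(paths), "paths": sorted(set(paths))}
    return report


# Constructed sample access log (the last line is deliberately unparseable).
SAMPLE_LOG = [
    '198.51.100.23 - - [14/Jan/2025:11:00:01 +0530] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '198.51.100.23 - - [14/Jan/2025:11:00:02 +0530] "GET /admin/config.php HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '198.51.100.23 - - [14/Jan/2025:11:00:03 +0530] "GET /.git/HEAD HTTP/1.1" 403 - "-" "curl/8.5.0"',
    '203.0.113.5 - - [14/Jan/2025:11:01:10 +0530] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jan/2025:11:01:15 +0530] "GET /staff/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    "this is not an access log line",
]

if __name__ == "__main__":
    for ip, info in suspicious_clients(SAMPLE_LOG).items():
        print(ip, info)
```

Reporting the distinct paths, not just the count, is what tells the analyst whether they are looking at a misconfigured crawler or at someone walking through `/admin/` and `/.git/HEAD` with `curl`. Behind a reverse proxy or CDN the `ip` field is the proxy’s address, so the same check must be run on the forwarded client address the proxy adds, or every client collapses into one.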

Mail Server

A mail server is responsible for sending, receiving, and storing emails — it acts as a digital post office, managing the flow of messages between senders and recipients. For example, when you send an email, it first goes to your mail server, which then routes it to the recipient’s mail server. In the context of an SOC, mail servers are essential for monitoring phishing attempts. 

Phishing emails involve cybercriminals sending fraudulent messages designed to trick recipients into revealing sensitive information such as login credentials. The email typically includes malicious links or attachments, using company logos and corporate language to establish legitimacy. Clicking the link redirects the victim to a fake website that looks authentic, where they unknowingly input their data. Alternatively, opening an attachment may install malware on the victim’s device. The attackers then use the stolen information for financial fraud, identity theft, or further attacks.

Lightweight Directory Access Protocol

The Lightweight Directory Access Protocol (LDAP) is the protocol behind a directory service, a digital phone book that stores and manages information about users, devices, and resources in an organisation. For example, it can hold employee usernames, password hashes, group memberships and access permissions in one centralised system, so that applications can check that only authorised individuals access sensitive resources. 

In an SOC, the directory server’s logs are monitored to watch authentication and access control. Repeated bind attempts with wrong passwords, or requests for entries the account is not permitted to read, are recorded as failed operations in the LDAP server’s logs. The SOC can use this information to detect brute-force and password-spraying attempts or potential insider threats.
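Counting failed logins in directory logs is less direct than it sounds, because OpenLDAP (slapd) spreads one authentication over several lines that only share a connection number: `ACCEPT` carries the client address, `BIND` carries the account DN, and `RESULT` carries the error code (`err=49` is invalidCredentials). The following is an added example, not part of the original article or of the IITB Trust Lab project, that correlates those lines by `conn=`/`op=` and then summarises failures per source address, which also exposes password spraying (one source trying many accounts). The sample lines, addresses and DNs are constructed; the line layout follows slapd’s stats log format.

```python
"""Failed LDAP binds from OpenLDAP (slapd) stats logs.

slapd spreads one authentication over several lines that share a connection
number: ACCEPT (carries the client IP), BIND (carries the DN) and RESULT
(carries the error code; err=49 is invalidCredentials).  The lines must be
correlated by conn= and op= before failures can be counted per source, which
also exposes password spraying (one source, many DNs).  All sample lines,
addresses and DNs are constructed; the line layout follows slapd's format.
"""
import re
from collections import defaultdict

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"^fd=\d+ ACCEPT from IP=(?P<ip>[\d.]+):\d+")
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")  # tag=97 is a bind response


def failed_binds(lines):
    """Return (client_ip, dn, err) for every bind that did not succeed (err != 0)."""
    conn_ip = {}      # conn -> client IP, learned from ACCEPT
    bind_dn = {}      # (conn, op) -> DN, learned from BIND
    failures = []
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        if (a := ACCEPT_RE.match(rest)):
            conn_ip[conn] = a["ip"]
        elif (b := BIND_RE.match(rest)):
            bind_dn[(conn, b["op"])] = b["dn"]
        elif (r := RESULT_RE.match(rest)) and r["err"] != "0":
            dn = bind_dn.get((conn, r["op"]))
            ip = conn_ip.get(conn)
            if dn is None or ip is None:
                continue  # ACCEPT/BIND not seen (e.g. lost in log rotation): cannot attribute
            failures.append((ip, dn, int(r["err"])))
    return failures


def bind_failure_summary(lines, threshold=3):
    """Per source IP with >= threshold failures: total failures and distinct DNs tried."""
    by_ip = defaultdict(list)
    for ip, dn, _err in failed_binds(lines):
        by_ip[ip].append(dn)
    return {ip: {"failures": len(dns), "distinct_users": len(set(dns))}
            for ip, dns in by_ip.items() if len(dns) >= threshold}


# Constructed slapd log excerpt: one spraying client, one user who mistyped once,
# and a RESULT whose ACCEPT/BIND lines were never seen.
SAMPLE = [
    "Jan 14 12:00:01 ldap1 slapd[1234]: conn=1005 fd=20 ACCEPT from IP=198.51.100.23:40111 (IP=0.0.0.0:389)",
    'Jan 14 12:00:01 ldap1 slapd[1234]: conn=1005 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=edu" method=128',
    "Jan 14 12:00:01 ldap1 slapd[1234]: conn=1005 op=0 RESULT tag=97 err=49 text=",
    'Jan 14 12:00:02 ldap1 slapd[1234]: conn=1005 op=1 BIND dn="uid=bob,ou=people,dc=example,dc=edu" method=128',
    "Jan 14 12:00:02 ldap1 slapd[1234]: conn=1005 op=1 RESULT tag=97 err=49 text=",
    'Jan 14 12:00:02 ldap1 slapd[1234]: conn=1005 op=2 BIND dn="uid=carol,ou=people,dc=example,dc=edu" method=128',
    "Jan 14 12:00:02 ldap1 slapd[1234]: conn=1005 op=2 RESULT tag=97 err=49 text=",
    "Jan 14 12:00:05 ldap1 slapd[1234]: conn=1006 fd=21 ACCEPT from IP=203.0.113.5:51000 (IP=0.0.0.0:389)",
    'Jan 14 12:00:05 ldap1 slapd[1234]: conn=1006 op=0 BIND dn="uid=dave,ou=people,dc=example,dc=edu" method=128',
    "Jan 14 12:00:05 ldap1 slapd[1234]: conn=1006 op=0 RESULT tag=97 err=49 text=",
    'Jan 14 12:00:09 ldap1 slapd[1234]: conn=1006 op=1 BIND dn="uid=dave,ou=people,dc=example,dc=edu" method=128',
    "Jan 14 12:00:09 ldap1 slapd[1234]: conn=1006 op=1 RESULT tag=97 err=0 text=",
    "Jan 14 12:00:10 ldap1 slapd[1234]: conn=1007 op=0 RESULT tag=97 err=49 text=",
]

if __name__ == "__main__":
    print(failed_binds(SAMPLE))
    print(bind_failure_summary(SAMPLE))
```

The `distinct_users` figure is the signal that separates a user who forgot a password (one DN, several failures) from a spraying attempt (several DNs, one failure each), which a plain count of `err=49` lines cannot distinguish. The orphaned `conn=1007` result is skipped rather than guessed at; in a pipeline that reads rotated files, the `ACCEPT` line may sit in the previous file.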

Firewall

A firewall is like a security guard for a network, controlling what data is allowed to enter or leave. It checks incoming and outgoing traffic against a set of rules to block anything suspicious or harmful. For instance, it can prevent users from visiting malicious websites or block unauthorised attempts to access the network.

In an SOC, firewalls provide logs of the traffic they allow and deny. For example, if a firewall sees an unusual number of connection attempts from the same IP address, behaviour commonly associated with brute-force or scanning activity, it logs each attempt and, where a rate-limiting rule is configured, blocks the address. This data is invaluable for the SOC to understand and respond to cyber threats.

Technology Stack

The tools and technologies used are the following:

Log Collector

A log collector is like a vacuum cleaner for data—it gathers logs (records of activities) from various systems, such as web servers, mail servers, firewalls, and more, and sends them to a central repository for analysis. For instance, if a web server logs a user accessing a webpage, or a firewall logs an attempt to block suspicious traffic, the log collector ensures all these records are funnelled to a single place.

In everyday terms, imagine you’re running a store with multiple security cameras. Instead of reviewing footage from each camera separately, a log collector would consolidate all the footage into one central screen. This ensures the SOC can analyse all system activities efficiently and in one place, rather than having to hunt for scattered data.

Logstash

Logstash is a tool used to ingest, process, and transform logs collected from various sources including system logs, website logs, and application server logs. It acts as a middleman that cleans and organises the raw logs into a structured format that is easier to analyse. 

For example, if one log records a date as “01/14/25” and another uses “January 14, 2025,” Logstash can standardise these formats so they align perfectly. Logstash can be thought of as a sorting and cleaning process in a recycling facility. Logs arrive messy and disorganised, and Logstash processes them so they can be used effectively.

Kafka 

Kafka is a high-performance data pipeline tool that moves logs and data in real-time between systems. It ensures that all the processed logs are delivered reliably and quickly to their next destination, like a database or analytics tool. For example, as logs are cleaned and structured by Logstash, Kafka makes sure they’re promptly delivered to the ELK stack for storage and analysis.

Think of Kafka as a high-speed train network. Each train carries logs (data) from one station (Logstash) to another (the ELK stack). Kafka also acts as a buffer: when logs arrive faster than Elasticsearch can index them, they queue in Kafka rather than being dropped, and its topics can be replicated across brokers so that a single broker failure does not lose them.
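The Logstash and Kafka roles described in the two sections above, written out as an added example of Logstash pipeline configuration; this is illustrative, not the project’s own configuration. It assumes a Beats shipper (such as Filebeat) on each server sending to port 5044, a Kafka broker reachable as `kafka:9092`, a topic named `soc-raw`, and Elasticsearch at `elasticsearch:9200`; all of these names are assumptions. The first pipeline parses web server lines with the built-in `COMBINEDAPACHELOG` pattern and normalises the log’s own timestamp into `@timestamp` (the date-standardisation step the Logstash section mentions), then hands the structured event to Kafka; the second pipeline consumes from Kafka and indexes into Elasticsearch.

```conf
# Pipeline 1 (e.g. pipelines/ingest.conf): shippers -> Logstash -> Kafka
input {
  beats { port => 5044 }        # Filebeat on the web/mail/LDAP servers ships here
}

filter {
  # Parse the Apache/nginx combined access-log line into named fields.
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
    tag_on_failure => ["_grokparsefailure"]   # keep, but mark, lines that do not parse
  }
  # Replace the ingestion time with the time the web server recorded,
  # so events from different sources line up on one timeline.
  date {
    match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
    target => "@timestamp"
  }
}

output {
  kafka {
    bootstrap_servers => "kafka:9092"   # assumed broker address
    topic_id => "soc-raw"               # assumed topic name
    codec => json
  }
}

# Pipeline 2 (e.g. pipelines/index.conf): Kafka -> Logstash -> Elasticsearch
input {
  kafka {
    bootstrap_servers => "kafka:9092"
    topics => ["soc-raw"]
    group_id => "soc-indexer"           # consumer group; add instances to scale out
    codec => json
  }
}

output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]   # assumed; see note on TLS and credentials
    index => "soc-web-%{+YYYY.MM.dd}"        # one index per day simplifies retention
  }
}
```

Two practical caveats. The field names `grok` produces for `COMBINEDAPACHELOG` differ between Logstash’s legacy and ECS-compatible modes, so Kibana dashboards should be built against whichever mode the pipeline runs in. Recent Elasticsearch releases enable TLS and authentication by default, so the real `elasticsearch` output also needs credentials (`user`/`password` or `api_key`) and the TLS options; they are omitted here to keep the example to the data flow.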

Elasticsearch

Elasticsearch is a powerful, distributed search and analytics engine often used for tasks such as full-text search, storing and analysing log files generated by applications, servers, or devices, and providing fast and scalable search functionality across large datasets.

For an SOC in an educational setting, Elasticsearch could serve several critical functions. One of its primary roles is centralised log storage and management. Educational institutions operate diverse IT systems, and Elasticsearch can aggregate logs from all these sources into a unified repository, enabling SOC analysts to identify anomalies. By consolidating log data, it provides a foundation for better monitoring and analysis.

Kibana

Kibana is used for visualisation. It allows you to create interactive dashboards that display data in an easy-to-understand format. For example, an SOC analyst could use Kibana to view a line graph of failed login attempts over time, identifying spikes that might indicate a brute-force attack.

In this way, Kibana makes security data accessible and actionable, even for people who are not highly technical. A university SOC might use Kibana to show metrics like failed login attempts broken down by department, helping prioritise where to focus security efforts.