Building a Scalable Security Operations Center: A Focus on Open-source Tools

Bassey, Christian and Chinda, Ebenezer Tonye and Idowu, Samson (2024) Building a Scalable Security Operations Center: A Focus on Open-source Tools. Journal of Engineering Research and Reports, 26 (7). pp. 196-209. ISSN 2582-2926


Abstract

Given the prevalence of a wide variety of cyber attacks against businesses of all sizes, adequate security monitoring of organizational assets and infrastructure is essential for the early detection of, and response to, security incidents. By using a security information and event management (SIEM) tool alongside other security tools, such as an extended detection and response (XDR) tool, all housed in a single organizational unit, adequate security monitoring and response to detected incidents can be achieved. This research builds a SOC architecture with various components to provide complete security visibility across endpoints and digital assets, then proposes low-cost open-source tooling with which this architecture can be implemented. To validate the performance of this architecture, it was implemented using the proposed tools: the Wazuh platform as the XDR and SIEM tool, TheHive for case management, and Suricata for network intrusion detection. Subsequently, various cybersecurity scenarios, such as brute-force attacks, malware downloads, and DoS attacks, were executed against endpoints monitored by the deployed architecture. The results show that the implemented tools performed the correct exposure assessment and successfully detected and responded to the various scenarios. This paper proposes a security operations center architecture built from open-source tools and successfully implements it to detect common cybersecurity attacks.

Item Type: Article
Subjects: Open STM Article > Engineering
Date Deposited: 22 Jun 2024 06:40
Last Modified: 22 Jun 2024 06:40
URI: http://asian.openbookpublished.com/id/eprint/1404