If you want to build your own XDR team, you are going to need to find a variety of ‘difficult-to-hire and retain’ security specialists and then find a way to keep them in a career that is very stressful, involves difficult work and long hours, and where affordable training is hard to find.
To top it off, there’s a good chance your XDR vendors will try and poach them.
That’s the grim prognosis of what Allie Mellen, Forrester Research senior SecOps Analyst, cyber security, says is a very stressful role. “You're trying to stop the company from being breached. And so, you have a big responsibility there.”
“This is a job where you have to work outside of your normal hours, you have to do your own research, you have to work very hard to stay in this field. Internal security is not considered a profit centre, they're considered a loss, and because of that, they aren't usually funded to the same level that we'd expect with product teams,” Mellen adds.
She also says many security professionals also find it hard to use the tools they are given. 
“So a SOC can range from having 10 tools, to 30 tools, to 50 tools, depending on the SOC that you're talking about. It's a lot of work to not only be familiar with and, or an expert in, all of these different technologies, but also to manage them over the course of an incident.”
If that hasn’t deterred you and you are still determined to build your own team, you will need to fill roles including those of detection engineer, threat hunters, threat intel managers and perhaps even threat researchers.
The first piece you need is a detection engineer, Mellen says. “This is the person who is actually working in the SIEM or XDR day-to-day and developing detections to find adversary behaviour.”
They are difficult to find, Mellen cautions because it’s a very specialised skill. “This is not an entry-level position… They are difficult to retain because everyone wants a piece of them.”
“Detection engineers build the rules and they have to have an awareness of the environment and of the attackers that are in the environment, plus awareness of the technology that they're working in, which is typically the SIEM. They also need inputs.”
But they also need inputs, which is where the Threat Intel Manager comes in, Mellen says. “The threat intel manager is someone who is gathering threat intelligence from a variety of different sources that they've curated to see who are the latest threat actors and what the company needs to be worried about, and who’s targeting the industry right now.”
Threat hunters meanwhile are out in the environment every day building hypotheses as to what they think a threat actor would take advantage of in the environment. 
“And then they're just looking to see if they can find an attacker that the detection   engineers that have been built in the SOC haven't caught yet.”
Mellen says their job is to look for deficiencies in the product, in particular where the product protection is inadequate.
“It's difficult to measure success because success is not finding an attacker in the environment. Yet their goal is to find that attacker, their outputs typically feed into the detection engineer, because if they do find something, the engineers would then be able to build a detection role based off that.”