Architecting your Security Operations Centre
1 Summary
Architecting and implementing a Security Operations Centre (or SOC for short) for today’s threat environment is not easy. Modern businesses need the ...
2 Highlights
- Architecting and implementing a SOC is not an easy task, with a SOC needing to be custom designed to be an integral part of the business.
- Implemen ...
3 What is a SOC and why should you have one?
The need for a SOC can be unclear for many businesses, yet an imperative for others. However, the decision to build a SOC is an expensive commitment; ...
3.1 Why do you need a SOC?
Businesses are constantly being attacked, from random exploits that circulate on the Internet hoping to strike lucky, to the targeted attacks of organ ...
3.2 What is a SOC?
A SOC (security operations centre) is a dedicated team that monitors, assesses and proactively takes action on information security issues on an organ ...
3.3 Interfacing to other teams
A SOC will interface to a multitude of other teams and business processes.
- The CISO & their security team (and may be a part of that team)
- The s ...
4 Designing a SOC
Designing a SOC is not a stand-alone process, or one that can be outsourced (though expert guidance may be sought). It touches every part of the organ ...
4.1 The function of a modern SOC
The most effective SOC teams will secure and monitor the network’s perimeter, data, customers, and remote users so that the SOC can detect, analyse, ...
4.2 Starting the design process
The first design process when building a SOC is threat modelling, and you should be able to answer the following questions:
- What threats does my o ...
4.3 Feeding your SOC with data
Where will your information feeds come from? What inputs will you feed into your SOC?
Good data is the lifeblood of any SOC; data that is incompl ...
4.4 External data feeds
Monitoring your environment for anomalous activity assumes that you have seen it before and therefore know how to find this activity across your infra ...
4.5 Tools to detect and manage the threats
Within the SOC a number of tools to consume and analyse the data feeds will be required.
Technology to consume and store data sources
- Network ac ...
5 Staffing a SOC
As in building any new team, the staff you select, together with the management hierarchy, will be key to developing a high performing SOC. Staffing a ...
5.1 The SOC Team - Roles and Responsibilities
A SOC and its security information and event management software (SIEM) is only useful if you have the people, processes and intelligence to maintain ...
5.2 Training
It’s really important that every analyst receives the same training experience and tools. This not only helps ensure consistency, but also a shared ...
5.3 Staffing an incident
Organisations can rarely fully meet the demands of a major incident using solely the SOC teams. It is important to plan for and understand how you wil ...
5.4 Finding the right skills
Good staff are a rare commodity and often need a range of other skills in addition to their technical ability; depending on your business you may need ...
5.5 Languages
When working globally, correct language recognition and usage can be critical. When resourcing a SOC or multiple SOCs, understanding which languages n ...
6 SOC Tools & Processes
The availability of specific tools and functions in a SOC can vary dramatically depending on the platforms and technologies used to power it. Discussi ...
6.1 Dashboards
A tool that offers dashboarding will provide visibility into teams and ticket activity everywhere. Dashboards are very effective at helping everyone s ...
6.2 Collaboration tools
Teams in different time zones or remote areas will rely on collaboration tools for quick discussions and handoffs. Tools like Slack, Google Hangouts o ...
6.3 Daily handoffs
Issues must be passed on to other shifts for continued attention when one shift ends and another begins, or handed off to other SOCs in a follow-the-s ...
6.4 Things to think about when selecting tools for your SOC
Start any tool selection by looking at what is already in use within your organisation. Look at its suitability for re-use into the SOC environment, a ...
7 Budgeting for a SOC
Building and resourcing a SOC is not cheap! Having just one staff member available 24x365 takes five people (3 x 8-hour shifts, then factor in holiday ...
7.1 Budgeting for a small or basic SOC
A small, simple SOC budget could consist of the following items:
Initial Costs
- Building work to create/modify premises
- Software initial purcha ...
7.2 Can I combine it with other organisation functions?
When planning a SOC, you should look at the other teams and processes that your organisation uses, with the aim of combining facilities, simplifyi ...
7.3 Can I outsource the SOC?
For a smaller organisation, outsourcing a SOC may seem an attractive proposition, especially if there is minimal budget or little management appe ...
8 Maintaining and evolving your SOC
Implementing a SOC together with the staff, tools, wider technical and physical infrastructure will be challenging; however, ongoing maintenance and e ...
8.1 Management Metrics
Good metrics should be planned in from the start; a SOC is expensive to build and run, and so the ability to prove your worth to the organisation is k ...
8.2 Key performance indicators (KPIs)
KPIs can inform SOC staff, as well as senior management, of the SOC's effectiveness and improvement over time. SOC metrics typically include the fo ...
8.3 Board-level reporting
Remember that however pretty your “management” dashboard is, the board will not be interested in it! Board-level metrics must be specifically tail ...
8.4 Staying relevant
Security technology and threats move at an alarming pace! It is important to stay current with technology and be on top of emerging threats. This is a ...
8.5 Communicating laterally as well as vertically
SOCs are all affected by external resource constraints. Most organisations score poorly when it comes to keeping up with system patches, and even wors ...
8.6 Senior Leadership
Your SOC and its management need clear support and sponsorship from the board so it is empowered to act when an incident happens.
Local management m ...
9 Why SOCs fail (or fail to deliver ROI)
Implementing a SOC is a large financial and operational commitment; and with pressures on all business budgets the SOC, as a “below-the-line” cost ...
9.1 Understanding why SOCs fail or underperform
A SOC is a major investment in people, technology, time and money; therefore, it is important to understand some of the reasons why a SOC may not deli ...
9.2 Questions to ask yourself
No SOC has unlimited resources. In fact, most are understaffed and spend their time catching up with their workload. The noise-to-signal ratio is simp ...
10 Recommendations
Implementing a SOC is expensive and therefore should not be entered into without a great deal of thought and planning. Even a basic SOC has the potent ...
10.1 Summary Recommendations
10.1.1
Before you start, understand the potential threat (and associated cost) faced by the business that a SOC may potentially mitigate.
10.1.2
Pe ...
11 Related Research
Advisory Note: Real Time Security Intelligence - 71033
Advisory Note: Managing Risks to Critical Infrastructure - 70819
Advisory Note: Maturity Level Matrix for Cyber Security - 72555
Advisory Note: EIC 2015 Trends and Hot Topics - 71301
Advisory Note: Sustainable Infrastructures through IT Compliance - 72025
Leadership Compass: Cloud Access Security Brokers - 71138
Leadership Compass: Database Security - 70970
Leadership Brief: How to close the skill gap in your Cyber Defence Centre - 72800
Leadership Brief: Do I Need Endpoint Detection & Response (EDR)? - 80187
Executive View: Emerging Threat Intelligence Standards - 72528
Executive View: TechDemocracy CRS&G Cyber Risk Governance Services Framework - 72536
Digital Risk and Security Awareness Survey - 71252