Architecting and implementing a Security Operations Centre (or SOC for short) for today’s threat environment is not easy. Modern businesses need the ...
- Architecting and implementing a SOC is not an easy task, with a SOC needing to be custom designed to be an integral part of the business.
- Implemen ...
3 What is a SOC and why should you have one?
The need for a SOC can be unclear for many businesses, yet an imperative for others. However, the decision to build a SOC is an expensive commitment; ...
3.1 Why do you need a SOC?
Businesses are constantly being attacked, from random exploits that circulate on the Internet hoping to strike lucky, to the targeted attacks of organ ...
3.2 What is a SOC?
A SOC (security operations centre) is a dedicated team that monitors, assesses and proactively takes action on information security issues on an organ ...
3.3 Interfacing to other teams
A SOC will interface to a multitude of other teams and business processes.
- The CISO & their security team (and may be a part of that team)
- The s ...
4 Designing a SOC
Designing a SOC is not a stand-alone process, or one that can be outsourced (though expert guidance may be sought). It touches every part of the organ ...
4.1 The function of a modern SOC
The most effective SOC teams will secure and monitor the network’s perimeter, data, customers, and remote users so that the SOC can detect, analyse, ...
4.2 Starting the design process
The first design process when building a SOC is threat modelling, and you should be able to answer the following questions:
- What threats does my o ...
4.3 Feeding your SOC with data
Where will your information feeds come from? What inputs will you feed into your SOC?
Good data is the lifeblood of any SOC; data that is incompl ...
4.4 External data feeds
Monitoring your environment for anomalous activity assumes that you have seen it before and therefore know how to find this activity across your infra ...
4.5 Tools to detect and manage the threats
Within the SOC a number of tools to consume and analyse the data feeds will be required.
Technology to consume and store data sources
- Network ac ...
5 Staffing a SOC
As in building any new team, the staff you select, together with the management hierarchy, will be key to developing a high performing SOC. Staffing a ...
5.1 The SOC Team - Roles and Responsibilities
A SOC and its security information and event management software (SIEM) are only useful if you have the people, processes and intelligence to maintain ...
It is really important that every analyst receives the same training experience and tools. This not only helps ensure consistency, but also a shared ...
5.3 Staffing an incident
Organisations can rarely fully meet the demands of a major incident using solely the SOC teams. It is important to plan for and understand how you wil ...
5.4 Finding the right skills
Good staff are a rare commodity and often need a range of other skills in addition to their technical ability; depending on your business you may need ...
When working globally, correct language recognition and usage can be critical. When resourcing a SOC or multiple SOCs, understanding which languages n ...
6 SOC Tools & Processes
The availability of specific tools and functions in a SOC can vary dramatically depending on the platforms and technologies used to power it. Discussi ...
A tool that offers dashboarding will provide visibility into teams and ticket activity everywhere. Dashboards are very effective at helping everyone s ...
6.2 Collaboration tools
Teams in different time zones or remote areas will rely on collaboration tools for quick discussions and handoffs. Tools like Slack, Google Hangouts o ...
6.3 Daily handoffs
Issues must be passed on to other shifts for continued attention when one shift ends and another begins, or handed off to other SOCs in a follow-the-s ...
6.4 Things to think about when selecting tools for your SOC
Start any tool selection by looking at what is already in use within your organisation. Look at its suitability for re-use into the SOC environment, a ...
7 Budgeting for a SOC
Building and resourcing a SOC is not cheap! Having just one staff member available 24x365 takes five people (3 x 8-hour shifts, then factor in holiday ...
7.1 Budgeting for a small or basic SOC
A small, simple SOC budget could consist of the following items:
- Building work to create/modify premises
- Software initial purcha ...
7.2 Can I combine it with other organisation functions?
When planning a SOC, you should look at the other teams and processes that your organisation uses, with the aim of combining facilities, simplifyi ...
7.3 Can I outsource the SOC?
For a smaller organisation, outsourcing a SOC may seem an attractive proposition, especially if there is minimal budget or little management appe ...
8 Maintaining and evolving your SOC
Implementing a SOC together with the staff, tools, wider technical and physical infrastructure will be challenging; however, ongoing maintenance and e ...
8.1 Management Metrics
Good metrics should be planned in from the start; a SOC is expensive to build and run, and so the ability to prove your worth to the organisation is k ...
8.2 Key performance indicators (KPIs)
KPIs can inform SOC staff, as well as senior management, of the SOC's effectiveness and improvement over time. SOC metrics typically include the fo ...
8.3 Board-level reporting
Remember that however pretty your “management” dashboard is, the board will not be interested in it! Board-level metrics must be specifically tail ...
8.4 Staying relevant
Security technology and threats move at an alarming pace! It is important to stay current with technology and be on top of emerging threats. This is a ...
8.5 Communicating laterally as well as vertically
SOCs are all affected by external resource constraints. Most organisations score poorly when it comes to keeping up with system patches, and even wors ...
8.6 Senior Leadership
Your SOC and its management need clear support and sponsorship from the board so it is empowered to act when an incident happens.
Local management m ...
9 Why SOCs fail (or fail to deliver ROI)
Implementing a SOC is a large financial and operational commitment, and with pressures on all business budgets the SOC, as a “below-the-line” cost ...
9.1 Understanding why SOCs fail or underperform
A SOC is a major investment in people, technology, time and money; therefore, it is important to understand some of the reasons why a SOC may not deli ...
9.2 Questions to ask yourself
No SOC has unlimited resources. In fact, most are understaffed and spend their time catching up with their workload. The noise-to-signal ratio is simp ...
Implementing a SOC is expensive and therefore should not be entered into without a great deal of thought and planning. Even a basic SOC has the potent ...
10.1 Summary Recommendations
Before you start, understand the potential threat (and associated cost) faced by the business that a SOC may potentially mitigate.
11 Related Research
Advisory Note: Real Time Security Intelligence – 71033
Advisory Note: Managing Risks to Critical Infrastructure – 70819
Advisory Note: Maturity Level Matrix for Cyber Security – 72555
Advisory Note: EIC 2015 Trends and Hot Topics – 71301
Advisory Note: Sustainable Infrastructures through IT Compliance – 72025
Leadership Compass: Cloud Access Security Brokers – 71138
Leadership Compass: Database Security – 70970
Leadership Brief: How to close the skill gap in your Cyber Defence Centre – 72800
Leadership Brief: Do I Need Endpoint Detection & Response (EDR)? – 80187
Executive View: Emerging Threat Intelligence Standards – 72528
Executive View: TechDemocracy CRS&G Cyber Risk Governance Services Framework – 72536
Digital Risk and Security Awareness Survey – 71252