1 Summary

Architecting and implementing a Security Operations Centre (or SOC for short) for today’s threat environment is not easy. Modern businesses need the ...

2 Highlights

• Architecting and implementing a SOC is not an easy task, with a SOC needing to be custom designed to be an integral part of the business.
• Implemen ...

3 What is a SOC and why should you have one?

The need for a SOC can be unclear for many businesses, yet an imperative for others. However, the decision to build a SOC is an expensive commitment; ...

3.1 Why do you need a SOC?

Businesses are constantly being attacked, from random exploits that circulate on the Internet hoping to strike lucky, to the targeted attacks of organ ...

3.2 What is a SOC?

A SOC (security operations centre) is a dedicated team that monitors, assesses and proactively takes action on information security issues on an organ ...

3.3 Interfacing to other teams

A SOC will interface to a multitude of other teams and business processes.

• The CISO & their security team (and may be a part of that team)
• The s ...

4 Designing a SOC

Designing a SOC is not a stand-alone process, or one that can be outsourced (though expert guidance may be sought). It touches every part of the organ ...

4.1 The function of a modern SOC

The most effective SOC teams will secure and monitor the network’s perimeter, data, customers, and remote users so that the SOC can detect, analyse, ...

4.2 Starting the design process

The first design process when building a SOC is threat modelling, and you should be able to answer the following questions:

• What threats does my o ...

4.3 Feeding your SOC with data

Where will your information feeds come from? What inputs will you feed into your SOC?

Good data is the lifeblood of any SOC; data that is incompl ...

4.4 External data feeds

Monitoring your environment for anomalous activity assumes that you have seen it before and therefore know how to find this activity across your infra ...

4.5 Tools to detect and manage the threats

Within the SOC a number of tools to consume and analyse the data feeds will be required.

Technology to consume and store data sources

• Network ac ...

5 Staffing a SOC

As in building any new team, the staff you select, together with the management hierarchy, will be key to developing a high performing SOC. Staffing a ...

5.1 The SOC Team - Roles and Responsibilities

A SOC and its security information and event management software (SIEM) is only useful if you have the people, processes and intelligence to maintain ...

5.2 Training

It’s really important that every analyst receives the same training experience and tools. This not only helps ensure consistency, but also a shared ...

5.3 Staffing an incident

Organisations can rarely fully meet the demands of a major incident using solely the SOC teams. It is important to plan for and understand how you wil ...

5.4 Finding the right skills

Good staff are a rare commodity and often need a range of other skills in addition to their technical ability; depending on your business you may need ...

5.5 Languages

When working globally, correct language recognition and usage can be critical. When resourcing a SOC or multiple SOCs, understanding which languages n ...

6 SOC Tools & Processes

The availability of specific tools and functions in a SOC can vary dramatically depending on the platforms and technologies used to power it. Discussi ...

6.1 Dashboards

A tool that offers dashboarding will provide visibility into teams and ticket activity everywhere. Dashboards are very effective at helping everyone s ...

6.2 Collaboration tools

Teams in different time zones or remote areas will rely on collaboration tools for quick discussions and handoffs. Tools like Slack, Google Hangouts o ...

6.3 Daily handoffs

Issues must be passed on to other shifts for continued attention when one shift ends and another begins, or handed off to other SOCs in a follow-the-s ...

6.4 Things to think about when selecting tools for your SOC

Start any tool selection by looking at what is already in use within your organisation. Look at its suitability for re-use into the SOC environment, a ...

7 Budgeting for a SOC

Building and resourcing a SOC is not cheap! Having just one staff member available 24x365 takes five people (3 x 8-hour shifts, then factor in holiday ...

7.1 Budgeting for a small or basic SOC

A small, simple SOC budget could consist of the following items:

Initial Costs

• Building work to create/modify premises
• Software initial purcha ...

7.2 Can I combine it with other organisation functions?

When planning a SOC then you should look at the other teams and processes that your organisation uses, with the aim of combining facilities, simplifyi ...

7.3 Can I outsource the SOC?

For a smaller organisation, then outsourcing a SOC may seem an attractive proposition, especially if there is minimal budget or little management appe ...

8 Maintaining and evolving your SOC

Implementing a SOC together with the staff, tools, wider technical and physical infrastructure will be challenging; however, ongoing maintenance and e ...

8.1 Management Metrics

Good metrics should be planned in from the start; a SOC is expensive to build and run, and so the ability to prove your worth to the organisation is k ...

8.2 Key performance indicators (KPIs)

KPIs can inform the SOC staff of the SOC's effectiveness and improvement over time, as well as senior management. SOC metrics typically include the fo ...

8.3 Board-level reporting

Remember that however pretty your “management” dashboard is; the board will not be interested in it! Board level metrics must be specifically tail ...

8.4 Staying relevant

Security technology and threats move at an alarming pace! It is important to stay current with technology and be on top of emerging threats. This is a ...

8.5 Communicating laterally as well as vertically

SOCs are all affected by external resource constraints. Most organisations score poorly when it comes to keeping up with system patches, and even wors ...

8.6 Senior Leadership

Your SOC and its management need clear support and sponsorship from the board so it is empowered to act when an incident happens.

Local management m ...

9 Why SOCs fail (or fail to deliver ROI)

Implementing a SOC is a large financial and operational commitment; and with pressures on all business budgets the SOC, as a “below-the-line” cost ...

9.1 Understanding why SOCs fail or underperform

A SOC is a major investment in people, technology, time and money; therefore, it is important to understand some of the reasons why a SOC may not deli ...

9.2 Questions to ask yourself

No SOC has unlimited resources. In fact, most are understaffed and spend their time catching up with their workload. The noise-to-signal ratio is simp ...

10 Recommendations

Implementing a SOC is expensive and therefore should not be entered into without a great deal of thought and planning. Even a basic SOC has the potent ...

10.1 Summary Recommendations

10.1.1
Before you start, understand the potential threat (and associated cost) faced by the business that a SOC may potentially mitigate.
10.1.2
Pe ...

11 Related Research

Advisory Note: Real Time Security Intelligence - 71033
Advisory Note: Managing Risks to Critical Infrastructure – 70819
Advisory Note: Maturity Level Matrix for Cyber Security – 72555
Advisory Note: EIC 2015 Trends and Hot Topics – 71301
Advisory Note: Sustainable Infrastructures through IT Compliance - 72025
Leadership Compass: Cloud Access Security Brokers – 71138
Leadership Compass: Database Security – 70970
Leadership Brief: How to close the skill gap in your Cyber Defence Centre – 72800
Leadership Brief: Do I Need Endpoint Detection & Response (EDR)? - 80187
Executive View: Emerging Threat Intelligence Standards – 72528
Executive View: TechDemocracy CRS&G Cyber Risk Governance Services Framework - 72536
Digital Risk and Security Awareness Survey - 71252