Building SOC operations from the ground up is a complex process that varies tremendously from one organization to the next. As pointed out in Gartner’s report on How to Plan, Design, Operate and Evolve a SOC, following the right process can help you avoid many of the known pitfalls. Here are some tips to ensure your SOC is designed, implemented, and operated for success:
- Planning your security operations center: Define the SOC’s scope of responsibility, including what functions and services will be part of it, how each component will be implemented, and how the many parts will interact. Decisions regarding scope are the starting point – as they determine which processes, people, and technology the SOC will require. Many organizations build a SOC for threat monitoring and detection but include other operational activities as part of its responsibilities.
- Determining the organizational structure: Develop the structure and components of the SOC operations, including internal groups and functions, physical structure, and organization. Consider a hybrid model, analyzing which components should be outsourced; anything that is generic – not unique to your business, or reliant on deep knowledge of how your organization functions – may be suitable for delegating to managed security service providers.
- Implementing the Process Framework: Core SOC processes include monitoring and alert triage, incident response, and remediation. SOCs may also include advanced security services such as malware analysis, threat hunting, threat discovery, and access management and security device management.
- Deploying or integrating tools: A “bare bones” SOC, at a basic maturity level, can operate with just a SIEM for visibility. Depending on the sensitivity of your business data, the SOC might need additional tools and processes providing greater visibility into your attack surface as well as tools for analysis, action, case management, and collaboration. Large SOCs also need orchestration and automation capabilities to streamline operations.
- Assembling a team: The hardest aspect of a successful SOC operation may well be the skills shortage, which makes it hard to find experienced security professionals. Retention is also an issue, so once you’ve got a team, consider offering retention bonuses, training, and other benefits to keep analysts on board longer. Roles in a SOC include Level 1 and Level 2 analysts, a team manager, a shift duty manager, a SOC engineering manager, a threat intelligence analyst, and a digital forensics & incident response engineer; any 24/7 SOC requires an absolute minimum of eight to twelve people.
- Operating the SOC: The key challenges of day-to-day operations include the difficulties of running a 24/7 operation, issues related to workforce management, and the complexity of interacting with third parties. Attrition is a tough issue, particularly for SOCs working 24 hours a day, and many SOC managers are continuously looking to fill empty seats. If you want to avoid maintaining a 24/7 SOC operation in-house, consider developing a distributed, “follow-the-sun” arrangement across different time zones, which provides continuous coverage without asking teams to work through the night.
- Measuring performance: It’s a golden rule of SOC management that performance must be tracked. Metrics are crucial to illustrating that the SOC helps detect threats faster and handles them better, leading to overall risk reduction. Specific performance measurements include the time from alert generation to first action and triage, the number of alerts correctly escalated per analyst, which tools deliver more valuable insights, etc. Generating these metrics can be challenging – and this is where SOAR (security orchestration, automation & response) tools can be effective, with their ability to track key indicators.
- Implementing automation & orchestration: SOAR tools are significant in improving and streamlining workflows, automating tasks, and reducing the amount of unnecessary and routine work that analysts are required to do. SOAR automatically enriches alerts and adds context information to enable either automated triage or faster manual triage. The technology enables SOCs to improve consistency and analysts’ productivity. No less important is the fact that SOAR makes the job less tiresome, thereby reducing staff attrition.
- Using advanced analytics: Advanced analytics and machine learning tools provide the SOC with a deeper, more comprehensive level of understanding and context; for example, many use cases implemented on a SIEM could be moved to the SOAR platform for more effective and rapid implementation.
- Testing the SOC: Constant exercises of attack and defense are crucial to cyber security. For starters, every SOC should run a simulated attack at least once a year. But simulated attacks merely check that the SOC is minimally effective; they don’t prove excellence. Additional techniques include penetration tests and red team tests (without notifying the SOC team), which can reveal weaknesses. Breach & attack simulation tools that seek to simulate post-attack activities (like data exfiltration) are an additional approach, while tabletop “virtual” tests, in which the team gets together to discuss how attacks are detected, provide another method.
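The performance metrics named in the “Measuring performance” tip (time from alert generation to first action and to triage, correctly escalated alerts per analyst, and which tools deliver more valuable insights) can be computed directly from a SOC’s alert records. The following is an added example, not code from the original article or from any SOAR product; the `Alert` record layout and the sample queue are constructed for illustration, and alerts that have not yet been touched are reported as backlog rather than skewing the averages.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Alert:
    alert_id: str
    tool: str                          # detection source, e.g. "siem" or "edr"
    created: datetime                  # alert generation time
    first_action: Optional[datetime]   # first analyst action; None if still untouched
    triaged: Optional[datetime]        # triage decision time; None if not yet triaged
    analyst: Optional[str]
    escalated: bool                    # analyst escalated it to incident response
    confirmed: bool                    # escalation was confirmed as a real incident


_t = datetime.fromisoformat  # shorthand for the constructed timestamps below

# Constructed sample alert queue (hypothetical data, not from a real SOC)
ALERTS = [
    Alert("A-1", "siem", _t("2024-03-01T08:00"), _t("2024-03-01T08:05"), _t("2024-03-01T08:20"), "ana", True, True),
    Alert("A-2", "edr",  _t("2024-03-01T08:10"), _t("2024-03-01T08:12"), _t("2024-03-01T08:30"), "ben", True, False),
    Alert("A-3", "siem", _t("2024-03-01T08:15"), _t("2024-03-01T08:35"), _t("2024-03-01T08:50"), "ana", False, False),
    Alert("A-4", "edr",  _t("2024-03-01T08:20"), _t("2024-03-01T08:21"), _t("2024-03-01T08:40"), "ben", True, True),
    Alert("A-5", "siem", _t("2024-03-01T08:30"), None, None, None, False, False),  # still in the queue
]


def mean_minutes(alerts, stage):
    """Mean minutes from alert generation to `stage` ("first_action" or "triaged").
    Alerts that have not reached that stage are excluded, not counted as zero."""
    deltas = [(getattr(a, stage) - a.created).total_seconds() / 60
              for a in alerts if getattr(a, stage) is not None]
    return round(mean(deltas), 2) if deltas else None


def backlog(alerts):
    """IDs of alerts nobody has acted on yet; these need a separate queue-age metric."""
    return [a.alert_id for a in alerts if a.first_action is None]


def correct_escalations_per_analyst(alerts):
    """Escalations that were confirmed as real incidents, counted per analyst."""
    return dict(Counter(a.analyst for a in alerts if a.escalated and a.confirmed))


def escalation_precision_by_tool(alerts):
    """Share of each tool's escalated alerts that were confirmed; a proxy for signal quality."""
    escalated, confirmed = defaultdict(int), defaultdict(int)
    for a in alerts:
        if a.escalated:
            escalated[a.tool] += 1
            confirmed[a.tool] += int(a.confirmed)
    return {tool: confirmed[tool] / escalated[tool] for tool in escalated}
```

On a real deployment the same functions would be fed from the case-management or SOAR export, with `tool` and `analyst` taken from the alert’s source and assignment fields.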
Managed Security Service Providers Deliver the Expertise You Need
Running your SOC successfully and achieving the results you need requires an in-depth knowledge at all levels: evaluation, implementation, operation, and testing.
If you’re interested in learning more about how CyberProof can help you, please let us know and we’ll set up a call for you with one of our security experts. Contact our team today!