To build an effective security operations center (SOC), you must first understand what type of SOC you need by considering its capabilities, organization, staffing hours, and environment. Key planning areas include defining hours of availability, whether to use an MSSP, priority capabilities, and the technology environment. Budget and technology are also important to consider, but only after establishing goals. An effective SOC requires the right mix of processes, people, and technologies tailored to your organization's unique needs.
2. Introduction
You have to know four things before building anything, whether it’s something “simple” like assembling your new furniture from IKEA or breaking ground on an entire community of homes:
1. What you’re building
2. The materials you’ll need
3. Who is going to build (and maintain) it
4. How you’ll build (and run) it
3. Building Effective SOC
Building (or improving) an effective security operations center (SOC) is no different. Unlike that new dresser, there is no single guide for how to build it. Your organization has its own unique requirements, and you have to come up with a tailor-made mix of the right SOC processes, people and technologies that fit.
4. What Sort Of SOC?
Yes, you’re building a security operations center. But what sort of
SOC are you building? What kind of capabilities does it need to have?
How will it be organized? Asking and answering some basic questions
up front allows you to create the roadmap that will drive the decisions
to come on things like tooling and talent (read: the parts that cost
money).
5. Key Planning Ideas
Hours and availability – Are you going to staff your SOC 24×7 or 8×5?
Organization – Are you planning to handle everything in-house, or would you consider using a managed security services provider (MSSP) to help with certain tasks?
Capabilities and priorities – Is monitoring the main priority, or will you also require proactive capabilities like penetration testing or ethical hacking?
Environment – Are you securing a single on-prem environment or a hybrid environment? Is your organization planning to make cloud a bigger part of its strategy?
6. Think About The Budget
You may be wondering why budget isn’t mentioned here. First, it’s
hard to build a budget if you don’t know what your endgame is. But
more than that, the harsh truth is that throwing money at
cybersecurity won’t ensure that you’ve covered all your bases. Yes,
budget is important – but only if you know how you are going to use
it most effectively.
7. Think About Technology
With your plans in hand, you’re ready to think about technology. It can’t be overstated that the capabilities of your security operations center depend heavily on the quality of the technology you use to build it.
By making data quality, not just quantity, a priority, you can reduce the number of false positives that would otherwise consume your resources (which, believe us, are extensive). After all, garbage in, garbage out, right?
8. Security Orchestration & Automation Platform
According to Cisco’s 2018 Cybersecurity Automation Study, organizations overwhelmingly favor specialized tools to get the most robust capabilities across their environment. The more disparate technology a SOC uses, the greater the need for a security orchestration and automation platform to tie everything together. So as you embark upon creating your technology shopping list, ensure that you are considering not just the tools needed for prevention and detection but also the tools needed to minimize chaos and ensure the greatest level of usability for your team.
9. There’s no “I” in SOC
It goes without saying that you need a well-trained team of
professionals to operate the technology you have invested in.
At the very least, you’ll want to have positions for a CISO, SOC
manager, security analysts and security engineers. Depending on the
other skills you need to deliver on your requirements, you may also
explore roles in the areas of compliance, threat intelligence, incident
response, penetration testing and so forth.
10. Conclusion
By building your SOC on process, technology and a proper team to support it, you are greatly increasing the odds that your enterprise’s critical information remains uncompromised. So long as you allow a thoughtful implementation of new SOC technology that is operated by consummate professionals, you decrease the chance that severe threats will breach your system infrastructure. More importantly, you will decrease the damage that these threats have the potential to cause.