So you have finally arrived at the conclusion that you have the variables in place at your organization, and that it’s time to establish your very own SOC.
You are well aware of the complexities of building a SOC, and that there are many variables to consider. First comes the outer-shell concept, then the roadmap: planning, building and developing use cases. On the personnel side there is team-building planning, Standard Operating Processes and the Scope of Work. Then comes the definition of responsibilities for each team member and the response levels. This is just the initial work.
To pull principles from the mountain of work involved in setting up a Security Operations Center, we need to build a framework that organizes the three key pillars of a SOC: people, process and technology.
Things to consider: how many personnel need to be in place to respond adequately to your security issues? How will these experts be recruited and trained, and what is your budget for these activities?
Once personnel have been determined for your SOC, the next step is to set the right processes that standardize security workflows.
Before an organization has a SOC, IT security issues are scattered across the organization with no clear, consolidated ownership, and it is difficult to create procedures for scattered ownership. Once you decide to streamline all processes and tasks, your IT security becomes a single ecosystem that has to be addressed systematically. Principles might include: who is responsible for threat monitoring, who decides when a security event is promoted to an incident, and which personnel are mandated to resolve the problems discovered?
Once these principles have been laid out, you will have the information you need to create your plan from the outside in, taking into consideration how to optimize your security operations. SOC workflows should be established first, making sure that each step in the process serves the larger vision. Workflows make clear the role and responsibilities of every team member, so that the SOC you put in place is airtight.
Every aspect and process, including monitoring, alerting, escalation, investigation, incident management and reporting, forms the chapter headings that cover all major security events that could apply to your business — from malware to phishing scams, and from zero-day attacks to advanced persistent threats (APT).
Key tools will need to be identified to monitor, detect and respond effectively. The tools you select should support the strategy you put in place, both your strategy for network visibility and the one for incident response, and should then be considered in the budget. Other considerations include: what environment does your network operate in? What particular types of threats is your organization more prone to? What regulatory and compliance requirements do you need to include when planning your network?
Once you have covered these broad aspects, you will be able to determine whether there are any gaps in coverage, or overlaps in functionality, with the tools you already have.
Building a security operations center (SOC) is a challenge, and your ability to navigate rough waters will determine whether you roll out and maintain the right SOC for your organization. It is not enough to understand the fundamental aspects of building a SOC; what matters is applying those principles to your organization's current security posture, risk tolerance, expertise and budget. Working within your organization's particular limitations, while constantly staying on the offence to achieve clear margins, your SOC can be successful in its mission to create company-wide IT security.