Security Operations Centers (SOC) are evolving from monitoring and responding to threats to identifying risks and collaborating with partners to tackle them. For this reason, it is a difficult project for small and medium-sized businesses to consider. To succeed, security leaders need to take the three steps of defining goals, building a team, and establishing processes.
Step 1: Define the objectives of your SOC
Organizations have been building SOCs for decades. But what problem are they solving? If you don’t know the answer, you could end up spending millions of dollars on a facility and tools that won’t provide a return on investment. To get to the bottom of this question, answer these questions:
- Why are you building a SOC?
- What are your strategic goals?
- What problems are you trying to solve?
This step is crucial because it shapes the rest of the project. The objectives of your SOC will inform the requirements of your facility, the types of technologies you incorporate, and the roles of the team members. This is why many companies fail to achieve success with their SOCs. They don’t start with the right questions. If you struggle to answer them, those are typical question than senior management and board should care about.
Step 2: Identify the necessary tools
In the not so distant past, the SOC was a room full of people. Now it’s a room full of technology. No matter what your objectives are, you need the right tools to achieve them. The first thing to consider is your cybersecurity budget. While you might want to build the most advanced SOC in the world, it’s important to identify what’s realistic given your finances. Find out what the typical budget is for SOCs in your industry, and don’t exceed it by too much.
Before you decide what you need, consult with the team members in your organization who work in the SOC. They have a unique view into the challenges they face, and might have insight into what they need to be successful. They might also have specific requirements, like needing a certain type of internet connection that isn’t readily available in your area.
Most of the time, you will need a Security Data Lake where all the logs of your network are converging. This includes both asset connectivity logs (such as login, traffic, …) and security logs (antivirus, firewall, proxies). The most common mistake is to design a SOC only to detect intrusion and take a reactive posture. By plugging a risk-based vulnerability manager, you will also be alble to watch in real time for technical vulnerability and close the holes before an attacker take advantage of it.
Step 3: Define the roles within your SOC
A SOC is a collaborative environment that requires a team approach to succeed and skilled individuals. You need to define the roles of the individuals who will be working there, including the following:
- Manager – The person accountable for the overall operations of the SOC.
- Operations manager – Supports the SOC manager by managing the day-to-day activities of the SOC.
- Engineers – Technologists who are responsible for managing the SOC infrastructure.
- Analysts – Individuals who investigate suspicious activity within the SOC.
- Moderators – Individuals who manage real-time communications between the SOC and external partners.
- Architect – Responsible for designing the physical and logical architecture of the SOC.
Building a Security Operations Center is a complex project. Successfully implementing one requires careful planning. This involves first defining the objectives of the Security Center and then identifying the necessary tools to support those objectives. Once you’ve done that, you must also define the roles within your SOC. Only after these steps are complete can you begin implementation and successfully build a Security Operating Center that supports your cybersecurity strategy.