By: Dr. Edward Amoroso
September 17, 2020
A primer for building and managing robust security operations centers
Building a security operations center (SOC) is a major undertaking, but it’s also an investment that empowers innovation and accelerates growth without adding undue risk. Establishing a SOC requires extensive planning combined with the optimal blend of technology, people, and process.
The modern SOC is as much about people as it is technology. Success depends on the strong management of teams consisting of a diverse range of experiences and opinions. It’s about recognizing the wisdom of the crowd in a time when cybersecurity is everyone’s responsibility. That’s something which requires strategy and leadership.
Here are nine proven tips for building a world-class SOC:
Tip 1: Establish tiered support
Among the key responsibilities of a SOC team is to investigate suspicious activities, contain them, and take steps to prevent them from occurring again. This demands a broad range of skills, such as data science and networking infrastructure, but everyone on the team requires a certain degree of technical expertise and experience.
The most common approach is the tiered support model. In this case, the lowest tier might be responsible for detecting potential threats before flagging them for analysis and review by the second tier. But there are other ways to structure a team, such as by having more experienced members handle more cases, or segmenting by specialization.
Tip 2: Balance automation and human processes
Talk to almost anyone about automation, and it likely won’t be long before artificial intelligence makes its way into the conversation. But while AI is playing an increasingly important role in security operations, it’s not the same thing as automation. Neither is automation the holy grail of security operations, but it does play a key role.
As a general rule, anything that’s repeatable and can be written out as a procedure should be automated. At the same time, manual, non-alert-based analysis methods remain essential in the management and remediation of more complex threats. Automation shouldn’t be viewed as a way to replace human expertise, but as a tool to empower people to do their jobs better.
Tip 3: Implement and manage range training
Cybersecurity is widely viewed as a technology challenge, but the reality is that almost every incident includes a human element. Moreover, attacks do not discriminate when it comes to the size and type of organization they target or the individual they exploit. Security awareness training is critical throughout the company.
Since SOC teams need to be adaptable and able to recognize new and emerging threats, the need for ongoing training is even greater. Range training provides hands-on exercises with a strong emphasis on teamwork. Security leaders need to establish a robust training program that ensures everyone is kept up to speed.
Tip 4: Choose between physical and virtual operations
One of the biggest decisions security leaders face is choosing between a physical, in-house SOC or a distributed team where operations are coordinated remotely. In recent years, there has been a dramatic shift towards remote work, thanks in part to lower costs and the fact that the physical security of assets is often not as important as it once was.
Both models have their pros and cons, and the best choice depends on factors like company culture and operational infrastructure. On one hand, managing remote teams helps overcome obstacles like geographical boundaries and time zones, but it also makes oversight harder. On the other, a physical SOC typically empowers stronger teamwork and cooperation.
Tip 5: Manage the threat hunting process
Threat hunting is one of the main responsibilities of any SOC, but there’s a widespread lack of consensus as to what it actually means. It is often used interchangeably with terms such as digital forensics or data science when, in reality, these are simply processes and technologies designed to aid in threat hunting.
Because threat hunting is something of a catch-all phrase, it is crucial that SOC leaders clearly define what they mean by it and identify the various roles and responsibilities it depends on. Going back to the tiered support structure, the threat hunting process may begin with tier-one engineers detecting and identifying threats, while tier-two specialists mitigate the attacks they detect.
Tip 6: Define the role of security operations in response
The primary goal of a SOC is to detect and identify threats, but the way the company at large responds to those threats is every bit as important. Traditionally, the role of the SOC revolves around technological disciplines, such as data analysis and digital forensics. As such, the SOC often isn’t viewed by other departments and teams as an integral part of the organization.
Even if the SOC plays a participatory role, it must be abundantly clear who is responsible for what. Creating a culture of accountability throughout the organization requires deep alignment between the SOC and all other departments, and not the widespread disconnect that currently exists between security and other business operations.
Tip 7: Define key performance indicators (KPIs)
Key performance indicators (KPIs) are critical for establishing crucial goals and determining the effectiveness of an organization’s cybersecurity operations. Defining the right KPIs is one of the hardest things to do, since there are no set benchmarks to go by. While any SOC should provide a holistic view of security-related insights, KPIs must be relevant and actionable.
Perhaps the most common examples of KPIs in the context of security operations are metrics like the total number of alerts or reported incidents. But these are largely irrelevant, since they are not actionable. KPIs must be clearly defined and aligned with the key operational goals and unique infrastructure of the organization and its critical components.
Tip 8: Align security operations with network operations
Both network operations centers (NOCs) and SOCs play central roles in the operation of an organization’s technology and network infrastructure, so it is critical that their operations align. In reality, however, they often collide around things like identity and access management and other mission-critical operations.
The roles of the NOC and SOC must complement one another, not least because identity is the new perimeter in the age of cloud computing. This also means both teams must be clear on their roles and responsibilities. Vulnerabilities are far more likely to arise if these two teams fail to work closely together.
Tip 9: Select the right tools
Complexity is one of the biggest challenges facing today’s security teams. Incident detection and response often happens across a huge range of different data sources and tools. At some point, it becomes impossible to manage everything effectively, thus giving rise to vulnerabilities that could have otherwise been addressed.
SOC operations revolve around security information and event management (SIEM) systems, which aggregate data from multiple sources and identify activities that deviate from the norm. Choosing the right vendor must be done with utmost care – SOC leaders need a solution that aligns with their KPIs, as well as the skills and capabilities of their teams.