
Security Operations Center (SOC) Team Development


Building a SOC is on every organization’s TODO list these days, at least since the Target breach if not before. Following are a few unique characteristics of the SOC that I have observed from my experience of building one over the last three years.

The SOC team has an interactive role within the team as well as with the broader IT organization. As a team, you are always being tested. You are tested by your internal users, as well as by your adversaries (outside hackers) on a continuous basis.

The SOC team has a real fine line to walk between keeping the organization safe and enabling (or inhibiting) business functions. Your teams are out on the ground analyzing activities performed by your adversaries and trying to reverse engineer pieces of code. They are making fast decisions about determining motives and recommending appropriate courses of action. They are making recommendations to executives and business partners with speculation and expectations regarding business impact.

This is why developing the SOC team is very critical.

The dynamics, diversity, and chemistry of the SOC team are critical to its success and effectiveness. The larger the organization, the more important diversity becomes.

I have been involved in developing security operation centers for the past 3 years and have had numerous discussions with leaders from many sides and trades of the IT industry. With every discussion it becomes clearer that a successful SOC is more of an art than a science. Or, even better: no one will build your SOC but you.

Starting up a security operations team is overall a very complex process. Let’s go down one layer in the onion to get better visibility.

Some of the skills required for a SOC are hard to transfer from one environment to another. They are the ones that will have to be developed in place, and that takes time. You can’t build a SOC over the weekend, and there are no turnkey solutions. It will take time to build the SOC and start recognizing the return on your investment. Vendors may help, but it is you who have to plan and make it happen.

Developing an effective and functional SOC is, and will continue to be, a work in progress in your organization.
In other words, your SOC will only mature over time.

First Thing First

Write down your mission (this one should be relatively easy and straightforward: get it from your superiors, leadership team, CIO, CISO, risk management leadership, or more or less whoever you work for).

Write down your vision (this is obviously harder, as no one can help you with this one; it will take time to look good, and it will develop as you go).

Write down your objectives (both short term and long term).

Developing the Team

“People” is a very critical component in the SOC; as we always say: people, process and systems. For any SOC, people will develop the processes and people will tune the systems, so if you think about it, it’s all about the people.

Depending on the organizational culture, technology, discipline, segmentation and other considerations, you may have to build a virtual fence around your SOC in order to maintain and encourage certain behaviors within the SOC. I have seen organizations start a new company to serve as a SOC, both to limit liability and to achieve the segmentation mentioned above. Depending on where you are starting from, the effort involved in developing the team can vary.

Required Skill Set for SOC Team

Here are the different skills that you need to have in your core team members:

  • Log management system knowledge: do you have one in place, or are you picking one? That is another topic for another day. This is the system component; the goal is to centrally store the logs in a usable format.
  • Endpoint expertise: Windows, Linux or Mac workstations (software, hardware, baseline).
  • Servers (functions, virtualization, cloud communications).
  • Network expertise (understanding what’s normal: ports and protocols, time of day).
  • Malware expertise.
  • Application development expertise.
  • Scripting expertise.
  • People management expertise (team leadership).
  • Organizational management expertise: one or more persons who are prepared to deal with the outside world when needed.

It would save you a lot of time and effort if you can find people in your organization who have this expertise (not necessarily in a security capacity) and have the passion to learn and do security. You still need at least one person who has some investigation knowledge, either from working in a SOC or from other sources.

You will also need to utilize someone with process and workflow expertise. They don’t have to be part of the team on a full-time basis.

Certifications and Training

SANS 504 (or an equivalent) is a great training and certification for the team members to have within the first 3 months, especially for those who lack a security and/or investigation background. This is the only training that I would recommend using as a baseline for folks who have not done investigations before. Other than that, it’s very useful to have a training coordinator. Part of their duties is to develop on-boarding training content as well as on-demand training. Training in the SOC is a rich topic that I hope to dedicate a separate blog to.

Roles and responsibilities

  • Team lead: This is the most important role. The team lead has to be a “people person” with a technical foundation. He/she will speak on behalf of the team when needed, and assign and delegate responsibilities. More importantly, this person will pull the team together and know how to motivate them.
  • Tuning and automation staff: This function has to stay at arm’s length from the core investigation team for integrity purposes.
  • Training coordinator: Discussed briefly above; the responsibility of this role is to develop the training strategy, not to be the subject matter expert in everything.
  • Quality assurance: It’s an important objective to meet and helps build confidence in your process.
  • Shift lead: This can be an important role depending on the size of the team and the volume of the incoming work.

“Work with what you have” and “Build to suit” are two approaches that sit at the two ends of one spectrum. My advice is to start small and allow the team size to grow only as needed.

At the beginning you will have a small workload. Just keep in mind that your first task is to decide what to alert on and what not to, which, I have to admit, is a daunting task. It’s not easy, and I am hoping to address this discussion in a separate blog. To make the story short: don’t build your SOC to suit the number of events you are receiving unless you have done everything you can to validate that these events are what really matters for the organization.

Building up a SOC is a journey with its own unique turns and bumps; sharing it with dedicated, reliable and passionate people makes it enjoyable.

Each area that I touched on above can have a life of its own. I am hoping to cover some of those topics in more detail in the near future. Until then, if you are interested in discussing any of them, feel free to contact me.

About the Author

Amgad Fahmy has a wide range of IT experience. His depth in common areas makes him comfortable diving into complex activities with valuable expertise. He has held the CISSP since 2007 and is an active member of the information security community. He is focused on adding value and improving the overall security posture of his organization. He can be reached at @fahmy_amgad
