Building a Successful Security Operations Center (SOC) – Part One

Photo credit pixabay

Building a successful security operations center is a significant undertaking. One needs to consider a number of aspects when making a strategic decision about SOC implementation. To cover the major SOC considerations, we are going to publish multiple articles about building a SOC. This is the first one of the series.

The success of a SOC is a combination of good planning, selection of appropriate tools, executive sponsorship, and a strong focus on the people working in the SOC.

The objective of this article is to paint a very high-level picture of SOC components and general considerations. The following are a few ideas to think about before starting your SOC journey.

SOC Planning

Planning is the crucial part that will set you up either for success or failure. When planning for SOC, think about the following:

  • Define the mission and purpose.
  • Get executive sponsorship by building a strong business case.
  • Explore different options and answer questions like “Is it necessary to build a SOC inside the organization, or are there other options available from third parties?”
  • Create a list of tools and technologies needed for the SOC. Keep it high level instead of naming specific products. For example, you need to have a SIEM tool, but you don’t need to name a product at this stage.
  • Decide whether it will be a 24×7 operation or something different.
  • Estimate how many people are needed to run the SOC and at what expertise level. Develop their job descriptions.
  • Think about logistics for physical space, furniture, location, network and so on.
  • Think about business continuity and disaster recovery for the SOC.
  • Develop a budget and project plan.
  • Create a governance model and organizational chart for the SOC.

In the Planning Phase, focus on the bigger picture and components of SOC.

These items will be helpful in exploring your options, estimating cost and hiring requirements, and building an overall business case.

Define Log Sources

You will collect and analyze log data from many sources within your organization. Think about the sources of all log data and the criticality of logs from different sources. Make a list of these log sources, which will help you in estimating log volumes and IT teams you need to collaborate with. There may be gaps in log collection, especially in the applications space.

The log collection needs significant collaboration with other teams.

You may need to make an assessment of bandwidth needs in case the log sources are spread across multiple cities or countries. You also need to make estimates about storage and processing capacity. There are a number of compliance requirements associated with log collection and analysis, such as PCI (Payment Card Industry) and the Sarbanes-Oxley Act. List all compliance requirements that you need to meet with logs.
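The estimates this section asks for (daily volume per source, storage for a retention window, bandwidth per site, and the compliance gaps where a required source is not yet collected) can be worked out from the log-source inventory. The script below is an added example, not code from the original article; the source names, rates, sites and the index/replication overhead are constructed sample values, not a real environment.

```python
"""Log-source inventory estimator for SOC planning (added example).
All figures below are constructed sample values."""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass
class LogSource:
    name: str
    site: str            # where the source lives; drives the per-site bandwidth
    eps: float           # average events per second
    avg_bytes: int       # average size of one event in bytes
    collected: bool      # is a collector actually in place today?
    regimes: tuple = ()  # compliance regimes that require these logs


def daily_gb(src: LogSource) -> float:
    """Raw daily volume of one source in GB, before SIEM compression/indexing."""
    return src.eps * src.avg_bytes * SECONDS_PER_DAY / 1e9


def storage_plan(sources, retention_days: int, overhead: float = 1.3) -> float:
    """GB to provision for the retention window; `overhead` is an assumed
    index/replication multiplier (tune it to the SIEM you eventually pick)."""
    return sum(daily_gb(s) for s in sources if s.collected) * retention_days * overhead


def bandwidth_by_site(sources) -> dict:
    """Sustained Mbit/s each site must push to the central collector."""
    out = {}
    for s in sources:
        if s.collected:
            out[s.site] = out.get(s.site, 0.0) + s.eps * s.avg_bytes * 8 / 1e6
    return out


def compliance_gaps(sources) -> dict:
    """Regimes whose required sources are not collected yet, per regime."""
    gaps = {}
    for s in sources:
        if not s.collected:
            for regime in s.regimes:
                gaps.setdefault(regime, []).append(s.name)
    return gaps


# Constructed inventory: two infrastructure sources already collected, two
# application sources (the usual gap) not yet collected.
SOURCES = [
    LogSource("firewall-edge", "hq", 800, 300, True, ("PCI",)),
    LogSource("domain-controllers", "hq", 400, 500, True, ("SOX",)),
    LogSource("card-payment-app", "dc2", 50, 800, False, ("PCI",)),
    LogSource("erp-app", "dc2", 20, 1000, False, ("SOX",)),
]
```

Running `compliance_gaps(SOURCES)` on the sample inventory lists the two uncollected application sources under the regime that needs them, which is the list to take to the application teams during planning.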

Tools and Technologies

A number of tools are required to run a successful SOC. At a minimum you will need a SIEM solution, logging infrastructure, forensic tools, vulnerability assessment tools, incident lifecycle management, physical security arrangements for things like chain of custody, and many others. While you will budget for the tools during planning, implementing and operationalizing these technologies is a project in itself.

You also need to plan for the general IT operations of the SOC, like change management, patching, software and hardware upgrades and so on.

Risk Intelligence Feeds

In most modern SOC operations, you have to rely on risk intelligence from internal as well as external sources. Open source as well as commercial risk intelligence feeds are available that you can subscribe to. You also need to think about how to integrate these feeds into the different tools.

Threat Hunting

Proactive threat hunting using different means, including full packet capture and analysis, is a key function of a SOC. Highly qualified security professionals and tools are needed for threat hunting. Depending upon how sophisticated you want to be, this could add significant cost to the overall budget.

Policies and Procedures

Like any other IT operation, a SOC requires policies and procedures. We will talk about these policies and procedures in a later post.

People Planning

Depending upon the type of SOC operations, you may need anywhere from 10 to 20 people for SOC operations. Define job functions for each person, schedule shifts and rotations, plan for continuous training, and think about how different activities will be coordinated.

Well-trained and well-equipped people are key to your success.

SOC personnel need to interface with other IT and non-IT groups on an ongoing basis. You have to develop these interfaces and define the type of information exchanged inside and outside the SOC.

Reporting and Metrics

Define criteria for SOC success and develop reports for technical as well as executive consumption. Make sure these reports show the value of the SOC and meet the business objectives defined in the planning phase.

Incident Response

Incident response is a main function of any SOC. Detailed incident response processes and procedures are required for successful operations. An internal knowledge base also helps with long-term knowledge sharing about incidents. Some SOCs use wiki software for documenting and sharing knowledge.

This is a very high-level summary of the main items that you need to consider while thinking about a SOC. In the next posts, we will take up each of these in more detail. The success of a SOC is a combination of good planning, selection of appropriate tools, executive sponsorship, and a strong focus on the people working in the SOC.

About the Author

Rafeeq Rehman is the creator of the “CISO Mind Map”, a blogger and consultant. He is helping many Fortune 500 global organizations achieve their business goals using the latest innovations in technology. His areas of focus include Information Security, IoT, and Advanced Networking. He can be reached @rafeeq_rehman and on his personal blog site.