How to Build a Modern SOC
Most organizations do not have a full Security Operations Center (SOC) working 24/7, but there are ways to ensure that your security team can handle the demanding workload of IT security now. Building a fully operational SOC can be challenging, but it is worthwhile if you want the ability to handle any internal or external threats to your organization.
A SOC employs processes and technologies to monitor, detect, contain and remediate IT security threats across both cloud and on-premises environments. The tools and techniques outlined in this post can help you get started on building your SOC as you assemble your security team, plan their workload and coordinate their efforts.
#1. Plan for Operational Continuity
Organize your security team for seamless shift handover and provide contingency plans for escalations, such as delegating tasks to a third-party team or leveraging external infrastructure. You may not have all the capabilities you need in-house, so you may want to take advantage of a managed security service provider (MSSP) or hire a specialist to help you in the case of a surge of security events.
It is also important to manage your team’s time. You can plan your security engineers’ shifts according to a specific time zone, if your SOC is distributed across multiple locations or if engineers work remotely, or you can apply a rotational model in which fresh workers take on the post of previous shift-takers in the same location. Coordination is key, and an important element in achieving it is by using shift reports to assess and plan schedules.
#2. Make Sure You Have the Right People
Your staff should be certified and well versed in a range of security scenarios. Security engineers should be able to think on their feet and adapt to changing security threats. Another factor to consider is how trustworthy employees are, and anyone with a high-security clearance must be properly vetted.
Security teams should be able to constantly learn and take initiative. However, employers must also take responsibility for ensuring that security staff is adequately trained, and provide updates if necessary.
There are a number of roles in a SOC, and the people filling those roles may need to meet different requirements: for example, incident responders, analysts and general SOC managers each need to have a different set of skills and perhaps even different levels of access.
#3. Adopt an Integrated Security Model
For your security operations center to function efficiently, implement agile and responsive processes to adapt to the needs of a fast-paced IT operations environment. For example, you may want to adopt a SecOps approach that places security at the center of your software delivery and maintenance agenda. This involves shifting security and integrating security procedures to the left or the earlier stages of the development lifecycle.
For this approach to be successful, you will need to involve non-security personnel in the process of securing your environment and applications. The SOC will still remain a vital function and support your standard ops teams, but the workload of security engineers could be significantly reduced by incorporating SecOps practices into your overall process.
#4. Use a Security Intelligence Platform
An essential tool for any SOC is a security intelligence platform, which will enable the aggregation of security data in a single, centralized location. For example, a Security Information and Event Management (SIEM) correlates data from multiple sources and alerts SOC engineers when a threat is detected. SIEMs use sources ranging from third-party intelligence feeds to internal threat monitoring systems.
You can augment SIEM capabilities by integrating AI tools such as Security Orchestration, Automation and Response (SOAR), which can automatically respond to low-level threats and thus save time for security engineers. SOAR can also help filter out false positives and streamline your security intelligence feed.
Security intelligence tools should also be linked to documentation tools, enabling forensic analysis. Make sure you have a good documentation system to complement your security intelligence capabilities.
#5. Keep Compliance in Mind
Your SOC should adhere to the processes required by regulations such as the HIPAA, GDPR, NIST and PCI DSS. Align your SOC processes to the guidelines provided by industry standards and apply the stipulated security controls. Make sure your security personnel is familiar with the requirements of these standards by incorporating the relevant procedures into your company’s security policy. Your SOC is also responsible for logging security events and reporting their activities, and the records may be necessary for both for internal analysis and legal purposes.
#6. Establish a Threat Modeling Capability
One of the central roles of a SOC is to perform threat modeling, which requires an intelligent human element and cannot rely solely on automated tools and AI technologies. Threat modeling allows security teams to understand what threats they may encounter, how attacks may be carried out, and how the SOC can detect, block or remediate security events. Make sure that your security team has the necessary expertise and tools to model threats and make important decisions, such as prioritizing the more critical threats.
Managing a security operations center can be challenging, with many moving parts that need to be addressed daily, and in a timely manner. With planning and a clear process, you can build a SOC that can protect and future-proof your organization against emerging threats.