You have to know four things before building anything, whether it's something "simple" like assembling your new furniture from IKEA or breaking ground on an entire community of homes:1. What you're building
2. The materials you'll need
3. Who is going to build (and maintain) it
4. How you'll build (and run) it
Building (or improving) an effective security operations center (SOC) is no different. And, it's no easy feat. Unlike that new dresser, there is no single guide for how to build it. Your organization has its own unique requirements and you have to come up with a tailor-made mix of the right SOC processes, people and technologies that fit.
So, what are you building?
Yes, you're building a security operations center. But what sort of SOC are you building? What kind of capabilities does it need to have? How will it be organized? Asking and answering some basic questions up front allows you to create the roadmap that will drive the decisions to come on things like tooling and talent (read: the parts that cost money).
Some of the key things to include in your plans are:
- Hours and availability - are you going to staff your SOC 24x7 or 8x5?
- Organization - do you want a standalone SOC or an integrated SOC/NOC? Are you planning to handle everything in-house or would you consider using a managed security services provider (MSSP) to help with certain tasks?
- Capabilities and priorities - is security the primary driver or is compliance also a factor? Does monitoring appear to be the main priority or will you require proactive capabilities like penetration testing or ethical hacking?
- Environment - are you securing a single on-prem environment or a hybrid environment? Is your organization planning to make cloud a bigger part of its strategy?
You may be wondering why budget isn't mentioned here. First, it's hard to build a budget if you don't know what your endgame is. But more than that, the harsh truth is that throwing money at cybersecurity won't ensure that you've covered all your bases. Yes, budget is important - but only if you know how you are going to use it most effectively.
The answers to the larger questions will dictate how you move forward. Good SOCs, like good houses, are built upon solid foundations. Using some foresight and a base of knowledge goes a long way to ensure your security operation starts out on solid ground.
It's tool time
With your plans in hand, you're ready to think about technology. It can't be understated that the capabilities of your security operations center are heavily reliant on the competence of the technology you use to build it.
Regardless of your strategy, you want your technology to be capable of collecting and aggregating data, thus detailing and managing threats both before and as they happen. By making data quality, not just quantity, a priority you can lessen the amount of false flags that you would otherwise allocate your resources to (which, believe us, are extensive). After all, garbage in, garbage out, right?
A SANS Institute study agrees that data collection and aggregation pays major dividends for SOC analysts in the long run, stating that “an effective security monitoring system incorporates data gathered from the continuous monitoring of endpoints (PCs, laptops, mobile devices and servers) as well as networks and log and event sources.” In other words, gathering data from all possible sources and using it in the effort to build your security operations center is not only incredibly effective, but vital.
As you explore technology solutions, determine whether you want to opt for best-of-breed tools that serve each specific function or a more platform-driven approach. There are, of course, pluses and minuses to each. According to Cisco's 2018 Cybersecurity Study, organizations overwhelmingly favor specialized tools to get the most robust capabilities across their environment. The more disparate technology a SOC uses, the greater the need for a security orchestration and automation platform to help tie everything together. So as you embark upon creating your technology shopping list, ensure that you are contemplating not just the tools needed for prevention and detection but also the tools needed to minimize chaos and ensure the greatest levels of usability for your team.
There's no "I" in SOC
It goes without saying that you need a well-trained team of professionals to operate the technology you have invested in. Without proper personnel handling the execution of your strategy, it is impossible to even take the first step.
Identifying the right talent for the various roles in your SOC is of paramount importance. Making the right hires is directly tied to the capabilities you determine your security operations center needs to have and the types of technologies you select. Ensuring you've properly defined the roles will drive your ability to attract and retain the right people for those roles.
At the very least, you'll want to have positions for a CISO, SOC manager, security analysts and security engineers. Depending on the other skills you need to deliver on your requirements, you may also explore roles in the areas of compliance, threat intelligence, incident response, penetration testing and so forth.
Developing an in-house cybersecurity team is a large endeavor in light of the fact the supply of experienced security professionals is vastly below the demand. Even average security pros get approached by recruiters regularly and staffing shortages in the industry are expected to stretch over the next several years. That said, more people doesn't always mean more secure anyway.
Regardless of the size or scope of your team, they will be required to know your security operations inside and out in order to effectively detect dangerous irregularities and prevent vital information from falling into the hands of a threat actor.
The ties that bind
Security operations processes are the glue that brings everything together to ensure that the people and technologies are delivering upon the SOC's objectives. If this is the area that seems to be the most perplexing, don't feel alone. Process is the toughest component for all security operations teams. That's why you'll find that most SOCs - even mature ones - are heavily reliant on processes that are manual, undocumented and maybe even a little outdated.
Keep in mind, your processes will evolve over time. As your SOC gains experience, as you run into new threats, you'll optimize and create workflows and playbooks along the way. The best thing you can do is to ensure that, as you go, you create documented processes that can be executed consistently throughout your team.
Once you have a set of processes defined, you'll start to identify areas that would benefit from automation. Tasks that are highly routine and/or repetitive in nature are great candidates. Response activities related to known threats can also be automated to maximize the time your security analysts have to
To get started, focus on identifying gaps in any current procedures that exist and look for ways to improve and possibly automate them. Document changes and enhancements to keep your team on the same page. Being open to clearly communicating your processes and their evolution demonstrates security operations maturity.
Why Build a Security Operations Center Now?
An old Chinese proverb once stated that “The best time to plant a tree was 20 years ago. The second best time is now.” The same goes for your SOC. By developing your SOC predicated on process , technology and a proper team to support it, you are immeasurably increasing the odds that critical information for your enterprise remains uncompromised. So long as you allow a thoughtful implementation of new SOC technology that is mitigated by consummate professionals, you are decreasing the chance that severe threats will breach your system infrastructure. More importantly, you will decrease the damage that these threats have the potential of causing.