What makes a good SOC?

What makes a good SOC?

Michael Cormack, Senior Consultant at Context Information Security, explains how businesses can proactively build resiliency and develop their internal cyber security capability in the form of a Security Operations Centre and how to keep it relevant

By Michael Cormack

Senior Consultant

19 Dec 2019

SOC is a widely used term, but for clarity, our definition is a one-stop-shop for managing cyber security related incidents within an organisation and ensuring they are properly identified, investigated, remediated and reported. To firstly understand the requirements of a SOC, it is important to consider the threat landscape and ask yourself a few questions, such as what information would be of interest to attackers? Who are they and what they may be capable of? But the primary focus is on understanding what your weaknesses and vulnerabilities are and identifying the risks and how to prepare, protect, detect and respond to attacks.

Nation states and advanced criminal groups will have a different style of attack and cause different business impacts to that of hacktivists and script kiddies. You also need to take into account previous compromises and those experienced by peer organisations and then ascertain the acceptable risk tolerance of the business, as some risks may be acceptable and do not justify the cost of defending. By evaluating threat and risk, an organisation gains a vital insight into any future attacks and will be able to make informed decisions about where to best focus SOC resources.

Based on this, work out the business drivers and alignment within the business to help build a picture of the capabilities the SOC will need to have. Next, map your existing resources and identify the SOC’s level of maturity for each capability, using this to prioritise the changes and investment that need to take place. Establish what skills the current team members have and look at existing processes and technology. Ask what areas can be improved in the short term through little effort and minimal cost.

 

People, process and technology

There are three key areas which need investing in the early stages to start building a capable and efficient SOC. Over time, things change and you need to avoid becoming stagnant; instead focus on continual improvement towards preventing, detecting and responding to threats in the ever-evolving threat landscape.

A fully functioning SOC requires access to people with a range of specialist skills, from platform engineering, network and forensic analysts to software developers and threat intelligence researchers. For existing staff, external training and knowledge sharing can be useful. It is also worth noting that it may not be practical to fill all of these roles on a full-time basis, so outsourcing specialist skills can be used in the event of an incident.

The SOC must also run like a well-oiled machine, ready to make decisions and take appropriate actions quickly in a high-pressure environment. It therefore needs documented processes to ensure incidents are managed in the most consistent and efficient way, but at the same time these processes must be flexible enough to be quickly adapted to new technologies or attack methods.

When it comes to the actual physical technology needed, it’s all too easy to throw money at well-advertised out-of-the-box tools, but these are only as effective as the people who use them. One useful tool for developing a SOC may simply be a log management platform, which collates various log sources in the same place and facilitates the querying of large amounts of data.

The following key elements of a model which aligns with business objectives usually include:

  • Advanced analytics
  • Threat intelligence and hunting
  • Machine Learning
  • End point detection and response
  • Automation and orchestration tools
  • Incident responsibilities

Measuring success

It is notoriously difficult to measure the success or effectiveness of a preventative capability and that can be problematic when justifying the need for investment. So, how can an organisation measure the value and success of its SOC? Statistics such as ‘number of incidents detected’ are misleading, particularly while a SOC is new and growing, because new technology and people will have different views on what is considered to be an incident and results will vary significantly depending on the threat landscape at the time.

Similarly, measures such as ‘time from incident detection to closure’ will vary, depending on severity, who is investigating and the processes followed. KPIs like these may have a detrimental effect on performance, because staff should not be encouraged to close an alert or incident quickly without a thorough investigation.

It could be best to measure success by communicating with peer organisations within the same industry and/or of a similar size and see if there are any similar attacks. So, stay up to date with security news of attacks in your sector.

Overall, an effective SOC must not only identify threats, but be able to analyse and investigate them, report the vulnerabilities discovered and plan to identify and prevent similar occurrences in the future. With this, a mature SOC will have increased visibility and understanding of the business when dealing with security problems and continually work to improve its security posture. The impact of this will benefit the prevention, detection and response to cyber security issues in order to minimise impact and improve business reputation in the event of an incident.

Subscribe for more Research like this

About Michael Cormack

Senior Consultant

Michael Cormack is a member of our Advisory team.

CREST
CREST STAR
CHECK IT Health Check Service
CBEST
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor
NCSC CCSC - Assured Service Provider
ASSURE Cyber Supplier - CAA