Cybersecurity threats evolve; therefore, establishing a Security Operations Center (SOC) is necessary for businesses aiming to protect their digital assets and IP.
As well as providing a blueprint for building a SOC from the ground up, we highlight the challenges, costs, and operational considerations accompanying such a massive undertaking.
We will also explore why a managed SOC might be a more practical solution for many organisations.
Why Build a SOC?
A SOC is vital due to its ability to significantly shorten the time to detect and respond to security breaches, which currently averages around 277 days. With cyber threats becoming more sophisticated, the need for an efficient and proactive SOC is prescient.
The building blocks of a SOC
Step 1: Understand the necessity
Building a SOC is no small feat—it's costly, complicated, and requires specialised expertise. Every organisation has unique security needs that should be thoroughly assessed. The budget for a SOC should correspond to the size of the organisation’s attack surface.
- Conduct a risk assessment: identify your most valuable assets and understand the potential threats to them
- Consider impact of breaches: understand the challenges created from security breaches, consider time and cost to recover, damage to reputation and trust and even employee satisfaction.
- Review compliance and regulatory requirements: ensure compliance, document all the rules and regulations you must abide by and consider governance procedures.
- Be aware of the evolving threat landscape: leverage a dynamic and fully equipped SOC to respond rapidly to changing threats
- Allocate resources: consider financial investment, required skills, and technology
- Strategic alignment: ensure the SOC will be in support of broader business strategy and objectives
All of these elements feature in the following steps, the groundwork and preparation will save you valuable time and secure buy-in from across your business more readily.
Step 2: Follow a framework
The National Cyber Security Council provides a useful guide on building a new or evolving an existing security operations centre as part of a wider approach to managing cyber risks. It is split into five sections, which are the common aspects of a SOC and whilst often linked, are easier to address in turn:
- Operating Model – discusses and align on the various factors that need to be considered when designing a SOC.
- Onboarding – provide guidance on how to determine what logs/information should or could be made available to a SOC and introduces the use of attack trees to help you intelligently make decisions about log sources.
- Detection – discusses the various approaches in detecting cyber attacks.
- Threat Intelligence – touching some of the common issues around threat intelligence and explore the value it adds to the SOC.
- Incident Response and Management – builds on existing guidance and discusses how it fits into the SOC as a whole.
In addition, The National Institute of Science and Technology (NIST) provides a cybersecurity framework that is really useful for setting up a SOC, but is more relevant for companies trading in or with others in the USA. This framework includes five core functions:
- Identification: Understanding what needs protection
- Protection: Implementing measures to guard against threats
- Detection: Monitoring and identifying security events
- Response: Addressing detected security incidents
- Recovery: Restoring systems and strengthening defences post-incident
- Governance: Ensuring compliance and overseeing security operations
Step 3: Charter and Planning
Before diving into tools and procedures, planning and designing step means your SOC will perform efficiently and effectively within your business requirements. First and foremost, obtain approval from senior management, outlining the SOC’s mission, responsibilities, and authority:
- Develop a charter: document the mission, scope, and objectives explaining why the SOC exists
- Define the scope: determine what the SOC will/wont monitor, as well as the resources required
- Outline responsibilities and standard operating procedures: describe the primary responsibilities including monitoring events, managing incidents, compliance, vulnerability assessments etc.
- Authority to act: define what actions (if any) the SOC can make autonomously, when to escalate issues and how to interact with other departments
- User guidance: explain how users and employees interact with the SOC
- Support and endorsement from senior management: documented endorsement and ongoing support from senior management
In addition to developing a charter, strategic planning ensures the SOC is efficient and effective. This should include:
- Assessing current capabilities: understanding the technologies and processes currently in place and how they can be integrated into SOC operations
- Technology and tools selection: deciding the right mix of technology and tools to enable the most efficient and streamlined monitoring, detection, and responses
- Staffing and training: plan for the recruitment of skilled personnel and their ongoing training to keep up with evolving cybersecurity threats
- Continuous improvement: establishing mechanisms for feedback and continuous improvement allows adaptation to the changing threat landscape and evolving business needs
By thoroughly addressing these elements in the charter and planning phase, you can set a strong foundation for your SOC, ensuring it operates smoothly and aligns with your broader security and business strategy.
Step 4: Defining Services
The services a SOC provides can vary greatly. This defining phase is pivotal to outline the specific provisions to meet the security needs of the business. Here’s what this step should look like:
- Service catalogue development: this will detail each service, the tools and technologies required, the personnel responsible, and the processes involved in delivering those services.
- Core services:
- Monitoring and triage: continuous surveillance of your networks to detect and assess security threats.
- Incident response coordination: managing the response to security incidents, including the deployment of strategies to mitigate damage and coordinating internal and external stakeholders.
- Security log management: collecting, normalising, and storing security event data to support effective analysis and incident investigation.
- Threat and vulnerability intelligence: gathering and analysing information about emerging threats and potential vulnerabilities to keep you ahead of potential security issues.
- Advanced services:
- Threat assessment: evaluating potential impact of detected threats and devising strategies to counteract them.
- Vulnerability management: assess and address vulnerabilities to reduce the risk of exploitation.
- Forensic analysis: conduct detailed investigations into how a breach happened, determine extent of instruction, and identify the perpetrators.
- Service alignment with business needs: services offered by the SOC must meet the needs and risk profile of your business. This alignment should be reviewed regularly to adapt to any changes in your business or threat landscape.
- Budget considerations: prioritise services based on risk assessments and the potential impact of threats and make your budget work as best it can.
- Customisation and scalability: services must be customised as per the evolving security requirements of your business. They should also be scalable to accommodate growth and changes in your structure or operations.
- Integration with existing infrastructure: your SOC should not operate in isolation. Ensure services are integrated with the existing IT and security infrastructure and practices to enhance overall security posture without duplicating efforts or resources.
- Implementation planning:
- Resource allocation: assign adequate resources, including personnel and technologies, to each service.
- Process development: establish clear processes for each service, detailing every step from initiation to completion.
- Performance metrics: set up the KPIs for each service to measure effectiveness and facilitate continuous improvement.
Step 5: Establishing Key Performance Indicators (KPIs)
As the final point in the previous step calls out, defining what you will track and measure will help you assess the efficiency of your SOC. Your KPIs will give you a quantitative measure to pinpoint areas for continuous improvement and justification for your investment. Here’s a deeper look at this important step:
- Identify your key metrics and common SOC KPIs
- Average incident detection time: time taken from threat entering the network to when it is identified by the SOC.
- Average incident response time: time taken for the SOC to react to a threat once identified.
- Event and ticket queue backlog: number of tickets addressed within a predetermined time frame.
- First call resolution: percentage of incidents resolved on first call.
- First call escalation: measures how often calls require escalation past first point of contact.
- Headcount to incident ratio: average number of incidents handled per SOC employee.
- Headcount to ticket ratio: average number to tickets handled per SOC employee.
- Set targets: they should be realistic but challenging and push your SOC towards continuous improvement.
- Data collection and analysis: implement systems to automatically collect data relevant to KPIs - regular analysis of this data helps in tracking performance against set targets.
- Regular reviews and adjustments: review your KPIs to ensure they remain relevant.
- Reporting: deliver regular reports so all stakeholders are informed on the SOC’s performance
Step 6: Staffing your SOC
The success of a SOC depends on the people running it. Staffing involves more than selecting the best qualifications. Candidates build the team culture, the structure and future development too. Here’s how to approach this step:
- Defining SOC roles:
- Tier 1 Analysts (Alert Analysts): Handle initial incident reports and data feeds.
- Tier 2 Responders (Incident Responders): Provide a deeper analysis and response to escalated incidents.
- Tier 3 Experts (Hunters or SMEs): Lead the response to complex incidents and proactively search for threats.
- Recruitment: finding individuals with a mix of technical skills, problem-solving abilities, and capacity to make smart decisions under pressure. Considering the current skills shortage, consider candidates with potential and invest in training and development.
- Training and development: continuous learning is essential in cybersecurity. Provide (or source) training sessions on threats, technologies, and countermeasures and encourage certifications and participation in industry conferences or workshops.
- Team integration and communication: ensure clear protocols for information sharing and collaboration between the tiers.
- Employee retention: implement policies that foster a positive work environment such as competitive salaries, benefits, and career development opportunities. Recognise and reward outstanding performances.
- Diversity and inclusion: diverse teams bring varied perspectives that can enhance problem-solving and innovation.
Other factors for consideration should include continuity, outsourcing, shift patterns, and planning for scalability. This is a huge challenge for many organisations and one of the main drivers of outsourcing the management of a SOC.
Step 7: Infrastructure and Data Collection
Adequate infrastructure—comprising both hardware and software—is essential for a SOC's operation. You must determine what data will be collected, from which sources, and in what format. Here’s a detailed look at how to approach building the infrastructure and data collection capabilities of your SOC:
- Selecting technology platforms - choose the right mix of hardware and software. This may include:
- Security Information and Event Management (SIEM) system: to aggregate, analyse, and alert on security data.
- Intrusion Detection System (IDS)/Intrusion Prevention System (IPS): for monitoring network traffic to detect and prevent attacks.
- Firewalls and Antivirus Tools: to block unauthorised access and detect malware.
- Endpoint Detection and Response (EDR) Systems: For continuous monitoring and response to threats on endpoints.
- Data collection strategy - define what will be collected, from which sources, and how. Typical sources include:
- Network devices: routers, switches, and firewalls
- Servers and Endpoints: physical and virtual
- Applications: especially those that handle sensitive or critical operations
- Cloud services: including IaaS, PaaS and SaaS environments
- Data normalisation and storage: once collected, data must be normalised, which involves converting it into a common format that can be easily analysed. The data must also be stored securely and efficiently, with considerations for compliance with data protection regulations.
- Analysis tools and techniques: deploy advanced analytical tools to process large volumes of data and identify patterns that indicate potential security incidents. Machine learning and artificial intelligence are increasingly used in this capacity to enhance threat detection capabilities.
- Integration of systems: ensure all tools and systems are integrated for seamless data flow and sharing. Integration enhances visibility across the entire IT environment, making it easier to detect and respond to incidents promptly.
- Protocol establishment: define how data should be collected, how often, and at what detail level. This includes setting up the necessary configurations on data sources to ensure logs are detailed and useful but not so verbose as to overwhelm the SOC analysts.
Everything rests on this step. All your hard work can come undone through improper tool selection and gaps in the data flow preventing total protection of your organisation. Your choices here are foundations to support all the SOC functions, from monitoring and detection to response and recovery.
Challenges of building a SOC
Even if you follow the guide above, there are major considerations for any organisation and a huge body of work to undertake. Here are the major issues you must tackle ahead of your project:
- Budget constraints: it is hugely expensive to design and build the perfect SOC for your organisation, staff it, and equip it with all the tools you need to keep your business secure
- Expertise scarcity: there is a vast skills shortage for people of a sufficient skill level to run and maintain a SOC. Good talent is expensive to acquire, hard to retain, and is fraught with risk.
- Time Investment: as you can deduce from this guide, it's a hugely time-consuming effort that will draw key personnel away from business-as-usual tasks for extended periods.
- Alert fatigue and false positives: managing high volumes of alerts efficiently can drain time and energy from your teams. And if they are not sufficiently skilled, you can face all sorts of problems down the line.
Why consider a Managed SOC?
Given the complexities and challenges of building and maintaining a SOC, many businesses opt for a managed SOC service. There are many reasons why, but mainly this is due to:
- Cost-effectiveness: reduces the need for in-house expertise and infrastructure.
- Expertise: provides access to top-tier security experts and advanced technologies.
- Scalability: easily scales with your business needs without additional investments.
- Focus: this allows your business to focus on core activities while security experts handle the defences.
Building a SOC is an extensive and demanding process requiring significant investment in time, money, and expertise. For many businesses, particularly small to medium-sized enterprises, a managed SOC represents a more viable and efficient option.