Building a new SOC capability may involve a lot of planning and attract a large initial investment.
While there are multiple approaches to address this, some simple steps one can follow are given below:
1. Understand the business goals, the type of business, the organization's culture, and its constraints and budgets.
2. Perform a gap analysis against the existing set-up and formulate implementation milestones based on priorities.
3. Lessons learnt from previous incidents form a major input in designing the people, process and technology structure for the SOC.
4. An incremental SOC-building approach is better than a one-time heavy investment, since it de-risks some of the unknowns.
5. Collaborate with people (multiple functions within the organization), with the technologies deployed, and across the various processes. This collaboration needs to be handled carefully and is a critical success factor.
6. Based on the organization's culture, existing set-up and availability of in-house skills, decide on the right mix of in-house and outsourced team. In some cases day-to-day SOC monitoring and operations can be handled by the in-house team, while incident response (IR), which requires special skills to handle a crisis, can be handled by an outsourced professional team.
7. Clearly define the Tier 1, 2 and 3 team structure with roles and responsibilities.
8. Establish processes to cover preparation, identification, containment, eradication, recovery and lessons learnt.
9. Be careful of compatibility issues between technologies and of systems working in silos, with respect to the reporting tool (SIEM) integration with network logs, system logs, endpoint logs, etc.
10. Based on the level of integration, actions such as patching, firewall modification, revocation of access, system quarantine or reimaging can be planned as manual or automated.
11. To reduce false positives, best practice is to build baselines by monitoring network devices and endpoints for a period of time, and then to generate alerts on abnormal or suspicious activity that deviates from the baseline.
12. Subscribe to good threat intelligence (Cyber Threat Intelligence, CTI).
13. Slowly build an incident "hunter" culture, rather than waiting to work on escalated incidents.
14. Continuous updates and training on changes in the threat landscape and technologies are essential to face the ever-challenging nature of security. This training needs to be planned at all levels: SOC team, top management and others.
15. Build maturity over time using:
- lessons learnt
- new security posture
- swift detection and prioritization of incident investigations
- risk tolerance
- continuous hardening to minimize the attack surface
- available expertise and budget
- continuous improvement within organizational constraints, pushing boundaries and striving to achieve the SOC's critical security mission
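As an added example (not part of the original article), the baselining step above can be implemented as follows: per-host thresholds are learnt from an observation window, and new log lines are alerted on only when they exceed that host's threshold. The host names, counts and the comma-separated log format are constructed for illustration.

```python
from statistics import mean, pstdev
# Constructed baseline window: hourly outbound connection counts per host,
# gathered while monitoring endpoints/network devices for a period of time.
BASELINE_WINDOW = {
    "ws-01": [40, 45, 38, 50, 42, 47, 44, 41],
    "srv-db": [5, 6, 4, 5, 7, 5, 6, 5],
}

# Constructed new telemetry in a simple "host,hour,outbound_conns" format.
NEW_LOGS = """\
ws-01,09,46
ws-01,10,180
srv-db,09,5
srv-db,10,60
fileshare,09,12
"""

def build_baseline(window, k=3.0):
    """Per-host alert threshold: mean + k * stddev of the observed counts."""
    thresholds = {}
    for host, counts in window.items():
        sigma = pstdev(counts)
        # Floor the spread so a very flat baseline does not alert on tiny noise.
        thresholds[host] = mean(counts) + k * max(sigma, 1.0)
    return thresholds

def parse_logs(text):
    """Yield (host, hour, count) tuples from the constructed log format."""
    for line in text.strip().splitlines():
        host, hour, count = line.split(",")
        yield host, hour, int(count)

def detect(thresholds, log_text):
    """Alert when a count exceeds its host's learnt threshold; hosts absent from
    the baseline window are returned separately for review, not alerted on."""
    alerts, unbaselined = [], []
    for host, hour, count in parse_logs(log_text):
        if host not in thresholds:
            unbaselined.append((host, hour, count))
        elif count > thresholds[host]:
            alerts.append((host, hour, count, round(thresholds[host], 1)))
    return alerts, unbaselined

if __name__ == "__main__":
    alerts, review = detect(build_baseline(BASELINE_WINDOW), NEW_LOGS)
    for a in alerts:
        print("ALERT host=%s hour=%s conns=%d threshold=%.1f" % a)
    for r in review:
        print("NO BASELINE host=%s hour=%s conns=%d" % r)
```

Hosts that appear in new telemetry without a baseline are a common source of both missed detections and noisy alerts, which is why they are surfaced as a separate review list here.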
The next article will discuss the Next Generation SOC.