Building a SOC team

Building a new SOC capability involves a lot of planning and a large initial investment.

While there are multiple approaches, given below are some simple steps one can follow:

1. Understand the business goals, the type of business, the organizational culture, constraints and budget.

2. Perform a gap analysis against the existing set-up and define implementation milestones based on priorities.

3. Lessons learnt from previous incidents are a major input when designing the people, process and technology structure of the SOC.

4. An incremental approach to building the SOC de-risks the unknowns better than a one-time heavy investment.

5. Collaborate with people across multiple functions in the organization, with the technologies deployed and with the various processes in place. This collaboration needs to be handled carefully and is a critical success factor.

6. Based on organizational culture, the existing set-up and the availability of in-house skills, decide the right mix of in-house and outsourced staff. In some cases day-to-day SOC monitoring and operations can be handled by the in-house team, while incident response (IR), which requires specialist skills to handle a crisis, can be handled by an outsourced professional team.

7. Clearly define the Tier 1, 2 and 3 team structure, with roles and responsibilities.

8. Establish processes covering preparation, identification, containment, eradication, recovery and lessons learnt.

9. Be careful of compatibility issues between technologies, and of systems working in silos, when integrating the reporting tool (SIEM) with network logs, system logs, endpoint logs, etc. A log source the SIEM cannot parse is effectively a blind spot.

10. Based on the level of integration, plan which response actions are manual and which are automated: patching, firewall modification, revocation of access, system quarantine or reimaging. Automated containment should be gated on confidence in the alert, because a false positive that quarantines or reimages a production system is itself an outage.

11. To reduce false positives, the best practice is to build baselines by monitoring network devices and endpoints for a period of time, and only then generate alerts on activity that deviates from the baseline as abnormal or suspicious.

12. Subscribe to good Cyber Threat Intelligence (CTI) feeds.

13. Gradually build an incident "hunter" culture rather than waiting for escalated incidents.

14. Continuous updates and training on changes in the threat landscape and technologies are essential to keep up with the ever-changing nature of security. This training needs to be planned at all levels: the SOC team, top management and others.

15. Build maturity over time using:

- lessons learnt

- the new security posture

- swiftly detecting incidents and prioritizing investigations

- risk tolerance

- continuous hardening to minimize the attack surface

- available expertise and budget

- continuous improvement within organizational constraints, pushing boundaries and striving to achieve the security mission

The next article will discuss the Next Generation SOC.
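The baselining step above (monitor for a period, then alert only on deviations) and the point about logs from siloed tools are easier to see in code. The following is an added example, not code from the original post or from any product it mentions: it parses constructed log lines in a made-up "date host event" format, learns a per-host baseline of daily failed-login counts over a quiet week, and then flags monitored days that exceed the host's own baseline, with an absolute floor so that a near-silent host does not alert on two events. Host names, dates, the event name auth_fail, the k=3 multiplier and the floor of 5 are all illustrative assumptions.

```python
"""Baseline-then-alert detection over constructed login logs (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Assumed log format: "YYYY-MM-DD host event". Real SIEM sources differ per tool.
LOG_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<host>\S+) (?P<event>\S+)$")

BASELINE_DATES = [str(date(2024, 5, 1) + timedelta(days=i)) for i in range(7)]
MONITOR_DATES = [str(date(2024, 5, 8) + timedelta(days=i)) for i in range(2)]

# Constructed daily failed-login counts per host: baseline week, then two monitored days.
SAMPLE_COUNTS = {
    "web01": [2, 3, 2, 4, 3, 2, 3, 3, 40],  # day 9: burst well above its normal 2-4
    "db01":  [0, 1, 0, 0, 1, 0, 0, 6, 4],   # day 8 clears the floor, day 9 does not
    "lab07": [0, 0, 0, 0, 0, 0, 0, 2, 0],   # never seen while baselining
}


def make_sample_lines():
    """Expand SAMPLE_COUNTS into one log line per event, plus noise to exercise parsing."""
    lines = []
    for host, counts in SAMPLE_COUNTS.items():
        for d, n in zip(BASELINE_DATES + MONITOR_DATES, counts):
            lines.extend(f"{d} {host} auth_fail" for _ in range(n))
    lines.append("2024-05-08 web01 auth_ok")          # unrelated event, ignored
    lines.append("garbage line from a siloed tool")   # malformed, skipped by parser
    return lines


def parse_logs(lines):
    """Return (date, host, event) tuples; lines the parser cannot read are dropped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            records.append((m["date"], m["host"], m["event"]))
    return records


def daily_counts(records, event="auth_fail"):
    """host -> {date -> number of matching events}."""
    counts = defaultdict(lambda: defaultdict(int))
    for d, host, ev in records:
        if ev == event:
            counts[host][d] += 1
    return counts


def build_baseline(counts, baseline_dates):
    """host -> (mean, stdev) of daily counts over the baseline window.

    Days with no events count as zero. A host with no events at all during the
    window gets no baseline and is treated as an unknown asset later.
    """
    baseline = {}
    for host, per_day in counts.items():
        series = [per_day.get(d, 0) for d in baseline_dates]
        if not any(series):
            continue
        baseline[host] = (statistics.mean(series), statistics.pstdev(series))
    return baseline


def detect_anomalies(counts, baseline, monitor_dates, k=3.0, floor=5):
    """Alert when a day's count exceeds max(mean + k*stdev, floor) for that host."""
    alerts = []
    for host, per_day in counts.items():
        for d in monitor_dates:
            n = per_day.get(d, 0)
            if n == 0:
                continue
            if host not in baseline:
                alerts.append((d, host, n, "no baseline for host"))
                continue
            mean, sd = baseline[host]
            threshold = max(mean + k * sd, floor)
            if n > threshold:
                alerts.append((d, host, n, f"above baseline mean={mean:.1f} sd={sd:.1f}"))
    return alerts


def run_example():
    """Full pipeline over the constructed logs; returns the list of alerts."""
    counts = daily_counts(parse_logs(make_sample_lines()))
    baseline = build_baseline(counts, BASELINE_DATES)
    return detect_anomalies(counts, baseline, MONITOR_DATES)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The floor is what keeps db01's day 9 quiet: its statistical threshold is under 2 events, so without the floor a single extra failed login would page someone. Conversely lab07 alerts on just two events because it was never seen during baselining, which is the kind of unknown-asset signal a SOC wants surfaced rather than suppressed.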

