SOC Series: How to Structure and Build a Security Operations Center

Last updated at Tue, 25 Jul 2023 20:31:59 GMT

Building an effective security operations center (SOC) requires organizing internal resources in a way that improves communication and increases efficiencies. Adding to a former post, When to Set Up a Security Operations Center, we're now offering a framework for organizing the three key functions of a SOC: people, process, and technology.

People

To begin building a powerful security operations team, it’s important to inventory your available staff. Some good questions to ask include:

• Is anyone currently in a security-only role?
• Is anyone from IT ready to step up to the plate as a security-only player?
• Do you have an MSSP (managed security service provider)?
• Might you need the expertise of a security contractor for support?
  
  

Many organizations choose to build their SOCs with in-house resources, bringing together existing security functions and providing formal training programs for others interested in joining. Others opt for a hybrid mix of in-house and external resources. The best option for you depends on the available in-house resources, your budget, and the urgency of the threats you face. Here are some questions to ask to help determine the composition and timeline for creating your SOC:

• How many security folks, among others across the organization who will be a part of the SOC, are there?
  
• What is the hiring plan and budget?
  
• What is the total annual security budget? Can we pull any more budget from IT or other departments to support implementing the SOC?
  
• How much are our security pain points affecting us and how soon can we build the SOC to address them?

Once you determine what the people side of the SOC looks like, it’s time to set in place processes that standardize security workflows.

For more detail on how to build out your security operations team, see our full guide:

Get the Guide: How to Hire a Strong and Effective Security Team

Process

Prior to the formation of a SOC, often security tasks are passed around like a hot potato with no process to define ownership and streamline procedures. As you begin to build a more formal and centralized organization, it’s a good idea to evaluate current procedures by asking questions like:

• Who monitors for threats?
  
• Who promotes security events to incidents?
• Who is accountable for fixing them?
• Are the current processes documented?

The answers to these questions can help you to know where things stand now so you create a game plan to optimize security operations. In fact, we wrote a whole post about how to solve six of the most common process challenges security teams face today. 

With a SOC, incident management workflows should be established from the get-go, ensuring that each step in the process is part of a larger strategy. Workflows also help to offer clarity around each team member’s role and responsibilities so that no stone is left unturned.

To get you started, SANS offers a straightforward six-step incident response process: preparation, containment, eradication, recovery, and lessons learned. In general, SOCs should aim to have the following security processes in place before they get started:

• Monitoring
• Alerting
• Escalation
• Investigation
• Incident logging
• Compliance monitoring
• Reporting

These processes should cover all major security events that could apply to your business — from malware to phishing scams, and from zero-day attacks to advanced persistent threats (APT). Not sure what types of events to prepare for? Here are the five types of cyberattacks companies are most likely to face:

• Brute force attack
• Social engineering/cyber fraud
• DDOS
  
• Phishing
• Malware, spyware, ransomware

Most important of all is the process that ties each step together, ensuring the transition of each task is clearly laid out day-to-day and person-to-person. This is so that, in the event of a real attack, everyone in security operations knows their responsibility and how it fits in with the end-to-end process.  

For a framework on creating security processes that solve practical problems: [Get the Guide: How to Create Security Processes That Solve Practical Problems]

Technology

Last, but not least, is identifying the tools you need for effective detection and response. You want tools that will support your strategy for visibility across your networks and incident response and that fit within your budget. The technologies you choose for your organization should be tailored to:

• The environment you operate in (cloud, on-premise, or hybrid)
• The type of threats you face  (malware, phishing, etc.)
• The compliance mandates you’re required to uphold (HIPAA, SOC2, ISO 27001, etc.)
  

Developing your SOC’s technology toolkit also gives you the opportunity to inventory whether there are any gaps in coverage or overlaps in functionality with the tools you already have. For instance, you may have three tools that do security monitoring, but none that are protecting against malware.

There is a lot of great, detailed information out there on building a SOC. Along with the info above, we recommend looking at these resources:

• Building a World-Class Security Operations Center from SANS

It’s also important to understand how your tools are interconnected, so you can find ways to optimize the flow of data across the technology stack to obtain vital security insights, such as where and when data loss occurs or which misconfigured server led to a breach.

SOC automation is an efficient option to connect the people and technology within your organization.