Security operations centers often go by different names, such as SOC or CIRT. Regardless of what they are called, building a SOC is essential for any organization's security plan. SOCs exist to collect and analyze security-related data to detect and stop cyberattacks. Achieving this goal requires building a team with the right skillsets and building the appropriate infrastructure for these teams to use effectively. The following is a guide on how to develop an effective SOC for your organization.
The People That Compose A SOC
Hiring the right people is arguably one of the most critical aspects of building a SOC. A team without skilled individuals will never be able to do their job effectively. When it comes to a SOC, a tier system is typically used to appoint team members with various levels of expertise and responsibilities. The following are the roles that need to be filled for building a SOC:
- Tier 1 - The Triage Specialist: The most junior SOC member. They are responsible for analyzing and sorting the alerts by their level of priority. Triage specialists need to have a deep understanding of the most common attack vectors and recognize them when they appear in logs or alerts. A triage specialist should have sysadmin skills, programming skills (such as Python and Java), and security certifications (such as CISSP and GCIA).
- Tier 2 - Incident Responder: Incident responders are responsible for investigating the alerts reported by the triage specialists. They are also responsible for conducting further investigations into any threats or vulnerabilities in the system as needed. An incident responder should have a good understanding of the network and systems being protected. They should also have experience building threat models, know what to look for in logs or alerts, and be able to distinguish malicious activity from legitimate actions.
- Tier 3 - Security Analyst / Threat Hunter: A threat hunter is responsible for seeking threats and vulnerabilities inside a system. They do this by reviewing data assets and building a profile of normal behavior. The goal is to find anomalies and deviations from the norm to be reported to SOC analysts for further investigation, thereby allowing a better defensive strategy to be developed. A threat hunter should have all the skills required of triage specialists and incident responders while also being familiar with data visualization and penetration testing tools.
- Tier 4 - The SOC Manager: The SOC manager is the supervisor of the team. They are responsible for hiring and training the SOC team. They are also responsible for reviewing incident reports, running compliance reports, supporting the audit process, developing a crisis communication plan, and more.
The Process For Developing A SOC
When building a SOC, you'll need to implement a standardized process to ensure that no security issues are overlooked. You should also follow specific guidelines in developing this process, such as the NIST (National Institute of Standards and Technology) SP 800-61 document. This document is a protocol for building a SOC. The NIST document defines five phases of building a SOC:
- The first step is building the team.
- The second step is to build the infrastructure and tools needed for the team to use effectively, such as building data pipelines, custom dashboards, and other tools to help the team work better.
- The next step is building incident response procedures, defining how to triage alerts, building search queries, building threat models, and building team workflows.
- The fourth step is defining the SOC's rules for monitoring activity, such as handling false positives, building data retention policies, and building a list of scheduled tasks.
- The final step is conducting risk assessments to identify vulnerabilities that may be exploited and building a plan of action to address them.
Once your SOC team is built, and all protocols are in place, you'll want to standardize the operating procedures of your SOC. The following are the four stages of a standard SOC process:
Stage One: The Classification Phase
The first phase of the SOC process is to classify all security issues into four groups: Critical, High, Moderate, and Low. Doing so helps determine how much time and effort should be spent on each alert to ensure no critical issues are overlooked. During this stage, triage specialists review and classify alerts. Those alerts deemed serious will be escalated to an incident responder.
Stage Two: The Analysis
During this stage, the team's threat hunters need to analyze the alerts that have been escalated to them and prioritize them in order of importance. The issues that will affect the company's operations and business continuity most need to be prioritized. For instance, any activity indicating that someone has infiltrated the system, such as the installation of a backdoor or a rootkit/RAT, should be responded to immediately.
Stage Three: The Recovery
During stage two, any attacks on the system are addressed. In stage three, the damage done by those attacks is assessed and repaired by the security analysts. Different types of attacks will require different recovery steps. Some of these steps may include updating your systems, restoring backups, re-configuring network access, validating patch procedures, running vulnerability scans, reviewing monitoring capabilities, and more.
Stage Four: The Audit
The last stage is the audit. The SOC manager typically oversees the audit. It's essentially a thorough evaluation of existing systems performed to identify and fix any vulnerabilities before someone takes advantage of them. Such an audit generally includes running network vulnerability scans, reviewing SOC processes, and generating compliance reports.
What Makes an Efficient SOC?
An effective SOC is an efficient SOC. The following are some of the metrics that are critical to a SOC team's ability to remain effective and to keep improving:
- Average incident detection time - This metric is calculated by taking the total time it takes to detect an incident and dividing it by the number of incidents detected. It's important because it's a good measure of how fast the SOC is identifying incidents.
- Average time from discovery to remediation - This metric is important because it shows how long an issue takes to get resolved.
- Number of tickets closed - This metric gives a sense of the efficiency of the SOC. A higher number indicates that the team's threat models and incident response procedures are working, so that incidents get resolved as quickly as possible.
- Number of incidents per analyst - A high number on this metric is good because it shows that the team is building more efficient task workflows and threat models that help detect security issues sooner.
- Incidents by device or application type or by type of threat - It's essential to know how many incidents are detected by device or application type. This metric helps analysts build more effective threat models and write search queries that make incident response procedures more effective.
- Time between threats or incidents - This metric should be low to show that the SOC is building more efficient threat models and search queries for its incident response procedures.
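As an added example that is not part of the original article, the script below computes the metrics listed above, plus the Tier 1 escalation decision from the classification stage, over a handful of constructed sample tickets. The ticket fields, the ESCALATE set and the function names are assumptions made for this illustration, not a real ticketing schema.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed sample tickets (not real data). Timestamps are ISO 8601, "resolved"
# is None for open tickets, and severity uses the four classes from the article.
SAMPLE_TICKETS = [
    {"id": "T1", "severity": "Critical", "analyst": "alice", "device": "server",
     "threat": "backdoor", "occurred": "2024-03-01T08:00:00",
     "detected": "2024-03-01T09:00:00", "resolved": "2024-03-01T15:00:00"},
    {"id": "T2", "severity": "Low", "analyst": "bob", "device": "workstation",
     "threat": "phishing", "occurred": "2024-03-01T10:00:00",
     "detected": "2024-03-01T12:00:00", "resolved": "2024-03-01T13:00:00"},
    {"id": "T3", "severity": "High", "analyst": "alice", "device": "workstation",
     "threat": "malware", "occurred": "2024-03-02T08:00:00",
     "detected": "2024-03-02T11:00:00", "resolved": None},
    {"id": "T4", "severity": "Moderate", "analyst": "carol", "device": "server",
     "threat": "misconfiguration", "occurred": "2024-03-03T08:00:00",
     "detected": "2024-03-03T10:00:00", "resolved": "2024-03-03T13:00:00"},
]

# Severities that Tier 1 escalates to an incident responder (assumed policy).
ESCALATE = {"Critical", "High"}


def hours_between(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def soc_metrics(tickets):
    """Compute the article's SOC metrics from a list of ticket records."""
    closed = [t for t in tickets if t["resolved"]]
    occurred = sorted(t["occurred"] for t in tickets)
    gaps = [hours_between(a, b) for a, b in zip(occurred, occurred[1:])]
    return {
        # detection time: from the incident occurring to the SOC noticing it
        "avg_detection_hours": mean(hours_between(t["occurred"], t["detected"]) for t in tickets),
        # remediation time: from discovery to resolution, closed tickets only
        "avg_remediation_hours": mean(hours_between(t["detected"], t["resolved"]) for t in closed) if closed else None,
        "tickets_closed": len(closed),
        "incidents_per_analyst": dict(Counter(t["analyst"] for t in tickets)),
        "incidents_by_device": dict(Counter(t["device"] for t in tickets)),
        "incidents_by_threat": dict(Counter(t["threat"] for t in tickets)),
        "escalated": [t["id"] for t in tickets if t["severity"] in ESCALATE],
        "avg_hours_between_incidents": mean(gaps) if gaps else None,
    }


if __name__ == "__main__":
    for name, value in soc_metrics(SAMPLE_TICKETS).items():
        print(f"{name}: {value}")
```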
SOC Best Practices
In addition to following the NIST protocol for developing your SOC, there are several practices that you should implement to ensure that your SOC team is as effective and efficient as possible. These practices include:
- Implement The Right Strategy For The Right Situation - It's essential to know the right strategy for building an effective SOC. The correct approach depends on your business and its specific needs, and the strategy you develop should be efficient and scalable.
- SOC Needs To See Everything Across The Organization - The SOC should build search queries and threat models that give it visibility across the whole organization, so that the security processes it implements protect the entire organization.
- Invest In The Right Tools And Services - At the very least, your team will need SIEM (security information and event management) software. However, other valuable tools for SOC teams include EDR (endpoint detection and response) tools, malware quarantine and analysis tools, ticketing software, and UEBA (user and entity behavior analytics) tools, to name a few.
- Hire And Train Wisely - Hiring the right employees is critical to building an effective SOC. The more experienced and skilled your analysts are, the better they will be at building more efficient processes and building threat models that will help them see everything across the organization. Additionally, you'll need a SOC manager capable of training your team to follow your organization's processes and effectively use your available tools.
- Consider All The Available Options - There are several options available when building a SOC: for example, which tools you decide to invest in, whether you develop your team internally or outsource, and more. Consider your options based on what your organization's needs are.
Building An Effective And Efficient Security System For Your Organization
One of the most important decisions you can make as an organization is building an effective and efficient security system for your business. Without adequate security, your company is vulnerable to a wide range of cyber attacks that can not only cause disruptions and hurt your reputation but can also cripple your operations. As such, you need to build a SOC that allows you to monitor, detect, and address incidents promptly. You'll also need the right people and tools to ensure that security issues are fixed correctly and that potential vulnerabilities are identified and addressed before they are taken advantage of.