As the onslaught of cyberattacks continues, many organizations are setting up security operations centers, or SOCs, to monitor, assess and defend their networks and information systems. Setting up a SOC can take a significant amount of time and effort, so it's important to do it right.
It's tempting to jump right into selecting tools for the SOC and creating procedures. However, taking the time to first carefully plan and design your SOC will ensure it performs the right functions and that its processes are effective and efficient.
There is no one right way to set up a SOC. Each SOC must be organized to meet the needs and priorities of its organization. Still, there are core principles that all organizations should follow when setting up their SOC.
Senior management support when setting up a SOC is very important. Create a formal, documented charter that is annually approved by senior management.
The charter should describe the mission of the SOC and its primary responsibilities, its scope -- for example, will the SOC monitor all of an organization's information systems and networks or just a subset? -- and it should authorize the SOC to respond to cybersecurity incidents. The charter provides a clear guide for both SOC employees and others in the organization who will interact with the SOC, and it shows that the SOC has senior management's backing.
SOCs can provide many different services for an organization. It's critical that an organization formally define what services a SOC will and will not provide. Typical SOC services include:
- monitoring and triage of user reports and data feeds to identify cybersecurity incidents;
- long-term analysis and correlation of data feeds and incident data;
- incident response coordination;
- security log management -- collection, normalization and storage of security event log data;
- threat and vulnerability intelligence;
- threat assessment;
- vulnerability management; and
- forensic analysis.
The type and number of services a SOC provides depend heavily on the budget allocated for the SOC, on the organization as a whole and on the maturity of the organization's cybersecurity team. For instance, an organization may prefer to have another person or team perform vulnerability management or forensics.
SOCs typically evolve and mature over time, so services can be modified and added.
Key performance indicators
An organization should have formal, documented SOC key performance indicators (KPIs). KPIs are important because they help a SOC stay focused on its responsibilities, help ensure that SOC processes stay aligned with the overall objectives of the organization and identify SOC progress and areas that need improvement.
Typical SOC KPIs include:
- average incident detection time;
- average incident response time;
- event and ticket queue backlog -- the number of SOC tickets not addressed within the expected time;
- first call resolution -- percentage of first calls to the SOC that were resolved;
- first call escalation -- percentage of first calls to the SOC that were escalated;
- headcount to incident ratio -- average number of incidents handled per SOC employee; and
- headcount to ticket ratio -- average number of tickets handled per SOC employee.
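The KPIs above are only useful if they are computed the same way every reporting period, so the definitions need to be pinned down in code rather than left to whoever builds the dashboard. The following is an added example, not part of the original article or any particular ticketing product: it models a ticket with the timestamps a ticketing system records and computes all seven KPIs from the list. The ticket data is constructed, the 4-hour expected handling time used for the backlog is an assumed value, and the detection and response averages are taken over confirmed incidents only, which is one reasonable reading of "incident detection time" and "incident response time".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass
class Ticket:
    """One SOC ticket with the timestamps a ticketing system would record."""
    ticket_id: str
    event_time: datetime              # when the activity occurred, taken from the source log
    detected_at: datetime             # when the SOC opened the ticket
    responded_at: Optional[datetime]  # when response began; None while the ticket is still queued
    is_incident: bool                 # confirmed incident, as opposed to benign or false positive
    escalated: bool                   # handed past tier 1 on first handling


# Constructed sample data: five tickets from a single shift (not real incident records).
T0 = datetime(2024, 1, 15, 8, 0)
H = timedelta(hours=1)
TICKETS: List[Ticket] = [
    Ticket("T-001", T0,         T0 + 2 * H,   T0 + 2.5 * H,  True,  False),
    Ticket("T-002", T0 + 1 * H, T0 + 1.5 * H, T0 + 3 * H,    True,  True),
    Ticket("T-003", T0 + 4 * H, T0 + 4 * H,   None,          False, False),
    Ticket("T-004", T0 + 5 * H, T0 + 6 * H,   T0 + 6.25 * H, False, False),
    Ticket("T-005", T0 + 9 * H, T0 + 9.5 * H, None,          False, False),
]


def _minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60


def mean_detection_minutes(tickets: List[Ticket]) -> float:
    """Average incident detection time: occurrence to ticket creation, confirmed incidents only."""
    gaps = [_minutes(t.detected_at - t.event_time) for t in tickets if t.is_incident]
    return mean(gaps) if gaps else 0.0


def mean_response_minutes(tickets: List[Ticket]) -> float:
    """Average incident response time: ticket creation to start of response, confirmed incidents only."""
    gaps = [_minutes(t.responded_at - t.detected_at)
            for t in tickets if t.is_incident and t.responded_at is not None]
    return mean(gaps) if gaps else 0.0


def queue_backlog(tickets: List[Ticket], now: datetime, sla: timedelta = timedelta(hours=4)) -> int:
    """Tickets still unaddressed after the expected handling time (the 4-hour SLA is an assumed value)."""
    return sum(1 for t in tickets if t.responded_at is None and now - t.detected_at > sla)


def first_call_rates(tickets: List[Ticket]) -> Tuple[float, float]:
    """(resolution %, escalation %) over tickets tier 1 has handled; the two add up to 100."""
    handled = [t for t in tickets if t.responded_at is not None]
    if not handled:
        return 0.0, 0.0
    escalation = 100.0 * sum(1 for t in handled if t.escalated) / len(handled)
    return round(100.0 - escalation, 2), round(escalation, 2)


def headcount_ratios(tickets: List[Ticket], headcount: int) -> Tuple[float, float]:
    """(incidents per employee, tickets per employee) for the period the tickets cover."""
    incidents = sum(1 for t in tickets if t.is_incident)
    return incidents / headcount, len(tickets) / headcount


def kpi_report(tickets: List[Ticket], now: datetime, headcount: int) -> Dict[str, float]:
    """All seven KPIs from the list above in one dictionary, ready for a dashboard or weekly report."""
    fcr, fce = first_call_rates(tickets)
    inc_ratio, tkt_ratio = headcount_ratios(tickets, headcount)
    return {
        "mean_detection_minutes": mean_detection_minutes(tickets),
        "mean_response_minutes": mean_response_minutes(tickets),
        "queue_backlog": queue_backlog(tickets, now),
        "first_call_resolution_pct": fcr,
        "first_call_escalation_pct": fce,
        "incidents_per_employee": inc_ratio,
        "tickets_per_employee": tkt_ratio,
    }


if __name__ == "__main__":
    # Report as of 18:00 on the sample day for a four-person shift.
    for name, value in kpi_report(TICKETS, now=T0 + 10 * H, headcount=4).items():
        print(f"{name:28s} {value}")
```

Two design points are worth noting. Detection time is measured from the event's own timestamp in the source log, not from when the ticket was opened, so a feed that arrives late shows up as slow detection rather than being hidden. And the backlog counts only tickets that have exceeded the expected handling time, so a queue that is busy but keeping up does not register as a problem.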
When setting up a SOC, an organization must define types of employees and their operational hours, such as 8/5 or 24/7. There should always be at least two people in a SOC, and there should be a clear handoff of information and incident status when shifts change.
A typical approach is to have three types of SOC employees.
- Tier 1 -- alert analyst. This employee performs initial analysis and triage of incident reports and data feeds. They escalate events to tier 2 employees per operating procedures.
- Tier 2 -- incident responder. This team member provides initial response to incidents identified by tier 1 employees. They escalate to and coordinate with non-SOC employees, such as internal subject matter experts (SMEs) and third parties, as appropriate.
- Tier 3 -- SME or hunter. This type of employee has significant experience with cybersecurity incident response and will often lead an organization's response to complex incidents. When not doing incident response, this employee proactively hunts for suspicious or malicious behavior on information systems and networks.
Many SOCs start with tier 1 and 2 employees and, as they mature from being reactive to being proactive, bring in tier 3 employees.
A key responsibility of a SOC is to collect data, so it's critical to decide what data will be collected from what sources and how such data will be collected -- what format and via what protocols. SOC staff should work closely with information system and network SMEs to identify types of events and how they are logged. The goal is for the SOC to consistently receive alerts of significant events without being drowned in data. Typical sources of data include:
- network intrusion detection and intrusion prevention systems (IDS/IPS);
- host IDS/IPS;
- antimalware software;
- identity and access management servers;
- VPN servers; and
- file integrity monitoring tools.
Most of the above sources use common, well-known formats for event logging, such as syslog or Windows event log. The NetFlow protocol can be used to monitor network traffic.
Once an organization has defined the data its SOC will collect, it can create the requirements for its SOC data collection tools.
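The point of normalizing sources is that a rule can then be written once against a common schema and fire on behavior that spans hosts and log formats, rather than per source. The following is an added example, not code from the article or from any SOC product: it parses constructed BSD-style syslog lines (the format lacks a year, so one is assumed) and constructed Windows Security events in the JSON shape a log forwarder might produce (field names assumed; 4624 and 4625 are the real successful-logon and failed-logon event IDs), maps both to one authentication-event schema, and raises a single alert when one source address accumulates repeated failures within a short window, whichever system recorded them.

```python
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample inputs (not captured from any real system).
# BSD-style syslog from a Linux identity server; RFC 3164 timestamps carry no year.
SYSLOG_LINES = [
    "<86>Jan 15 08:01:02 idp01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "<86>Jan 15 08:01:04 idp01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "<86>Jan 15 08:01:05 idp01 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "<86>Jan 15 08:01:09 idp01 sshd[2212]: Accepted publickey for alice from 198.51.100.10 port 40110 ssh2",
    "<14>Jan 15 08:02:30 vpn01 openvpn[901]: TLS handshake with 198.51.100.10:40200 completed",
]
# Windows Security events as a JSON forwarder might ship them (field names assumed for this example;
# 4625 and 4624 are the real Windows failed-logon and successful-logon event IDs).
WINDOWS_EVENTS_JSON = [
    '{"TimeCreated": "2024-01-15T08:01:06", "Computer": "dc01", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}',
    '{"TimeCreated": "2024-01-15T08:05:00", "Computer": "dc01", "EventID": 4624, "TargetUserName": "bob", "IpAddress": "10.0.0.15"}',
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_AUTH_RE = re.compile(r"^(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


@dataclass
class Event:
    """Common schema every source is normalized into before correlation."""
    ts: datetime
    host: str
    source: str            # "syslog" or "wineventlog"
    action: str            # only "auth" is modelled here
    outcome: str           # "success" or "failure"
    user: Optional[str]
    src_ip: Optional[str]


def parse_syslog(line: str, year: int = 2024) -> Optional[Event]:
    """Parse one BSD syslog line; returns None for lines that are not authentication events."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year assumed: the format omits it
    a = SSH_AUTH_RE.match(m["msg"])
    if not a:
        return None
    outcome = "failure" if a["outcome"] == "Failed" else "success"
    return Event(ts, m["host"], "syslog", "auth", outcome, a["user"], a["ip"])


def parse_windows(record: str) -> Optional[Event]:
    """Parse one forwarded Windows Security event; keeps only logon success and failure."""
    d = json.loads(record)
    if d.get("EventID") not in (4624, 4625):
        return None
    outcome = "success" if d["EventID"] == 4624 else "failure"
    return Event(datetime.fromisoformat(d["TimeCreated"]), d["Computer"], "wineventlog",
                 "auth", outcome, d.get("TargetUserName"), d.get("IpAddress"))


def normalize(syslog_lines: Iterable[str], windows_records: Iterable[str]) -> List[Event]:
    """Merge both feeds into one time-ordered list of normalized events."""
    events = [e for e in map(parse_syslog, syslog_lines) if e is not None]
    events += [e for e in map(parse_windows, windows_records) if e is not None]
    return sorted(events, key=lambda e: e.ts)


def detect_auth_failure_bursts(events: List[Event], threshold: int = 3,
                               window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """One alert per source address that produced `threshold` failures within `window`,
    regardless of which host or log format recorded them."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.action == "auth" and e.outcome == "failure" and e.src_ip:
            by_ip[e.src_ip].append(e)
    alerts = []
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e.ts)
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1].ts - fails[i].ts <= window:
                alerts.append({"src_ip": ip, "count": len(fails),
                               "hosts": sorted({f.host for f in fails}),
                               "first": fails[0].ts, "last": fails[-1].ts})
                break  # one alert per source, not one per failed attempt
    return alerts


if __name__ == "__main__":
    evs = normalize(SYSLOG_LINES, WINDOWS_EVENTS_JSON)
    print(f"{len(SYSLOG_LINES) + len(WINDOWS_EVENTS_JSON)} raw records -> {len(evs)} auth events")
    for alert in detect_auth_failure_bursts(evs):
        print("ALERT", alert)
```

On the sample data, seven raw records become six normalized authentication events and one alert: the three SSH failures on idp01 and the one domain logon failure on dc01 come from the same address, and only the normalized view makes that visible. The unmatched VPN line is dropped by the parser, which is the "not drowned in data" requirement in practice; a real collector would route such lines to long-term storage rather than discard them, since the text lists security log management as a separate service.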
A SOC can be a valuable part of your organization's cybersecurity strategy. Follow the above recommendations when creating and setting up a SOC to ensure that it is performing the right tasks and effectively protecting your organization.