6 key steps to building a modern SOC

Creating a modern security operations center (SOC) requires so much more than getting the right equipment and hiring experts. In fact, it’s a constant process of keeping up with countless security threats, staying up to date with developing trends and technologies, recruiting and keeping skilled professionals, while also providing them with an environment they can thrive in. All this, while aiming to improve the overall organization’s security posture and performance.

In this blog, we will sum up some of the most important pillars which are essential for building a modern security operations center.

1. Measure your successes and your failures

Security operations centers (SOCs) continuously struggle to follow the rhythm of the countless inbound security alerts and often have difficulty prioritizing those which are most relevant among the influx of false positives. As it often happens, teams lack both time and the right tools for performance measurement, and measuring success is of the utmost importance within a modern SOC. If a SOC team can’t present facts that represent the true value of the team for the company, then the entire existence of the team could be under question. The same thing applies to both success and failure – if team members can’t pinpoint gaps and pain points, then resolving issues like budgeting and recruiting to invest in new technologies or resources might not be possible.

A well-functioning SOC needs essential key performance metrics, and this may include but is not limited to:

• How many events are being received

• How many events are being handled (per time period per analyst)

• Is the number increasing or decreasing

• How many false positives are being received

As well as assessing the cost and risk associated with them. It is also important to make sure your SOC provides the latest tools and technologies for your team of experts to use to be successful in the right way providing significant value. If you can not provide this, analysts will likely be jumping between many different tools and screens, and be overwhelmed with so much threat data that they will struggle to identify the real threat intelligence to find the answers they need. If this is the case, prepare to face more failures than successful situations due to a lack of efficiency. Also, don’t forget that monitoring the success or more importantly identifying where further improvements need to be made is critical when reviewing existing tools or implementing new tools into the SOC infrastructure.

Check whether you have the right people and procedures, as well as tools in place that enable you to detect and respond to a threat in the shortest time frame possible. For this to happen, your company needs to invest in modern SOC technology and methods.

2. Hire the right experts

A well-rounded SOC team should consist of several experts that come with different skill sets and focuses, including:

• An alert analyst to monitor the alerts and the condition of security sensors

• A subject matter expert who will operate as a threat hunter

• An incident responder for deep incident analysis

These positions require advanced training in their position-relevant areas, which may include intrusion detection and malware reverse-engineering for example. But keep in mind that not every organization will have these skills on-staff or within their employment reach.

Hiring highly skilled experts for your SOC team is of utmost importance. Spend time searching for those candidates that possess the right skill set that will fit your company’s profile and goals. Aside from their expertise, your team members need to possess soft skills as well.

One approach you can take is to try and hire people from within the company, if possible. Start with the people from IT who have Active Directory skills by enlisting them to one of your projects. Also, consider hiring people from local schools and universities that have cybersecurity programs. You can hire undergraduates as interns and recruit them after getting their degrees. Having a good relationship with local schools can prove as an excellent source of help.

With today’s current shortage of skilled cybersecurity professionals and with their increasing turnover, it is important for companies to utilize tools and technologies that assist with knowledge transfer, for example between different levels of analysts. Keeping tribal knowledge within the organization is also key, as valuable knowledge and insights into different threats will be gained over longer periods of time. If a highly skilled and longer-term analyst is to leave, their knowledge is likely to be lost with them, so this needs to be factored into existing SOC processes.

3. Stay on top of emerging threats

Stay up to date with the latest technology trends. This is often an ongoing uphill struggle that might require your attention to many details, such as the following:

• Make all your assets visible. Prepare to answer the following questions: Who’s using your assets? Where are they? What’s the current state of your network landscape? Can you name some common usage patterns?

• Stay up to date with emerging trends in your business and industry. This often means staying involved in continuous research of new systems and technologies the organization should be considering investing in.

• Be equipped with the right knowledge and skills for all actors in the industry and business, especially the bad actors. Moreover, keep track of all of the changes within the relevant ecosystem and be proactive whenever you spot a potential security risk that should be addressed.

Ongoing training and professional development for team members at all levels are critically important to ensure that the SOC team remains an effective tool within the organization. Attacker tools and tactics are constantly evolving. Detection and defense techniques which were effective years ago may no longer be relevant to current threats. SOC teams must be aware of the most current threats, industry best practices, and remain proficient in all the technologies in use in the enterprise.

Although traditional classes can be very effective for training and professional development, they are often the most expensive option. There are many other training and professional development options which are less expensive and can be used to supplement traditional classes. Some of these options include remote training, hosting an in-house training (which often results in discounted or free seats, lunch and learn, or other short trainings) conducted by in-house staff, or live exercises such as CTF or team challenges.

4. Set up close communication channels on all levels

Your SOC team will need help from the IT department (and possibly other organization departments). Both teams should have proficient conduct of asset management, system patching, and configuration management. The prime focus of these should be to closely monitor the exploits and problems that allow threat actors to succeed in their intentions.

Consider how you can put your SOC into focus within the company. A good starting point to do this is to consult the sales team, which will often prove to be an invaluable source of quality ideas. This is especially true considering the fact they get many questions about the security of products and services they sell, and even more so now when things are moving to the cloud. The overall goal should be for everyone within the organization to get an idea of the importance and relevance the SOC team has within it.

5. Know what to focus on

There’s no team out there in any type of industry that has limitless resources. Quite the contrary, many security teams are often chronically understaffed and find it impossible to catch up with the ever-growing workload. Add to this the overwhelming number of alerts, a huge amount of which are false positives, and you have what’s known as alert fatigue. To avoid analysts suffering from this, the focus should be on those threats that could cause issues with the company’s major assets, and tools should be put in place to easily identify those which are true security incidents versus those which are false positives.

Moreover, make sure your teams know what they’re protecting and why. Not knowing the real risk, the team members will treat all alerts with the same attention and priority. Lastly, establishing transparency and good communication will go a long way to providing your team the knowledge and skills to make decisions and prioritize in critical situations.

6. Provide the right infrastructure to support your SOC

The things you dedicate your time and focus on are your priorities. If SOC team members spend valuable time searching for assets, waiting for data, and jumping between screens, there won’t be many positive outcomes. You may have brought together the most skilled experts, but without the correct tools, they’ll be somewhat helpless. Make sure your company provides them with the latest, most sophisticated technologies that can be fused together for more intelligent use, including:

• Data Collection Tools

• Endpoint Protection Solutions

• Security Information and Event Management (SIEM) Solutions

• Security Probes

• Security Orchestration and Automation Tools

SOC teams often lack the context of incoming alerts and don’t have enough data to make conclusive decisions right away. Once analysts are alerted of suspicious activities, they should immediately focus on threat mitigation. Common threats should be added to playbooks, with full or partial automation, saving valuable analyst time on repetitive and mundane tasks.

Among the numerous sophisticated cyber solutions available on the market today, you may want to consider those that have:

• Threat hunting tools to help your team members analyze unusual events (beyond traditional alerting mechanisms) to determine risk almost in real-time.

• Automated playbooks to mitigate threats as they’re exposed, so that analysts can focus on what matters, without burning out.

• The ability to incorporate threat intelligence in a manner that makes it relevant and actionable, not just another threat feed.

• An open platform or ecosystem which allows them to easily share data or communicate with other solutions in the enterprise.

Final thoughts

These steps make a good starting point, but there are so many more details to keep an eye on, it’s virtually impossible to mention every single one there might be out there. After all, each organization has a unique structure and therefore, unique challenges and goals that come with it. Building a SOC is merely the beginning: the next would be how to properly set this team up to fit the needs of the company. In order to keep pace with the evolving cybersecurity landscape, companies and organizations need to embrace new technologies and strategies in every segment and take a proactive security approach if they want to be successful and relevant.

Stay tuned to our blog content to find the answers to common cybersecurity questions, specifically focused on transforming your security operations to be more effective and efficient.