12 Things to Know Before Building an In-House SOC
Creating a SOC: What to know before you get started.
Creating a Security Operations Center (SOC) can be extremely challenging, but the benefits almost always outweigh those challenges. Before you get started, there are a few things to understand and even figure out ahead of time with your stakeholders that will make the entire process much smoother. In working directly with customers through this process, we’ve seen patterns of things that organizations underemphasize or completely overlook. Often it is easier to hire help from an external agency for SOCaaS solutions, but if you want to go ahead and get started on your own, here are some things you should consider.
1. A SOC is only as good as the network.
Do you have a single firewall or a DMZ with redundancies in place? Do you have an IDS, EDR, and SIEM? Where are the sensors? Do you have standard devices across your network or not? The fact of the matter is that the choices you have already made in developing your network establish the challenges your SOC will face. If you have developed this network from the ground up with the intent to one day build and manage a 24/7 SOC, then that’s great! You will likely have an easier time than most. Unfortunately, this is not often the case. The reality is your company must make tough decisions on where to focus precious resources. While this can burgeon the company’s revenue, it can cause trouble for the ones trying to secure it from an ever-growing list of threats and vulnerabilities. Whatever state you’re in, a SOC can help with a path forward. You just need to be sure to tailor your expectations to how high the mountain is they need to climb.
2. Documentation is power.
Things happen fast in a SOC. An Analyst’s time is a precious resource that can be spent fumbling through known issues or running down conflicting guidance if your overarching policies, priorities, or controls are not clearly communicated in writing. Every second that they spend on any of these is a second they’re not investigating suspicious events that were completely avoidable.
3. You’re going to have turnover.
A SOC can be a demanding environment. Shift work can greatly impact sleep cycles and social lives. Things can come to Analysts at a blistering pace and from all kinds of avenues. On top of all that, a SOC Analyst could be an entry-level position for individuals looking to forge a much different career, and the experience individuals gain in this kind of environment can be invaluable to recruiters. Luckily, there are several things you can do to reduce SOC turnover and even use it to your advantage.
4. You can do it wrong.
A SOC is generally a reasonably large investment in technology and people. As such, there are thousands of things that can go wrong in a SOC. Poor shift selection, personnel shortages, bad training, no reference material, and no support from the necessary system or service owners — just to name a few. Don’t pass up the hard-won lessons of experience and seek out several perspectives from across different industries. You might get the chance to do something truly innovative.
5. Every Analyst is not equal.
You’ll have a rockstar employee that seems to always know everything and is always prepared with a full and reasoned report. Don’t let that skew your view of the silent contributors in the group. SOC work requires hyper-awareness and solid reporting, but it also requires deep thought and strategy. Having someone who can take that extra second to think about a common problem or event differently will win in the long-term game of security. You need all types of people to run an effective team.
6. You don’t need 30 SMEs.
It might seem like a good idea to hire all the top talent you can get your hands on and really stack your roster. It’s not. Aside from exacerbating the risks of turnover, you must consider that a SOC is as much about effective communication and teamwork as it is about technical skills. Yes, you need solid SME’s that will be able to direct the traffic, put rock-solid procedures in place, and mentor more junior resources. However, you will also need people that are hungry to learn and develop their cybersecurity skills to do the heavy lifting.
7. A SOC won’t solve all your problems.
Your SOC can and will increase your ability to identify incidents and greatly increase your response time to those incidents, but all resources are finite while the data coming across your network devices is practically infinite. SOC’s are a prime target for over-tasking. While it is true the SOC is an operations center and can be that swiss army knife in a pinch, leaders need to be careful that they are not “going to the well” too often. The planned workflow for a SOC is so unpredictable that adding another workstream is seldom something to do off-hand. Are you sure that you have the best resource for the job? Do you know what efforts are being delayed? The answer can go either way, but the question is absolutely necessary.
8. ..But, a SOC can also be your greatest resource.
You are about to put some brilliant people squarely between you and problems you might know nothing about. They will see any cut corners and every inconsistency. They are your best resource when they are empowered to bring these to the attention of your organization. Plan out how you want to receive this type of information and have a mechanism in place to affect change should they find anything that needs attention.
9. What do you care about most?
Don’t get me wrong, you can throw a group of pros in a room with access to your network, and they might make something happen. However, if you don’t know what you (or your company) cares most about, you will do a poor job providing your SOC the direction they need to serve you best. Should we focus on a list of HVA’s? Should we prioritize the host logs or do you care more about web services? What does success look like for your organization? A SOC needs metrics just like any business section, and if these aren’t directly in line with what you care about, you (and your boss) will be unhappy.
10. A good SOC needs your continued support.
A SOC is just an extension of your organization. They are in constant struggle with your network and the threats that are looking to take advantage of its vulnerabilities. Unfortunately, securing devices means reducing functionality, and there may be things that are common around your company or a business section that opens a nasty vulnerability. If the SOC does not have the ability to affect change where it needs to, then it needs a champion to help push the needle.
11. A Security Operations Center not just a CISO/CIO effort.
Do portions of your business have to abide by separate directives, policies, or laws? Likely, the answer is yes. As part of standing up your SOC, it is a good time to revisit what your company really needs and is responsible for. Not only will it help to have a SOC representative have points of contact in these business sections, but it is a force multiplier to have the governance, regulation, and compliance picture refreshed before training your operations center on proper escalation chains and incident identification.
12. Know that you need a SOC.
Last but not least, a SOC is a big investment that pays off when done at the right time. SOCs can be scaled. They can grow alongside an organization, be stood up mid-flight, or outsourced, but all require reasoned intention and a commitment to achieve success.
How to get started.
A successful SOC requires thoughtful planning and consideration for all aspects of security and operations. Hopefully, this can help steer you in the right direction or at least give you something to think about. MindPoint Group also has extensive experience in helping some of the most secure organizations in the world build out the SOCaaS capabilities. Schedule a free discovery session to learn more.