You have come to the realization that you need a Security Operations Center (SOC). Now comes the time where you have to decide how you want to implement your SOC. There are all kinds of choices that need to be made: Is it going to be in house, a managed service, or a hybrid of those? What technologies are you going to use? How big does it need to be? How large is the budget? One of the first things that you need to do is to figure out what you are going to look for in your SOC. What behaviors or characteristics do you want your SOC to have? Some of the most important things to look for or develop are training, quality, and relevance.
SOC Characteristics and Behavior
- Training is listed first for a reason. Just as your software and hardware need to be kept up to date, you need to keep your people sharp too. Your Security Operations Center needs to be a top-notch training environment that encourages its members to constantly improve and keep up with current technologies and trends. Threats and threat sources are constantly adapting, and a well-trained SOC staff will be able to adapt with them. A path toward security industry certifications (CEH, CISSP, Security+, for example) is one available approach. Learning new SIEM systems, or retraining on current ones, will also ensure you are getting the most out of your tools.
- Quality speaks to many different things. It says that the company running the SOC, whether in house or a managed solution, cares about what they do. If the company running the SOC does not care enough to keep their hardware, software, people, and buildings up to date, then how can you expect them to care about your data? If there is little or no effort to make sure they can support the most current technologies and security methods, then how can they be trusted with what is most important to you? Quality also speaks to people: if they hire less than qualified staff, or if they do not have systems and processes in place, then it will be very difficult for them to provide a service that actually works.
- Relevance ties back into the other two and adds its own dimension. The company you want is the one that is able to support what you need in monitoring, testing, remediation, and compliance requirements. They should also be able to grow with you and even anticipate where you will go in the future. They should not try to get you involved in systems that do not support, or barely support, your security mission. They should be getting you the systems and support that align most closely with what you want to accomplish, not just hand you an off-the-shelf, one-size-fits-all product. Your Security Operations Center needs to be able to protect you, so it should know about you and how you use and protect your data.
With security, it is important that the people, systems, and facilities are cared for and kept up to date. The big thing these days is not if but when you will have an intrusion on your network. The best way to combat that is to have good people with the best training working on the systems that will best protect your network, with an established protocol in place. You want people who not only know how to recognize when something bad is happening, but also know how to contain the intruder and the damage done.