How To Build a Powerful Security Operations Center, Part 1: Motivation Logistics

There’s a certain mystique and excitement surrounding the idea of a security operations center.

It puts your in mind of a mission control style room, possibly in an underground bunker, where people in uniforms shout orders and spend all their time responding to imminent threats.

And in a world where cyber attacks have become a daily reality, and even midsize organizations are forced to designate substantial budgets for cyber security, the idea of implementing a SOC has become far more realistic.

For that reason, this will be the first in a series of posts explaining how smaller or midsize organizations can realistically go about building and maintaining their own SOC. We’ll be covering everything from technological requirements and personnel to financial investment, infrastructure, and performance monitoring.

But first… 

Many organizations train users to report suspected phishing emails, but then fail to promptly analyze and act on them. To find out how to use reported phishing emails to detect and stop incoming attacks, register for our free on-demand webinar.

What’s Your Mission?

The fastest way to ensure your SOC achieves very little beyond a huge hole in your security budget is to fail at the first hurdle: Agreeing on your mission.

Without a designated mission, you’ll find that over time your SOC’s unofficial mission becomes “all things security”. For obvious reasons, that just isn't going to work in the long term.

For a start, your SOC almost certainly doesn’t need to be responsible for ‘business as usual’ security processes such as developing and delivering training. They’re also unlikely to take routine service calls from individual users, which are more commonly handled by a designated IT help desk.

While precise missions will be dependent on your organization’s needs, the following should hopefully provide an idea of what a SOC’s mission might look like:

“The Security Operations Center is responsible for defending the organization's most sensitive and confidential assets. To that end, responsibilities include monitoring network activity, identifying and responding to incoming threats, and managing the organization’s technological assets (e.g. security controls, network devices). The SOC will provide 24/7/365 coverage.”

In the pursuit of this (or similar) mission, your SOC is likely to cover some of the following functions:

• Real-time monitoring of incoming and outgoing network traffic
• Incident detection, triage, and analysis
• Malware, indicator of compromise (IOC), and network artifact analysis
• Incident response
• Vulnerability management, penetration testing, and internal hunting
• Maintenance of network and security assets

Your SOC might also be responsible for identifying and passing on relevant intelligence to other teams. For instance, our own SOC at PhishLabs routinely passes on intelligence to our Research, Analysis, and Intelligence Division (R.A.I.D.), which is then used to inform our employee defense training (EDT) services.

It’s vital that the roles and responsibilities of your SOC are determined before any time or resources go into further planning. Without a clear mission, it’s easy to be sidetracked by other security functions that need to be filled, or poorly invest your resources in a way that doesn’t accurately reflect the needs of your organization.

But once you’ve agreed upon a mission for your SOC, you can move right along to…

Real World Problems

When planning a SOC, most organization first think about the people they’ll need to successfully achieve their mission.

But that’s a mistake.

Before you reach that stage, you’ll need to determine where your SOC will be located. Because the thing is, when your duties are as sensitive as those of the average SOC, you can’t simply house them in a corner office on the ground floor, where anybody could wander past and peer through a window.

In fact, depending on the nature of the work they’ll be doing, you may need to put some serious time, effort, and resources into identifying and equipping a designated SOC location. Typically, your SOC will be housed in the most protected and private room your organization has at its disposal, whether onsite or in a separate building.

Covering external windows is something you might consider, but if possible it’s better to house your SOC in an interior room, where this isn't necessary. If that’s not possible, another option is to use an office on an upper floor where being overlooked isn't a problem.

Beyond this, you’ll want to consider physical access to the location. Many SOCs make use of multi-factor authentication techniques (including biometrics) to ensure unauthorized personnel don’t gain access.

And physical security is just the first of many logistical concerns. Most SOCs provide 24/7/365 coverage, and they may be the only members of your organization who do so. Heating, lighting, building lockup schedules, and all sorts of other basic functions will need to be planned to ensure your SOC analyst have the access and conditions they need to conduct their vital work.

People: Getting it Right

Of course, ultimately, every SOC lives and dies on the quality of its personnel. But this poses yet another problem.

The cyber security industry is facing a cataclysmic talent shortage, which doesn’t look as though it’s going to go way any time soon. As a result, the war for talent is well and truly on.

To address this, we strongly suggest that you put in the time and resources necessary to nurture a strong pipeline of good, young talent. As a starting point, you may need to hire more experienced (and thus more expensive) professionals, as the younger and less experienced analysts will need guidance as they develop.

Beyond this, though, your plan should be to identify and hire young, talented personnel, and train them up internally. As they progress, they can be given additional responsibilities, and compensated fairly for their hard work and loyalty.

Of course, there are downsides to this approach, the most obvious being that the personnel you invest in will naturally accumulate a great deal of market value, and some will move on to work elsewhere. This is a natural (even if frustrating) cycle, but it’s one you’ll have to deal with if you intend to maintain your SOC in the years to come.

Managing Operations

Once you have your mission, location, and personnel in place, you might think you’re home free. Unfortunately, the logistics of managing a 24/7/365 SOC are surprisingly complicated.

For a start, you’ll naturally want to ensure you’re hiring the right number of people to do the job. And just to provide 24/7/365 coverage, when you consider sick and holiday leave, you’ll likely need at least six people.

This is where employment law comes into play.

The typical 40-hour work week doesn’t fit well into the 168-hour week. If you’re hoping your analysts will work more than 40 hours per week, though, you’ll need to find out precisely what is and isn’t legal in your state or country.

Your most obvious scheduling options are for each analyst to work either five eight-hour shifts per week, or to take on a rolling three days on/three days off approach with 12-hour shifts. Either way, you’ll have to pay close attention to scheduling to ensure each analyst is kept happy - Most people don’t like to work exclusively at night, and almost nobody likes working on the weekend.

Of course, there is a silver lining here. Chances are you aren’t the person who will need to deal with all this scheduling on a weekly basis.

As with any team, management plays a huge part in ensuring daily security operations go off without a hitch. And to that end, we’d strongly recommend you ensure the vast majority of shift management takes place locally.

Remote management is an option, if absolutely necessary, but by making sure an experienced SOC manager is on site for every shift you’ll dramatically reduce the chances of anything going wrong. Whether they need to step in and take an urgent call, guide less experienced staff, or provide leadership during incident response, high quality managers are an essential element of a top-performing SOC.

In addition to their operational role, managers are there to ensure all of your analysts (who, don’t forget, you’re investing heavily in) are looked after, and receive the training, feedback, and development opportunities they need. They’ll also be able to identify ‘lieutenants’, who can help shoulder the burden of shift management, and may develop into future managers with time.

First Things First

Perhaps the single greatest mistake you can make when planning and setting up a new SOC is to get carried away with technological requirements before you’ve considered logistics. Ultimately, no matter how well equipped your SOC is, it won’t achieve the desired impact unless you have the right location, the right people, and the right management in place.

The trouble is, all that can require a lot of planning and investment. From overnight and public holiday coverage to ensuring each shift has heating, lighting, and an experienced manager, you’ll quickly find that implementing and maintaining a SOC is less glamorous than you might have imagined.

With all that said, a well-constructed, equipped, and managed SOC with a clear mission can be a tremendous asset for a security conscious organization.

In the next post, we’ll be looking at some other vital aspects of SOC implementation: Hardware, software, and infrastructure requirements, reporting metrics, and (the all-important) financial investment.

In the meantime, if you’d like find out more about how our threat intelligence offering can help your security professionals tighten technical controls and enhance your security awareness training, click here.