Building A SOC, from A to Z.

Protecting and defending against digital attacks requires visibility into, and control of, the digital infrastructure within your organization and of all the events taking place in it. An increasingly common way to achieve this is to set up a Security Operations Centre (SOC).

A SOC is an effective facility for monitoring business information security and digital threats. In this article, we walk you through the bits and pieces of building a SOC.

What are the challenges?

  1. Building a SOC requires cooperation with many parts of the organization.
  2. It is costly and time-consuming.

What is a SOC?

SOCs are most commonly tasked with security monitoring: the centralized collection and correlation of log data from relevant applications and devices on the network, in order to identify deviations from normal behaviour that may indicate an attack.

A Security Information &amp; Event Management (SIEM) system is an indispensable tool for a SOC. SIEM systems are software products that interpret log data from various sources and correlate events across those sources in order to detect cyber-attacks and other security incidents taking place in and around the network.

Simple monitoring as the starting point.

Start small and then build on this:

  1. Begin by having the IT administration team monitor log data from a select number of key infrastructure or middleware components, such as your firewall, a web server or your antivirus product. Focus the monitoring on technical aspects initially, so that the necessary interactions stay confined to the IT administration team.
  2. Build up experience with the monitoring, detection, registration and mitigation of incidents.
  3. Do not increase the number of monitored systems too soon. Gain experience first!
  4. Ensure you have the right tools for registering incidents.

What is needed to be able to monitor security incidents?

In order to achieve adequate monitoring of information security, there are a number of measures that the organization must put in place first.

  • Information security policy:

A key measure when building a SOC is having an information security policy that has been approved by management. The objectives set out in the information security policy help to establish the areas the SOC will focus on.

  • Overview of the application landscape:

An overview of the application landscape provides insight into the information the organization possesses and the manner in which the information is processed.

  • Results of recent risk assessments:

The risk management department is ideally positioned to answer the question of what the SOC should monitor. This is not limited to office automation: any system or information processing is eligible for monitoring by the SOC if the risk assigned to it by the risk management department is sufficiently severe.

  • IT administration team:

Proposals for preventing attacks or enhancing security should not be taken up by the SOC itself, but are instead a matter for the IT administration team. Key aspects in this regard are a well-developed incident management procedure, a well-equipped IT service desk, clear agreements with the IT administration team on the priority given to notifications from the SOC, and an appropriate mandate for the SOC.

  • Ownership of information systems:

Each information system must have a manager as system owner who can make decisions about it. This concerns in particular the decisions that must be taken when a contingency plan is put into action, such as whether to take the information system offline and which measures are required to cope with the downtime.

Development into a SOC.

Putting processes at the centre of discussions makes it much easier to establish links with the various departments and the staff who work there. To succeed in establishing these links, an appropriate development strategy for the SOC is needed.

  • Knowledge and skills for SOC staff:

SOCs are a relatively new development, so skilled and, above all, experienced SOC staff are hard to find. Therefore, start a new SOC with employees who have the right motivation and mindset, and invest sufficiently in training.

  • Choosing whether to do it yourself or outsource:

An important early decision when implementing a SOC is whether to outsource it. Assess each option in terms of flexibility, cost, available knowledge and personnel, and so on; only then can you choose soundly between doing it yourself, outsourcing, or a combination of both. If information processed by the SOC is sent outside the organization, ensure compliance with the applicable legislation.

  • Processes:

  1. Define types of incidents by distinguishing between levels of impact, and establish which steps SOC staff should follow for each.
  2. Establish which staff members should be approached if an incident arises.
  3. Establish the required options for scaling up or escalating matters and arrange this with the relevant responsible staff members.
  4. Make arrangements for normal monitoring tasks within the SOC to be continued during an incident.
  5. Develop a communication plan and design processes so that the deployment and added value of the SOC can be measured.

  • Engaging with the business :

A SOC must:

  1. Engage with the business in order to understand what is important to it.
  2. Liaise with the appropriate managers and system owners.
  3. Involve the risk management department in such discussions.

The information security policy and the outcomes of risk assessment can help:

  1. Provide insight into threats and prioritize these appropriately.
  2. Come to clear agreements with the business regarding the manner and format in which the information for the SIEM system is to be provided.

  • Selecting a SIEM system:

Once all the organization's needs have been established, a sensible approach is to approach suppliers, visit trade fairs and, if possible, visit organizations that have already implemented a SIEM system. Consider this decision carefully: once you have chosen a solution, migrating to another one later will be costly and labour-intensive. In addition to the capabilities of the SIEM system, also consider the installation and maintenance requirements and the knowledge the SOC staff will need to have.

  • Threat intelligence:

Invest in acquiring threat intelligence to feed the SIEM system, and ensure SOC staff have sufficient time to keep up to date with developments in the area of digital threats.

  • Impact on privacy:

Together with your privacy officer, conduct a Privacy Impact Assessment (PIA) for all data collection activities that could include privacy-sensitive information. Investigate the options that the available SIEM systems offer in the area of privacy protection.
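One such option, shown here as an added example that is not from the factsheet or the original article, is keyed pseudonymisation of personal data at ingestion: user names and source addresses are replaced by an HMAC-SHA256 token so that analysts can still count and correlate per actor, while the SIEM (or an outsourced SOC) never holds the plaintext. The example also shows why an unkeyed hash is not enough: identifiers such as user names and IPv4 addresses come from small spaces and can be recovered from a candidate list. The events, the candidate list and the key are constructed for the example; in a real deployment the key comes from a secret store under the organisation's control.

```python
"""Added example: keyed pseudonymisation of personal data before SIEM storage.
Sample events, candidate names and the key are constructed for this example."""
import hashlib
import hmac

# Constructed events, as a SIEM might hold them after normalisation.
EVENTS = [
    {"ts": "2024-03-01T10:00:10Z", "user": "j.doe", "src_ip": "203.0.113.7", "action": "login_failed"},
    {"ts": "2024-03-01T10:00:11Z", "user": "j.doe", "src_ip": "203.0.113.7", "action": "login_failed"},
    {"ts": "2024-03-01T10:00:15Z", "user": "j.doe", "src_ip": "203.0.113.7", "action": "login_ok"},
    {"ts": "2024-03-01T10:00:20Z", "user": "a.smith", "src_ip": "198.51.100.4", "action": "login_ok"},
]
PII_FIELDS = ("user", "src_ip")

# Constructed key for the example. In a real deployment the key lives in a secret store
# under the organisation's control and is never handed to the SIEM or an external SOC.
KEY = b"constructed-example-key-keep-out-of-the-siem"


def pseudonym(value, key, length=16):
    """Deterministic keyed pseudonym: HMAC-SHA256 truncated to `length` hex characters.
    Equal inputs give equal tokens, so counting and correlation per actor keep working."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:length]


def pseudonymise(event, key):
    """Return a copy of the event with every PII field replaced by its pseudonym."""
    out = dict(event)
    for field in PII_FIELDS:
        if field in out:
            out[field] = pseudonym(out[field], key)
    return out


def unkeyed_pseudonym(value, length=16):
    """Weak alternative: plain SHA-256. User names and IPv4 addresses are low-entropy,
    so anyone can rebuild the mapping by hashing a list of candidates."""
    return hashlib.sha256(value.encode()).hexdigest()[:length]


def dictionary_attack(token, candidates, token_fn):
    """Try to re-identify `token` by running every candidate through `token_fn`."""
    for candidate in candidates:
        if token_fn(candidate) == token:
            return candidate
    return None


def failed_logins_per_actor(events):
    """A typical SOC use case that must still work on pseudonymised data."""
    counts = {}
    for e in events:
        if e["action"] == "login_failed":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


def reidentification_table(values, key):
    """Reverse mapping for authorised follow-up only; kept with the key, apart from the SIEM."""
    return {pseudonym(v, key): v for v in values}


if __name__ == "__main__":
    protected = [pseudonymise(e, KEY) for e in EVENTS]
    print("failed logins per (pseudonymous) actor:", failed_logins_per_actor(protected))
    candidates = ["a.smith", "j.doe", "root", "admin"]
    print("unkeyed hash recovered:",
          dictionary_attack(unkeyed_pseudonym("j.doe"), candidates, unkeyed_pseudonym))
    print("keyed token, attacker without the key:",
          dictionary_attack(pseudonym("j.doe", KEY), candidates, lambda v: pseudonym(v, b"wrong-key")))
```

Whether pseudonymised data still counts as personal data under the applicable legislation is a question for the privacy officer, not for the code; what the technique gives you is that a leak of the SIEM alone, or access by an outsourced SOC, does not expose plaintext identifiers, and that re-identification is a deliberate, logged step by whoever holds the key.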

  • More responsibilities for a SOC?

Penetration tests and forensic IT investigations are among the other tasks a SOC can perform, but it is recommended to let the SOC focus on its main task: monitoring. After all, cyber criminals are continually looking for new ways to carry out their attacks, and SOC staff should be able to dedicate continuous attention to this.


This article is based on the National Cyber Security Centre's factsheet on building a security operations centre.

More articles from BLUESEC