A FRAMEWORK TO DESIGN, ESTABLISH AND ENHANCE A SOC - PHASE B | DEFINE REQUIREMENTS

Setting up a SOC begins with clearly defining what is needed, based on your organization's operations and the primary goals for establishing the SOC. This initial step helps to prioritize what matters most, avoid unnecessary expansion of the project scope, and ensure the SOC is aligned with and supportive of business objectives.

B.1. Key Activities for Defining SOC Requirements:

  1. Governance Framework: Establish a robust oversight structure to ensure the SOC meets its goals and aligns with business strategies. While operational aspects may be outsourced, governance should remain an internal function.
  2. Risk and Compliance Alignment: Ensure that the SOC complies with legal and regulatory requirements and addresses specific business risks.
  3. Functional and Non-Functional Requirements: Specify what the SOC should do and how it should operate, including scalability and integration capabilities.
  4. Coverage Determination: Define the scope of the SOC’s monitoring capabilities across various domains of the business.
  5. Reporting Requirements: Set up protocols for regular reporting that supports decision-making and aligns with the SOC's objectives.

Governance Framework Details:

Establish a formal framework with executive oversight, typically through a steering committee linked to the organization's information security governance.

A pro tip: The difference between operations and governance is widely misunderstood. Operations is about conducting SOC activities; governance is about making sure it gets done. You should not outsource governance.

Elements to consider in the framework include business alignment, executive sponsorship, accountability, budgeting, mission objectives, and service level management.

Regular updates and reports from the SOC to these governance bodies are crucial to maintain alignment and address emerging issues.

SOC mission and objectives:

Explicitly state what you aim to achieve with the SOC—whether it’s for monitoring, reporting, or proactive threat response. Make these objectives pragmatic and measurable to ensure they truly meet your business needs.

Clearly document the SOC’s mission, objectives, and strategies in a SOC Charter, which serves as a guiding document throughout the SOC's lifecycle.

The SOC Charter is a foundational document that outlines the mission, strategy, scope, and operational guidelines of a Security Operations Center. While the specifics can vary, the charter should at least guide the SOC's long-term approach and daily operations, making clear any underlying assumptions. It's crucial to involve business leaders across the organization in crafting this document. Their input not only helps define clear objectives but also ensures broader organizational support for the SOC.

Consider what type of SOC best fits your needs:

- A Compliance SOC focuses on reporting to meet regulatory demands.

- A Hygiene SOC supports IT operations to maintain system integrity.

- A Specialized SOC deals with specific threats like espionage.

The SOC's mission and operations should be endorsed by key stakeholders, including top executives, and reviewed regularly (at least annually) to stay aligned with the organization's goals and the evolving threat landscape.

To justify the establishment of a SOC, answer these critical questions:

  • What specific problems will the SOC address?
  • How does the SOC fit into the broader corporate strategy?

B.2. Aligning with Risk and Compliance Needs:

A SOC helps reduce business risks and ensures compliance with regulations, which are often primary reasons for its establishment. Effective SOCs leverage their monitoring capabilities to provide valuable insights into compliance status and risk exposure, enabling quicker detection of and response to potential threats.

Understanding Risks:

Engage with business leaders to fully understand the risks to the organization. This understanding will dictate the SOC's focus, helping to tailor its functions to the organization's risk appetite and compliance needs.

A pro tip: Comprehensively understand the risks to the organization and its risk appetite. This will help to define the people, processes, technologies and funding required for a SOC to mitigate those risks in order of priority.

Balance Between Business Objectives and Compliance:

A successful SOC strikes a balance between fulfilling business objectives and meeting compliance requirements, ensuring it adds value while adhering to legal and regulatory standards.

Threat Profile Analysis:

A Security Operations Center (SOC) plays a crucial role in maintaining cybersecurity by using threat intelligence to conduct detailed threat analyses and map cyber attack paths. Depending on its level of maturity, an effective SOC will also proactively hunt for potential threats. Even before establishing a SOC, organizations should have a solid understanding of the threat landscape as part of their regular risk assessment processes. This foundational knowledge helps in defining the SOC's requirements and ensures that the monitoring technologies and strategies are aligned with specific threat scenarios. For instance, the tools and processes chosen should be directly influenced by the known tactics, techniques, and procedures of likely adversaries.

A pro tip: If the initial threat assessment is flawed or incomplete, there is the danger that the premise of the SOC will similarly be flawed and incomplete, such that relevant threats may not be detected. Perversely, building a SOC will enable a stronger threat assessment to be formed, reinforcing the importance of continuous improvement.

B.3. Defining Functional and Non-functional Requirements:

To ensure the SOC operates effectively and delivers value, it is crucial to establish both functional and non-functional requirements with precision and granularity. Functional requirements detail the specific tasks the SOC must perform, such as real-time monitoring or log retention, while non-functional requirements outline the SOC's operational attributes like scalability, integration, and performance constraints. These requirements help frame the operational scope of the SOC and influence subsequent decisions, such as tool selection and security provider partnerships.

B.4. Determining SOC Coverage:

The scope of monitoring within a SOC should be clearly defined and might include various business areas, processes, geographic regions, and aspects of IT infrastructure. Achieving comprehensive coverage can be challenging—surveys show that confidence in SOC coverage varies significantly among organizations. As companies increasingly adopt cloud services, the SOC's focus may shift to include monitoring these new environments, despite the challenges posed by external control over infrastructure and applications.

A pro tip: Core infrastructure coupled with endpoint, network and cloud monitoring provides a very good level of coverage as a starting point and a high return on investment.

A recent survey of Security Operations Centers (SOCs) revealed significant visibility gaps, especially in monitoring cloud services and mobile devices. This highlights the need for SOCs to adapt their monitoring strategies to cover emerging technologies effectively.

[Figure: IT components monitored by SOCs, from a recent survey]

B.5. Defining Reporting Requirements:

One of the primary functions of a SOC is to actively report on various security-related activities. These include detected threats, vulnerabilities, and security incidents. Effective reporting supports decision-making processes and justifies the investment in the SOC by demonstrating its value and impact. Regular, tailored reports should not only track the SOC's performance but also its progress towards maturity and continual improvement.

Designing the Reporting Framework:

The reporting framework of a SOC should be thoughtfully designed during the planning phase, taking into account the specific objectives of the SOC. This framework should ensure that reports are:

  • Regular and Timely: Reports should be issued at intervals that keep all stakeholders well-informed.
  • Concise and Customized: Tailor the content and format to the needs of various audiences, including executives, regulators, and IT staff.
  • Actionable and Insightful: Use trend analysis and visualization tools, like dashboards, to make the data comprehensible and actionable.

A pro tip: Reporting to the CISO is preferable to ensure the issue gets to the board, otherwise it can get lost if reporting to someone with too broad a remit.

Strategic Reporting Objectives:

The purpose of SOC reporting can vary but generally includes:

  • Identifying prevalent threats to prioritize security measures.
  • Documenting long-term trends to understand evolving threats.
  • Advising on the SOC’s readiness to handle new threats.
  • Fulfilling compliance obligations and documenting security incidents for audits.
  • Influencing the organization’s risk management strategy.
  • Educating staff to enhance security awareness.
  • Updating stakeholders on the organization’s overall security posture.
  • Initiating change management and new capability development.
