What a successful SOC should look like

This could easily be the subject of a book. And as a matter of fact, there are quite a number of books out there about how to run a SOC for optimal resource usage and business alignment.
In this post, however, I want to give you just a high-level overview of the big picture of what a SOC should look like. Throughout my career I have had engagements with many organizations from all kinds of industry verticals, of different sizes and with wildly different challenges. The smallest “SOC” was a one-man show (one person dedicated to security 😊, among other daily tasks), while the biggest I’ve seen was almost 40 security professionals.

Before we look into what would make a SOC efficient, I will give you a few hints about what will not work. First is the perception that a big budget can solve anything. A SOC is not the kind of problem at which you can just throw money and expect results to grow linearly with the amount invested. I worked with organizations that had no official limit to the security budget (you read that correctly, no limit) yet still had major challenges in their daily operations and security stance.

The same can be said about the number of people working in the SOC; just because you have an “army” of security professionals, this doesn’t make your SOC better…
A few times I even heard the question “how many security professionals should my organization have, since we have n thousand employees?”… Your security profile *is not* a direct function of how many employees the organization has.

And third is technology. I saw a lot of security managers who were trying to overcompensate for a lack of skills from the technology angle, when really all technology can do is enable you to go as far as *your own skills* can take you. Buying the latest/greatest EDR or whatever security solution is now “trendy” will not make your team more security savvy.

[Let’s make the SOC great again!]
So here we go, there are two big perspectives we can use when looking at a SOC.

First (and mandatory) is to look at the SOC as any other business function with clear objectives aligned with the business mission. Generally speaking, regardless of the organization nature, the main objectives of a SOC (either owned or externalized) are to:

  1. Prepare – reduce/eliminate risks associated with cyber attacks
    These tasks are more strategic in nature, with a special focus on prevention (of incidents) and mitigation (of negative impact). Of course, not all incident types can be prevented or mitigated, so having an (IR) readiness strategy will go a long way. Normally the projects/tasks from this area will be things like:
    a. Team’s readiness (e.g. training, skill assessments).
    b. Projects focused on improving detection & response (e.g. enhancing the quality of evidence available for DFIR investigations, faster live response data collection, automating parts of the analysis process, etc.)
    c. Projects related to system & services hardening.

  2. Detect – close the gap between initial compromise and response
    The detective actions are a critical part of the daily operations. There is no amount of security best practices that will stop incidents from happening, and despite the amount of freely available sources of Threat Intelligence, a good detection capability cannot be achieved without intimate understanding of, and visibility into, the environment the security team is expected to defend.
    The key success factor for detection is to combine security skills with awareness of the business processes.

  3. Respond – remove threats as soon as possible with minimal business disruption/damage
    Alright, so the alert kicked in, you triage it, and if the threat is real you officially launch the incident response process. Being able to respond (to take action) to detected threats is not only vital but also a very challenging component of the security function.
    Key factors for a successful incident response process are having access to experienced security professionals, the right tools to optimize and automate the investigation as much as possible, and great communication for visibility. Yes, communication is an essential part of response, because a lot of the time, especially when critical services/systems are involved, the *big* decisions (e.g. observe and learn vs. immediate containment) will have to be made by the business (i.e. senior management).

Second is looking at the SOC as a capability, meaning a function that has all the required ingredients to achieve its objectives.
From this perspective we can look at a SOC in terms of:

  1. People (teams & skills)
    For a full-blown set of capabilities mapped to the objectives discussed above, your SOC should have the following skills/teams:
    – Threat Intelligence
    – Threat Hunting
    – Incident Response
    – Digital Forensics
    – Malware Reverse Engineering (REM)
    NOTE: I will go into detail in another post about what each team should do. This is just an enumeration of the teams/skills needed in a SOC to cover all major objectives.
    NOTE: notice that I left out Vulnerability Management – this should be owned by Operations, and the security team will only act in an advisory role, either to ensure out-of-band (asap) patch deployments or to look into ways to mitigate the impact of leaving this or that vulnerability unpatched.

  2. Technology
    Technology is meant to be an accurate reflection of the skills available in the team. Tools are meant to *enable* the security team to achieve their objectives faster, more consistently and as accurately as possible. Buying a security tool/solution that has a number of “interesting” features should only be done if the following two factors are met: an internal (business) need for those features *and* the skills to make the most of those features.
    Ask yourself how much more efficient/effective you will be because you own that tool/solution; whenever in doubt, go for a pilot and make sure you use relevant (performance) metrics to understand the benefits.
    I will leave for a future blog post the list of features that should be present in the tool set of each team.

  3. Processes
    The value of having sound processes is very high in large teams, where you need coordination between a number of individuals from different teams who may also be in different geographical locations.
    The main objectives of the processes are to ensure that:
    – the right person with the right skills owns the right actions/tasks.
    – enough resources are allocated (this may be a direct result of the severity or complexity of the incident).
    – visibility (to the right levels of management).

Mapping the teams/skills to the initial objectives, we have a table like the one below:

                        Prepare    Detect    Respond
  Threat Intelligence      x
  Threat Hunting                      x
  Incident Response                   x          x
  Digital Forensics                              x
  REM                                            x

A few comments about the relation between Skills (People), Technology and Processes: first, there is no replacement for great skills. Senior security professionals can cope with a lot of technical challenges and/or the absence of processes; they will know how to do the right thing at the right time.
Next is Technology. I said earlier that senior/experienced security professionals can deal with a lot of technical challenges, but don’t expect them to do wonders against all odds. Ultimately, without the right functionality in the technology available, the quality of the service delivered will suffer.
Processes are very important, especially for (relatively) large teams where the range of skills can vary a lot. Above everything, processes are about delivering reliable service quality at a given standard/level.

In a future blog post I will go into more details regarding the tools and processes needed for each team; stay tuned.

[Conclusions]
It may seem a little overwhelming at first glance to set up a SOC, or even to optimize its operations for maximum efficiency. The key is to never lose sight of the fact that ultimately the security function is expected to protect the business’ mission.
Failing to understand this fundamental point can lead to wasted resources, lots of frustration and, in the unfortunate case of an incident, major/irreparable losses.

AlexSta CyberSecurity delivers a wide range of engagements focused on enhancing the SOC on all levels, from DFIR training and tabletop exercises all the way to building a full capability from scratch; you name it, we’ve got it. Whatever the challenge, contact us and we will make it happen!