How to build a security operations center from the ground up
Building a security operations center (SOC) is a tall order. With the global technology talent shortage estimated at 85 million workers by 2030, it is clear that talent is, and will continue to be, hard to find.
Organizations must learn to create a SOC in an adaptable way that makes scaling to meet varying demands of clients simple while addressing the cybersecurity talent shortage. Special considerations should be made regarding tool selection, proper staffing, organizational needs and performing a gap/risk analysis utilizing outside consultation when applicable. Let’s explore a few best practices.
Building a Solid Foundation
Knowing what you are protecting and why is a crucial first step in building a SOC. Since most business units won’t know exactly what they want out of the SOC, security architects and engineers should align with them before building begins to understand how they interact with IT and what systems are under their care. The SOC structure must be aligned with overall organizational needs and business goals in order for it to perform properly and successfully. Once this alignment is complete, security teams can work backward by acknowledging the desired outcomes, user experience goals, response actions and notification trees, ultimately deciding how they want to interact and communicate with the security operations teams.
Prioritizing incident response and the associated remediation activities is critical for the SOC’s success. An external maturity assessment of the Incident Response and Remediation program should be conducted and prioritized, rather than simply focusing on where signals are coming from. This allows the inputs and outputs to be carefully normalized and mapped to playbooks when implemented, so analysts spend less time working out where to route each alert and what to do with it.
Companies should also consider taxonomy and ontology, decide on a Common Data Model to use, and provide a framework that expedites the integration of tools and simplifies the mapping of information. The data model should be top-of-mind, and every pipeline, workflow and data feed ingested into the SOC should be automatically normalized and enriched. Typical feeds include systems and endpoints, mobile devices, network (IDS/IPS/WAF/VPN/API audit trails), servers and applications (SaaS and on-prem), cloud and physical infrastructure (workload and posture/compliance), vulnerabilities, identity and access management, and audit trails.
Lastly, it is important that organizations leverage tools that support analyst workflow within the SOC. These include vulnerability management, endpoint detection and response (EDR), user and entity behavior analytics (UEBA), security automation, log collection and management, security information and event management (SIEM), and overall threat intelligence.
Prioritizing Talent, Technology and Data Feeds
Smaller organizations should also consider partnerships to aid in the many challenges of right-sizing their SOC and relieve the need to "completely staff up" during the build phase. One of the many partnerships to explore is a strong relationship with an MDR/MSSP that provides coverage while building out the internal SOC. This relationship can later be layered on top of or discontinued depending on the organization’s needs after the SOC is operational.
Modern security automation platforms can assist organizations in tying together the SOC by outsourcing certain workloads, even while having a fully staffed SOC or an MSSP for additional coverage. Companies should look for a solution that can help them tend to the volume of alerts and incidents a security team is serving, as well as facilitate a process where mundane ticket management, queries, lookups, enrichments and actions are automated and conducted at machine speed. Some organizations turn specifically to full-code, low-code and no-code security automation offerings that grant security teams a standardized way to consume information from various sources to limit context switching. Since most organizations are not equipped to staff a 24/7 SOC, security teams of all sizes will benefit from scalable, adaptable solutions that enable and enhance their SOC workloads. Once built, continuous testing, monitoring, tuning and maintenance are crucial to validating that the SOC is performing correctly.
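As an added illustration of the normalize-then-enrich pipeline described above (mapping feeds into a Common Data Model, attaching context and routing to a playbook), and not code from the article or from any vendor product: the three raw events, the field layouts, the asset-criticality table and the playbook identifiers are all constructed for the example.

```python
"""Normalize heterogeneous SOC feeds into one common data model, then enrich them."""
from dataclasses import dataclass, field

# Constructed sample events from three hypothetical feeds (EDR, WAF, IAM).
# Each source names the same concepts (time, severity, subject) differently.
RAW_EVENTS = [
    {"source": "edr", "host": "ws-042", "user": "jdoe", "detection": "credential_dump",
     "sev": "high", "ts": "2024-05-01T10:02:00Z"},
    {"source": "waf", "client_ip": "198.51.100.7", "rule": "sqli", "severity": 3,
     "time": "2024-05-01T10:05:10Z"},
    {"source": "iam", "principal": "jdoe", "event": "mfa_disabled", "risk": "medium",
     "eventTime": "2024-05-01T10:06:30Z"},
]

# Constructed enrichment data: asset criticality tiers and playbook routing table.
ASSET_CRITICALITY = {"ws-042": "tier-2"}
PLAYBOOKS = {"credential_dump": "PB-CRED-001", "sqli": "PB-WEB-002", "mfa_disabled": "PB-IAM-003"}
SEVERITY_BY_NUMBER = {1: "low", 2: "medium", 3: "high", 4: "critical"}  # WAF numeric scale

@dataclass
class CdmEvent:
    """Minimal common data model record every downstream playbook can rely on."""
    source: str
    timestamp: str
    category: str
    severity: str
    subject: str            # host, IP or principal the event is about
    attributes: dict = field(default_factory=dict)
    enrichment: dict = field(default_factory=dict)

def normalize(raw: dict) -> CdmEvent:
    """Map one source-specific record onto the common model; unknown sources fail loudly."""
    src = raw["source"]
    if src == "edr":
        return CdmEvent(src, raw["ts"], raw["detection"], raw["sev"], raw["host"], {"user": raw["user"]})
    if src == "waf":
        sev = SEVERITY_BY_NUMBER.get(raw["severity"], "unknown")
        return CdmEvent(src, raw["time"], raw["rule"], sev, raw["client_ip"])
    if src == "iam":
        return CdmEvent(src, raw["eventTime"], raw["event"], raw["risk"], raw["principal"])
    raise ValueError(f"no common data model mapping for source {src!r}")

def enrich(ev: CdmEvent) -> CdmEvent:
    """Attach lookups an analyst would otherwise do by hand: playbook and asset tier."""
    ev.enrichment["playbook"] = PLAYBOOKS.get(ev.category, "PB-TRIAGE-000")
    ev.enrichment["asset_criticality"] = ASSET_CRITICALITY.get(ev.subject, "unknown")
    return ev

def pipeline(raw_events: list) -> list:
    """Normalize and enrich every feed record before it reaches the analyst queue."""
    return [enrich(normalize(r)) for r in raw_events]
```

Because every record leaves the pipeline with the same field names, detection rules and playbooks can be written once against the model instead of once per tool.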
Developing a robust SOC strategy, properly preparing your environment, deploying end-to-end use cases and consistently maintaining and evolving your solution are critical to a successful security operations center. Continuously measuring performance to evolve and improve, expanding overall functionality outside of the SOC, while clearly communicating with your security team on requirements will ensure that your program is trusted and well equipped to prevent, detect, investigate and respond to any threats that present themselves.
Michael Lyborg is Senior Vice President of Global Security and Enterprise IT at Swimlane.