How to Build a Security Operations Center (SOC): People, Processes, and Technologies
18 security pros reveal the people, processes, and technologies required for building out a Security Operations Center (SOC).
Building out a security operations center is a major undertaking, but one that is well worth it when it is configured properly to provide adequate security for your enterprise. Building out a SOC requires careful planning and coordination of people, processes, and technologies. A fully operational SOC will have the capabilities necessary to help secure your organization in the midst of the modern threat landscape.
So what does it take to build out a security operations center? To find out, we reached out to a panel of leading security experts and asked them to weigh in on this question:
"What people, processes and technologies are required for building out a security operations center (SOC)?"
Meet Our Panel of Security Professionals:
Find out what our experts had to say about the people, processes, and technologies required to build out a security operations center by reading their responses below.
Jose Hernandez is the SVP of Technology and Engineering at Zenedge Inc. He started his professional career at Prolexic Technologies (now Akamai) in DDoS, fighting attacks for Fortune 100 companies. While working at Splunk Inc. as a Security Architect, he built and released an auto-mitigation framework that has been used to automatically fight attacks in large organizations. In the past, he has helped build security operation centers as well as run a public threat intelligence service.
"Without a SOC there is often a siloed, incomplete visibility which leads to a weaker security posture..."
By consolidating all the security experts and relevant data into a central location, threats can be spotted faster and more efficiently. A SOC leverages people, processes, and technology to reduce security risks via improved security across an organization.
A SOC team needs a varied set of skilled security experts who are commonly broken down into 3 main tiers. The first tier is SOC I Engineers. They are responsible for detecting, identifying, and troubleshooting security events that come in. Often this is the tier in communication with the affected party. I consider them the eyes and ears of operations as their main functions are detection, classification, and escalation of attacks. They are also responsible for finding the most effective ways to mitigate the attacks. The second tier is SOC II; their responsibility is to mitigate attacks that are detected by SOC I. The third and final tier is SOC III. These engineers hold the most experienced technical security roles in a SOC. In order to reduce and optimize how a SOC I and SOC II operate, a SOC III engineer is not only an expert mitigator but also builds tools and processes to improve threat hunting and/or threat intelligence in an operation center.
The most crucial and first process one must embark upon in building a SOC is threat modeling. Threat modeling entails answering the following questions:
- What threats does my organization care about?
- What does a threat look like?
- How does the SOC block/detect the threat?
Once these questions are answered for the threats the SOC is intended to mitigate, playbooks are built in order to document how to respond, set severity, and how to escalate these specific threat types. Other important processes to consider are shift time and models (i.e. follow the sun or rotational). Follow the sun refers to the shifts the security engineers are operating according to their specific time zone, and it is usually selected when a company operates with multiple offices or engineers working remotely. Rotational refers to when a company is operating out of one location and shifts are rotated. Operational continuity focuses on shift handover, shift reports, and escalation to external teams like network or infrastructure.
The final aspect of building a SOC is the most commonly discussed topic. This technology can be broken down into three parts. The first step is to identify the data sources to use. Usually, these are driven by the playbooks on the detection portion. Common data sources are network activity/security events (firewalls, IDS/IPS, netflow, vulnerability scanners), threat intelligence (internal and external feeds), endpoint activity (ETDR, DNS, DHCP, AV, OS logs), and finally authorization (LDAP, Active Directory, VPN, SSO). The second part is a security intelligence platform (includes a SIEM). A security intelligence platform is not only responsible for bringing in the data from all the data sources listed above but also correlates, identifies and alerts a SOC engineer when a threat is detected. The third and final part is a case management or ticketing system which is used to track events throughout their history as well as a communication point between the affected party and the SOC.
There are many moving parts to building a Security Operations Center, but thinking of them in sections and tackling each through a threat model exercise makes the challenge achievable.
Mr. Schneider, CPP, is board certified in security management by ASIS International and possesses 25 years of experience in military, security, and law enforcement operations garnered from service in Israel and the United States. Greg frequently lectures and writes while not managing his Silicon Valley-based firm, Battle Tested Solutions LLC.
"Building out a security operations center (SOC) is no easy task..."
Much benchmarking, planning, and negotiating with stakeholders and vendors go into the whole SOC undertaking. There is definitely not a one size fits all approach when it comes to establishing, equipping, and staffing a SOC.
First off, a SOC should be scaled to either the global footprint of the company or to the span of control for the particular business sector that operates the SOC. Many Fortune 100 companies have a main SOC, called a Global Security Operations Center (GSOC), which could be supported by smaller SOCs in key parts around the globe that hold strategic value for the company.
Some large organizations are managed in a centralized manner where alerts, video surveillance, and intelligence maps are fed into a GSOC from satellite offices, vendor applications, and open news sources. Other organizations may be managed in a decentralized manner where regional SOCs are more self-contained and the decision-making process is kept within particular business units, who share just the critical information with the home office as well as help coordinate the travel of executives and employees. There is always some redundancy built into SOCs, so if one is offline there is another one that can manage the load and sustain operations.
Security in general is the combination of people, technology, and procedures. The security technology space is advancing so rapidly that by the time it takes to benchmark, invite bids, install, troubleshoot, and get buy-in from the legal, finance, IT, and global compliance departments, the new technology is now obsolete.
Standard equipment at SOCs includes video monitors, access control systems (tied to ID and badging), intrusion detection systems, interactive mapping technology, several consoles, and the necessary number of people to manage the center. To staff just one 24/7 position, about 4.5 people are needed if you take into account 8-hour shifts, weekends, vacations, etc.
A key element for managing a SOC is to ensure that the technology and platforms used sync well with the information systems of other countries, and are easily serviceable abroad. There have been occasions where integrated access control and video systems that were deployed globally were overly engineered and had narrow parameters for compatibility with other systems. If a malfunction happened, let's say in Turkey, the only tech available to fix it would have to fly in from Texas. All of what I described above is relevant to physical security, add to the mix security elements that just focus on IT security and a GSOC becomes even more complex. For several companies, IT security operations are kept separate from physical security operations but it is now becoming increasingly common for the physical security SOCs to be integrated with the IT side of the house.
Gregory Morawietz founded Single Point of Contact in 1999 and has helped hundreds of firms with their IT challenges. He is the VP of Operations.
"Creating a successful SOC involves..."
You need highly trained and certified staff who are familiar with security-based alerts and scenarios. Since security threats and problems are constantly changing, you need people who can adapt and think outside the box when it comes to solving problems. Attacks can come in a variety of different forms and types, so having people who can learn on the fly is important. You may need to have people who have security clearances as well, so you will need to screen your techs extremely well.
Security relies on sets of requirements that are widely accepted by the industry. In order to have a successful SOC you need to align yourself with all of the different types of security requirements such as NIST, PCI, HIPAA, and many more. There is an incredible amount of security controls that are associated with all of these requirements. Not only do you want to be familiar with what the controls are, but you want to be familiar with how to remediate them as well. Just as much care needs to be going into the proper remediation of security issues as detecting them.
You want to build a tool chest of software that can perform security audits, penetration tests and port scans. There are many commercial based systems that can provide Intrusion Prevention, Intrusion Detection, and analyses. You should have a good ticketing system, documentation system and inventory system. You should also stay on top of all the security trends as well by connecting to websites and security feeds that will update you on current events.
Sam Bocetta is a retired engineer who has spent the last thirty years working for US defense companies. He now teaches part-time.
"To build out a SOC, you need..."
You may already have people ready to help fill the roles of incident responders and SOC analysts, or you may need to evaluate other options, such as outsourcing (via managed security service providers, known as MSSPs) or even hiring specialists to provide surge incident response (IR) support. I believe a hybrid mix of these options functions quite effectively.
In a SANS Incident Response report, 61% of respondents called upon their own surge staff to manage serious incidents and 58% had a specialized response team. The takeaway point is that quality organizations can rarely fully meet demands using solely in-house teams or totally outsourced work. SOC staff must be able to deal with the constantly changing pressure and receive frequent training. This is what makes it quite a challenging job regardless of whether we're talking about incident investigators, subject matter experts, or SOC managers.
Quality SOC centers and processes are all about flow. Processes require extreme standardization of actions to make sure nothing is omitted or fabricated. In my experience, creating repeatable incident management workflows and processes ensures that team members will function effectively as a cohesive unit when escalating an alert from Tier 1 to Tier 3. Based on the standardization of these workflows, resources can then be allocated very effectively.
As data aggregation methods improve, so does the effectiveness of any quality SOC. With the advent of portable DAQ devices, security monitoring systems can take multiple data points and build them into a continuous log of events, both current and in the past.
With the benefit of network, log, and endpoint data gathered prior to and during the incident, SOC analysts can immediately pivot from using the security monitoring system as a detective tool to using it as an investigative tool, reviewing suspicious activities that make up the present incident, and even as a tool to manage the response to an incident or breach.
Compatibility of these systems is still an issue with a lot of organizations that want to develop their own proprietary systems to ensure total security.
Zak Cole is a Los Angeles-based network engineer.
"The security operations center often provides..."
Remote support from a dedicated site which oversees, assesses, and defends the information systems of an organization. Since these highly complex facilities are responsible for protecting the integrity of mission critical networks and their assets, availability is one of the most important aspects of their function. When building out a security operations center, it's imperative that network performance is thoroughly tested and validated prior to going live. The most cost-effective and reliable way to do so is through the use of a network emulator. By replicating a test network which mirrors the real-world network, application performance can be evaluated and optimized pre-deployment within a lab setting. This will help avoid any potential problems and ensure the network functions and performs as intended once it's live.
"The establishment of a SOC requires careful planning..."
Its physical security must be taken into consideration, and the layout of the operations center should be carefully designed to be both comfortable and functional. Building an efficient security operations center (SOC) requires organizing internal resources in a way that improves communication and increases efficiencies.
A SOC is expected to contain several areas, including an operational room, a "war room," and the supervisors’ offices. Comfort, visibility, efficiency, and control are key terms in this scenario, and every single area must be designed accordingly.
A SOC requires a team, and all policies must be followed correctly. Leaders will be needed, while engineering roles, analyst roles, and operations functions are all vital to the team.
Mihai Corbuleac is the Senior IT Consultant at ComputerSupport.com LLC - an IT support company providing professional IT support, cloud, and information security services to businesses across the United States since 2006.
"Choosing the right people, processes, and technologies for a fully equipped security operations center is a real challenge, because..."
Talented, cybersecurity-educated staff is required, and it's not always easy to find the right people for continuous monitoring and comprehensive data analysis. The ability to prioritize and manage time effectively is a must for a cybersecurity expert. Also, it is imperative to get the latest tools to keep up to date with threats and to get customizable tools that simplify the monitoring process depending on environment (on-premises, cloud, or hybrid). A SOC must have standard procedures in place to find, catch, and separate complex threats from easy threats, and protect data from and respond to targeted threats. SOC technology should be able to monitor network traffic, endpoints, logs, security events, etc., so that analysts can use this information to identify vulnerabilities and prevent breaches. When a suspicious activity is detected, your platform should create an alert, indicating further investigation is required. Multi-level escalation is also recommended.
Swapnil Deshmukh is a Sr. Director at Visa. He leads a team responsible for testing security for emerging technologies. He is a coauthor of the Hacking Exposed series and is a member of OWASP. In his prior work, he helped Fortune 500 companies build secure operation centers.
"When it comes to keeping an organization safe and secure..."
A security operation center's core ability must be to avoid security failures that have a direct impact on the brand and/or disrupt the overall growth of the company. This demands that people, processes, and technology grow organically to protect core technologies, adapt to changing business conditions, and prepare for and respond to global threats without impacting operational resiliency. In order to achieve coherence on people, process, and technology, those designing the SOC must consider the following:
- Cyber Protection: Protect critical assets and interests by context and content-driven defense.
- Attack Surface Management: Provide tools which provide various lines of defense to ensure prevention of malicious code from reaching its target.
- Identity & Access Management: Ensure authorized access and prevent unauthorized access to systems and data.
- Incident Response: Pre-emptively identify and disrupt attacks. Have cognitive tools to learn such attack trees and design a kill chain.
- Business Resiliency: Have IT disaster recovery management, business continuity plans, and effective crisis management command and control in place.
Along with these controls, the SOC needs to be self-aware and should constantly recalibrate processes or technologies to manage cybersecurity and help all stakeholders be ready.
Mike Baker is Founder and Managing Partner at Mosaic451, a managed cybersecurity service provider (MSSP) with expertise in building, operating, and defending some of the most highly-secure networks in North America. Baker has decades of security monitoring and operations experience within the US government, utilities, and critical infrastructure.
"Modern information systems are highly complex and growing more so by the day..."
Even small organizations must monitor and protect multiple systems from breaches and ransomware 24 hours a day, 365 days a year, while simultaneously maintaining compliance with regulatory and industry standards such as HIPAA, PCI, SOX, FISMA, and CIP.
Remote Monitoring, On-Site Dedicated SOC, or Both - Some managed security providers offer a static "menu" of services that may not fit your organization’s needs. Today’s complex data environments require security solutions that are individually tailored to each client’s environment. Choose from remote monitoring and analysis, a dedicated SOC center operated on your premises, or, for maximum security and cost effectiveness, a hybrid solution, which combines both.
More than Just Monitoring - Traditional SOCs provide remote monitoring of clients’ systems, and that’s it. The best practice is to perform remote monitoring and act as a full-on operations team, handling resource-intensive operational tasks such as:
- Managed defense
- Security management and monitoring
- Log management
- Vulnerability management
- Key controls and compliance reporting for regulations such as PCI, HIPAA, SOX, FISMA, and CIP
- SCADA security and monitoring for critical infrastructure
The best approach to a SOC is to be proactive, not reactive. It is better to prevent attacks from happening than to react to a breach after it occurs. The most effective SOC team will secure and monitor the network’s perimeter, data, customers, and remote users so that the SOC can detect, analyze, and immediately respond to threats 24/7/365.
Dennis Chow is the CISO at SCIS Security, a Houston-based cyber security consulting firm. He has led a nationwide threat information-sharing architecture and has a design grant with the Health and Human Services department. Dennis is an active practitioner who focuses on penetration testing and network forensics.
"Here's a concise answer for the requirements of a SOC build out..."
It's important to remember while these components from a high level are simple to design and perhaps to draft a program outline for, the implementation and revisions to the SOC program are keys to its success.
People - You need certified junior and senior analysts on board to be the eyes, the incident handlers, and other specialists. Among them you'll need malware analysts with reverse engineering skills, threat hunting analysts, and deep forensics investigation analysts. In addition, SOCs also need a threat intelligence analyst to help tie indicators of compromise together. Your junior to mid-level analysts will be focused around automated monitoring, triage, and basic response. In addition, supporting staff including engineering teams need to be ready to build, tune, and deploy content for active response and monitoring tools. A SOC Manager and shift leads also need to perform KPI monitoring.
Processes - The SOC is mostly about DFIR. You'll want workflows and processes around monitoring with best practices, incident response handling requirements, and remediation. One of the most overlooked processes outside of DFIR for a SOC is the content management and feedback piece. Analysts need to be able to request content and provide tool effectiveness feedback to their management and the security engineering team for continuous improvement.
Technologies - Every SOC has two primary pieces of software: an incident management system, and a SIEM for correlation. Sometimes these technologies are built all-in-one. More mature SOCs also have orchestration software that ties SIEMs, IMS, and security tools together to initiate 'active response', where alerts and incidents can sometimes have automated remediation and triage to further increase SOC efficiency. Other auxiliary pieces that support the SOC's mission would be reporting, threat intel platforms, potentially ticketing/content request systems, and secure virtual communication channels.
Mark is Managing Director of Hararei, Inc. and Arete Advisors LLC, both boutique technology and management consultancies.
"A Security Operations Center (SOC) is..."
The nucleus of an organization’s capability, and business critical to prevent, detect, and respond to attacks. Building out a SOC requires strong senior management sponsorship, well-defined measurable objectives, and a targeted SOC capability maturity level. A roadmap must establish a phased approach to build out capabilities across a range of areas (monitoring, malware analysis, threat identification, etc.) that will handle a wide spectrum of threats from cyber to physical.
The types of skillsets (intrusion detection, cloud security, etc.), staffing model, and training programs needed are among the people considerations. The right blend of contingent vs. employee talent is important to keep overhead cost down while also retaining intellectual capital in-house. Communication skills are as essential as technical skills. SOC personnel must communicate effectively with business stakeholders and senior management to escalate and convey threatening risks and issues during business-as-usual and states of emergency to produce the right business decisions.
Selecting the right mix of technologies is important. There is no single silver bullet. Companies need a suite of tools to address their risks and those technologies must integrate and have interoperability. Technologies vary significantly, from the ability to aggregate forensic data from multiple systems, to the ability to perform analytics to detect an attack. A critical tool is real-time alerting and reporting, as timely detection is paramount to responding quickly during an attack. Selection of technologies must balance achieving objectives, ROI and minimizing risks.
Process standards and documentation are important to prevent costly operational errors that occur because of the “fog of war” during emergency situations. Processes should be consistent with industry standards (i.e., ISO 27001:2013) but adapted to the organization’s needs. Standard Operating Procedures, Incident Response Plans, etc. should address, at minimum, medium to high risk and severity scenarios.
Jason McNew previously worked for the White House Communications Agency / Camp David for 12 years, where he held one of the highest security clearances. He is now based in the private sector as founder and CEO of Stronghold Cyber Security. He is a veteran, holding four degrees including a Master's in cybersecurity from Penn State.
"We need to have the right people, with the right training, in the right security roles..."
A three tiered system is a good start. The three tiered system can be modeled, for example, upon the Department of Defense Instruction 8570 (known simply as DoD 8570), widely recognized in the cybersecurity community as an excellent framework for identifying what certifications are necessary to fulfill a particular security role. 8570 is vendor agnostic, and is a simple three tiered chart that maps various certifications to particular security roles. These roles could be, for example, Security Analyst, Security Engineer, and Security Manager.
Next is policies. Formal policies have to be written, and these policies must have the backing of the business owners/executives, etc., so that they can be enforced effectively by the SOC folks. This isn’t as hard as it sounds however, because every security policy a SOC could ever want has already been written and is readily available through NIST, ISO, SANS, etc. Usually these policies will need to be tailored for a particular organization, but they definitely do not need to be written from the ground up. Another excellent resource (that just isn’t used enough in the commercial world) are the DoD's STIGs (Security Technical Implementation Guides).
Last (but not least) of the 3P is "products" or technology. We have to have the right technology, such as a CRM (customer relationship management), trouble ticketing system, KMS (knowledge management system), and of course various vendor tools which are needed to maintain the technology that we are securing.
Brian Berger is the executive vice president of commercial cybersecurity for Cytellix, responsible for 24/7 system management and business operations, as well as marketing, development, sales and engineering support of the cyber team and its solutions.
"There are SOCs run by very skilled resources that..."
Analyze events and provide solutions based upon privileges granted to them by the end-customer. In other cases, some SOCs are highly automated using tools that can measure and alert based upon severity, so that a skilled subject matter expert can act upon the threat or behavior in question.
A SOC can be delivered in many forms within the security industry. In some cases it's event monitoring of systems, networks, databases, applications and end-points to identify, assess, and remediate security concerns. In other cases it's infrastructure-related for facilities relating to access control. In still other cases a SOC can be provided to identify proactive events, based upon device behaviors. The tools needed vary by what a SOC is according to the particular industry. Everything from access control technology, to SIEM, to behavioral analytics can be technologies used in a SOC.
Jay is a Security Consultant for CHA Consulting, Inc.
"Don't forget the operators when designing a SOC..."
It is gratifying to step into a SOC and feel that you are on the bridge of a battleship; however, the workflow and comfort requirements of the crew should be appreciated. The layout of a security operations center should be designed with the operator in mind, and not solely for the convenience of the manager who is paying for the project. Too many SOCs appear to be designed primarily for the executive who steps into the room twice a day and wants to see a wall full of screens, various security metrics dashboards, KPIs and status updates. Design the SOC with thoughtful consideration given to the ergonomic requirements of the operators who will be staffing the SOC 24/7.
Jim is the President of Aegis FinServ Corp. AegisFS is a USG financial partner and provides secure financial services dealing with debit cards, travel, and ID badges.
"Key requirements for building out a security operations center include..."
- Interior premises must be located where T-1 direct wire internet services or satellite dishes can be erected and operated.
- Jamming services must extend to the parking lot and you should not allow any visitors to bring inside your premises: cell phones, iPads, laptops, or other devices. Presentations should be forwarded for inspection and reviews prior to meetings.
- No photographing should be allowed.
- No on-the-spot visitors. Visitors should have an invitation and preapproval up to 24 hours in advance.
- Visitors should sign an NDA and there should be no social media postings before or after meetings.
- All visitors should be put through several detectors prior to entrance: metal objects found on their body must be reviewed via electronic scanning. Any failures might result in expulsion from the facility.
It is not easy to have and maintain a SOC. It cost our firm an extra $130.00 per square foot for countermeasures to ensure that our facilities are 100% impervious to outside eavesdropping, illegal activities, and other nefarious actions.
Lindsey Havens works at PhishLabs.
"The first step towards creating the right security operations center is..."
To conduct a gap analysis to find out the organization's strengths and weaknesses with regard to cybersecurity. Once they understand their weak spots, they can work on four basic principles:
- Define all SOC requirements and then develop a roadmap.
- Determine whether to create an in-house SOC or outsource.
- Create a process for identifying and stopping threats.
- Implement technology that aids and empowers SOC efforts.
Tyler Riddell is a Vice President for eSUB Construction Software with a proven track record of successful go-to-market and corporate communication programs in multiple vertical tech markets.
"When looking to build a security operations center..."
The first step is to conduct a gap analysis to see where your weaknesses and strengths lie regarding cybersecurity. Afterwards, your company will have an idea of the requirements needed for a SOC.
- Create a SOC tailored to fit your business's realities.
- Assign tasks to the SOC such as checking for insider abuses, incident management, detecting external attacks, and compliance monitoring.
- Regulate and decide who will be in charge of identifying data collected and analyzed by the SOC.
- Establish the person in charge of managing the SOC.
- Outline exactly what type of security events will be fed into the SOC for analysis and review.
Trave Harmon is the Chief Executive Officer for Triton Technologies.
"The requirements for building out a SOC include..."
- You need to have a secure facility. Video data, logs and so forth should be backed up offsite.
- Your people need to be background checked. Every one of our employees is extremely well-vetted before they are employed.
- Have more than one system for your people to access security monitoring in case one fails.
- Have backup Internet access available. We have coaxial, DSL, satellite, and cellular Internet access all running through multiple firewalls in the event that an outage occurs.
- Have multiple means of power. In our facilities we have grid power, battery backups with solar arrays on the roof and generators.
- Have multiple means of communication.
- Train your people. Many breaches occur because of social engineering. Employees should learn how to recognize these attacks.
- Utilize clean desk and personal use policies. Absolutely no personal cell phones in the work area and no paper left on your desk after use.