6 elements to consider when implementing a SOC

As everyone knows, cyber threats are constantly evolving, which has forced companies to implement an expert team capable of detecting, analyzing, responding, reporting, and preventing cybersecurity incidents. The cybersecurity operations center (SOC) is that body called upon to fulfill this important task.

When we are in the process of creating and formalizing this professional group, we must consider the following six key elements:

1. Mission, vision, and scope
2. Policies and procedures
3. Adequate staffing
4. Infrastructure environment
5. Necessary security control tools
6. Monitoring systems

Each of these points will be developed in this blog through weekly publications, so that we can share this information in a thorough yet simple way for the benefit of all of us.

In this week's post, we are going to look at the first of the established elements: "Mission, vision, and scope".

The primary mission of the SOC is cybersecurity monitoring and alerting. This includes collecting and analyzing data and identifying suspicious activity, giving the organization greater control over its security. Data on these activities and potential threats are collected from firewalls, web application firewalls (WAF), intrusion detection and prevention systems, endpoint detection and response (EDR) systems, security information and event management (SIEM) systems, threat intelligence sources, and email gateway systems, as well as from application events, databases, and server operating systems in your infrastructure. When discrepancies, abnormal trends, or other precursors or indicators of compromise are detected, alerts are sent to SOC team members for triage, analysis, and response.
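To make the monitoring-and-alerting mission concrete, here is an added example (not code from the original post) of the pipeline just described in miniature: events from a firewall, an EDR agent and an email gateway are collected in their native formats, normalized into one event shape, checked against a threat-intelligence feed and a simple behavioural rule, and turned into alerts ordered for SOC triage. All log lines, log formats, indicators and the deny threshold are constructed for the demonstration and do not correspond to any specific product.

```python
"""Minimal SOC monitoring pipeline: collect -> normalize -> detect -> triage queue.

Added example. Every log line, format, indicator and threshold below is
constructed for illustration; none is taken from a real product or feed.
"""
import json
import re
from collections import defaultdict

# --- Constructed telemetry from three sources, each in its own format ----------
FIREWALL_LINES = [  # key=value format (constructed)
    "2024-05-01T10:00:01Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:02Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:03Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:04Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:05Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:06Z fw01 action=allow src=10.0.0.9 dst=198.51.100.23 dport=443",
]
EDR_LINES = [  # JSON lines (constructed)
    '{"ts": "2024-05-01T10:01:00Z", "host": "ws-042", "user": "j.doe", '
    '"event": "process_start", "image": "update.exe", '
    '"sha256": "1111111111111111111111111111111111111111111111111111111111111111"}',
    '{"ts": "2024-05-01T10:01:05Z", "host": "ws-043", "user": "a.lee", '
    '"event": "process_start", "image": "notepad.exe", '
    '"sha256": "2222222222222222222222222222222222222222222222222222222222222222"}',
]
MAILGW_LINES = [  # key=value format (constructed); note the gateway verdict is "clean"
    "2024-05-01T10:02:00Z mailgw01 from=billing@example.net to=j.doe@example.com "
    "attachment=invoice.zip "
    "sha256=1111111111111111111111111111111111111111111111111111111111111111 verdict=clean",
]

# --- Constructed threat-intelligence indicators (stand-in for a real feed) ----
IOC_IPS = {"198.51.100.23"}  # constructed command-and-control address
IOC_SHA256 = {"1111111111111111111111111111111111111111111111111111111111111111"}
DENY_THRESHOLD = 5  # repeated denies from one source to one port within the batch

KV_RE = re.compile(r"(\w+)=(\S+)")
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_kv_line(line, source):
    """Normalize a 'timestamp sensor k=v k=v ...' line into a flat event dict."""
    ts, sensor, rest = line.split(" ", 2)
    return {"ts": ts, "source": source, "sensor": sensor, **dict(KV_RE.findall(rest))}


def parse_edr_line(line):
    """Normalize a JSON EDR record; it already carries the fields we need."""
    rec = json.loads(line)
    rec["source"] = "edr"
    return rec


def collect():
    """Gather events from all sources into one normalized list."""
    events = [parse_kv_line(l, "firewall") for l in FIREWALL_LINES]
    events += [parse_edr_line(l) for l in EDR_LINES]
    events += [parse_kv_line(l, "mailgw") for l in MAILGW_LINES]
    return events


def detect(events):
    """Apply an indicator-match rule and a repeated-deny rule; return alerts."""
    alerts = []
    # Rule 1: any event touching a known-bad IP or file hash is a high-severity alert.
    for e in events:
        hit_ip = {e.get("src"), e.get("dst")} & IOC_IPS
        hit_hash = {e.get("sha256")} & IOC_SHA256
        if hit_ip or hit_hash:
            alerts.append({"severity": "high", "rule": "ioc_match", "source": e["source"],
                           "ts": e["ts"], "indicator": next(iter(hit_ip or hit_hash)),
                           "context": e})
    # Rule 2: a burst of denies from one source to one port is a precursor worth triage.
    denies = defaultdict(list)
    for e in events:
        if e["source"] == "firewall" and e.get("action") == "deny":
            denies[(e["src"], e["dport"])].append(e["ts"])
    for (src, dport), stamps in denies.items():
        if len(stamps) >= DENY_THRESHOLD:
            alerts.append({"severity": "medium", "rule": "repeated_deny", "source": "firewall",
                           "ts": stamps[-1], "indicator": f"{src}->port {dport}",
                           "count": len(stamps)})
    return alerts


def run_pipeline():
    """Collect, detect, and return the alert queue ordered for SOC triage."""
    alerts = detect(collect())
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a["severity"]], a["ts"]))


if __name__ == "__main__":
    for a in run_pipeline():
        print(f'[{a["severity"]:<6}] {a["ts"]} {a["source"]:<8} {a["rule"]:<14} {a["indicator"]}')
```

Two things the run illustrates that the paragraph alone does not: the same file hash surfaces independently from the EDR and the email gateway, so a normalized event shape lets one indicator rule cover every source; and the gateway's own "clean" verdict does not suppress the alert, because the threat-intelligence match is evaluated centrally rather than trusting each sensor's judgement.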

The vision of the SOC should focus on protecting the organization's resources and data from possible attacks, thereby avoiding the interruption of operations and the loss of information. In other words, the vision should support the proper conduct of the company's work, with the firm purpose of providing efficient and effective security to its different types of customers, whether internal or external.

To define the scope of the SOC, let's assume that the security operations center implemented by your company offers services both internally and externally. A strategic decision must then be made to delimit its scope: whether it will be dedicated to the company's internal services, to external customers, or to both. This decision must take into account that threats are becoming increasingly sophisticated, with disastrous consequences for companies in terms of finances, image, and more. Consequently, countering these threats requires proven processes, effective security solutions, and high-level skills.

In either case, the magnitude of the scope must be determined.

For example, in the case of a SOC that provides security services to external parties, the scope may extend to perimeter or endpoint monitoring, as well as covering intrusion detection and prevention systems, anti-malware, and firewalls, obtaining event logs from each. At the same time, the communication channels must be defined. In the case of an internal service, the responsibilities or functions of each team member must be defined; if threat intelligence and vulnerability management are included in the SOC, the methods for sharing this data (MISP, TAXII, etc.) must also be chosen. Ultimately, the scope must be specified according to the service on offer.

Since the SOC strategy must be clearly defined and specific to the business, it depends strictly on the support and sponsorship of the executive level; otherwise, the SOC will not be able to function properly and will not be perceived as a critical asset by the rest of the organization.

Hi! I am Kendra Mazara

Senior Information Security Specialist | MBA | Cofounder MujeresTICs RD | Speaker | LinkedIn Learning Instructor

