Adequate staffing

On this occasion, it is time to talk about the third element that we have considered important to take into account when implementing a SOC: "Adequate staffing".

Finding the right personnel, with the necessary training and experience, remains a challenge. Organizations face one of the main struggles that arises when starting a new workgroup of any kind: reaching optimal staffing, and in this case gathering technical staff who demonstrate the attitudes and aptitudes needed to carry out the required operations correctly.

Knowing where to start is a key point in establishing an effective organizational structure.

There are ways to create a solid foundation with just a few security experts and a modest monetary investment, but it is critical that companies invest in planning and in prioritizing what is appropriate to their needs and resources, right from the start. Even large companies can miss their target by beginning the implementation of this monitoring capability without having the necessary structure in place.

To staff a security operations center at a minimum, organizations can start by investing in three key operational roles:

Security Analyst (Triage Specialist): Also called a level one analyst, this role is responsible for reviewing alerts to determine their relevance and urgency. It may also be responsible for running vulnerability scans and reviewing their results, and for managing and configuring correlation rules on security tools such as IDS, anti-virus (AV), etc.

These analysts can also take on threat intelligence tasks, analyzing and detecting cyber threats and malware that may affect the organization. They assess the level of threat posed by an attack and thereby enable cybersecurity decisions to be made.

Such professionals are aware of the cybersecurity risks that concern different industry verticals and help protect critical assets by prioritizing threats and focusing on the most serious ones.

Senior Security Analyst (Incident Response): This role is responsible for reviewing the cases created by the level one analyst and uses threat intelligence (IOCs, updated rules, etc.) to identify affected systems and the scope of the attack.

It also reviews and collects asset data (configurations, running processes, etc.) from these systems for further investigation, and determines and directs remediation and recovery efforts.

Security Analyst (Threat Hunter): Reviews asset discovery reports and explores ways to identify stealthy threats that may be present on the network but have not yet been detected. This role runs detection operations using threat intelligence, performs penetration tests on production systems to validate resilience and identify weaknesses that need to be corrected, and finally recommends how to optimize security tools based on these findings.

SOC Manager: Apart from the three roles mentioned above, we should also consider this role, as it oversees the activity of the SOC team. The SOC Manager is in charge of recruiting, hiring, training, and evaluating personnel, as well as managing the escalation process and reviewing incident reports.

This role is also empowered to develop the crisis communication plan and report it to the CISO and other stakeholders. It runs compliance reports and supports the audit process. In addition, it measures SOC performance and communicates the value of security operations to business leaders.

As we have seen, staffing security professionals with the right skills is a critical first step in developing a successful SOC. SOC personnel must be trained; a lack of knowledge and experience goes hand in hand with a shortage of skills.

Even those skilled in using the tools that manage security controls can fail if they know little about the environment being protected. Knowing little or nothing about it leads to a failure to recognize problems and a greater likelihood of inappropriate responses to them. As a result, the SOC team may end up spending its time on a large number of cases that turn out to be false positives; consequently, personnel will be unable to respond to actual attacks.

All this does not mean that staff who are new to cybersecurity cannot belong to a SOC: if they have the right potential, then with training, experience, and openness to learning and study, they can become the next experts in the field.

Hi! I am Kendra Mazara

Senior Information Security Specialist | MBA | Cofounder MujeresTICs RD | Speaker | LinkedIn Learning Instructor
