Building a SOC is a great experience both for the people who will work in it and for the company that will adopt it. With the increase in network complexity and attack sophistication, getting hacked is becoming just a question of time. Preventing security breaches is no longer the right cybersecurity strategy for companies on its own.
Therefore, having a SOC is becoming a must for companies, and doing it the right way is even more important. So, how do you build a security operations center?
Building a security operation center goes through five main steps:
In this article, I am going to explain in detail, step by step, how we can build a security operations center. We are going to look in detail at the technologies used in this system and which are the most popular ones.
This article will be the base for a series of other blog posts, where each phase will be explained in detail in several more articles. So trust me: if you are trying to build a SOC, just keep reading. I was there once too.
Before starting to build your security operations center, the first thing everyone should think of is why and what they want to build. The SOC strategy and capabilities are the first things to analyze and to discuss with superiors and decision-makers, to know where you want to go with your SOC.
Assessing security operations capability is the first step in the process of building a SOC. Knowing what you have as capabilities (software, processes …) that can be used in a SOC is necessary to better identify the gaps and the requirements to meet your SOC goals. Therefore, the results of this step will be used as a base in the next steps.
The assessment of those capabilities must follow a good methodology to optimize the results. Therefore, Cisco has proposed a very good methodology to better perform this step:
Identifying the SOC business and IT goals is an important step in the assessment methodology. I mean, if you want to measure the maturity of your SOC, you will need to compare what has been achieved up to that moment with the SOC business and IT goals.
Identifying the SOC business and IT goals might not be easy to do and may require many interviews with managers and superiors. For example, you may ask questions of people like business executives, business managers, or even IT managers and IT users. The main idea is to get as clear an idea as possible about the goal of the SOC project.
After identifying the business and IT goals, the next step is to identify the IT process that helps accomplish those goals. An IT process is just a combination of processes, people, and technology that work in harmony to meet the IT goal.
I won’t discuss steps 3, 4, and 5 in this blog post, so as not to make it too long and boring. However, in the following blog posts, I will explain each step in more detail to better understand how we can TECHNICALLY perform each step.
Now that you know exactly what the business and IT goals are, it is easy to create a strategy that leads to those goals. This step is typically based on the previous one, which means a wrong capability assessment exercise will result in a totally wrong strategy. So be sure everything in the previous step is correct before starting this one.
A SOC strategy is basically a document that contains at least the following elements:
As I said earlier, all those elements will be explained in detail with examples in the next blog posts. However, I would like to highlight and give an idea about what the SOC scope needs to contain.
Actually, the SOC Scope needs to have at least the following elements:
There is a very nice document developed by IBM that gives some good ideas to take into consideration while making a SOC strategy.
Designing the SOC infrastructure should take into consideration many aspects related to how data access is secured and how devices will be monitored. During the SOC design, the SOC architect must work with many business units to make better decisions that support the SOC strategy and roadmap.
For me, the first step is to take a look at the vendors who work with the company to get an idea about what technologies they offer. This way the SOC may benefit from already established contracts and support.
Working with the IT teams at this level is also necessary to make a good decision about how to monitor devices and where to place the monitoring tools. Here is a list of other very important things you should take into consideration while designing the SOC infrastructure:
All these elements will be discussed and explained in detail in the next blog posts.
At this level, you will need to start building the main services offered by your SOC. Therefore, I am going to give you some of the most important services that all Security operation centers at least need to offer.
Now that you know what your services would be, you will need to acquire the right tools to do that.
Gathering or collecting events from the different supervised devices in the network is the most important task of the SOC. However, estimating the amount of log data that your collection tool will receive per day is a necessary task. This task is called sizing and, unfortunately, there is no exact way to perform it. In addition, oversizing your solution may result in you paying too much for it, while undersizing may result in the system crashing or you losing crucial event data.
As I said, to do the sizing of the collection tool you are going to buy, you should calculate the number of events generated per second (EPS). Unfortunately, the only way to calculate the EPS is by putting a syslog server in your network and keeping it connected for 24h. Then you should analyze the results to identify log trends during normal and peak times.
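The analysis step above, as an added example that is not part of the original post: it buckets a syslog capture per second and reports average EPS (for storage sizing) and peak EPS (for ingest-rate sizing). It assumes RFC 3164-style lines beginning with "Mon dd HH:MM:SS"; the sample lines and the 500-bytes-per-event figure are constructed assumptions, not measurements.

```python
# Added example (not from the original post): estimate EPS for collector sizing
# from a syslog capture, as the "collect for 24h, then analyse" step describes.
# Assumes RFC 3164-style lines beginning with "Mon dd HH:MM:SS"; the sample
# lines below are constructed, not real traffic.
from collections import Counter
from datetime import datetime
import re

_TS = re.compile(r"^(?:<\d+>)?([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")  # optional PRI, then timestamp

SAMPLE_LOG = """\
Nov  1 10:15:32 fw01 kernel: ACCEPT src=10.0.0.5 dst=10.0.1.9 dport=443
Nov  1 10:15:32 fw01 kernel: DROP src=203.0.113.7 dst=10.0.1.9 dport=22
Nov  1 10:15:32 dc01 sshd[412]: Accepted publickey for admin from 10.0.0.5
Nov  1 10:15:33 fw01 kernel: ACCEPT src=10.0.0.6 dst=10.0.1.9 dport=443
garbage line without a timestamp
Nov  1 10:15:35 dc01 sshd[417]: Failed password for root from 203.0.113.7
Nov  1 10:15:35 dc01 sshd[417]: Failed password for root from 203.0.113.7
Nov  1 10:15:35 dc01 sshd[417]: Failed password for root from 203.0.113.7
Nov  1 10:15:35 dc01 sshd[417]: Failed password for root from 203.0.113.7
"""

def eps_stats(lines, year=2022):
    """Return (avg_eps, peak_eps, unparsed). avg_eps is taken over the whole
    capture span (first to last second, quiet seconds included), peak_eps is
    the busiest single second: size storage on the first, ingest rate on the second."""
    per_second = Counter()
    unparsed = 0
    for line in lines:
        m = _TS.match(line)
        if not m:
            unparsed += 1  # capture files are noisy: count bad lines, don't abort
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        per_second[ts] += 1
    if not per_second:
        return 0.0, 0, unparsed
    span = (max(per_second) - min(per_second)).total_seconds() + 1
    return sum(per_second.values()) / span, max(per_second.values()), unparsed

def daily_volume_gb(avg_eps, avg_event_bytes=500):
    """Raw bytes per day; 500 bytes/event is an assumed average, measure your own."""
    return avg_eps * avg_event_bytes * 86400 / 1e9

if __name__ == "__main__":
    avg, peak, bad = eps_stats(SAMPLE_LOG.splitlines())
    print(f"avg EPS={avg:.2f} peak EPS={peak} unparsed={bad} "
          f"~{daily_volume_gb(avg):.3f} GB/day raw")
```

On a real 24h capture, run it per hour as well as over the whole file so that the normal-versus-peak trend the post mentions becomes visible.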
In the building process, not only are the tools important; the people who will use them are also very important, and also very rare. Personally, I think finding people who will work in harmony, training them, and especially keeping them is the most difficult part of the SOC building process. This is not just my personal opinion either: most security experts I have talked to share the same view.
I will not get into this as it was a whole debate between HR and security experts. However, I would like to give you some ideas about what kind of people or experts you will need in your SOC.
Here is a list of profiles you should look for and what they do in the SOC:
Managers or team leads provide the leadership of teams within the SOC, normally aligned with common sets of services.
Analysts are usually the heart of any SOC and may provide a variety of services within the SOC. Responsibilities can include security event monitoring, incident report investigation, incident handling, threat intelligence, vulnerability intelligence, and reporting.
Security engineers are usually responsible for the testing, staging, and deploying of new technology platforms or major releases/updates to those platforms.
Whereas SOC engineers tend to focus on new projects, SOC operators spend their time maintaining and operating the currently deployed SOC platforms.
Even if it seems very easy, starting the SOC operations is not like pushing a red start button. In fact, there are many challenges that you may face and that you will need to solve while doing this. In this part of the blog post I am going to talk about some of the key challenges, and how you can overcome them.
The first challenges that I would like to talk about are the ones related to people. Most of the time, the decision to build a SOC comes either after a big breach that was detected in the company or after some big hack that happened close to it. Therefore, while the event is still fresh, the CEO and managers tend to take courageous decisions and try to invest as much as possible, because at that moment they understand and feel the importance of cybersecurity.
Unfortunately, after you finish designing and building the SOC, most of the time those decisions and those feelings change and the budget may get lower than the one defined at the beginning. Therefore, a good SOC manager needs to be prepared to adjust his requirements and his design to the new budget.
One more thing: the team you have just recruited is still fragile and may feel some stress, as starting the SOC will not be that easy. Due to some human resource policies, the team might be incomplete or inexperienced at the beginning of the SOC.
More challenges will be faced related to processes and technologies. What you should know about process challenges is that having a process in the SOC to do something does not replace the experience of the SOC analyst or manager. This becomes much clearer when the team faces a blocking situation and needs the SOC leader’s intervention.
Technology solutions are not free of challenges either. Deploying all the desired technologies before going live is not always possible. In addition, finding the expertise to deploy or maintain your technologies is not always possible either.
Written by: Z. Oualid
I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).