Building a SOC is a great experience, both for the people who will work in it and for the company that adopts it. With the increase of network complexity ...
If you are thinking about building a SOC, the first question that comes to mind is probably this: what are the components of a security operation center?
A security operation center has three main components: people, processes, and technology.
If you are interested in knowing more about these components and how they combine to make a SOC successful or unsuccessful, keep reading.
Building a SOC is not a one-day project, or even a one-month project; it is one of the hardest projects a company can undertake, because it requires investing money, investing time, and dedicated people.
SOCs are built on the three components mentioned above, and each of them is essential and cannot be separated from the others. A problem in just one of the three will make the SOC unsuccessful.
I think one of the most difficult parts of a SOC is finding the right people and making them work in harmony. You can buy the best world-class security solutions to run the security operation center, but if those solutions are not tuned and used by experienced, skilled people, they become useless. Likewise, a sophisticated, high-quality process for managing your SOC will never replace an experienced SOC manager or leader.
Therefore, the first component I will talk about here is people.
To run your security operation center you will need different people for different roles, so here is a list of some profiles that are essential to a SOC:
Of course, a SOC manager or leader is always needed; the title explains itself. This is the person who leads and manages the whole security operation center.
The SOC analyst is basically the heart of the SOC: the analyst is responsible for performing all the analysis, investigation, and reporting. This role can be divided into two or more tiers depending on the structure and budget of the SOC.
For example, you can create a SOC with two levels. When an incident occurs, level-one analysts (in general junior analysts with little SOC experience) perform the first basic analysis and investigation. When a rare or new incident occurs that requires deeper analysis and investigation, a level-two analyst is needed (in general a senior analyst, or simply someone with deep knowledge of the monitored network).
A SOC engineer is responsible for installing the tools used in the SOC, and is always working on new projects to enhance the SOC's capabilities with new technologies and tools.
The SOC operator is a complementary job to the engineer. The operator focuses on maintaining the tools installed by the SOC engineer and nothing else; the difference between the two roles is that the engineer works on new tools and tries to enhance capabilities, which the operator does not.
Some of these roles, especially those that need a lot of experience, are difficult to find. Therefore, a training plan needs to be put in place to grow your team's capabilities and knowledge. Unfortunately, experience is not the only challenge you will face while building your team: your team members may have experience from other companies but have never worked together, so creating harmony among them will take time and effort.
To find the right people, you first need to know what skills you are looking for. In this part of the post I discuss the skills a SOC analyst needs in order to do the job well.
I will not talk about the SOC engineer or the SOC operator, as those are mainly network security engineers who need a deep understanding of the tools they install and maintain, and in general that is all. In addition, those profiles are product-focused, so depending on the tools you are going to install in your SOC, you will need people who are experts on those tools.
A SOC analyst needs a good base of knowledge in the following three skills:
A more experienced analyst may also have good knowledge of reverse-engineering concepts and tools. To be honest, this skill is rare and not many people master it; in most cases, however, a junior SOC analyst will not need it to do a good job.
When it comes to processes, meaning what should be done in which situation and how in the SOC environment, there are many things that need a written process. Unfortunately, I cannot cover all of them in this blog post, but I will discuss some of the most common ones that you need to have in your SOC.
Incident triage is the first step of the incident response plan. In this process the person responsible, who can be a simple network admin or anyone with the right privileges to see the network's incidents, categorizes the incident and assigns it a risk level. After deciding whether further investigation is needed, the responsible person assigns the incident to the right person (level 1 or level 2 analyst) depending on its criticality.
Closing a computer security incident follows the eradication phase, in which the vulnerabilities that caused the event have been fixed and all traces of the incident have been cleaned up.
The incident analysis process is the main work of the SOC team. It defines how to find the root cause of an incident and how to contain it at the earliest possible stage.
The incident closure process starts once the vulnerability that caused the incident has been fixed. It includes testing and verifying that the fix is effective.
This process concerns the whole SOC team. It is a lessons-learned process in which you gather as much information as possible about the case to teach the rest of the team.
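To make the triage and closure steps concrete, here is an added example (my own illustration, not code from the original post) that models the two-tier analyst structure and the incident processes described above: alerts are categorized, given a risk level, routed to L1 or L2, and an incident can only be closed once analysis has found a root cause and the fix has been verified. The sample alerts, the category taxonomy, the 1 to 5 asset criticality scale and the routing thresholds are all constructed assumptions for the example.

```python
"""Toy model of the SOC incident processes described above: rule-based triage
(categorize, rate risk, route to L1/L2) and a closure gate that refuses to close
an incident whose fix has not been verified. The alerts, taxonomy and severity
scale are constructed for this example; they are not real telemetry."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


# Constructed sample alerts. asset_criticality is an assumed 1..5 scale;
# known_playbook says whether a written L1 runbook exists for this signature.
SAMPLE_ALERTS = [
    {"id": "A-1", "signature": "ET SCAN Nmap TCP SYN", "asset": "web-01",
     "asset_criticality": 2, "known_playbook": True},
    {"id": "A-2", "signature": "Credential dumping (LSASS access)", "asset": "dc-01",
     "asset_criticality": 5, "known_playbook": True},
    {"id": "A-3", "signature": "Unusual DNS TXT query volume", "asset": "fin-03",
     "asset_criticality": 3, "known_playbook": False},
]

# Keyword -> category rules, checked in order (illustrative taxonomy, an assumption).
CATEGORY_RULES = [("scan", "reconnaissance"), ("credential", "credential_access"),
                  ("lsass", "credential_access"), ("beacon", "command_and_control")]

# Base severity per category, raised one step when the asset is high-value.
BASE_SEVERITY = {"reconnaissance": Severity.LOW, "command_and_control": Severity.HIGH,
                 "credential_access": Severity.HIGH, "uncategorized": Severity.MEDIUM}


def categorize(signature: str) -> str:
    """Map an alert signature to a category by the first matching keyword."""
    sig = signature.lower()
    for keyword, category in CATEGORY_RULES:
        if keyword in sig:
            return category
    return "uncategorized"


def risk_level(category: str, asset_criticality: int) -> Severity:
    """Category base severity, bumped one step if the asset is critical (>= 4)."""
    sev = BASE_SEVERITY[category]
    if asset_criticality >= 4 and sev is not Severity.CRITICAL:
        sev = Severity(sev.value + 1)
    return sev


def assign(category: str, severity: Severity, known_playbook: bool) -> str:
    """L1 takes routine, playbook-backed alerts; rare, new or severe ones go to L2."""
    if severity.value >= Severity.HIGH.value or not known_playbook or category == "uncategorized":
        return "L2"
    return "L1"


def triage(alert: dict) -> dict:
    """Triage step: categorize, set a risk level, and route to the right tier."""
    category = categorize(alert["signature"])
    severity = risk_level(category, alert["asset_criticality"])
    return {"id": alert["id"], "category": category, "severity": severity.name,
            "assigned_to": assign(category, severity, alert["known_playbook"])}


@dataclass
class Incident:
    """Minimal incident record: triaged -> analysis -> closed, with a closure gate."""
    alert_id: str
    state: str = "triaged"
    root_cause: Optional[str] = None
    history: List[str] = field(default_factory=list)

    def start_analysis(self) -> None:
        self.state = "analysis"
        self.history.append("analysis started")

    def record_root_cause(self, cause: str) -> None:
        self.root_cause = cause
        self.history.append(f"root cause: {cause}")

    def close(self, fix_verified: bool) -> bool:
        """Close only when analysis found a root cause and the fix was tested."""
        if self.state != "analysis" or self.root_cause is None:
            self.history.append("closure refused: analysis incomplete")
            return False
        if not fix_verified:
            self.history.append("closure refused: fix not verified")
            return False
        self.state = "closed"
        self.history.append("closed after verified fix")
        return True


if __name__ == "__main__":
    for sample in SAMPLE_ALERTS:
        print(triage(sample))
    inc = Incident("A-2")
    inc.start_analysis()
    inc.record_root_cause("reused local admin password on dc-01")
    print(inc.close(fix_verified=False), inc.close(fix_verified=True), inc.state)
```

The routing rule is deliberately conservative: anything the rules cannot categorize, or that has no written playbook, goes to level 2 rather than being handled by a junior analyst, and the closure gate records every refused closure in the incident history so the lessons-learned step has a trail to review.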
This process defines how vulnerabilities are discovered in the IT network and how their impact is evaluated. It may also describe how to consume external vulnerability data sources and how to verify them against the solutions used internally.
This process describes how vulnerabilities are communicated to system owners, and how they are remediated and tracked.
I don't want to go too deep into this part of the SOC components, as that would make this blog post too long. Therefore, I will just give you an idea of the main tools and technologies you will need in your SOC:
Written by: Z. Oualid
I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).