5 Best Practices for Setting Up a Security Operations Center (SOC)

Managing security is not solely about products and technologies. As a security leader in your company, you need to weigh a number of other factors when you decide to set up a Security Operations Center (SOC): the business plan and its requirements, the capability and skill set of the people who will staff the SOC, individual and team responsibilities, budget, and so on.

The Need for a Security Operations Center

The sad truth is that you cannot stop all hacks and attacks. The best and most advanced security systems deployed on every endpoint can still fail you at some point.

When that happens, what matters is containing the threat and protecting your enterprise's data. The objective is to keep the attacker's dwell time on your servers and systems to a minimum, which is only possible if you have continuous monitoring in place and know what to monitor.

This is why many enterprises have established a Security Operations Center: to tackle precisely this problem and be prepared for the worst case. A Security Operations Center is the part of your cybersecurity team that evaluates, establishes and enforces security policies in your organization, and it is also the team that responds when an incident occurs.

Challenges Faced by a Security Operations Center

1. Skills shortage

The success of a SOC is defined by how quickly its people can identify, analyze, prioritize, and respond to a security crisis. There are many tools on the market that let firms gather and manage huge volumes of data securely, but human expertise is still required in many situations to remediate threats.

SOCs are struggling with the skills shortage, and many complain of staff being poached by rival companies. Tuning correlation rules for threat detection and triaging security alerts are two areas that demand human judgement and suffer most from the shortage.

2. Budget constraints

Despite the increasing prominence of SOCs, firms struggle to obtain the funds needed to hire and maintain adequate capability. Lack of funds and reluctance to invest are among their major roadblocks.

3. Inadequately documented processes

Many SOCs run into trouble because they either lack documented processes or let the documented ones stagnate. Incident response needs living documentation with well-defined response workflows; adaptable, portable, and fully integrated procedure management is key.

Best Practices for Setting Up a Security Operations Center

Setting up an effective Security Operations Center can be daunting and difficult. Here are some best practices we've learned from some of the CIOs who've been able to do this well.

1. Understand what a Security Operations Center does

This might sound basic, but many of us still fail to understand what a SOC is supposed to do. A good Security Operations Center monitors all of your enterprise endpoints and the network, identifies potential security issues and incidents, and handles them promptly and effectively. Do not confuse it with the IT helpdesk. As a rule of thumb, the help desk handles employee-facing IT issues, while the Security Operations Center protects the organization as a whole.

2. Set up the right infrastructure

A crucial part of a good Security Operations Center is the use of the right tools and products. Without them, your team will be helpless in case of a breach; in fact, they might not even know there was a breach. Evaluate and purchase tools based on what your organization's exposure and infrastructure look like. Some popularly used products are:

• Endpoint Protection Systems
• Firewalls
• Automated Application Security
• Security Information and Event Management (SIEM) Tools
• Asset Discovery Systems
• Data Monitoring Tools, and more.


3. Set up the right team

A good SOC needs a great team. You need individuals with different skill sets, including specialists for:

• Monitoring the system and managing alerts
• Incident manager to analyze each incident and propose action
• A threat hunter to discover possible incidents internally

All these skills require a lot of training and experience in areas like intrusion detection, reverse engineering, and malware anatomy. Budget not just for hiring this team but for keeping them well trained.

Since we are talking about hiring a team for a Security Operations Center, do not forget that you will need a dedicated manager for the SOC. SOCs can be chaotic and require constant communication between numerous teams, so crisis management is a necessary skill for whoever leads this team.

4. Create an Incident Response System

An incident response team is crucial to building a successful Security Operations Center. A good incident response team within the SOC decides how detected incidents are assigned and managed and executes a defined action plan. It can also establish a repeatable workflow based on the incidents detected, and it is the essential communication link to the business, legal and PR teams when an incident requires an organization-wide response.

The incident response team has to be as proactive as possible. It needs to follow a predefined response playbook strictly, or help build one from experience.

5. Defend, defend, defend

Last, but definitely not least, one of the primary objectives of a Security Operations Center is to defend the organization and its perimeter. There need to be teams that focus on detection and teams that focus on prevention, and the SOC needs to gather as much information as possible to get better at both.

The more data and context the SOC collects, the more events per second and flows per interval analysts have to manage. The obvious corollary is to keep false positives to a minimum, by tuning detection rules, so that analysts spend their time on real threats.


Security Tools Used by SOC Teams

A modern SOC needs to stay abreast of the latest security tools to function smoothly. Traditional tools used in a SOC are:

• Governance, risk and compliance (GRC) systems
• Security information and event management (SIEM)
• Vulnerability scanners and penetration testing tools
• Intrusion Detection Systems (IDS)
• Wireless Intrusion Prevention Systems (WIPS)
• Intrusion Prevention Systems (IPS)
• Firewalls and next-generation firewalls (NGFW)
• Log management systems
• Cyber threat intelligence feeds

Advanced SOCs have moved on to next-generation tools, in particular SIEMs that provide behavioural analytics, machine learning, and threat hunting capabilities with built-in automated incident response. Modern tools let SOC teams find and combat cyber threats promptly and efficiently.

SOC Process

Step 1 - Identify and Triage Events

The first step is to get telemetry from across the environment into the SIEM and to strengthen its capabilities: the SIEM must normalize events from many sources into a common schema and enrich them with context such as asset criticality and threat intelligence.

If the team builds the SOC on a SIEM that normalizes and enriches data this way, identifying threats and controlling damage become much simpler.

Step 2 - Prioritize and Analyze

Once the Security Operations Center identifies the underlying threats, it needs a strong process to prioritize, plan, and remediate the issue immediately. Whenever an alarm fires, analysts need to qualify and triage it before planning an effective action. Prioritizing alarms allows analysts to focus on the threats that carry the most risk and demand the most attention.

Step 3 - Remediate the Risk

The sooner the SOC's procedures let the team respond to a threat or security issue, the more effective the damage control. For any cyber incident or attack an organization faces, the goal should be to reduce the mean time to detect (MTTD) and the mean time to respond (MTTR). Remember, every second of attacker dwell time makes the risk graver.

Every security incident is unique, and teams should have a range of remediation strategies for such diverse incidents. Remediation includes several security operations tasks, such as updating or patching systems, running regular vulnerability scans, and restricting or updating network access.

Step 4 - Run Regular System Review

Whether the firm experienced a false alarm or an actual threat, running regular vulnerability scans is mandatory. This lets the security teams identify technical vulnerabilities that exist and issues the organization needs to prioritize and address in real time.

A Security Operations Center should have tools at its disposal that offer pre-configured compliance modules, which address common regulations and frameworks and help meet cybersecurity regulatory requirements.
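Steps 1 to 3 above in working code, as an added example that is not code from the original page or from Appknox: two telemetry sources (sshd syslog lines and EDR alerts as JSON) are normalized into one schema, enriched with asset criticality and a threat-intel list, run through a sliding-window brute-force correlation rule, scored and prioritized, and then MTTD/MTTR are computed over an incident timeline. All log lines, the asset inventory, the threat-intel set, the threshold and window, the scoring weights and the incident timestamps are constructed assumptions chosen for the example.

```python
# Added illustration, not code from the page or from Appknox. All telemetry below is
# constructed; the asset list, TI set, threshold, scoring weights and incident
# timestamps are assumptions chosen for the example.
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed telemetry from two sources: sshd syslog lines and EDR alerts as JSON.
SSHD_LINES = [
    "2019-09-17T10:00:01Z web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "2019-09-17T10:00:03Z web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "2019-09-17T10:00:05Z web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51240 ssh2",
    "2019-09-17T10:00:07Z web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51241 ssh2",
    "2019-09-17T10:00:09Z web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51244 ssh2",
    "2019-09-17T10:00:11Z web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51250 ssh2",
    "2019-09-17T10:05:00Z web01 sshd[2300]: Failed password for alice from 10.0.0.9 port 40001 ssh2",
]
EDR_JSON = [
    '{"ts": "2019-09-17T10:02:30Z", "host": "db01", "event": "malware_detected", "src_ip": "203.0.113.7", "severity": "high"}',
    '{"ts": "2019-09-17T11:00:00Z", "host": "lap22", "event": "suspicious_script", "src_ip": "", "severity": "medium"}',
]
# Assumed context: asset criticality (from a CMDB) and known-bad IPs (from a TI feed).
ASSETS = {"db01": "high", "web01": "medium", "lap22": "low"}
THREAT_INTEL = {"203.0.113.7"}
SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+) port \d+")
SEV = {"low": 1, "medium": 2, "high": 3}
CRIT = {"low": 0, "medium": 1, "high": 2, "unknown": 1}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize_sshd(line):
    """Map one sshd line onto the common schema; lines the regex does not know are dropped."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "host": m["host"], "src_ip": m["src"], "source": "sshd",
            "action": "auth_failure" if m["result"] == "Failed" else "auth_success", "severity": "low"}

def normalize_edr(raw):
    """Map one EDR JSON alert onto the same schema as the sshd events."""
    d = json.loads(raw)
    return {"ts": parse_ts(d["ts"]), "host": d["host"], "src_ip": d["src_ip"] or None,
            "source": "edr", "action": d["event"], "severity": d["severity"]}

def enrich(event):
    """Attach asset criticality and a threat-intel flag so triage has context."""
    event["asset_criticality"] = ASSETS.get(event["host"], "unknown")
    event["intel_hit"] = event["src_ip"] in THREAT_INTEL
    return event

def correlate_bruteforce(events, threshold=5, window_s=60):
    """Sliding-window rule: >= threshold failed logins from one IP inside window_s seconds
    raise one alert; a later success from that IP escalates it to high. Tuning threshold
    and window_s against real traffic is what keeps this rule's false positives down."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["src_ip"]
        if ev["action"] == "auth_failure":
            q = recent[ip]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ip not in fired:
                fired.add(ip)
                alerts.append({**ev, "action": "ssh_bruteforce", "severity": "medium", "count": len(q)})
        elif ev["action"] == "auth_success" and ip in fired:
            for a in alerts:
                if a["src_ip"] == ip and a["action"] == "ssh_bruteforce":
                    a["action"], a["severity"] = "ssh_bruteforce_success", "high"
    return alerts

def score(alert):
    """Assumed weighting: severity + asset criticality + 2 if the source IP is on the TI list."""
    return SEV[alert["severity"]] + CRIT[alert["asset_criticality"]] + (2 if alert["intel_hit"] else 0)

def run_pipeline(sshd_lines=SSHD_LINES, edr_json=EDR_JSON):
    """Steps 1-2: normalize, enrich, correlate, then return alerts highest score first."""
    events = [e for e in map(normalize_sshd, sshd_lines) if e] + [normalize_edr(r) for r in edr_json]
    events = [enrich(e) for e in events]
    # EDR detections are alerts already; sshd events only become alerts via correlation.
    alerts = [e for e in events if e["source"] == "edr"] + correlate_bruteforce(events)
    return sorted(alerts, key=score, reverse=True)

# Step 3 metrics over a constructed timeline: attack start, SOC detection, containment.
INCIDENTS = [
    {"occurred": parse_ts("2019-09-17T10:00:01Z"), "detected": parse_ts("2019-09-17T10:00:09Z"),
     "responded": parse_ts("2019-09-17T10:20:09Z")},
    {"occurred": parse_ts("2019-09-17T10:02:00Z"), "detected": parse_ts("2019-09-17T10:02:30Z"),
     "responded": parse_ts("2019-09-17T10:42:30Z")},
]

def mttd_mttr(incidents=INCIDENTS):
    """MTTD = mean(occurred -> detected); MTTR = mean(detected -> responded); seconds."""
    n = len(incidents)
    mttd = sum((i["detected"] - i["occurred"]).total_seconds() for i in incidents) / n
    mttr = sum((i["responded"] - i["detected"]).total_seconds() for i in incidents) / n
    return mttd, mttr
```

Calling `run_pipeline()` on the constructed data returns three alerts ordered by score: the EDR malware detection on the high-criticality `db01` with a source IP on the intel list, then the SSH brute force on `web01` that was escalated because the attacker's sixth attempt succeeded, and last a medium-severity script alert on a low-value laptop. The single failed login from `10.0.0.9` never reaches the threshold and produces nothing, which is the false-positive control the page asks for. `mttd_mttr()` gives a mean detection delay of 19 seconds and a mean response time of 30 minutes on the constructed timeline; in a real SOC those two numbers, tracked per incident class over time, are what tell you whether procedure changes are working.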

 


Designing a SOC is far more complex than hiring a team and buying some tools. It is about investing in the right things at the right time, looking ahead to the threats that may emerge in the near future, and aligning the security strategy with business needs.

Your Security Operations Center is the first line of defense for your enterprise organization. The better equipped they are, the better they can protect the organization.


Published on Sep 17, 2019
Harshit Agarwal
Written by Harshit Agarwal
Harshit Agarwal is co-founder and CEO of Appknox, a mobile security suite that helps Enterprises and Financial institutions to automate mobile security. Over the last 6 years, Harshit has worked with over 300+ businesses ranging from top financial institutions to Fortune 500 companies to set up security practices helping organisations secure their mobile applications and speed up the time for security testing.
