Part One of this article covered some of the challenges of the traditional SOC approach – overly technology-focused with budgets taken up with hardware costs and licence fees desperately chasing log capture.
In this second part, we cover what we have learnt over the past few years in building and operating what we would call a ‘Modern SOC’.
A SOC team takes years to build
The modern SOC business, one which understands how to embrace different mindsets and skillsets and combine them with assisting technology, will be the most successful.
This requires diversity in skills (the range of technology covered by a modern SOC is wide, from 10-year-old Solaris servers through to the latest SaaS APIs and applications). Importantly, the modern SOC understands the value of diversity in staff and mindsets, and that those critical, valuable human assets need to be using technology designed to assist them and make their job easier.
A key focus needs to be removing distractions from the core team. The more diverse the team, the more creative and innovative it will be. Given the opportunity and time to train and experiment, analysts will become more motivated and satisfied in their role, capable of resolving the puzzles thrown at them – literally.
Additionally, traditional SOCs often fail because they are too rigid and inflexible in their operating structure, and poor HR/recruitment processes tie their hands. Inadequate, expensive, and inflexible technology stifles innovation.
A SOC team needs to be large and dedicated, with few distractions
Traditional SOCs have teams that are way too small. A 24/7 SOC providing services to enterprise customers should have a large SOC analyst team of trained, specialised and dedicated analysts.
Under-resourcing teams is a fatal flaw, and distracting analysts by having them onboard new customers, write parsers and maintain the underlying SOC technology is a serious mistake.
A SOC needs dedicated, specialist teams
Examples of the sorts of core SOC teams include the following:
- Onboarding and Design Team. A team dedicated to the onboarding of new customers so the core SOC team is not distracted. The team fully manages new customer deployments and changes end to end. They also work on the design and deployment of the in-house SOC technology.
- Experts/Consulting Team. A team dedicated to driving the best cyber outcomes for the customer. Experts at tuning, training SOC automation, running threat hunting programmes and always there to assist the SOC with incident analysis.
- Support Team. Operates 24/7 with the SOC Analyst Team to keep all the technology working/patched. This Team ‘keeps the lights on’, so the SOC analysts are dedicated to Security Operations.
- Technology/Development/DevOps Team. This team’s role will depend on the type of technology used, but it starts from listening to analyst requirements. From these, the team develops more efficient workflows and implements automation and other technology improvements. Their number one goal is to support and augment the analysts.
Final Thoughts
A modern SOC business should reflect the nature of the problem it was designed to address. To do this it needs to be flexible, agile, diverse and inclusive. Plus, it needs to be ready to evolve and innovate in line with the changing problem space. It needs the best people: the most innovative, diverse and enthusiastic. It needs to support this team with the best, ‘analyst aligned’ technology. Additionally, we glue this together with constantly evolving processes and playbooks.