Welcome to the latest installment in our blog series detailing the case for change and best practices for creating and maintaining Security Operations Centers (SOCs). Catch up by reading last week’s post on the missteps and false starts to avoid when building a SOC.
Highly visible breaches and attacks have brought an intense focus on organizations’ incident detection, investigation, and mitigation capabilities. Just increasing security spending, however, does not guarantee more protection. Achieving the goal of better security depends on how that budget is allocated; what people, procedures and infrastructure are put into place; and how the security program is managed and optimized over the long term.
For organizations without a formalized incident-handling capability, the creation from scratch of a SOC enabling centralized visibility, alerting, and investigation can be a daunting task. The good news? Companies don’t need a room full of security experts and an investment of millions of dollars in security systems to make progress in this regard.
There are four steps you must take to build a world-class SOC:
- Build a roadmap and define your requirements
- Determine whether to hire or outsource key SOC positions
- Establish a process for identification, triage, and investigation
- Implement the right technology to empower your SOC
We’ll look at each of these steps in greater detail in the coming weeks. Today, let’s focus on the first step: Building a roadmap and defining your requirements.
A world-class SOC cannot be built overnight. Think of building a SOC as a marathon, best broken down into smaller mile markers, rather than an all-out sprint. A plan for incremental phases of implementation is vital to creating a successful SOC.
First, companies should conduct a gap analysis to find out where they are strong, just average, and weak with regard to cybersecurity. From there, companies can define requirements for what a SOC should look like, such as:
- The SOC's unique needs, tailored to each company's business realities
- The specific tasks assigned to the SOC, such as detecting external attacks, compliance monitoring, checking for insider abuse, and incident management
- Who will use the data collected and analyzed by the SOC
- Who owns the management of the SOC
- Which security events will be fed into the SOC for analysis and review
Once these basics are identified, it's time to build a roadmap to create, test, and launch the SOC. The goal of planning a roadmap at this phase is to ensure companies execute regular, incremental improvements based on their completed gap analysis and establish milestones that lead the organization toward better cybersecurity.
Given the budgetary, personnel, and cultural considerations that go into any new SOC, it's important to establish a roadmap that rolls the SOC out in stages, so as not to overwhelm business and IT leaders alike within the company. Why? Building a SOC requires collaboration and communication among multiple people, disparate security software products, and varying processes and procedures.
Come back next week as we look at the key considerations for either creating a SOC in-house or partnering with a third-party managed security services provider (MSSP). Can’t wait until then? Visit our website to learn how US Cyber Vault’s managed security services deliver security operations center, analyst, intelligence and incident response capabilities rapidly, enabling companies to save up to 90 percent on traditional cybersecurity costs.