Two of the key capabilities defenders must have are detection and response. Detection and response often take the form of a security operations center (SOC). A SOC is the holistic approach to the people, processes, and technology involved in detecting, analyzing, and engaging the first-level response to a cybersecurity incident. SOCs start with this core mission and employ a variety of individuals, from junior-level analysts to senior malware analysts.

In many organizations, a SOC is built organically and inherits responsibilities that lead to additional processes to manage. Many factors shape a SOC, and it’s important to understand there is no one-size-fits-all approach. The size of the SOC depends on the organization’s security maturity level and on the goals of the overall organization. It needs to be properly aligned to protect against the fundamental risk scenarios that impact the organization, whether compliance related or leveled up to business risk.

SOCs are the first line of defense for businesses when addressing cyber threats. At the very least, they handle the beginning stages of containment actions during an incident. They actively monitor the environment, hunt for threats, and establish plans to escalate breaches or initiate incident response procedures.

When trying to address the question “Is my SOC as effective as possible?”, one of the most challenging components you will face is staffing. Some common, difficult-to-answer questions include:

How do you find the right people?

How do you retain the right people?

Do you need to staff overnight or on weekends?

What responsibility do you want to directly manage?

What work can you outsource?

How do these decisions impact your overall mission to effectively stop a breach before damage occurs?

Staffing is a complex issue for any department, and it is compounded by highly demanding security roles.

We’re holding a security sessions and seasonals event in our office Friday — come meet up with me. I want to hear your thoughts on the state of the SOC.

How Do You Build an Effective SOC?

What type of SOC you want to build depends on the resources available to you and the experience of your team. It’s critical to consider the technologies and processes you want to use.

What skill level is needed to use these technologies? What experience is required to handle the processes you envision or have established?

These questions become more difficult to answer as you consider additional factors, such as the need for security 24/7, across geographies. If you have advanced resources and an existing team, you may be more inclined to have an in-house SOC. In contrast, with limited resources and a small team, you are more likely to have a fully outsourced SOC.

There are three common ways to build a SOC:

In-house: The security organization owns hiring and defines all processes.

Semi-outsourced: Some staff and processes are outsourced.

Outsourced: All hiring and most processes are a third-party responsibility.

Building an In-house SOC

Building an in-house SOC gives you total control over the security process. This can be invaluable for organizations with existing, knowledgeable teams that use customized workflows and have a complete understanding of their environment. These teams are typically well-funded, have multiple junior and senior analysts, and may even have a dedicated threat hunting team.

The difficulty with an in-house SOC comes from resource requirements. In-house SOCs need to be managed and require funding and other resources from the larger organization. They need to be staffed with the right talent, and they need to have outlined metrics for success. In-house SOCs are most valuable for organizations that are ready to handle the responsibility and have the time to develop a critical department that has the resources to succeed.

Pros: Granular control of the security process and of the team.

Cons: Takes a long time to establish, and to hire and train the team.