A CISO’s guide to setting up a SOC

As organizations mature, they are exposed to ever-increasing internal and external risks. Internally, from the danger of executing projects with the same entrenched and unsecured processes. Externally, from the threat of cyberattacks that take advantage of any chink in the security armor. Few initiatives sit at the intersection of these concerns as the creation of a Security Operations Center (SOC).

Building a SOC requires new tools and technology, diligent work with partners and vendors, as well as successful recruitment and retention. The prepared leader in charge of such an operation stands to substantially reduce the danger of unmitigated cyberattacks. The downside risk, however, is fearsome: failure to build a successful SOC can leave an organization unprotected from cyber criminality while driving significant cost and organizational disarray.

Creating a functional SOC reduces the challenge to a company’s core components, talent, technologies, and intelligence by strengthening its ability to identify and remediate threats. Here’s how we recommend building out your SOC.

1.   Context Matters; Tailor your Plan

All organizations come with legacies, and those legacies — of decision or indecision, infrastructure, technology in place, product offerings, and sales tactics, among many others — influence the nature of an organization’s cybersecurity program long before such a program coalesces into a managed reality.

As such, it’s rare that any CISO, much less a newly-minted CISO, encounters an opportunity to build a program truly from scratch. Before embarking on this journey then, one must acknowledge the most crucial element of any successful program: the careful consideration of context.

For example, you may be charged with the construction of a novel cybersecurity initiative at your organization – a Security Operations Center (SOC). This might be the first time your organization has a SOC function, and you may even be the first hire dedicated to “Security” in the enterprise. Assuredly, however, there are legacies whose history stretches well beyond your tenure in this role, and those legacies will shape the kind of program you must build.

Failure to acknowledge this context obviates the need for almost any other planning effort, as there is no single “canned strategy” that works at every organization. There are strategic fixtures, tools, best practices, and frameworks which can be useful, but none of them are fully functional without adaptation.

With that in mind, as a newly-minted CISO, how do you muster the talent, technology, and feeds to accomplish the task of building out a SOC?

Let’s take each concept individually.

2.   Consider Talent

Talent comes first and remains the top priority even after a SOC is operational. There’s no tool that can replace a strong talent pool, and those tools that promise to affect such a reduction in the need for talent will, paradoxically, remain inaccessible to organizations that don’t have the appropriate talent in the first place. Tools, after all, require talent (a skilled user) to operate them.

As you plan out the strategy for your SOC, define your intended organizational structure and Concept of Operations. There are numerous example frameworks available, but none of these were written for your organization, so it’s important to read several and cherry-pick those that reflect your ability to attract and retain talent.

Your planning should also account for any limitations and potential advantages.

If you don’t have much budget for headcount, consider eschewing a deep escalation tree, and hire more-senior staff instead.

If you work at a company that already has a strong technology help desk, then perhaps you can broker a deal with the leadership of the help desk department to be your initial (Level 1) triage.

Is the DevOps team over-scale and facing a reduction in force? Transfer experienced talent into your organization to secure legacy knowledge and build a cross-functional pool of experience that wouldn’t traditionally be in your candidate pool if you were searching specifically for a “Senior SOC Analyst”.

You might find that the act of defining the SOC organization you’d like to build illuminates your most critical hires but consider this: senior talent looks expensive only until you understand the true cost of inexperience. Initially, you require talent who are builders, not rule-followers, and you aren’t going to have the time you’ll have later in the SOC lifecycle to manage team members dependent on your guidance.

So for the initial stages of an organization, juniors should be considered expensive to the company. Hire at the mid to senior individual contributor tier first and save hiring juniors for a later phase of maturity, when you require a pipeline to support promoting from within.

Another reason to hire in the middle hierarchy of your organizational plan will be clear as you begin to select technologies and feeds, as these are augmentations of your capabilities, not absolute contributions to the process.

3.   Enhance Talent with Technology

Once initial hiring is secured, your attention should turn to the technologies necessary to augment and direct the efforts of your team. Remember that no technology, alone, is a productive entity — that is the sole domain of personnel, even in 2022. Technologies enhance the capabilities of your staff and may sequester the efforts of your staff in processes and services that further enhance your team’s abilities. Technologies do not, intrinsically, represent productivity.

This is also true, contrary to a lot of marketing you’ll face, when considering novel innovations and technological advances. No Artificial Intelligence, Machine Learning, Bayesian Algorithm, or Shell Script acts alone, not one. Sorry marketers, but what you have is still a hammer, and I advise all tech leadership to treat products at all levels of “sophistication” as merely tools which may, under the right circumstances, improve the effectiveness of work within the capabilities of their staff.

So, as you hire your staff, work with them to determine what technologies they are comfortable with. Then implement those technologies in the order that addresses otherwise insurmountable gaps in your organizational scale or effectiveness.

Is your organization reading logs manually? This doesn’t scale well – sounds like you need a SIEM.

Do you have a means of correlating user behavior, such as mass exfiltration of your organization’s cloud-drive contents? Do those means analyze user characteristics, such as “likely looking for another job”?

Was there a person who administers SharePoint or a similar tool to help HR find folks already performing these actions in their spare time? Perhaps you need a tool that allows you to sequester user characteristics and analyses for automated evaluation by an always-attentive algorithm.

Remember to implement what your team is comfortable with and employ those solutions that reflect the foundational activities of your organization. Don’t buy shiny software on the strength of its often-generic pitch.

Hint: the more often you hear a tool pitched on its construction rather than its functionality (we don’t want to call out ai/ml but…), the less likely it is you can accurately evaluate that tool’s applicability to your organization.

Longer term, once you have a functioning suite of technologies operated by your team, revisit those technologies, and evaluate them for redundancy or applicability. Consolidate or cull those that are no longer necessary and keep your operation’s platform to a practical, streamlined minimum.

4.   Add Intelligence

If you’re at the point of selecting feeds, you’ve done the heavy lifting in the previous two sections. Once you’ve hired a core team and selected technologies that complement your team’s competence, you can turn to the augmentation of knowledge, rather than merely production.

Feeds selection comes last among the three core components of a SOC build-out for a few reasons:

1. Without a staff (including yourself), you have no abilities that can be amplified by tools. Ideally, this means that without a staff, your organization has not invested in tools, though I realize that some organizations specialize in “bringing owls to Athens.”

2. You won’t have known what feeds you can use until you have tools in which to use those feeds. These tools may be modest, such as a script authored by your team to evaluate the external profile of a target domain against third-party intelligence. Until these exist, however, a feed alone is no more useful than a tool without an operator.

3. Without a staff and their supporting tools, you likely won’t have a sense of which pieces of intelligence are most useful to your analyses. Thus, feeds purchased for general use tend to be wastefully expensive; and, occasionally, suboptimal at many things, rather than competent at a few.

However, once you have a staff, and that staff is competent in their tool selections, you’ll be more able to accurately ascertain what points of data, or pieces of intelligence, aren’t bundled with your technologies or would support woefully inadequate parts of your analytical capabilities. These statistics, in order of their criticality to your enterprise, are eligible to be provided in a feed.

Build an inventory of these requisite data points and evaluate feeds on the marketplace for their ability to provide them. Whatever you do, don’t let this activity get in the way of talent development and retention or technology optimization, because both of those are far more important.

Longer term, once all your feeds are in place, as with the technologies before them, regularly revisit those feeds and evaluate them for redundancy or applicability. Consolidate or cull those which are no longer necessary, and keep your feed inventory to a practical, streamlined minimum.

Context, talent, technology, and intelligence are foundational to an effective SOC program. However, execution risk is considerable in an undertaking like creating a security operations center. And, of course, the best laid plans that don’t come to pass fail to benefit your organization.  

To mitigate execution risk, consider engaging partners who can bridge the gaps in talent, expertise, and strategy. A modern MSSP can be a transformative partner, offering a turn-key solution to these challenges.

To learn more, contact us at SolCyber.