When it comes to setting up a security operations center (SOC), be it in-house, completely outsourced or a hybrid of the two, it should revolve around the three core pillars of people, process and technology. The SOC is the nerve center that provides the visibility an organization needs to understand its risk and security posture. Standing up a 24×7 SOC is one thing; getting the right information out of it is another. Without proper planning, a focused strategy and sound decisions, success is hard to come by, and maturity is harder still.
In this blog, we’ll highlight the key challenges an organization can face after setting up a hybrid SOC. Every organization’s priorities, thinking, planning and execution differ, but achieving success and heading toward maturity are common goals. We’ll focus on the core areas that need attention after a SOC has been implemented, so that it runs not merely as a compliance exercise but as an enabler of the business.
Here is an eight-step approach to creating and managing an effective security operations center.
Strong Governance
A successful SOC rests on a foundation of operational excellence driven by strong governance. Key people from the client and the service provider must meet regularly and stay involved in a consistent way. Regular monthly or quarterly reviews are needed to confirm that the operation is running as efficiently as documented in the statement of work (SoW).
Shared Technology Model
Cybersecurity is dynamic, and businesses are under immense pressure to adopt new security technologies, which in turn puts pressure on SOC analysts: in addition to managing the current technology, they must learn the new technologies quickly.
Because security technology changes constantly, and incorporating new solutions into the SOC takes time and effort, conflict can arise, especially in a hybrid SOC. Is this solely the client’s responsibility, or would a shared responsibility model work better here? Does the SoW document who pays for the training? Security training is costly. The SoW must state clearly who bears the cost and the mode of training, whether by video conferencing or onsite, to avoid disputes later.
Regular Site Visits
The primary purpose of a site visit is to build trust and to assure the remote team that it has all the necessary support from the client. The relationship should not end with signing the contract; both client and service provider must perform equal due diligence, with key designated people visiting each other’s site at least twice a year. Visits also let each side see whether the working environment is conducive. Face-to-face meetings are the most effective way to develop trust and transparency. Alternatively, a remote SOC analyst can work from the client’s premises for a week or two to gain first-hand experience working closely with the in-house CIRT team.
Culture of Appreciation
Appreciating SOC analysts for their achievements must be handled appropriately by both the service provider and the client. Security analysis is a tough business, and without appreciation no one feels valued. Satisfaction and productivity increase when people are recognized for their work.
Consistent Feedback
To improve the SOC, consistent feedback from both sides is a must. Without feedback there is no growth, and without growth the whole exercise defeats its purpose.
Analyst Retention
If security analysts stay in the job for only about a year, something is wrong. Why are they leaving so quickly? Are they not getting enough training? Are they dealing with alert fatigue? Do they not feel appreciated? Are they struggling to maintain work-life balance? Whatever the reason, it must be identified and remedied as soon as possible.
Business Continuity
The main goal of business continuity is to deal with disruption; in a SOC, that means ensuring no interruption to SOC operations. Is there a plan to move the SOC to a different location if necessary? How does the SOC deal with a natural calamity? Scenarios such as these must be thought through and documented. It is also prudent to have a few resources working from the client location who can run the show. Working through these scenarios in advance will help the SOC deal with a crisis far better.
Privacy and Confidentiality
Imagine a situation where a breach happens at the client’s end and remote SOC analysts spread the news across the entire floor. Can this be avoided? Confidentiality must be protected at all times; the handling of such situations must be fully documented in the agreement and well understood by both parties.