Architecting your Security Operations Centre
A security operations centre (SOC) is a dedicated team, usually operating 24x365, to detect and respond to cybersecurity incidents within your organisation that potentially affect your people and systems. Architecting your SOC properly in terms of technology, processes, people and a close coupling with the organisation is critical if you are to achieve value from implementing a SOC within your organisation.
Architecting and implementing a Security Operations Centre (or SOC for short) for today’s threat environment is not easy. Modern businesses need their SOCs to be proactive about protecting networks, disparate systems (many outside of the traditional corporate network perimeter) and the sensitive data contained within them; but increasingly SOCs and their staff are expected to be predictive, stopping threats before they become an issue, as well as “threat hunting” to find dormant problems within the organisation.
This is then coupled with the demand to provide 24x365 protection, often being the only 24x365 operation within the organisation and thus expecting to cover all manner of additional responsibilities; from basic network monitoring to full-blown (non-IT) crisis management and business continuity.
Without a SOC and the services it provides, cyber-criminal attacks can remain hidden indefinitely as organisations rarely have skills to detect, let alone respond to threats in a timely manner.
But for a SOC to be effective within an organisation, the design and planning are critical if the SOC (or multiple SOCs) are to be intimately coupled to both the organisation, it’s business processes, it’s critical data and systems, the IT infrastructure and the network itself.
Such an undertaking needs to take into consideration not only the physical construction of the environment, together with the specialised tools and technologies but also the understanding of the data sources and the skills needed to find that proverbial needle in a haystack.
Even then; when an issue is discovered the SOC will need a plethora of processes and procedures, tightly coupled to the business, to ensure a timely, efficient and appropriate response to the threat; from simply fixing the system and restoring from backup to activating and managing a full business-wide crisis plan involving the most senior members of the organisation.