Month: September 2019

SOC Thoughts

I was asked recently to answer some questions about building and running an effective Security Operations Centre (SOC) for a forthcoming article in Infosecurity Magazine. Thinking about the answers certainly helped pass the time on a work trip back from Denmark! Here’s what I came up with:

How important is it for companies to have an effective SOC and why?

Barely a day goes by without the news reporting another high-profile cyber breach. Such events are expensive, both financially and in terms of reputation. It is a common misconception that cyber-attacks are highly targeted. A few are, but most are not, so organisations of every scale and across all sectors can be vulnerable. No solution provides guaranteed protection, but a holistic approach to cyber defence can radically reduce risk. A SOC is a critical component of any organisation’s cyber defences. When done well it offers 24/7 vigilance and the ability to respond immediately when the worst happens.

What are the biggest challenges to overcome when running a SOC?

There are several, especially when starting from scratch! However, I would say the biggest challenge is finding the right people. Security is fundamentally a people business; the right tools help too, of course, but having the right blend of skills and experience in SOC analysts and engineers is the most important aspect to get right. Recruiting such talent isn’t easy – the skills gap in this industry is widely publicised – but by using dedicated recruiters who seek out talent, and by developing talent through an apprenticeship scheme, it is possible to build the right team.

What are the key elements of an effective SOC?

I think of a SOC as comprising four fundamental and interlinked elements:

People: It is critical to build a team of analysts and engineers who have the skills (and passion) to run an effective SOC.

Tools: Using a blend of industry leading tools and bespoke detection capabilities across the Kill Chain ensures maximum coverage at all stages of an attack.

Processes: The SOC is fundamentally an operations room, and for it to work effectively under pressure and at pace there must be established processes for analysts to follow. Crucially however, these must not be so prescriptive that analysts don’t have freedom to bring their analytical skills to bear.

Threat Intelligence: Intelligence is essential for getting on the front foot. A mature and current understanding of the threat landscape makes the difference between operating reactively and proactively.

If implemented effectively, what impact can a SOC have on an organisation’s security posture and health?

SOC impact is notoriously difficult to measure. One approach is to track detection coverage before and after implementation against a recognised industry standard: using the MITRE ATT&CK framework, I have seen organisations grow from 15% coverage to more than 90% following the implementation of a well-scoped SOC. There is a financial impact too. Given the extremely high cost of breaches, it is not overstating the case to suggest that a mature SOC can defend against millions of pounds’ worth of damage.
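As an added example (not part of the original article), here is one way to do that before/after measurement in Python: a detection inventory is mapped to ATT&CK technique IDs and scored against the matrix, overall and per tactic, with the uncovered techniques listed as the gap to work on. The technique table is a constructed 20-technique excerpt of the Enterprise matrix (a real assessment would load the full matrix from MITRE’s published data), and the two inventories are constructed to reproduce the 15% and roughly 90% figures above; they are not real SOC data.

```python
from collections import defaultdict

# Constructed excerpt of the MITRE ATT&CK Enterprise matrix (20 of several
# hundred techniques): technique ID -> (name, tactics it appears under).
# A real assessment loads the full matrix from MITRE's STIX/JSON export.
TECHNIQUES = {
    "T1190": ("Exploit Public-Facing Application", ("Initial Access",)),
    "T1566": ("Phishing", ("Initial Access",)),
    "T1059": ("Command and Scripting Interpreter", ("Execution",)),
    "T1204": ("User Execution", ("Execution",)),
    "T1053": ("Scheduled Task/Job", ("Execution", "Persistence", "Privilege Escalation")),
    "T1547": ("Boot or Logon Autostart Execution", ("Persistence", "Privilege Escalation")),
    "T1548": ("Abuse Elevation Control Mechanism", ("Privilege Escalation", "Defense Evasion")),
    "T1055": ("Process Injection", ("Defense Evasion", "Privilege Escalation")),
    "T1070": ("Indicator Removal", ("Defense Evasion",)),
    "T1003": ("OS Credential Dumping", ("Credential Access",)),
    "T1110": ("Brute Force", ("Credential Access",)),
    "T1087": ("Account Discovery", ("Discovery",)),
    "T1082": ("System Information Discovery", ("Discovery",)),
    "T1021": ("Remote Services", ("Lateral Movement",)),
    "T1005": ("Data from Local System", ("Collection",)),
    "T1071": ("Application Layer Protocol", ("Command and Control",)),
    "T1105": ("Ingress Tool Transfer", ("Command and Control",)),
    "T1041": ("Exfiltration Over C2 Channel", ("Exfiltration",)),
    "T1486": ("Data Encrypted for Impact", ("Impact",)),
    "T1489": ("Service Stop", ("Impact",)),
}

# Constructed detection inventories: detection name -> technique IDs it fires on.
# BEFORE is a perimeter-only setup; AFTER adds endpoint, identity and egress telemetry.
BEFORE = {
    "Firewall/IDS signatures": {"T1190"},
    "Email gateway quarantine": {"T1566"},
    "Antivirus alerts": {"T1204"},
}
AFTER = dict(BEFORE, **{
    "EDR: suspicious process tree (LOLBins, LSASS access, injection)": {"T1059", "T1003", "T1055"},
    "EDR: scheduled task / autorun created by non-admin tooling": {"T1053", "T1547"},
    "EDR: UAC bypass / token manipulation": {"T1548"},
    "Windows event log cleared (Event ID 1102)": {"T1070"},
    "Auth logs: failed-logon spike per source": {"T1110"},
    "Auth logs: domain enumeration commands from workstations": {"T1087", "T1082"},
    "Auth logs: RDP/SMB between workstations": {"T1021"},
    "Proxy/DNS: beaconing and rare user agents": {"T1071", "T1041"},
    "Proxy: executable download from newly seen domain": {"T1105"},
    "EDR: mass file rename, shadow copy deletion": {"T1486"},
    "EDR: security/backup service stopped": {"T1489"},
})


def covered_techniques(inventory, techniques=TECHNIQUES):
    """Return (covered, unknown): IDs with at least one detection, and IDs the
    inventory claims that are not in the matrix (typos or retired IDs)."""
    claimed = set()
    for ids in inventory.values():
        claimed.update(ids)
    known = set(techniques)
    return claimed & known, claimed - known


def overall_coverage(inventory, techniques=TECHNIQUES):
    """Percentage of matrix techniques with at least one mapped detection."""
    covered, _ = covered_techniques(inventory, techniques)
    return round(100.0 * len(covered) / len(techniques), 1)


def coverage_by_tactic(inventory, techniques=TECHNIQUES):
    """Per-tactic (covered, total). A technique listed under several tactics
    counts towards each of them, as it does on the ATT&CK matrix."""
    covered, _ = covered_techniques(inventory, techniques)
    counts = defaultdict(lambda: [0, 0])
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            counts[tactic][1] += 1
            if tid in covered:
                counts[tactic][0] += 1
    return {tactic: tuple(c) for tactic, c in counts.items()}


def gaps(inventory, techniques=TECHNIQUES):
    """Sorted technique IDs with no detection at all: the backlog to work on."""
    covered, _ = covered_techniques(inventory, techniques)
    return sorted(tid for tid in techniques if tid not in covered)


def report(label, inventory):
    print(f"{label}: {overall_coverage(inventory)}% of techniques covered")
    for tactic, (c, n) in coverage_by_tactic(inventory).items():
        print(f"  {tactic:<22} {c}/{n}")
    _, unknown = covered_techniques(inventory)
    if unknown:
        print("  WARNING: inventory references unknown IDs:", sorted(unknown))
    print("  gaps:", ", ".join(f"{t} {TECHNIQUES[t][0]}" for t in gaps(inventory)) or "none")


if __name__ == "__main__":
    report("Before SOC", BEFORE)
    report("After SOC", AFTER)
```

Two caveats a practitioner should keep in mind when using this number. Coverage here is binary: a single brittle rule counts the same as a tuned detection with a tested response playbook, so the percentage is best used as a trend and a gap list rather than as a guarantee. And the unknown-ID check matters in practice, because inventories maintained by hand drift as techniques are renamed or retired between ATT&CK releases.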