How to Set Up a Successful SOC Program

February 18, 2021 | By IANS Faculty

A 90-Day Guide for InfoSec Teams

Taking over a security operations center (SOC) is a major operation, with a variety of organizational, managerial and technical challenges. This piece provides a roadmap designed to help ensure a new SOC manager’s first three months on the job set them up for long-term success.

First 30 Days: Understand Relationships and Roles

We suggest taking the first 30 days to try and learn as much as possible about the SOC and its team. As a part of this effort, consider:

Meeting with individual SOC team members: Try to get feedback from each of them on the current state of the SOC. Understanding what they think they are good at and where the opportunities for improvement lie will give you action items to work on. Identifying low-hanging fruit that ideally will improve the happiness or efficiency of your team can help you build rapport quickly.

Identifying and meeting with external stakeholders: SOCs typically interface with other groups inside of IT as well. The first month is a great time to interview key external stakeholders to get their feedback on their interactions with the SOC and their input on opportunities for improvement. Often, external stakeholders benefit from having more access to and awareness of the SIEM and what the SOC is doing, so this can be an opportunity to build external champions.

Clearly defining SOC roles/responsibilities: Work to confirm (or write for the first time) clear definitions of the roles within your SOC (e.g., Tier 1, 2, 3, etc.) so roles and responsibilities are clearly understood. It is possible you may uncover gaps in responsibilities simply by trying to map out these roles. The process also helps you get an understanding of any “fringe” SOC responsibilities, such as those that are sometimes managed by the SOC and sometimes managed independently (e.g., threat intel, hunting and vulnerability management). Take this time to understand and document the SOC’s key inputs and outputs so that it is clear where your responsibility boundaries lie.

First 60 Days: Build Rapport and Focus on Tooling

Within your first two months, new SOC managers should try to:

Continue to build further rapport with the team. Consider spending time to shadow staff, go out of your way to be hands-on during incidents and participate in events, even when not required, to demonstrate your dedication. Find opportunities to back your team and prove to them you are a champion for them.

Start reviewing your tools and systems. Assuming a SIEM swap is not imminent, this process should start with reviewing and understanding all your log sources. Consider doing a full review of all the log sources and signals you are pulling into your SIEM. Speak with staff to understand any issues with keeping logs flowing, as well as any known gaps. Often, something as simple as sending Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS) logs, while not providing much security value, can help enrich your security alerts enough that your SOC team can avoid spending time researching with whom or where an affected device is. These are time-savers and quick wins that SOC agents typically just assume they can’t get and will live without. Ask your team for their “wish list” for log data as well.

Re-evaluate your SIEM. The SIEM is generally considered the centerpiece technology of any SOC program, so it is important to evaluate its efficacy. This can often be done by the SOC vendor itself or by trusted third parties. Both approaches have merit, and can often be useful done in tandem – the vendor will typically make sure you’re on the latest versions and healthy, whereas third parties can often provide feedback that will enhance workflows, as well as provide perspective on whether your technology solution is still providing adequate capabilities. Ensure key rulesets and alerts are turned on, firing and operating effectively. Analyze threat intelligence feeds and how they integrate into your detections. If possible, include supplemental technologies in the review, such as incident response (IR) management platforms that ingest the alerts and allow your team to document their response activities. If you don’t have an IR management platform, note that and track it as a potential opportunity for improvement.

Examine your IR workflows. Look for documented, actionable and well-formulated plans for how to handle common incidents. Any time incidents happen more than once, your team should be taking a note to develop standardized IR workflows. These templated responses help improve standardization, as well as move more response capabilities further down toward your less expensive Tier 1 resources. This should be an ongoing effort.

First 90 Days: Focus on KPIs and Improvement

After two months, you should hopefully have built a rapport with your team and started to assess the relative health of your SOC technology and response capabilities. Next, new SOC managers should try to:

Establish and monitor key performance indicators (KPIs): After reviewing your IR workflows, monitoring your overall performance can generate metrics to help better understand trends within the team. Establish KPIs around items like mean time to resolve, workloads per analyst, incidents per week, false positive rates, etc.

Conduct purple team testing: A mechanism to further stress-test the real-world capabilities of your SOC is to perform purple team testing. Purple team testing is collaborative red and blue testing activities, where each individual test is done as an atomic, open book exercise. This helps identify gaps in your logging, alerting and rules, and helps prioritize your improvements and understand how you might stand up to current threats.

Perform tabletop exercises. These simulated events should be focused on practicing your IR and crisis plans, including communications, interplay between teams and response techniques. Start small with your security team, and then expand these tabletop exercises to overall IT and eventually business leadership. Examine situations “left of boom” and “right of boom” (before and after a bad event, respectively).

Tips for a Successful SOC Program

Taking on a new SOC management role is a great opportunity, and one that brings many challenges. Running a SOC successfully is all about balance of your current capabilities and processes with projects to enhance those capabilities.

Knowing where you stand, proving where you stand through metrics and being able to demonstrate improvement on your capabilities are keys to success, both in the first few months and over time.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

Access time-saving tools and helpful guides from our Faculty.

IANS + Artico Search

Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

Get New IANS Blog Content
Delivered to Your Inbox

Please provide a business email.