Taking over a security operations center (SOC) is a major operation, with a variety of organizational, managerial and technical challenges. This piece provides a roadmap designed to help ensure a new SOC manager’s first three months on the job set them up for long-term success.
We suggest taking the first 30 days to learn as much as possible about the SOC and its team. As a part of this effort, consider:
Meeting with individual SOC team members: Try to get feedback from each of them on the current state of the SOC. Understanding what they think they are good at and where the opportunities for improvement lie will give you action items to work on. Identifying low-hanging fruit that ideally will improve the happiness or efficiency of your team can help you build rapport quickly.
Identifying and meeting with external stakeholders: SOCs typically interface with other groups inside of IT as well. The first month is a great time to interview key external stakeholders to get their feedback on their interactions with the SOC and their input on opportunities for improvement. Often, external stakeholders benefit from having more access to and awareness of the SIEM and what the SOC is doing, so this can be an opportunity to build external champions.
Clearly defining SOC roles/responsibilities: Work to confirm (or write for the first time) clear definitions of the roles within your SOC (e.g., Tier 1, 2, 3, etc.) so roles and responsibilities are clearly understood. It is possible you may uncover gaps in responsibilities simply by trying to map out these roles. The process also helps you get an understanding of any “fringe” SOC responsibilities, such as those that are sometimes managed by the SOC and sometimes managed independently (e.g., threat intel, hunting and vulnerability management). Take this time to understand and document the SOC’s key inputs and outputs so that it is clear where your responsibility boundaries lie.
Within your first two months, new SOC managers should try to:
Continue to build further rapport with the team. Consider spending time to shadow staff, go out of your way to be hands-on during incidents and participate in events, even when not required, to demonstrate your dedication. Find opportunities to back your team and prove to them you are a champion for them.
Start reviewing your tools and systems. Assuming a SIEM swap is not imminent, this process should start with reviewing and understanding all your log sources. Consider doing a full review of all the log sources and signals you are pulling into your SIEM. Speak with staff to understand any issues with keeping logs flowing, as well as any known gaps. Often, something as simple as sending Dynamic Host Configuration Protocol (DHCP) or Domain Name System (DNS) logs, while not providing much security value on their own, can enrich your security alerts enough that your SOC team can avoid spending time researching who is using an affected device and where it sits. These are time-savers and quick wins that SOC analysts typically just assume they can’t get and will live without. Ask your team for their “wish list” for log data as well.
Re-evaluate your SIEM. The SIEM is generally considered the centerpiece technology of any SOC program, so it is important to evaluate its efficacy. This can often be done by the SIEM vendor itself or by trusted third parties. Both approaches have merit, and they are often most useful when done in tandem – the vendor will typically make sure you’re on the latest versions and healthy, whereas third parties can often provide feedback that will enhance workflows, as well as provide perspective on whether your technology solution is still providing adequate capabilities. Ensure key rulesets and alerts are turned on, firing and operating effectively. Analyze threat intelligence feeds and how they integrate into your detections. If possible, include supplemental technologies in the review, such as incident response (IR) management platforms that ingest the alerts and allow your team to document their response activities. If you don’t have an IR management platform, note that and track it as a potential opportunity for improvement.
Examine your IR workflows. Look for documented, actionable and well-formulated plans for how to handle common incidents. Any time incidents happen more than once, your team should be taking a note to develop standardized IR workflows. These templated responses help improve standardization, as well as move more response capabilities further down toward your less expensive Tier 1 resources. This should be an ongoing effort.
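The log-source review above calls out DHCP logs as a cheap enrichment source. As an added example (not code from the original post), the snippet below parses constructed ISC dhcpd-style DHCPACK lines and attaches the hostname and MAC that held an alert’s source IP at the time of the alert. The log format, field names and all sample values are assumptions; the point it demonstrates is that a time-aware lease lookup is needed, because a plain IP-to-hostname join gives the wrong owner once a lease has rolled over.

```python
import re
from datetime import datetime

# Constructed sample DHCP server log lines (ISC dhcpd-style DHCPACK messages); not real data.
# Note that 10.0.1.25 is leased to two different hosts on the same day.
DHCP_LOG = """\
2023-09-21T08:02:11 dhcpd: DHCPACK on 10.0.1.25 to aa:bb:cc:00:00:01 (ws-jdoe) via eth0
2023-09-21T08:15:40 dhcpd: DHCPACK on 10.0.1.26 to aa:bb:cc:00:00:02 (ws-asmith) via eth0
2023-09-21T09:00:03 dhcpd: DHCPREQUEST for 10.0.1.26 from aa:bb:cc:00:00:02 via eth0
2023-09-21T12:30:05 dhcpd: DHCPACK on 10.0.1.25 to aa:bb:cc:00:00:03 (lt-contractor7) via eth0
"""

DHCPACK_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<mac>[0-9a-f:]{17}) \((?P<host>[^)]+)\)"
)


def parse_leases(log_text):
    """Return (timestamp, ip, mac, hostname) lease events, sorted by time."""
    leases = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if not m:
            continue  # DISCOVER/OFFER/REQUEST lines carry no confirmed assignment
        leases.append((datetime.fromisoformat(m["ts"]), m["ip"], m["mac"], m["host"]))
    return sorted(leases)


def enrich_alert(alert, leases):
    """Copy the alert and add src_mac/src_host for the lease active at alert['ts'].

    The most recent DHCPACK for the IP at or before the alert time wins; an IP
    with no lease on record before the alert is left unattributed (None) rather
    than guessed from a later lease.
    """
    alert_ts = datetime.fromisoformat(alert["ts"])
    match = None
    for ts, ip, mac, host in leases:  # sorted, so the last hit is the latest lease
        if ip == alert["src_ip"] and ts <= alert_ts:
            match = (mac, host)
    enriched = dict(alert)
    enriched["src_mac"], enriched["src_host"] = match if match else (None, None)
    return enriched


if __name__ == "__main__":
    active = parse_leases(DHCP_LOG)
    print(enrich_alert({"ts": "2023-09-21T13:00:00", "src_ip": "10.0.1.25", "rule": "demo"}, active))
```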
After two months, you should hopefully have built a rapport with your team and started to assess the relative health of your SOC technology and response capabilities. Next, new SOC managers should try to:
Establish and monitor key performance indicators (KPIs): Once you have reviewed your IR workflows, monitoring overall performance produces metrics that help you understand trends within the team. Establish KPIs around items like mean time to resolve, workloads per analyst, incidents per week, false positive rates, etc.
Conduct purple team testing: A mechanism to further stress-test the real-world capabilities of your SOC is to perform purple team testing. Purple team testing consists of collaborative red and blue team activities, where each individual test is run as an atomic, open-book exercise. This helps identify gaps in your logging, alerting and rules, and helps prioritize your improvements and understand how you might stand up to current threats.
Perform tabletop exercises. These simulated events should be focused on practicing your IR and crisis plans, including communications, interplay between teams and response techniques. Start small with your security team, and then expand these tabletop exercises to overall IT and eventually business leadership. Examine situations “left of boom” and “right of boom” (before and after a bad event, respectively).
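The KPI item above names four metrics but not how to derive them from case data. As an added example (not the post’s own code), the functions below compute mean time to resolve, incidents per ISO week, false positive rate and per-analyst workload from a constructed list of incident records in the shape an IR platform export might take; the record fields and all values are assumptions. Open incidents are excluded from MTTR and the false positive rate but still counted toward workload, since they are the cases still consuming analyst time.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed incident records (ISO 8601 timestamps); not real case data.
INCIDENTS = [
    {"id": 1, "analyst": "ana", "opened": "2023-09-04T09:00:00", "closed": "2023-09-04T11:00:00", "disposition": "true_positive"},
    {"id": 2, "analyst": "ben", "opened": "2023-09-05T10:00:00", "closed": "2023-09-05T10:30:00", "disposition": "false_positive"},
    {"id": 3, "analyst": "ana", "opened": "2023-09-12T08:00:00", "closed": "2023-09-12T14:00:00", "disposition": "true_positive"},
    {"id": 4, "analyst": "ana", "opened": "2023-09-13T09:00:00", "closed": None, "disposition": None},  # still open
]


def _closed(incidents):
    return [i for i in incidents if i["closed"] is not None]


def mean_time_to_resolve_hours(incidents):
    """Average open-to-close duration in hours over closed incidents only."""
    durations = [
        (datetime.fromisoformat(i["closed"]) - datetime.fromisoformat(i["opened"])).total_seconds() / 3600
        for i in _closed(incidents)
    ]
    return mean(durations) if durations else None


def incidents_per_week(incidents):
    """Count of incidents opened per (ISO year, ISO week)."""
    weeks = Counter(tuple(datetime.fromisoformat(i["opened"]).isocalendar()[:2]) for i in incidents)
    return dict(weeks)


def false_positive_rate(incidents):
    """Share of closed incidents dispositioned as false positives (0.0-1.0)."""
    closed = _closed(incidents)
    if not closed:
        return None
    return sum(1 for i in closed if i["disposition"] == "false_positive") / len(closed)


def workload_per_analyst(incidents):
    """Total and currently open incidents assigned to each analyst."""
    total = Counter(i["analyst"] for i in incidents)
    open_now = Counter(i["analyst"] for i in incidents if i["closed"] is None)
    return {a: {"total": total[a], "open": open_now[a]} for a in total}


def kpi_report(incidents):
    return {
        "mttr_hours": mean_time_to_resolve_hours(incidents),
        "incidents_per_week": incidents_per_week(incidents),
        "false_positive_rate": false_positive_rate(incidents),
        "workload": workload_per_analyst(incidents),
    }
```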
Taking on a new SOC management role is a great opportunity, and one that brings many challenges. Running a SOC successfully is all about balancing your current capabilities and processes with projects to enhance those capabilities. Knowing where you stand, proving where you stand through metrics and being able to demonstrate improvement in your capabilities are keys to success, both in the first few months and over time.
September 21, 2023
By IANS Faculty