The Complete Guide to Building a Security Operations Centre

Building an effective Security Operations Centre (SOC) is, before all else, a collaborative endeavour. Whether you outsource, deliver internally or operate your SOC using a hybrid model, a tremendous amount of teamwork, shared insight and precise coordination is required before your SOC goes live – let alone reaches maturity.
As nebulous as this may sound, scoping your Security Operations Centre approach to threat intelligence and response doesn’t need to be overwhelming. In our experience, segmenting your preparation work into five distinct stages helps to establish a robust SOC foundation that operates and scales effortlessly.
Contents
- Stage 1: Scoping your Solution
- Stage 2: Laying the Foundations
- Stage 3: Picking your Players
- Stage 4: Sorting your Priorities
- Stage 5: Defining the Specifics
Stage 1: Scoping your Solution
We guarantee that there’s a better version of what you’ve been doing. Now is your opportunity to look critically and constructively at your security posture and understand how it compares to a Security Operations Centre approach.
Gather those responsible for your organisation’s security defence and response, and talk over the following:
Business and Security Goals
One size fits no one. So, carefully consider your business goals and the role that a SOC plays in accomplishing them.
For example, you may wish to widen profit margins by increasing agility. That’ll call for accelerated hybrid working and SaaS adoption – two major cyberattack targets. How will you use a SOC approach to ensure that agile technologies scale safely?
Or perhaps you’ve set ambitious customer acquisition goals and must fine-tune products for competitive appeal. To make these impactful decisions, you’ll need to connect, capture, process and analyse far more data. So how can a SOC make handling expanding data safe?
Aligning security with every aspect of business operations won’t just ensure your SOC solution protects you against adversaries and unlocks potential. It’ll also determine your order of approach, budget, timelines, and operating model.
Current Capabilities
Honesty is the best policy here. Most organisations will have some components of a SOC in their security teams – internal or third-party – but it’s unlikely every skill will be present. So note down your team’s skills, experience, and availability, and use this inventory as a reference in Stage 3.
It’s important to note that a SOC is an intentional, tightly constructed workgroup. Even if you’ve got the “big five” SOC job roles seemingly covered, they will have manifested organically. To be a true, responsive SOC – one capable of monitoring, detecting, analysing and responding to advanced threats – your solution must fit a set framework.
Budgets and Timelines
Establishing a SOC is an investment in your company’s future, and we encourage cybersecurity budgets to reflect the scale of the issue and threat of systems compromise, downtime, financial theft and data loss.
After assessing goals and capabilities, commit to a feasible budget and map a preliminary timeline for implementation.
Before you read on, we’ve just a few words on budget.
Cybercriminals put 100% of their effort and resources into their nefarious craft – an effort that businesses must counter with full force. In fact, one reason why a SOC is so effective is that it delivers 100% security visibility and 24/7 response from experts that live and breathe cybersecurity.
That said, we appreciate that budgets aren’t infinite. But the fantastic thing about a SOC is that it gives you performance with streamlined expenses.
First, it’s inherently scalable and will function exceptionally well with the five core functions covered. Essentially, the foundations are straightforward to build on if you need to power up as you grow.
Secondly, when you use a third-party specialist, you get access to concentrated SOC skills and all their benefits under one umbrella cost. This approach can be far more efficient than employing a crack team of high-salaried experts and implementing advanced technologies in-house.
In summary, if you’re worried a SOC is out of scope, keep an open mind. Cost-effective, high-performing SOCs can be readily established with the right operating model.
Operating Models
When establishing a Security Operations Centre, you can go it alone, use a Managed Service Provider, or combine forces. Each approach has pros and cons, which you can read about in detail here.
MSPs are often preferable because they’ll likely have the requisite skills, experience, resources and technology to establish a SOC quickly and cost-efficiently.
Stage 2: Laying the Foundations
As mentioned, a SOC has a solid and scalable foundation capable of unearthing new risks and acting on threats in real time.
A SOC foundation comprises five key functions which have fixed hierarchies and job roles attached to them. Whether you outsource, develop a SOC in-house or combine two approaches, your SOC will have the same core functions. These are:
- Discovery: SIEM, behavioural analytics, anomaly analytics and deception technologies
- Initial investigation: Score and merge threats against a risk assessment matrix before triage.
- Triage: Threat events are categorised by criticality, and responses are triggered.
- Advanced investigation: Develop understanding, build context and coordinate resources.
- Response: SOC incident responders work to contain and defuse the threat and recover data if necessary.
These core functions work together to consolidate threat visibility, coordinate security skills and prioritise responses based on business impact. For more about how a SOC works to monitor, safeguard and manage in real time, click here.
Stage 3: Picking your Players
With your objectives scoped, budget ringfenced and core functions understood, it’s time to pick the people who will design, implement and ultimately staff your SOC. People power is one of the key differences between a SOC and other security posture approaches, so you must choose wisely.
Highly trained analysts, responders and investigators coordinate their knowledge and elite skills to discover and defuse attacks. They use technology as a strategic tool – automating tasks where helpful – not as a replacement for their ability.
And another great benefit of a SOC: each SOC role takes full ownership of their function. Simply put, you don’t get close to this level of strategic control and accountability with a “managed solutions only” security stack approach.
These are the five foundational roles that form a SOC, each taking on chronological responsibilities critical to developing threat intelligence and galvanising security posture:
- SOC Manager
- Security Engineer
- Security Analyst
- Incident Responder
- Security Investigator
Our guide to Security Operations Centre Roles covers the hierarchy and responsibilities for each role in a SOC, and why this structure is extra-beneficial to businesses controlling a budget.
Stage 4: Sorting your Priorities
The unrivalled effectiveness of a SOC lies in its shrewd, lean prioritisation capability. By aggregating threat alerts and prioritising response speed and force according to business impact, your security defences come into action exactly when you need them to – a blend of human intervention and sniper-like automation.
This is in stark contrast to more laborious approaches – for man and machine alike – that involve analysing mountains of threat data, much of which bears little relevance to the particular vulnerabilities, security concerns or operational criticalities of your organisation.
But a SOC is only as good as its fed data and directives. So, your next step in building a SOC is to decide the core principles of threat intelligence and incident response.
Key Security Concerns
Start with what you know for certain. Your work at Stage 1 will have laid out key security concerns faced by your organisation.
You’ll have determined the common cyber threats likely to cross your path. In addition, you’ll have identified business-specific cyber threats, for example, ransomware hitting your ERP or IoT attacks targeting factory sensors. You’ll also have noted operational risks with known or unknown causes, such as eCommerce downtime or customer data loss.
Feed this information into your SOC so it can respond as quickly as possible should a known scenario materialise or access a solid blueprint to build on when an unknown threat presents itself.
Triage Priorities
Using insights from your key security concerns paired with cybersecurity expert input (from experience and Open Source Threat Intelligence), decide what your worst-case scenario looks like and work backwards.
This hierarchy will form the basis of your SOC triage system – when security events are ranked by criticality and trigger specific responses from the SOC team. Triage is a key SOC differentiator and a crucial aspect of how business security needs are identified, defined and accommodated.
Resource Cut and Distribution
Although a SOC response will rightly prioritise incidents that pose the biggest risk to your business, as defined by scope, the team should never leave you vulnerable to additional threats while an incident is countered and defused.
Work with a specialist consultancy or SOC advisory to understand the proportion of resources that’ll be assigned to incidents per their triage status and those that will be held back for Business as Usual (BAU) or secondary response.
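The Stage 2 pipeline (score and merge threats against a risk matrix, then triage by criticality) and the triage hierarchy described above, as an added illustration that is not part of the original guide or any Sentis tooling. The impact weights, severity scores, tier thresholds and the alert feed are all constructed examples; a real matrix would come from your Stage 1 and Stage 4 work.

```python
from dataclasses import dataclass

# Business-impact weight per asset class, derived from the Stage 1 key security
# concerns (constructed values): the higher the weight, the more an incident on
# this asset hurts the business.
ASSET_IMPACT = {"erp": 5, "ecommerce": 5, "factory-sensor": 4, "workstation": 2, "test-vm": 1}

# Severity score per detected threat type (constructed values).
THREAT_SEVERITY = {"ransomware": 5, "iot-exploit": 4, "phishing": 3, "port-scan": 1}

# Triage tiers: minimum score for each tier and the response it triggers.
TIERS = [(20, "P1", "page incident responder, contain affected host"),
         (12, "P2", "analyst investigation within 1 hour"),
         (6, "P3", "queue for next shift review"),
         (0, "P4", "log only, handle as BAU")]

@dataclass
class Alert:
    asset: str
    threat: str
    source: str  # detection source that raised the alert, e.g. SIEM or EDR

def score(alert):
    """Risk-matrix score: business impact x threat severity; unknowns default to low."""
    return ASSET_IMPACT.get(alert.asset, 1) * THREAT_SEVERITY.get(alert.threat, 1)

def merge(alerts):
    """Initial investigation: fold alerts about the same asset and threat from
    several sensors into one event, keeping track of which sources saw it."""
    merged = {}
    for a in alerts:
        key = (a.asset, a.threat)
        if key not in merged:
            merged[key] = {"asset": a.asset, "threat": a.threat, "sources": set(), "score": score(a)}
        merged[key]["sources"].add(a.source)
    return list(merged.values())

def triage(alerts):
    """Rank merged events by score and attach the tier and response each one triggers."""
    events = merge(alerts)
    for e in events:
        for threshold, tier, action in TIERS:
            if e["score"] >= threshold:
                e["tier"], e["action"] = tier, action
                break
    return sorted(events, key=lambda e: e["score"], reverse=True)

SAMPLE_ALERTS = [  # constructed alert feed: note the ERP ransomware seen by two sensors
    Alert("workstation", "phishing", "mail-gateway"),
    Alert("erp", "ransomware", "edr"),
    Alert("erp", "ransomware", "siem"),
    Alert("factory-sensor", "iot-exploit", "ids"),
    Alert("test-vm", "port-scan", "ids"),
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(e["tier"], e["score"], e["asset"], e["threat"], sorted(e["sources"]), "->", e["action"])
```

Running it ranks the ERP ransomware event first as P1 with both sensors merged into one record, while the port scan on a test VM lands in P4 and stays out of the responders' way.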
Stage 5: Defining the Specifics
Now it’s time to prepare for handing over your SOC project to the implementation team. Here, you’ll define the specifics and undertake extensive specification and selection work to build out the technologies, processes and skills required to launch your strategy and bring your SOC to maturity as rapidly as possible.
What you must think about includes but is not limited to the following:
SOC Security Technologies
- Security Information and Event Management (SIEM)
- Advanced Threat Protection (ATP)
- Next-Generation Firewall (NGFW)
- Threat detection and response
- Content filtering
- Identity protection
- Endpoint management
- Integrations
SOC Processes and Automation
- Log Management
- Detection and Response
- Incident Management
- Investigation Management
- Regulatory Management
SOC People and Skills
- Job roles and responsibilities
- Intelligence sources
- Training, learning and development
- Internal or third-party
Building the Foundations of an Effective SOC
With your five stages of preparation work complete, you’re in a great position to accelerate your SOC strategy and begin defending your business from the smartest, most insidious threat actors around – potentially without employing a Chief Information Security Officer.
Do you need help building the foundations of a SOC, or have a question about your current project? Arrange a no-obligation discovery session with a Sentis SOC expert today.
Click here to schedule a time that suits you, or to read more about our SOC approach, check out our guide: What is a Security Operations Centre and why is it important.