Mastering Cyber Defence: Building Your Security Operations Centre (SOC)

by Riversafe

Technical support concept. Maintenance sign wrench and srewdriver tools. Tech issues fix service.

In today’s world where everything is connected digitally, businesses face more and more cyber threats. Setting up a security operations center (SOC) is necessary to find, analyse, and deal with these threats effectively. People, processes, and technology all work together in this facility to protect an organisation’s digital assets. To build a SOC, you need to carefully plan and carry out a number of key steps.

  For a detailed guide on how to design and build your SOC, download the full white paper here:

Understanding the Need for a SOC

The first step in building a SOC is to understand why your organisation needs one. Some of the key reasons an organisation may need a SOC include managing cybersecurity risk more effectively, improving incident response capabilities, centralising security monitoring and operations, and gaining better visibility into the evolving threat landscape.

A SOC enables organisations to manage cybersecurity risks by implementing monitoring and response capabilities. It also enhances an organisation’s incident response by ensuring timely detection, investigation, containment, eradication, and recovery from security incidents.

Additionally, a SOC provides a unified view of an organisation’s security posture by centralising security monitoring and operations. Finally, a SOC delivers real-time visibility into the evolving threat landscape for an organisation.

Defining the SOC Scope and Requirements

Once you have established the need for a SOC, the next step is to clearly define its scope and requirements.

This involves determining the monitoring coverage, such as whether the SOC will provide 24/7 monitoring or operate on an 8/5 schedule.

You need to identify the various technologies and data sources that your SOC will monitor to gain visibility. The staffing requirements also need to be determined, including the number of security analysts needed per shift.

The skills and experience required for SOC analysts should also be specified, including any necessary certifications to ensure they possess the abilities to handle incidents. It is important to define the types of incidents that your SOC will handle internally and those that will be escalated to other teams or external entities.

Identifying the necessary reports and their frequency helps to clearly define the scope of the SOC. Reports are needed to identify incidents, measure response times, and provide overall visibility into security operations.

Determining these details of monitoring coverage, data sources, staffing, skills, incident handling, and reporting requirements when establishing the SOC scope clarifies its purpose and parameters.

Selecting a SOC Model

Once the scope and requirements of your SOC are defined, the next step is to select a suitable SOC model. There are three primary options to consider:

  • In-house SOC: A centralised unit fully owned and managed by the organisation. Provides full control, but has potential for higher costs
  • Co-managed SOC: A hybrid model where the organisation shares responsibility for managing the SOC with a third-party provider. Allows for shared responsibility and balance of control and cost
  • Fully managed SOC: The organisation outsources the management of the SOC to a third-party provider. May provide less flexibility, but outsources management and offers potential cost savings

When selecting a SOC model, factors such as cost, control over operations, flexibility to make changes, and the ability to hire experienced talent should be considered. Specifically, an in-house SOC provides full control but may have higher costs, while a fully managed SOC outsources management but has less flexibility. Therefore, determining the suitable SOC model involves weighing these considerations to meet the needs of the defined scope and requirements.

Designing SOC Procedures

Establishing policies and procedures is also critical for the success of the SOC. This includes incident response, threat hunting, and other SOC activities. Policies and procedures should be well-documented and communicated to all relevant stakeholders.

  • Incident Response: Outlines the steps the SOC will take when responding to a security incident. Should cover triage, containment, eradication, recovery and lessons learned
  • Threat Hunting: Defines the SOC’s threat hunting strategy including hunting objectives, tools/data sources, frequency/scheduling, reporting and more
  • Alert Triage: Provides guidance on evaluating and prioritising incoming security alerts. May include severity categorisation, enrichment, escalation procedures etc
  • Vulnerability Management: Covers the process for identifying, prioritising, scanning for and remediating vulnerabilities within the environment
  • Access Management: Specifies how access will be provisioned, reviewed and revoked for systems and data within the SOC’s scope
  • Third Party Management: Defines how third party risk will be assessed and managed including due diligence, monitoring and audit
  • Incident Documentation: Outlines required documentation for security incidents including summary, timeline, impact, etc
  • SOC Reporting: Describes key performance and risk metrics the SOC will report on regularly to stakeholders

Having comprehensive policies and procedures in place ensures SOC activities are conducted in a standardised and effective manner, promoting consistency in areas like incident response, access management, and reporting. This aids in maturing the SOC’s capabilities over time.

Building the SOC Team

A key factor in the success of a SOC is the team responsible for its operations. Staff the SOC with the following roles and skill sets:

  • SOC Manager: Manage SOC staff, budget, technologies; liaise with leadership
  • Security Analyst: Monitor security tools and systems; triage and escalate incidents
  • Incident Responder: Lead investigation and remediation of incidents; develop mitigation strategies
  • Threat Hunter: Proactively search for IOCs; identify advanced threats through data analysis
  • Security Engineer: Implement and maintain security tools and systems; support architectural designs
  • Security Architect: Design security infrastructure and solutions; create security policies and standards
  • Forensics Investigator: Perform malware analysis and reverse engineering; gather evidence for investigations
  • Malware Analyst: Analyse malware samples; extract IOCs and TTPs; maintain threat intelligence

Having the right mix of roles and expertise is crucial for building an effective SOC team. The team should possess the appropriate skills to manage security operations, analyse threats, respond to incidents, conduct investigations, and more. Investing in continuous training and professional development will further enhance the capabilities of the SOC team over time.

Selecting and Implementing Technology

The success of a SOC relies on the effective use of technology. Several critical technologies are essential for a SOC’s operations:

  • Firewall: A network security device that filters network traffic and protects against unauthorised access and malicious activities
  • IDS (Intrusion Detection System): Monitors network or system activities to detect potential security breaches and triggers response procedures
  • SIEM (Security Information and Event Management): Collects and analyses security event logs to identify patterns, trends, and security incidents, supporting incident response and forensics
  • Endpoint Protection: Security measures to detect and prevent malware, enforce device and data protection policies, and facilitate device management

Carefully selecting and integrating the right mix of security technologies provides the foundation for effective threat detection, monitoring, analysis, and incident response capabilities within the SOC. As threats evolve, the technology stack will need to be continually assessed and upgraded to ensure comprehensive visibility and protection across the environment.

Developing Metrics and Reporting

To measure and communicate the performance of your SOC, it is crucial to define quantifiable metrics and key performance indicators (KPIs).

  • Types of Incidents Detected: A breakdown of the types of security incidents detected
  • Mean Time to Detect (MTTD): The average time it takes to detect a security incident
  • Mean Time to Respond (MTTR): The average time it takes to respond to a security incident
  • Number of Incidents Handled: The total number of security incidents handled by the SOC
  • Mean Time to Acknowledge (MTTA): The average time taken for your SOC team to acknowledge the detection of a threat
  • Dwell Time: Refers to the duration a threat remains undetected within your network

Tracking and reporting on metrics provides visibility into the effectiveness of the SOC’s operations. This helps identify opportunities for improvement, demonstrate progress to stakeholders, and guide strategic decisions on resourcing, technologies, and processes.

Integrating the SOC

To ensure effective security operations, the SOC should integrate with other teams and processes. This collaboration allows for a comprehensive view of the organisation’s security posture and enhances threat detection and response.

  • Vulnerability Management: Collaborate closely with the vulnerability management team to prioritise and remediate vulnerabilities promptly
  • Identity and Access Management (IAM): Work closely with the IAM team to configure and monitor access controls effectively
  • Incident Response: Develp a well-defined incident response plan, prioritise incidents based on severity, and communicate with other teams during the response process
  • Threat Intelligence: Integrate threat intelligence into the SOC’s workflow to stay up-to-date on the latest threats and improve detection and response capabilities

Fostering strong partnerships between the SOC and other internal teams is key for maximising effectiveness. Cross-team collaboration, information sharing, and coordination of priorities and activities drives a unified approach to managing security risk across the organisation.

Take Your Next Steps With RiverSafe

Building a SOC is not a one-time task; it requires continuous enhancement to keep pace with the evolving threat landscape.

This article is based on our comprehensive whitepaper titled “How to Build a SOC: A Guide for Effective Security Operations.”

If you’re looking for an in-depth exploration of the intricacies and details involved in building a SOC, we invite you to sign up and follow along with our guide. 

It provides valuable insights into the process, helping you establish a SOC that is tailored to your organisation’s needs, resources, and risk tolerance.

Or for more advice, contact us to book a consultation.


By Riversafe

Experts in DevOps, Cyber Security and Data Operations