How to optimise and continually improve your SOC

by Pavlo Poliakov

Keeping your business secure can be a complex operation, with a multitude of tools and solutions constantly running across your vast digital environment. That’s why having a reliable and well-organised Security Operations Centre (SOC) is so important to maintaining a robust cybersecurity posture.

A good SOC will be the base for your cybersecurity team, and should contain everything they need to monitor, detect, analyse, and respond to security incidents. This can include technologies like Security Information and Event Management (SIEM) systems, Intrusion Detection and Prevention systems (IDS/IPS), firewalls, threat intelligence platforms, and Endpoint Detection and Response (EDR) solutions.

Recently, we published a whitepaper on how to build an effective SOC within your business. But the work doesn’t stop once your SOC is up and running. To make sure your organisation is fully protected from cyber threats, you should be constantly optimising and continuously improving your SOC.

Let’s take a look at why your SOC needs regular maintenance, and how to keep it performing at the highest level.

The importance of keeping your SOC optimised

Cybersecurity threats are growing more sophisticated every day. As risks evolve, new opportunities emerge for cybercriminals to slip past (or smash through) your defences. To make sure your organisation stays as secure as possible, your cybersecurity posture needs to continually evolve too.

If you’re not actively working to continuously improve your SOC, it can become outdated fast, leaving it ineffective in detecting and responding to new threats. A SOC that’s behind the times is at far higher risk of falling foul of a cyberattack, leading to data breaches, financial losses, reputational damage, compliance failures, and legal and financial penalties.

A well-optimised SOC is your best defence, allowing you to detect and respond to these developing threats quickly and effectively, therefore reducing the risk of a successful, and potentially damaging, cyberattack.

How to continuously improve your SOC

Keeping your SOC at the top of its game requires regular upkeep, evaluation, and fine-tuning. Here are some essential actions to take to make sure you’re getting maximum protection from your SOC.

Regular assessments of your SOC’s effectiveness

The first step to improving any aspect of your operations is to assess its current performance. Is it the most exciting part of levelling up your SOC? No. But at the rate that cyber threats are growing more advanced and wide-ranging, you can’t afford not to size up your SOC’s effectiveness on a regular basis.

Consistent and frequent assessments of your SOC’s capabilities, including its tools, processes, and personnel, will help you identify any new vulnerabilities, knowledge gaps, and parts of your posture that need to be shored up.

Don’t forget to include these core areas when carrying out these assessments:

  • Threat detection and response: Evaluate your SOC’s ability to detect and respond to security incidents quickly, including how well your triaging and incident response processes work in practice. How long does it take for the team to respond to a potential security issue? Is there any delay in notification or alert delivery?
  • Technology and tools: Assess the efficiency of your SOC’s security technology stack, including SIEM systems, intrusion detection systems, and threat intelligence platforms. Make sure that each tool not only works well in itself, but also integrates and communicates effectively with other tools to facilitate proper cohesion within your SOC.
  • Internal skills: Watch out for skills gaps in your team. Evaluate the expertise, training, and skill sets of SOC personnel to ensure they have the knowledge and capabilities they need to effectively respond to emerging security threats.
  • Process and procedures: Walk through your SOC’s standard operating procedures, incident response plans, and escalation processes and verify that they’re well-defined, up-to-date, and effectively implemented across the entire team. Check that these processes are properly resourced and are consistently executed as expected.
  • Reporting: Assess any metrics and reporting mechanisms your team uses to measure SOC performance, especially any KPIs that focus on incident response times, false positive rates, and overall security posture.
  • Compliance: Ensure that the SOC’s operations align with relevant industry standards, regulatory requirements, and best practices. These kinds of rules and governance guidelines change often, so don’t let your SOC fall behind.

Keep an ear to the ground

Stay up-to-date with the newest cybersecurity threats and trends to understand the ever-evolving landscape, and make sure you’re aware of any emerging risks or vulnerabilities.

There are a lot of great cybersecurity information sources out there that you and your team can use to stay up-to-date on the latest news, including:

  • Cybersecurity vendors and service providers: Many cybersecurity vendors and service providers have their own threat intelligence feeds, often found on social media, which provide real-time information on emerging threats and vulnerabilities.
  • Government agencies: There are many government agencies dedicated to cybersecurity today, and these can be a great source of reliable data on rising threats. Agencies like the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI), for example, all provide alerts on the latest cybersecurity threats, as well as advice on how to protect your organisation against them.
  • Industry associations: Independent industry associations like the Information Systems Security Association (ISSA) and the International Association of Computer Science and Information Technology (IACSIT) provide information on the latest cybersecurity trends, as well as best practices to implement in your SOC.
  • Security research firms: Leading security research firms such as Gartner, Forrester, and IDC regularly publish useful reports and analysis on emerging cybersecurity threats and trends.
  • Online communities: Online communities where cybersecurity professionals get together, such as Reddit’s cybersecurity subreddit and the SANS Internet Storm Center, provide a valuable platform to pick up information and hear about what other businesses are doing to combat emerging threats.

Deliver consistent training

The people who operate the technologies within your SOC are just as critical as the tools themselves. Without the right knowledge and skills in place, useful solutions may be underutilised and vulnerabilities may be missed.

Delivering regular, high-quality training to SOC staff will help ensure they have the necessary skills and knowledge to spot emerging threats, make the most of the tools at their disposal, and respond to security incidents successfully.

The best way to keep your team’s skills up-to-date is to develop a comprehensive, proactive training programme that covers a wide range of technical and non-technical skills, with learning opportunities delivered consistently. You can’t prepare your team for every possibility, but regular training, informed by cybersecurity trends, will help you get ahead of the curve. This will help minimise the chance of having to close the barn door after the horse has bolted—and only educating your team on a security risk after they’ve already fallen victim to it.

Some key training areas to cover in your cybersecurity training strategy include:

  • Incident response best practices, including how to best detect, analyse, and respond to security incidents
  • Threat intelligence, including how to gather, investigate, and apply it to proactively identify and respond to emerging threats
  • Security technology including the effective use and ongoing management of tools like SIEM, intrusion detection systems, endpoint security solutions, and threat hunting platforms
  • Digital forensics and investigative techniques to help teams analyse security incidents, gather evidence, and understand the scope and impact of security breaches
  • Compliance with any relevant industry standards, compliance requirements, and legal considerations that apply to your business model or industry, including GDPR, HIPAA, and PCI DSS
  • Communication to facilitate teamwork and seamless collaboration with other departments within the organisation involved in cybersecurity matters
  • Continuous learning to help encourage and support ongoing professional development—this could include industry certifications, workshops, or conferences
  • Other soft skills such as problem-solving, critical thinking, and adaptability to equip teams to respond to dynamic and evolving cybersecurity threats more effectively

Implement the latest technologies

For any SOC to be effective, it needs to take advantage of the best available cybersecurity technology. The good news is that, while cyber threats are advancing at breakneck speed, the cybersecurity tech industry is working hard to keep up.

Obviously, there are many factors involved in building a robust cybersecurity tech stack—very few businesses have the kind of bottomless purses or cutting-edge skill sets needed to harness every new cybersecurity platform that promises to revolutionise your SOC.

But wherever possible, businesses should be keeping an eye out for updates to the solutions in their stack, and considering other options if any tools aren’t delivering the performance you need. This will help your SOC get access to the technologies it needs to keep pace with new threats.

Cybersecurity solutions that any good SOC should have at its disposal include:

  • Security Information and Event Management (SIEM): SIEM platforms such as Splunk Enterprise Security, IBM QRadar, LogRhythm, and ArcSight are essential because they allow teams to aggregate and analyse security event data from various sources, enabling real-time monitoring, threat detection, and incident response.
  • Intrusion Detection and Prevention Systems (IDS/IPS): IDS/IPS solutions like Snort, Suricata, Cisco Firepower, and Palo Alto Networks’ Threat Prevention help detect and prevent network-based attacks and anomalies.
  • Endpoint Detection and Response (EDR): EDR tools such as CrowdStrike Falcon, Carbon Black, and SentinelOne provide visibility into endpoint activities, enabling the detection and response to advanced threats and malware.
  • Threat Intelligence Platforms: Threat intelligence platforms like Anomali, Recorded Future, and ThreatConnect provide actionable data around emerging threats, helping SOC analysts stay ahead of any new vulnerabilities.
  • Vulnerability Management Tools: Vulnerability scanners such as Qualys, Tenable and Rapid7 Nexpose help identify and prioritise security vulnerabilities across an organisation’s IT infrastructure.
  • Security Orchestration, Automation, and Response (SOAR): SOAR solutions like Demisto, Swimlane, and Splunk SOAR enable SOC teams to automate their incident response processes and orchestrate security tools for faster response times and better overall efficiency.
  • Network Security Monitoring (NSM): NSM solutions like Security Onion, Zeek, and Moloch are used to monitor and analyse network traffic for signs of malicious activity and unauthorised intrusions.
  • Forensic tools: Digital forensics tools such as EnCase, FTK, and Autopsy help teams collect and analyse digital evidence in the event of a security incident, so that causes can be identified and measures taken to prevent reoccurrence.
  • Incident Response Management Platforms: Incident response management platforms like Resilient (IBM Security) and ServiceNow Security Incident Response help SOC teams better facilitate the coordination and management of security incidents, from detection through to resolution.

Test your responses

You don’t have to wait for a security incident to occur to test your incident response processes. Regularly carrying out simulated cyberattacks will help your SOC team proactively identify areas for improvement so that responses can be enhanced before they’re needed.

You can test how well your SOC deals with a variety of potential cyber-attack scenarios by running regular simulations. This is known as Incident Response Testing, and can be conducted using a number of different methods and exercises.

Here are a few approaches to consider:

  • Tabletop exercises: No, we’re not talking World of Warcraft here; tabletop exercises involve simulating a security incident scenario in a discussion-based format. These exercises typically involve key stakeholders and members of the SOC team sitting around a table and talking through incident response plans as if they were really being executed.Tabletop exercises help identify gaps in incident response plans, communication protocols, and decision-making processes that might hinder the effectiveness of your IRP.
  • Red team vs. blue team exercises: These exercises involve simulating real-world attacks on the organisation’s systems and networks to test the effectiveness of the SOC’s detection and response capabilities.The red team is typically made up of offensive security professionals who will attempt to attack an organisation by breaching its cybersecurity defences. The blue team’s  job to respond to and defend against the red team’s attack.

    This active exercise can throw up unexpected turns and force the blue team to think on their feet—this can be invaluable in helping you uncover weaknesses in security controls and incident response procedures that may not come up in tabletop exercises.

  • Simulation drills: Simulation drills help you assess the effectiveness of tailored incident response procedures developed to address specific types of threats, like a ransomware attack, data breach, or DDoS attack.These drills help validate the effectiveness of individual response processes and highlight areas for improvement. They’re particularly useful if your organisation is vulnerable to, or has been targeted by, a particular type of attack.
  • Threat hunting exercises: Threat hunting exercises usually involve your SOC team proactively searching for any signs of compromise within the organisation’s systems. By combing through networks to identify potential threats that may have evaded automated detection, your team brushes up on their ability to detect advanced threats, and may learn about new types of risk in the process.
  • Post-incident reviews: Prevention is no doubt better than cure, but if your organisation has suffered a cyberattack or breach of any kind, don’t waste the opportunity to learn from it.Hold a post-mortem after any genuine security incident, and carry out a thorough post-incident review to enable the SOC team to assess the effectiveness of their response. Identify and document any lessons learned, and create actions to improve incident response processes and procedures.
  • External penetration testing: This popular method of testing involves hiring an external security firm (or several) to carry out a ‘pen test’: an authorised, simulated attack on your computer systems that helps your SOC team evaluate its overall security.Pen tests are effective ways to identify potential vulnerabilities and weaknesses that could be exploited by attackers, allowing the SOC to proactively address these issues before they’re misused by real malicious actors.

Track performance with metrics and reporting

You can’t improve what you don’t measure. That’s why it’s critical to have defined metrics and reporting processes in place to help track your SOC performance and scope out areas for improvement.

Here are a few KPIs you can use to ensure your SOC is effectively protecting your organisation’s assets:

  • Mean time to detect (MTTD): MTTD measures the average time it takes for your SOC to discover security incidents once they have occurred. The lower your MTTD is, the more effective your SOC is at identifying and responding to threats in a timely manner.
  • Mean time to respond (MTTR): MTTR measures the average time it takes for your SOC to respond to and mitigate security incidents once they’ve been detected. Again, a lower number indicates that your SOC is able to contain and remediate security incidents quickly.
  • False positive rate: This metric measures the percentage of security alerts generated by tools within your SOC that are determined to be false positives. A high rate of false positives can overwhelm your SOC analysts, reduce the efficiency of the team, and lead to incidents being missed.
  • Percentage of incidents resolved: This KPI shows what percentage of security incidents are successfully resolved by your SOC, proving insight into the SOC’s effectiveness in managing and mitigating security events.
  • Incident escalation rate: Your incident escalation rate shows you how often security incidents are escalated to higher levels of the SOC, or to other senior teams within the organisation. If your IER is high, it may mean that detection and response capabilities need to be improved so that your SOC team can deal with more incidents themselves.
  • Time to patch: This metric tracks the average time it takes to apply security patches and updates to vulnerable systems and applications, helping to assess the SOC’s ability to address known vulnerabilities.
  • Threat intelligence utilisation: A vital metric for gathering insight into the effectiveness of threat intelligence integration, this metric measures how well the SOC leverages threat intelligence to enhance its detection and response capabilities.
  • Training and skill development: Tracking the learning progress of your SOC personnel is an important part of your cybersecurity skills development strategy, allowing you to see what’s working, where more training is needed, and make sure your team is ready to handle emerging threats.
  • SOC efficiency ratio: The SOC efficiency ratio helps you work out how effective your SOC currently is by comparing operational costs to the number of security incidents detected and resolved.

You want a good return on investment from your SOC, meaning the costs of running it should be lower than the potential costs of letting security incidents go unchecked.

When crunching these numbers, it’s helpful to know what exactly a security incident typically costs. You can get a rough idea by totalling up the direct expenses (time and resources required for detection and response, including team salaries, software licencing, and infrastructure overheads) and the indirect expenses (loss of revenue, customer turnover, regulatory penalties, reputational damage etc.)

Automate, automate, automate

Automating and orchestrating tools wherever possible will streamline your SOC processes, improve response times and free up your cybersecurity team to do more valuable work, like examining incidents or learning new skills.

Many of the routine tasks involved in detecting, investigating, and responding to security incidents can be automated. These are just a few you can get started with:

  • Alert triage and prioritisation: Automation tools can be used to triage and prioritise security alerts without the need for manual intervention. Prioritisation is based on pre-defined indicators of severity, allowing your SOC team to tailor the triaging process according to the needs of the business, and helping analysts focus on the most critical incidents.
  • Incident investigation and response: Orchestration tools allow teams to automate the investigation of and response to security incidents. This means SOC analysts can quickly get to the bottom of potential threats and issue a response without manual intervention, vastly increasing the number of events that can be addressed and improving overall security.
  • Threat intelligence integration: Modern businesses have huge numbers of data streams at their disposal, but integrating all of these with your SOC can be challenging. Automation can be used to incorporate threat intelligence feeds into the SOC’s detection and response processes, allowing analysts to identify and respond to emerging threats more quickly across a much broader section of your environment.
  • Vulnerability management: Automation tools can be used to automatically scan and identify vulnerabilities within the organisation’s systems and applications, removing the potential for human error and massively increasing the footprint you can cover. Businesses can also take this process a step further by using orchestration tools to automate the patching and remediation of any vulnerabilities that are detected.
  • Compliance monitoring: Compliance is complex, but SOC teams can make sure nothing is out of order by automating compliance monitoring. Autonomous tools can monitor the environment with the latest regulatory requirements and security policies in mind, alerting SOC analysts to any violations or non-compliant behaviours before they become a larger, more legally challenging issue.
  • Reporting: Often a recurring, repetitive, and manual task, reporting is the perfect candidate for automation. Using automation tools, SOC teams can generate consistent reports and compare metrics on SOC performance, providing valuable insights into the effectiveness of operations.

ABI: Always be integrating

Knowledge is power when it comes to cybersecurity, and the more data your SOC can take in, the better it can protect your digital assets. Think about whether there are any new threat intelligence feeds or platforms you can integrate with your SOC’s tech stack.

Feeding relevant data into your cybersecurity solutions will enhance your SOC’s ability to proactively identify and respond to threats. These intelligence feeds can come from all manner of places—both from within your organisation’s digital environment and from outside sources.

Some threat intelligence feeds that businesses should consider integrating with their SOC include:

Open source threat intelligence feeds: These publicly available threat intelligence feeds provide information on indicators of compromise (IOCs), malicious IP addresses, domains, and URLs, and malware signatures that are being or have been used by cyber criminals.

Examples: Open Source Intelligence (OSINT),, Proofpoint’s Emerging Threats feed

Commercial threat intelligence feeds: Commercial threat intelligence providers offer paid services that deliver comprehensive and curated threat intelligence data, including information on advanced persistent threats (APTs), threat actor profiles, and industry-specific threat trends for high-risk sectors like finance and healthcare.

Examples: FireEye iSIGHT, Recorded Future, Anomali

Information Sharing and Analysis Centres (ISACs): ISACs are industry-specific, members-only groups that facilitate the sharing of threat intelligence and best practices among their members. These are usually focused on a particular sector, allowing them to be more targeted with their intelligence sharing.

Examples: Financial Services Information Sharing and Analysis Centre (FS-ISAC), Health Information Sharing and Analysis Centre (H-ISAC).

Governmental and law enforcement sources: With so many government agencies and law enforcement groups dedicated to fighting against cyber criminals, a lot of valuable intelligence is generated every day. Businesses can leverage this threat intelligence to inform their own strategies, and get ahead of any major trends.

Examples: Department of Homeland Security (DHS) in the United States, National Cyber Security Centre (NCSC) in the UK, Europol’s European Cybercrime Centre (EC3)

Threat Intelligence Platforms (TIPs): These software solutions aggregate and analyse threat intelligence data from various sources, providing SOC teams with actionable insights and a centralised platform from which to manage threat intelligence.

Examples: ThreatConnect, Anomali ThreatStream, IBM X-Force Exchange, ThreatQ

There is no shortage of steps that businesses can take to optimise their security operations centres—the real key to success is taking these steps regularly and consistently.

Fostering a mindset of continuous improvement around your SOC is the best way to ensure your environment and your assets are as secure as possible in a threat landscape that’s constantly throwing up new ways to damage and exploit your business.

Upgrade your SOC with RiverSafe

Cyberattacks are constantly evolving. To protect your organisation from innovative threats, you need innovative security solutions.

RiverSafe provides perspective and insight on the status of your security infrastructure, creating a unified solution that puts you in control. Supported by advanced technology, a robust implementation model and team training, RiverSafe ensures your business is secure, informed and future-proofed.

Secure your business now

By Pavlo Poliakov