Building your own SOC (a center for monitoring and promptly responding to information security incidents) is a large-scale project for any organization. Today, SOC as a service is also quite popular. The initial planning stage is the foundation on which the mechanism for identifying and responding to information security incidents will operate.
Based on our general experience of building a commercial SOC, we will talk about the first critical steps that need to be taken at the beginning of the SOC-building process.
What are an on-premise SOC and an outsourced SOC?
The first step, obvious but important, is to determine which kind of SOC your organization will have: on-premise (built inside the organization), outsourced (essentially a cloud service located outside the organization), or hybrid. In the hybrid case the company forms its own, unique SOC model according to its needs: part of the roles and functionality is assumed by the integrator partner under the MDRS subscription model, and part is implemented with the company's own forces and means.
As a rule, an on-premise SOC is chosen by organizations that have large IT and IS resources and strong competencies, and that for several reasons are not ready to hand this type of work to external providers such as UnderDefense.
Outsourced SOC services are chosen by companies that need results here and now and that do not need to keep this layer of work within their own perimeter. The hybrid model lets you combine outsourced services with the functions of your own departments in the most advantageous way.
The model structure of an on-premise SOC
There are various methodologies for assessing the required SOC option, and their results will depend greatly on the specifics and goals of each particular organization. In this article, the on-premise SOC will be considered, since this model is the most difficult to implement and traditionally raises many questions from our customers.
The next step is to define the organizational model of the monitoring center. For internal SOCs, four types of model are usually distinguished, although in practice we often encounter a fifth, which one might call "hybrid".
There is no separate structural unit for detecting or responding to information security incidents. In the event of an incident, predetermined resources are gathered (often from various departments, including IT) to solve the problem and restore systems to working order, after which the team stops its work.
Internal distributed SOC
A permanent SOC exists as a separate functional unit but consists mainly of employees who are organizationally located outside the SOC and whose main work is related to IT or information security, though not necessarily directly to the protection of computer networks.
Internal centralized SOC
A dedicated structural unit: a permanent team of IT and information security specialists. It provides continuous protection of computer networks, performing these tasks on an ongoing basis as its main activity. The resources and authority necessary for day-to-day operation are allocated to a separate, officially approved structural unit, usually with its own budget.
Coordinating SOC
A coordinating SOC acts as an intermediary and controls the interaction between several subordinate SOCs; as a rule, it operates in large companies with geographically distributed networks and branches. The coordinating SOC most often does not have the whole picture down to the end device, and its powers to serve consumers are limited. However, the coordinating SOC may offer incident analysis and investigation services at the request of subordinate SOCs.
The hybrid model
The hybrid model always falls in one of the logical gaps between these four models. Regardless of the size and characteristics of the organization, our team is ready to help with defining and comprehensively forming the SOC organizational model: from jointly creating and developing RASCI functional matrices, job descriptions, or role and authority cards, to creating the relevant regulations and provisions.
Main tasks of the SOC
Once an organizational model has been chosen, the main objectives of the SOC must be defined. Again, depending on the size and characteristics of the organization, the goals of creating a monitoring center and the tasks it must solve will differ greatly, especially considering the different maturity stages of organizations.
Sometimes the reason for creating a SOC is regulatory requirements, in which case the objectives of the SOC may simply cover the specific set of measures required by the regulator. For some organizations, given the specifics of the business or the organization as a whole, this will be enough, and that is normal.
Other companies (usually representatives of IT-dependent industries), having successfully passed the stages of goal-setting and determining the prerequisites for creating their own SOC, do not want to be limited to meeting regulatory requirements and instead develop the SOC further, increasing the maturity of both the team and all the processes and technologies used in it.
The fourth step is to define the SOC's authority. This determines the degree of freedom the SOC has in acting on the protected objects of the information infrastructure, i.e., to what extent its proposed decisions and actions must be coordinated with other departments.
Without going into details, there are three main levels of SOC authority, each of which speaks for itself:
1. No authority (for example, any decision of the SOC, or of information security in general, must be pre-approved by IT as the dominant organizational unit).
2. Shared authority (for a predetermined and agreed set of operations and procedures on a defined list of information infrastructure objects, the SOC has the right to perform response actions or make changes without any approvals).
3. Full authority (any operation or procedure on any information infrastructure object that needs to be performed based on the results of the SOC's work is carried out without delay or approval).
In practice, as UnderDefense explains, we often observe hybrid types of SOC authority which, even within the same monitoring center, differ depending on specific business processes, information systems, or territorial divisions.
Before making a final strategic decision on a SOC, one question must be answered: is the organization ready to act on the signals coming from the SOC? A SOC demonstrates a return on investment when it works in sync with the organization. If, in response to SOC messages and reports, other departments are not ready to respond to the problems and incidents identified, a SOC may still be premature for that particular organization.