How to build a security operations centre that defeats hackers

Nine in ten large organisations reported suffering a breach in the 12 months preceding the Department of Business, Innovation & Skills’ 2015 information security survey. The cyber attacks that make national headlines are just the tip of the iceberg – and the perpetrators are getting ever more persistent and sophisticated.

Every organisation is at risk and every board knows that battening down the virtual hatches is essential. CxOs are committed to investing in IT security but quite rightly want to know that they will get value from this investment. Adopting the right security operations centre (SOC) strategy is key.

Not all SOCs are created equal. Here are six tips for organisations looking to adopt or adapt a SOC strategy.

1. Decide which model is best

Start by weighing up the pros and cons of outsourcing your SOC to a managed security service provider (MSSP), building it in-house, or adopting a hybrid model.

A typical MSSP’s approach allows organisations to outsource the establishment and maintenance of certain specialist skills sets and processes.

While this model can be cost-effective, the downsides are a lack of organisational context and personalisation.

Because these SOCs are based on shared resources, they are designed to operate most effectively using standardised interfaces to accomplish economies of scale.

Installing your own SOC avoids many of these problems, but represents a major investment. And costs can increase rapidly.

The in-house team might also end up being consumed by compliance-based tasks and other low-value work usually deemed as appropriate for an operations team.

A hybrid approach addresses many of the customisation and skill-set challenges. It typically involves a MSSP supplying staff and providing process and service management capabilities, with the actual SOC based on the customer’s premises and using its systems – or at least dedicated to the customer if off-site.

2. Build a SOC that works for your business

Take time at the outset to ensure that the SOC interface is right for your organisation. Detail and approach your specific requirements carefully because integrating with a SOC that will not adapt its customer interfaces or task-tracking approaches to meet your needs will result in a SOC that lacks business commitment and engagement. Glossing over this important step could cost you dear in the run phase.

3. Treat compliance as a subset of threat management

An organisation’s information security policy/scheme or regulatory requirements should therefore clearly document the control objectives of your organisation.

Compliance alone will not provide the SOC with the capabilities needed to prevent threat agents, which will attempt to work around the general controls that you put in place.

A robust SOC will regularly assess threats to the organisation and adapt or augment controls appropriately to ensure that it retains a relevant capability as threats, and the parent organisation, evolve. Control requirements should be fulfilled – but only as a subset of threat management.

4. Ensure your sourcing model effectively addresses your requirements

Choosing a sourcing model involves consideration of different staffing and location options. Each element of a SOC could potentially be sourced separately, resulting in different costs and benefits.

For example, a service could be provided using permanent staff, contract staff, service provider staff or a blend of all three. A service could be located on your premises, the service provider’s premises, on-shore, off-shore or near-shore – or a blend of all of these.

Each of these has consequences: what does this mean for my data; what does this mean to the IP that the SOC establishes (your tuning should be considered part of your IP); and what does this mean to my long-term costs and service?

It is important to consider each of these individually and apply the test of how this would survive a transition from one model to another.

Whatever model is chosen, it should specifically address your problem and not be limited to the point of failure by constraints in the sourcing approach.

5. Standardise on processes where possible

To a point, it is possible to fire-fight emerging threats using the latest tools and a few cyber-security experts, but good process and service management will always win out.

It is far better to create a sustainable service that will earn the respect of the business and establish the SOC as a core part of the organisation’s risk controls.

Focus initially on creating strong processes that embrace agility and consistency. By standardising these processes, more of this activity can be automated. This will ultimately free up your teams to manage emerging threats in a more dependable and robust fashion.

6. Ahead of the enemy

As Andy Grove, former CEO of Intel, famously said, “There are only two types of organisations: the quick and the dead.” A good SOC must be built with people, processes and technologies that are flexible and can adapt quickly to change.

>See also: Should we be afraid of big bad botnets?

Open technologies can help considerably. But more important than any technology is having the right process and approach – this will ensure that the correct focus is in the correct place with the correct mission at all times.

By taking this approach with your SOC, your firm will be able to stay one step ahead of potential perpetrators.

The reality is that organisations today are in a constant state of compromise and the deck is stacked against them.

By adopting a tailored strategy that balances technology, people and process issues, organisations can ensure their SOC is fit for purpose and maximise the value of their SOC staff and technology investments.


Sourced from David Calder, MD, security practice, ECS

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics