Security Operations Best Practices

From SANS 2019 Best Practices

• The most frequently cited barriers to excellence: lack of skilled staff (58%), followed by absence of effective orchestration and automation.
• Highest-performing CSF (NIST Cybersecurity Framework) technology: access control/VPNs (87%) in the protection category; lowest (of those in popular use): artificial intelligence (AI)/machine learning (ML) (53%) in the detection category.
• For continued improvement:

  • Articulate services to the
  • Build use cases.
  • Retain staff through training and growth.
  • Use external managed security service providers (MSSPs) strategically to bolster weaknesses.
  • Closely coordinate with

Clearly define what the SOC is and the measurable benefits it provides to your organization (ask us about metrics). Use this list as a basis to articulate the services offered and how they’re
For example: detection is outsourced, but triage of MSSP detections is internal; security architecture, vulnerability remediation, compliance verification and some penetration testing are internal; incident handling is done internally at first, with an outsourced contract for surge support; forensics isn’t done unless the outsourced incident-handling team does it. Items not listed, such as threat intelligence, aren’t done unless they fall within staff’s regular duties.

Define an outsourcing strategy if you don’t have one, and compare the capabilities you intend to outsource with what your peers are doing. If you intend to outsource, pay careful attention to articulating your needs to providers, and keep reinforcing those expectations and assessing performance. If you haven’t worked out the details of what you need from the service provider, anticipate 6–12 months of on-ramp time before reaching a normal steady state of operations.

Do a tabletop walk-through of a common incident scenario and of one that is more unusual. Use that walk-through to demonstrate that the IR strategy you have in place is the optimal one for your organization. If it is not, build an improvement plan to get better.

Develop your system for capturing tribal knowledge into documented internal guidance for new and seasoned staff. Capture the pain points from onboarding new SOC staff so the next iteration has a smoother transition into effective performance within the SOC. Document the necessary and optional training for staff. Document the details of high-profile past incidents so new SOC members understand the organization’s past negative experiences and can try to avoid repeating them.

Determine whether becoming a service provider for your organization is the right way to offer your SOC service. Such a model is tenable only when the SOC is somewhat mature and the organization has a good security culture. The “internal MSSP” approach will drive maturity, efficiency, performance and customer orientation. If you launch this strategy too soon, you risk losing the funding needed to achieve maturity as constituents move to external providers.

Leverage native capability or add external monitoring software to all new cloud, IoT and mobile projects for coverage. Vendors have solutions ready to help you. Play catch-up, if necessary, to monitor devices that are already deployed. Continue to expand coverage of all standard IT systems, and align more closely with IT operations to keep pace with changing organizational demands. If your organization says it can’t do this, look to other institutions that have accomplished closer integration for examples of how to achieve it. There is usually a managed operational capability and consensus on including security in place before technological solutions can be deployed effectively.

Identify potential funding vehicles that are currently unutilized or underutilized. Use metrics to demonstrate the value provided by the SOC. Look for ways to share your newly acquired assets with the NOC and the governance, risk management and compliance (GRC) teams to drive closer coordination and unify efforts.
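The metrics most SOCs end up defending to management are mean time to detect (MTTD), mean time to respond or contain (MTTR) and SLA adherence per severity. The following is an added example, not code from the page or from SANS, that computes them from a constructed set of incident records; the incident timestamps and the per-severity SLA hours are hypothetical values chosen for illustration.

```python
"""Compute defendable SOC metrics (MTTD, MTTR, SLA adherence) from incident records.
Added example with constructed data; not from the original page."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median


@dataclass
class Incident:
    ident: str
    severity: str               # "high" | "medium" | "low"
    first_activity: datetime    # earliest evidence of attacker activity (from logs/forensics)
    detected: datetime          # when the SOC raised the ticket
    contained: datetime         # when the threat was contained


def _dt(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records (hypothetical incidents, not real data).
SAMPLE_INCIDENTS = [
    Incident("INC-001", "high",   _dt("2024-03-01 08:00"), _dt("2024-03-01 10:00"), _dt("2024-03-01 14:00")),
    Incident("INC-002", "high",   _dt("2024-03-02 22:00"), _dt("2024-03-03 09:00"), _dt("2024-03-03 14:00")),
    Incident("INC-003", "medium", _dt("2024-03-05 12:00"), _dt("2024-03-05 12:30"), _dt("2024-03-06 12:30")),
    Incident("INC-004", "low",    _dt("2024-03-07 09:00"), _dt("2024-03-07 09:15"), _dt("2024-03-07 09:45")),
]

# Hypothetical containment SLA per severity, in hours (policy values are an assumption).
SLA_HOURS = {"high": 4, "medium": 24, "low": 72}


def hours(delta):
    """Convert a timedelta to fractional hours."""
    return delta.total_seconds() / 3600.0


def soc_metrics(incidents):
    """Return MTTD/MTTR (mean and median, in hours) per severity and overall,
    plus the percentage of incidents contained within their severity's SLA."""
    by_sev = {}
    for inc in incidents:
        by_sev.setdefault(inc.severity, []).append(inc)

    def summarize(group):
        ttd = [hours(i.detected - i.first_activity) for i in group]   # dwell before detection
        ttr = [hours(i.contained - i.detected) for i in group]        # detection to containment
        in_sla = sum(1 for i in group
                     if hours(i.contained - i.detected) <= SLA_HOURS[i.severity])
        return {
            "count": len(group),
            "mttd_mean_h": round(mean(ttd), 2), "mttd_median_h": round(median(ttd), 2),
            "mttr_mean_h": round(mean(ttr), 2), "mttr_median_h": round(median(ttr), 2),
            "sla_met_pct": round(100.0 * in_sla / len(group), 1),
        }

    report = {sev: summarize(group) for sev, group in by_sev.items()}
    report["overall"] = summarize(list(incidents))
    return report


if __name__ == "__main__":
    for sev, stats in soc_metrics(SAMPLE_INCIDENTS).items():
        print(sev, stats)
```

Reporting the median alongside the mean matters: a single long-dwell incident (INC-002 here) drags the mean up, and management should see both the typical case and the tail.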

If you need to add staff, reach out to existing employees looking for a career development path into security, to retain institutional knowledge and to give everyone an incentive to do their job well.

If you don’t have a defined architecture for your SOC, start the process today! Develop a clear picture of what architecture you are authorized to deploy. Address regional data protection laws. Plan for an optimized architecture to gain efficiency and increase alignment with system needs.

How to set up an effective SOC

Creating an effective SOC requires an understanding of the organization’s needs and limitations. Once you grasp the requirements and weaknesses, you can start applying the following best practices.

Set up the right team –

A strong SOC needs a strong team. You need people with different skill sets, including specialists for:

  • Monitoring the systems and managing alerts;
  • Incident management, to evaluate and recommend measures for each incident;
  • Threat hunting, to proactively identify incidents inside the environment that monitoring has not surfaced.

All of these roles require substantial training and experience in areas such as intrusion detection, reverse engineering and malware analysis. Make sure you have a budget not only to recruit this team but also to keep it well trained.

Since we’re talking about recruiting a Security Operations Center team, don’t forget that you will also need a dedicated SOC manager. SOCs can be chaotic and require continuous contact between multiple teams, so crisis management is an important skill for whoever leads this team.

Raising Visibility –

Visibility is crucial to safeguarding a network effectively. To secure data and infrastructure, the SOC team needs to know where those assets are located, which data and systems have priority, and who should be granted access to them.

Prioritising assets efficiently helps your SOC manage its limited time and resources. Good visibility makes it easier to spot attackers and restricts the places where they can hide. To be maximally effective, your SOC must be able to track your network and run continuous vulnerability scans.

Use Tools Wisely –

Inefficient or insufficient tools will seriously hinder the effectiveness of your SOC. To prevent this, carefully pick tools that match your applications and infrastructure. The more complex the environment becomes, the greater the need for centralised tooling: the team should not have to evaluate piecemeal details or switch between separate tools for each system.

The more discrete tools the SOC uses, the more likely it is to overlook or ignore details. If analysts need to view multiple dashboards or pull logs from multiple sources, sorting and correlating information becomes harder.

Evaluate and research each tool before selecting it. Security products can be costly and hard to configure, and spending time or money on a product or service that doesn’t integrate well with your environment makes no sense.

Consider endpoint defence, firewalls, automated application security and monitoring solutions when determining which tools to implement. Many SOCs use Security Information and Event Management (SIEM) solutions. Such tools provide log management and improve security visibility; a SIEM can also correlate events across sources and automate alerting.
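To make the correlation point concrete, here is an added example (not code from the page, nor from any SIEM vendor) of the kind of rule a SIEM runs: it parses constructed sshd-style authentication lines, counts failures per source address in a sliding window, and raises a higher-confidence alert when a successful login follows a burst of failures from the same source. The threshold, window and log format are assumptions chosen for the example.

```python
"""Minimal SIEM-style correlation over constructed auth log lines.
Added example; the log lines, threshold and window are illustrative assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system); timestamps are UTC ISO 8601.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
2024-03-01T10:00:03Z sshd[1202]: Failed password for root from 198.51.100.7 port 50123 ssh2
2024-03-01T10:00:04Z sshd[1203]: Failed password for root from 198.51.100.7 port 50124 ssh2
2024-03-01T10:00:06Z sshd[1204]: Failed password for root from 198.51.100.7 port 50125 ssh2
2024-03-01T10:00:07Z sshd[1205]: Failed password for root from 198.51.100.7 port 50126 ssh2
2024-03-01T10:00:09Z sshd[1206]: Accepted password for root from 198.51.100.7 port 50127 ssh2
2024-03-01T10:05:00Z sshd[1300]: Failed password for alice from 192.0.2.10 port 40001 ssh2
2024-03-01T10:20:00Z sshd[1301]: Failed password for alice from 192.0.2.10 port 40002 ssh2
2024-03-01T10:20:05Z sshd[1302]: Accepted password for alice from 192.0.2.10 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Normalise one raw line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Emit alerts in order:
    - 'brute_force' when one source reaches `threshold` failures inside `window`;
    - 'brute_force_success' when an Accepted login from that source follows
      the burst within `window` (the alert an analyst should triage first)."""
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = {}                    # src -> time its burst was flagged
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue                # unparsed lines are skipped, not counted
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged[ev["src"]] = ev["ts"]
                alerts.append({"rule": "brute_force", "src": ev["src"],
                               "count": len(q), "ts": ev["ts"]})
        elif ev["src"] in flagged and ev["ts"] - flagged[ev["src"]] <= window:
            alerts.append({"rule": "brute_force_success", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
            del flagged[ev["src"]]
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Note the two design points that separate a usable rule from a noisy one: failures are expired from the window so a slow trickle from 192.0.2.10 never fires, and a source is flagged only once per burst so the analyst sees one ticket rather than one per extra failure.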

Create an Incident Response System –

An incident response team is essential to an effective Security Operations Center. A good incident response team within the SOC decides how to delegate and handle identified incidents and executes a specified plan of action. We can also assist in developing a repeatable workflow based on observed incidents. The team is often an integral part of coordination between the business, legal and PR teams when an incident needs organisation-wide remediation.

Incident response should be as proactive as possible: follow a predefined playbook strictly, or build one up from experience.

Consider introducing Managed Service Providers (MSPs) –

As part of their SOC strategy, many companies use managed service providers (MSPs). Managed services provide experience the in-house team might otherwise lack. They can also ensure continuous monitoring of your systems and an immediate response to every event. Unless you have multiple shifts covering your SOC, continuous coverage is impossible to achieve on your own.

Managed services are most commonly used for penetration testing and threat analysis. These are time-consuming activities that require significant skills and expensive tooling. Rather than devoting scarce time and money to them in-house, the SOC benefits from outsourcing or cooperating with external teams.

Secure your organization with Russell Nomer Consulting

A SOC is far more complex to design than hiring a team and buying some tools. It has a great deal to do with investing in the right things at the right time, looking ahead to identify potential threats, and aligning security strategy with business needs.

Your Security Operations Center (SOC) is the organisation’s first line of defence. The better equipped it is, the better it can protect the organisation.

Our Virtual CISO Services provide insight for selecting highly qualified information security personnel, with 24/7 reporting and monitoring: real-time tracking of multiple event and log sources, application of threat intelligence, and guidance on remediation, together with a standardized incident management approach that gets processes back up and running as soon as possible.

The only way to protect what you’ve worked hard to build is to be vigilant about cybersecurity. If you’d like to know more about how your business can benefit from managed services, give us a call; we are here to help you make the right choices.

The goal is to capture common and best practices and to provide defendable metrics that can be used to justify SOC resources to management.

About Post Author

Tarek Marji
