SOC Pre-Implementation Checklist: Technical and Operational Considerations
A security operations center (SOC) is a centralized security capability established to monitor, analyze, mitigate, and prevent cybersecurity issues. Melding human expertise, scalable processes, and best-in-class technology such as SIEM/SOAR tools, a SOC is rightly viewed as the most effective path to improving corporate security posture.
The wrinkle, however, is that not all businesses have the necessary levels of cybersecurity maturity to realize value from their SOC investment. To help you understand your readiness levels, we developed a 5-step SOC checklist to guide you through the assessment.
1. Determine Technological Readiness for SOC Formation
A SOC acts as a “watch guard”, observing and investigating intrusions. Any guard’s efficacy drops if the premises are not fully secured. Think of it this way: it hardly makes sense to invest in a state-of-the-art motion detection system for your home when your garage door is permanently open. That would be a waste by any measure.
Likewise, SOC establishment requires a certain degree of cybersecurity and ITIL Service Management maturity. At a minimum, you should have the following information security processes and practices in place:
- Identity and access management systems
- Protected remote access
- IT infrastructure security
- Network and wireless security
- Internet traffic protection systems
Without the above, SOC adoption would hardly deliver the impact it could. Your team would struggle to gain the necessary visibility into your infrastructure, establish comprehensive monitoring, and respond to security incidents in time.
Thus, first and foremost, you should establish whether you already have sufficient SOC-enabling technology in place, specifically:
- Traditional perimeter protection capabilities such as access control, VPNs, web proxy, next-generation firewall, ingress filtering.
- Traffic filtering and application filtering capabilities such as SSL/TLS traffic inspection, application whitelisting, intrusion prevention, and/or intrusion detection systems.
- Security Information and Event Management (SIEM) tools for collecting security telemetry from apps, networks, and systems for analysis. Popular options include Azure Sentinel, Splunk, and the ELK Stack.
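What "collecting security telemetry for analysis" looks like in practice, as an added illustration that is not part of the original article and not tied to any of the SIEM products named above: log lines from three differently formatted sources (a hypothetical VPN gateway, firewall, and web application, all constructed for this example) are normalized into one event schema, the per-source event counts expose which parts of the infrastructure are actually visible to the SOC, and a simple correlation rule turns a burst of failed logins followed by a success into an alert. Every hostname, user and IP address below is invented.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample telemetry (invented for this example, not from any real
# system): three sources in three formats, as a SIEM would ingest them.
SAMPLE_LOGS = [
    # hypothetical VPN gateway, syslog-style
    "2024-03-01T08:00:05Z vpn1 auth: user=jdoe src=203.0.113.7 result=FAIL",
    "2024-03-01T08:00:09Z vpn1 auth: user=jdoe src=203.0.113.7 result=FAIL",
    "2024-03-01T08:00:14Z vpn1 auth: user=jdoe src=203.0.113.7 result=FAIL",
    "2024-03-01T08:00:20Z vpn1 auth: user=jdoe src=203.0.113.7 result=OK",
    # hypothetical firewall, key=value pairs
    "ts=2024-03-01T08:00:21Z dev=fw-edge action=allow src=203.0.113.7 dst=10.0.0.5 dport=22",
    # hypothetical web application, one JSON object per line
    '{"time":"2024-03-01T08:01:00Z","app":"portal","user":"asmith","ip":"198.51.100.9","event":"login_ok"}',
    '{"time":"2024-03-01T08:01:30Z","app":"portal","user":"asmith","ip":"198.51.100.9","event":"login_fail"}',
]

VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def _ts(s):
    """Parse the ISO-8601 UTC timestamps used by all three sample sources."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line):
    """Map one raw log line onto a common event schema; None if the format is unknown."""
    line = line.strip()
    m = VPN_RE.match(line)
    if m:
        return {"ts": _ts(m["ts"]), "source": m["host"], "user": m["user"],
                "src_ip": m["src"], "outcome": "success" if m["result"] == "OK" else "fail"}
    if line.startswith("{"):
        d = json.loads(line)
        outcome = {"login_ok": "success", "login_fail": "fail"}.get(d.get("event"))
        return {"ts": _ts(d["time"]), "source": d["app"], "user": d.get("user"),
                "src_ip": d.get("ip"), "outcome": outcome}
    if line.startswith("ts="):
        kv = dict(tok.split("=", 1) for tok in line.split())
        return {"ts": _ts(kv["ts"]), "source": kv["dev"], "user": None,
                "src_ip": kv.get("src"), "outcome": None}
    return None


def coverage(events):
    """Events per source: a source that never appears here is a visibility gap."""
    counts = defaultdict(int)
    for e in events:
        counts[e["source"]] += 1
    return dict(counts)


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Flag `threshold` failed logins followed by a success for the same user and IP within `window`."""
    alerts = []
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["user"] and e["outcome"]:
            by_key[(e["user"], e["src_ip"])].append(e)
    for (user, ip), evs in by_key.items():
        fails = []  # timestamps of recent failures for this user/IP pair
        for e in evs:
            if e["outcome"] == "fail":
                fails.append(e["ts"])
                fails = [t for t in fails if e["ts"] - t <= window]
            elif len(fails) >= threshold and e["ts"] - fails[0] <= window:
                alerts.append({"rule": "failed-logins-then-success", "user": user,
                               "src_ip": ip, "failures": len(fails),
                               "source": e["source"], "ts": e["ts"].isoformat()})
                fails = []
            else:
                fails = []  # a success without a preceding burst resets the counter
    return alerts


def run(lines=SAMPLE_LOGS):
    """Normalize the raw lines, then return (coverage per source, alerts)."""
    events = [ev for ev in (normalize(l) for l in lines) if ev]
    return coverage(events), correlate(events)


if __name__ == "__main__":
    cov, alerts = run()
    print("coverage:", cov)
    for a in alerts:
        print("ALERT", a)
```

The coverage map is the readiness check this step is about: if a source you rely on for perimeter or access control does not show up in it, the SOC cannot monitor it, however good the analysts are. The correlation rule is deliberately simple; real SIEM rules add suppression, asset context and severity, but the normalize-then-correlate shape is the same.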
2. Establish Key Business Drivers for Adoption
A SOC capability contributes to a better security posture and continuous protection, among other benefits. These two factors, however, may not always be sufficient to justify the investment.
Based on our experience as a SOC-as-a-service provider, we have identified several scenarios in which SOC adoption is not a fad but an operational necessity. These include:
- Business-critical dependence on high IT infrastructure availability
- Transition to digital operations and focus on digital-enabled growth
- Operational expenditure optimization
- Compliance requirements
Let us dwell on compliance a little longer. Globally, regulators are imposing stricter protection requirements for customer data and business systems in regulated industries such as finance, telecommunications, and education, among others.
In particular, you may be encouraged to comply with some of the following security-related standards:
- NIST Cybersecurity Framework
- ISO 27001 — Information Security Management System
- PCI-DSS Security Policies and Procedures
- SOC 1 or 2 certification by the American Institute of CPAs
- GDPR (General Data Protection Regulation)
- HIPAA (Health Insurance Portability and Accountability Act)
- HITECH Omnibus Rule
None of the above directly mandates SOC establishment as a criterion for compliance. However, these certifications and regulations require organizations to strengthen their security posture when it comes to threat detection, handling security incidents, and the protection of sensitive data. A SOC can deliver that.
Accordingly, as you consider different SOC adoption scenarios, you should take into account both general business drivers, pertaining to operational risks and monetary gains, and regulation-related security requirements.
3. Conduct a Cybersecurity Risk Assessment
A SOC team is your sentinel. To be effective, the unit has to understand the exact perimeter they are in charge of protecting. To draw that line, it always makes sense to conduct a risk and security assessment first.
A cybersecurity risk assessment is a step-by-step inventory of your current practices and technical means for ensuring critical IT infrastructure protection, data safety and privacy, as well as timely identification and response to security incidents.
Many cybersecurity risk assessment methodologies are offered both by vendors and by regulatory bodies such as the National Institute of Standards and Technology (NIST), e.g., its PRAM tool.
Overall, you can conduct a security risk assessment on three levels — organization level, mission/business process level, and information system level. That is the most comprehensive scenario, which helps define the necessary security and compliance requirements for information systems, data assets, business-critical applications and solutions.
At Tier 1, organizational level, determine:
- Which company-wide information security programs, policies, and procedures are missing and must be implemented?
- What types of appropriate responses should be introduced for different types of risks (e.g. risk acceptance, risk mitigation, risk avoidance, etc)?
- What are the minimum organization-wide security controls that must be in place?
- What would the optimal enterprise and security architectures look like?
- What types of security monitoring strategies and ongoing authorizations of information systems have to be launched?
At Tier 2, business process level, you should determine:
- Which common security controls must be established?
- Which system/process-specific security processes, tools, and controls must be adopted?
- How should the security architecture be designed to best meet the needs of different business users?
- What changes may have to be made to the current business processes to make them more secure/risk-averse?
At Tier 3, the information system level, determine:
- How should existing cybersecurity products be tailored to better serve the company’s security goals?
- Which supplemental technologies should be acquired and integrated?
- How should specific information technology products be implemented?
- What are the necessary levels of security coverage and threat monitoring?
- Who will be in charge of the new technology implementation and maintenance?
The above assessment helps outline a high-level security development strategy for a business and identify existing gaps in processes and the tech stack. It is the foundation for baseline IT infrastructure protection, event monitoring, and a reactive cybersecurity response plan.
To further understand your possible exposure, it is also worth analyzing how well-protected the individual elements of your infrastructure are and whether you have any weak endpoints.
Supplementary Security Assessment
Organizations in regulated industries may also consider a more in-depth security assessment to evaluate their protection against common cyber threats such as:
- Unauthorized access
- Exposure to insider threats
- Data breaches and leaks
- Data loss
- Service disruption
- Direct attacks and exploits
Similarly, you may want to conduct a vulnerability analysis to understand the current security shortcomings and the exploit vectors a malicious party could pursue. One common approach here is penetration testing (pen testing), which identifies flaws in IT system design and configuration; the findings then feed into improving your threat prevention capabilities.
4. Evaluate Internal Resources Available
A thoroughly performed cybersecurity assessment should give you a holistic understanding of the available security resources, human and technical. Neither may be sufficient for achieving the levels of protection you aim for.
According to official data, 45% of businesses in the UK have only one employee responsible for cybersecurity. Larger organizations usually have 4-5 people in cyber roles. However, a five-person team is hardly enough to run an efficient SOC, especially for larger companies. For example, a SOC unit for a telecom company needs to have the following roles:
- SOC security analyst
- Security specialist
- Threat investigator
- SOC manager
Most of these require more than one hire, especially if you plan to run 24/7 operations. Given that cybersecurity is an in-demand skill, hiring for such positions can be difficult. Companies in the US have less than 50% of the cybersecurity candidates they need to keep up with demand.
Similarly, SOC operations also often require new cybersecurity technology investments and/or reconfiguration. Many organizations shopping for SOC lack baseline protection such as managed enterprise-wide anti-risk software, firewalls, and intrusion prevention systems — crucial for reactive cybersecurity responses.
Adoption of SOC, however, also requires investment in proactive cybersecurity tools such as threat monitoring solutions, SOAR (security orchestration, automation, and response) tools, intelligent event alert systems, and anomaly detection solutions. The lack of such tools makes timely threat detection and prevention an uphill battle.
Thus, you should define your current needs and gaps. Then consider different sourcing scenarios for covering them. We discuss how companies can obtain the necessary SOC expertise and technologies in our free eBook.
5. Appoint a Dedicated Security Officer
SOC implementation requires a high level of executive and business user engagement, as well as careful oversight and strong-willed execution. For these reasons, it is best to have an experienced security person in the driver’s seat.
The appointed Security Officer should be responsible for communicating the importance of the security agenda internally in the form of:
- Summarized findings and analysis of recent cyber-events
- Outcomes and results of recent cybersecurity assessments
- Existing gaps in the current cyber-security program and possible remediation scenarios
- Recognized threats and vulnerabilities that are due to be addressed
Additionally, a security officer should be provided with the authority to select the next cyber-technology investments and determine the optimal path for implementation. If you plan to source SOC expertise externally as a managed service, for example, a security officer will also act as the main point of contact with your partner and drive the adoption efforts.
To Conclude
SOC requirements vary from one company to another. The underlying rationale behind such an initiative is often the same: improve the corporate security posture and transition to a proactive response to security threats. However, to reach this target, you may need to get the basics right first. This SOC checklist provides a general framework for laying the groundwork for subsequent SOC implementation, whether in-house or outsourced to a managed security services provider.
Infopulse offers flexible SOC adoption scenarios, ranging from a dedicated remote unit establishment to managed “as a service” offerings. Contact us to receive more information about SOC adoption.