One of the major issues organizations face in building security operations centers (SOCs) is finding the qualified personnel needed to properly run the operation. SOCs often struggle with achieving optimal staffing, and many businesses don’t know where to begin in setting up an effective organizational structure. There are ways to create a strong foundation with just a few security experts and a nominal monetary investment, but it is critical that businesses invest in proper planning and prioritization of needs and resources up front. As organizations build or revamp their intelligence-driven SOCs, the following considerations will help ensure they have the proper staff and tools necessary to run their operations like a well-oiled machine.
Staffing security professionals with the right skillsets is a critical first step in developing a successful SOC. While even large enterprises can miss the mark, organizations that don’t already have an in-house security intelligence team in place, face the daunting task of starting from scratch. At minimum, organizations should invest in hiring three critical roles when building out their intelligence-driven SOC, which include a SOC manager, a security analyst and a security information and event management (SIEM) content author or engineer. These three positions ensure there will be combined expertise in strategic planning, operations, SIEM administration, threat intelligence and incident response – all necessities. While a SOC with these roles will still require considerable automation, meaningful metrics and potentially a hybrid staffing model, this three person team will create the foundation for a strong security posture and can sufficiently support a business hours only (8-to-5) operation.
Enterprises today face the enormous challenge of keeping up with the increasing number of new attack vectors spanning IT, Operational Technology, IoT and Physical, as well as disseminating the deluge of data generated into meaningful insights for rapid detection and response to threats. This large volume of data makes it not feasible for security analysts to analyze every potential security event – the optimal events per analyst hour (EPAH) should be between 8-12, giving the analyst enough time to triage and escalate events effectively. Security automation can help fill this void by drilling into the data to allow analysts to focus on the most pertinent threats. SOC professionals should focus on automating what they can, but it shouldn’t be forced or exclusive. For instance, tools that can automate investigatory tasks and incident workflow should be a priority. However, manual monitoring is still essential when it comes to malware detection, as a human is needed to confirm if there’s actually a threat. Thus, a one-size-fits-all approach will not work when it comes to automation.
Implementing Flexible and Hybrid Staffing Models
Staffing plans will evolve directly from the business’ needs, and a flexible model can help keep resource expenditure down. Adopting a flexible approach to staffing will alleviate the pressure on permanent team members during times of high activity, with the option to scale down when appropriate. For example, organizations can temporarily expand their staff when they’re starting to adhere to new compliance issues or setting up their SIEM. Another option is leveraging a hybrid staffing model that uses a combination of internal and external (professional or managed services) resources to operate their SOC. While this model may not offer as much in-depth capabilities as a full-fledged internally staffed team, it provides a cost-effective way to fill detection capability gaps.
Staffing for the Future
When building a new security program, the more effort organizations dedicate to the initial design, the less effort that will be required later to expand operations. Once a SOC is up and running – even with just three people – it should be poised for easy expansion if it’s established properly. As mentioned earlier, a three person team supported with automation could sufficiently run a business hours only SOC, which an extended hours (24x7) operation would require at least a team of 10 and upwards of 30 or more staff in some cases for very large enterprises. Tracking key metrics including performance indicators and security-level agreements, along with accountability for overall staff performance, will also help to optimize staff and increase retention.
Roadmap to a Mature SOC
While every organization is unique in its security expertise and posture, risk tolerance, compliance requirements, and budget, creating a strong foundation that incorporates continued investment in the proper staffing and tools is critical to detecting and responding in today’s threat landscape. Organizations can establish successful security operations capabilities with the knowledge of basic SOC elements and a roadmap for where to start and how to mature.
Start small, be flexible, and build.