Choosing the appropriate operating model is a strategic decision that depends on several factors: the purpose behind implementing a Security Operations Center (SOC), the SOC's mission, business limitations, budget, and the organisation's specific context, such as its size, threat landscape, and industry sector.
Each SOC is unique, and there is no one-size-fits-all operating model or checklist that tells you how a particular SOC should be designed and operated. In the upcoming articles, I will delve into the key factors to consider when determining the most suitable operating model for your organisation. In this context, the term "operating model" covers the approach to delivering SOC services (an internal, external, or hybrid SOC) as well as the geographical location, operating hours, and structure of the SOC (refer to Figure 1 below).
CONSIDERATIONS FOR SELECTING AN OPERATING MODEL
Choosing the operating model is a critical initial phase in establishing a SOC. This decision sets the foundation for the SOC's design, service delivery, and continuous improvement. The operating model must align with business requirements while remaining practical in terms of budget and resources.
The factors that determine the details of the operating model fall into three categories: organizational context, resource implications, and operational requirements. Each is covered in turn below.
The first category, organizational context, covers the factors that shape the strategic approach to the SOC:
- Budget: Assess the available budget to cover the implementation and ongoing operation costs of a SOC.
- Business Drivers: Identify the specific reasons and objectives driving the need for a SOC within the organization.
- Business Priorities: Determine the key priorities and requirements of the organization and how the SOC can contribute to achieving broader organizational goals.
- Risk Appetite: Evaluate the organization’s risk appetite and how a SOC can be leveraged to mitigate risks effectively.
- Organization Size: Consider the size of the organization, including both the number of employees and the extent of the IT infrastructure. Some organizations may have a relatively small workforce but manage a vast IT and network ecosystem due to their business model.
- Geographic Footprint: Take into account the geographic spread of the organization, as this may necessitate multiple SOCs to cover different time zones and regions effectively.
- Threat Profile: Understand the specific threats that the organization is likely to face and ensure that the SOC’s capabilities align with the detection and handling of those threats.
- Industry Sector: Consider industry-specific factors, such as regulatory requirements (e.g., the Payment Card Industry Data Security Standard, PCI DSS, which requires log monitoring and regular log review) that mandate a monitoring capability.
- Data Sensitivity: Evaluate the sensitivity of the data handled by the organization and ensure that the SOC operating model enables the organization to maintain the necessary level of control over sensitive data.
- Data Footprint: Assess the volume, type, format, and accessibility of the organization’s data, as these factors impact the SOC’s design and capabilities.
By carefully considering these factors, organizations can tailor their SOC operating model to align with their unique environment, business context, and specific circumstances, thus maximizing the effectiveness of their security operations.
The second category, resource implications, covers the factors that drive resource requirements and associated costs:
- Staffing: Determine the level of expertise available within the organization and assess the need to recruit skilled personnel for the SOC team.
- Operational Hours: Define the operational hours of the SOC, which will affect the staffing requirements and associated costs. Options include:
  - Business hours only
  - Business hours with on-call staff after hours
  - Extended business hours (e.g., 12 hours a day, 7 days a week)
  - 24×7 coverage in a single location or across different geographic regions (e.g., a follow-the-sun model)
- Resource Utilization: Assess existing resources that can be repurposed for SOC services, such as technologies and physical space that can house SOC resources.
- IT Impact: Consider the impact of the SOC on IT resources, including network overhead from log forwarding and collectors, endpoint agent overhead on servers and workstations, and storage for log retention. Ensure that the existing infrastructure can support the additional requirements.
- Organizational Structure: Determine whether the SOC will have a distributed or centralized structure. If multiple SOCs are planned, define their respective roles and assess the need for consistent tool usage.
- Geographic Location: Decide on the physical location of the SOC, considering factors such as cost reduction opportunities and challenges related to staffing and effective communication.
- Dedicated Facility: Consider the benefits of a purpose-built SOC facility for optimizing team interactions. However, also develop contingency plans to mitigate risks associated with a single point of failure.
- External Engagement: Evaluate the engagement with external parties such as service providers and suppliers, ensuring that current service level agreements align with the SOC implementation and avoiding unwanted vendor lock-in.
By carefully considering these factors, organizations can make informed decisions about their SOC operating model, effectively balancing resource requirements and costs while establishing a robust security infrastructure.
LMNTRIX clients have highlighted several concerns regarding operating a SOC solely during business hours:
- Alert Triage Delays: Alerts generated overnight are not triaged until the start of the next business day, delaying detection and response.
- Limited Real-time Monitoring: Business hours-only coverage does not provide real-time monitoring outside those hours, leaving the organization exposed to threats that occur when nobody is watching.
- Overnight Exposure: An overnight breach can leave the business exposed for many hours without detection or response.
- Limited Return on Investment: A monitoring capability that is only staffed for a third of the week limits the overall return on investment.
- Mismatched Risk Appetite: The SOC's ability to handle alerts may not align with the organization's risk appetite.
Clients consequently recommend 24×7 operation as more conducive to a SOC's success. However, a 24×7 operation introduces additional considerations, such as staffing levels, shift scheduling, and handovers. Organizations can address this by partnering with a Managed Detection & Response (MDR) or Managed Security Service Provider (MSSP) to augment the existing SOC team, or by expanding internal staffing. A cheaper alternative is to keep SOC personnel on standby after hours; this bounds the delay to the on-call acknowledgement time rather than eliminating it, and still depends on alerts being routed to the on-call analyst reliably.
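The triage-delay concern above is easiest to weigh in numbers. The following added example (not part of the original article) models the coverage options listed earlier (business hours only, business hours with on-call, extended 12×7, and follow-the-sun 24×7) and computes how long constructed sample alerts wait before an analyst is available. The shift windows, the 30-minute on-call acknowledgement time, and the alert timestamps are all assumptions chosen for illustration.

```python
"""Time-to-triage under different SOC coverage models.

Added example, not from the original article. Shift windows, the on-call
acknowledgement delay and the alert timestamps are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

WEEKDAYS = frozenset(range(5))   # Monday=0 .. Friday=4
ALL_DAYS = frozenset(range(7))


@dataclass(frozen=True)
class Shift:
    """A staffed window on the given weekdays, from start_hour to end_hour
    (hours in SOC-local time; end_hour may be 24 for "until midnight")."""
    days: frozenset
    start_hour: float
    end_hour: float

    def covers(self, ts: datetime) -> bool:
        h = ts.hour + ts.minute / 60 + ts.second / 3600
        return ts.weekday() in self.days and self.start_hour <= h < self.end_hour


@dataclass(frozen=True)
class CoverageModel:
    shifts: tuple
    # If set, an analyst is paged outside staffed hours and acknowledges
    # within this delay; if None, the alert waits for the next shift.
    oncall_ack: Optional[timedelta] = None


MODELS = {
    "business_hours": CoverageModel((Shift(WEEKDAYS, 9, 17),)),
    "business_hours_oncall": CoverageModel((Shift(WEEKDAYS, 9, 17),),
                                           oncall_ack=timedelta(minutes=30)),
    "extended_12x7": CoverageModel((Shift(ALL_DAYS, 7, 19),)),
    # Three regions each staffing 8 hours of the same SOC-local clock,
    # so the union of their shifts is continuous coverage.
    "follow_the_sun": CoverageModel((Shift(ALL_DAYS, 0, 8),
                                     Shift(ALL_DAYS, 8, 16),
                                     Shift(ALL_DAYS, 16, 24))),
}


def triage_delay(model: CoverageModel, ts: datetime) -> timedelta:
    """Time from alert generation until someone is available to triage it."""
    if any(s.covers(ts) for s in model.shifts):
        return timedelta(0)
    if model.oncall_ack is not None:
        return model.oncall_ack
    candidates = []
    for day_offset in range(8):                      # look up to a week ahead
        day = (ts + timedelta(days=day_offset)).date()
        for s in model.shifts:
            if day.weekday() in s.days:
                start = datetime(day.year, day.month, day.day) + timedelta(hours=s.start_hour)
                if start > ts:
                    candidates.append(start)
    if not candidates:
        raise ValueError("model has no staffed window in the next week")
    return min(candidates) - ts


def triage_delay_minutes(model_name: str, ts: datetime) -> int:
    return int(triage_delay(MODELS[model_name], ts).total_seconds() // 60)


def worst_case_minutes(model_name: str, alerts) -> int:
    return max(triage_delay_minutes(model_name, ts) for ts in alerts)


# Constructed alert times in SOC-local time (2024-03-11 is a Monday).
SAMPLE_ALERTS = [
    datetime(2024, 3, 12, 3, 15),   # Tuesday, early morning
    datetime(2024, 3, 13, 14, 0),   # Wednesday afternoon
    datetime(2024, 3, 15, 23, 30),  # Friday night
    datetime(2024, 3, 16, 10, 0),   # Saturday morning
]

if __name__ == "__main__":
    for name in MODELS:
        delays = [triage_delay_minutes(name, ts) for ts in SAMPLE_ALERTS]
        print(f"{name:22s} delays (min): {delays}  worst: {max(delays)}")
```

Feeding real alert timestamps from your SIEM into `SAMPLE_ALERTS` turns this into an estimate of the detection delay each coverage option would have introduced for your own environment, which is a more persuasive input to the staffing decision than a generic preference for 24×7.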
The operating hours and structure of the SOCs run by surveyed LMNTRIX clients vary.
As shown in Figure 2, the survey highlights a clear preference for establishing a 24×7 SOC, with a noticeable trend towards adopting a single, centralized SOC.
The third category, operational requirements, covers the criteria against which candidate operating models should be ranked:
- Operational Efficiency: The ability to efficiently process large volumes of alerts, respond to complex threats, and provide advanced SOC capabilities.
- Timely Incident Response: Ensuring prompt response to security events and incidents to minimize potential damage and mitigate risks effectively.
- Scalability: The capability to scale SOC services and capacity dynamically based on evolving business needs, allowing flexibility for growth or downsizing.
- Customization: Tailoring SOC capabilities and adopting bespoke tools that align with the organization's specific environment, objectives, and unique requirements.
- Comprehensive Understanding: A deep understanding of the organization's IT infrastructure, business environment, IT and business strategies, organizational culture, business processes, and ongoing transformation activities.
- Threat Intelligence Integration: Access to threat intelligence from a diverse range of sources, enabling a holistic view of the threat landscape and informed decision-making.
- Effective Communication: Seamless communication with stakeholders, both internal teams and external parties, to facilitate collaboration, information sharing, and alignment of security efforts.
By considering these operational requirements and prioritizing them accordingly, organizations can effectively select an operating model that meets their specific needs and empowers them to build a robust and efficient security posture.
Stay tuned for the upcoming articles where I will delve into the specifics of the three different methods for delivering SOC services.