You are here: Home > Publications > RIPE Labs > Mirjam Kühne > How to Build a Security Operations Centre
Content by this author

How to Build a Security Operations Centre

Mirjam Kühne — 20 Nov 2017
The Dutch National Cyber Security Centre (NCSC) has published a document outlining some guidelines on how you can easily set up a security operations centre (SOC) in your company or organisation. Please find a summary below.

 

Background

Protecting and defending against digital attacks requires visibility and control of the digital infrastructure within your organisation and of all the events taking place within this. An increasingly common way to achieve this is to implement a Security Operations Centre (SOC). However, the establishment of a SOC can be a daunting task, which brings a wide range of issues into play. Our experience shows that building a SOC is mainly an organisational challenge, despite all the technology involved.

Start small

Building a fully fledged SOC from scratch is a major challenge. A simpler approach is to start small and then build on this in a slow and controlled manner to create a fully fledged SOC. In order to achieve this, begin by having the IT administration team monitor log data from a select number of key infrastructure or middleware components, such as your firewall, a web server or your antivirus program. Target the monitoring on technical aspects initially, in order to confine the necessary interactions to the IT administration team.

 

Initial steps

Before the monitoring structure within the IT administration team can be developed into a SOC, there are a number of measures an organisation must put in place first:

  • Establish an information security policy: such a policy describes the information security objectives of the organisation and the manner in which information security has been organised

  • Get an overview of the application landscape: this will provide insight into the information the organisation possesses and the manner in which the information is processed

  • Get access to the results of recent risk assessments

  • Establish good collaboration and adequate arrangements with the IT team

  • Assign clear ownership of each information system

While using technology as a starting point is a good approach to initiate monitoring, for a SOC to become truly effective, it must be tied in with the business processes. Therefore it is necessary to ensure an appropriate development strategy for the SOC. That involves proper training for SOC staff - try to find people who have the right motivation and mind-set, and invest sufficiently in training. You will also need to decide which components of a SOC you want to handle yourself and which ones you want and can outsource. 

Although the majority of the challenges in building a SOC relate to organisational matters, there is also a key technology choice to be made – the selection of a Security Information & Event Management (SIEM) system. SIEM systems are software products that are able to interpret log data from various sources and correlate it with cyber attacks and other security incidents taking place in and around the network. Many of these solutions have similar capabilities. The key differences are in the details, which means it is tricky to select the right system. Ensure you consider this decision carefully. Once you have chosen a solution, it will be costly and labour-intensive to migrate to another solution at a later time.

Conclusion

A SOC is an effective facility for monitoring business information security and digital threats. Establishing such a centre, however, requires investment of time, effort and resources. In order for a SOC to function successfully, it must grow in controlled fashion along with the organisation’s need for insight into and control of information security.10 Start small, share results with the organisation and build on a positive reception to these results to realise the next step in the development process. Ensure the planning, roadmap and implementation of a future SOC are realistic. Keep in mind that a SOC is a means and not an end in itself.

 

You can download the full paper from the NCSC website.

0 Comments

Add comment

You can add a comment by filling out the form below. Comments are moderated so they won't appear immediately. If you have a RIPE NCC Access account, we would like you to log in.