
UNCLASSIFIED

Best practices for setting up a security operations centre (SOC)


May 2023 | ITSAP.00.500
A security operations centre (SOC) combines people, processes, and technology to work together to improve your organization's resilience against cyber threats. A SOC is run from a central location by a team of information
security professionals, including security engineers who may work closely with your development team, security analysts, and threat hunters. As cyber threats become more complex and threat actors become more
sophisticated, many SOCs are being set up regionally as a first line of defence against cyber attacks, especially in healthcare and academia. Other reasons why SOCs are becoming more popular include an increase in the
number of industrial control systems (ICS) and operational technologies (OT), as well as the adoption of mobile and cloud technologies. This document provides guidance for organizations of all sizes on best practices for
setting up and operating your SOC. It also provides guidance to organizations interested in subscribing to a SOC as a service (SOCaaS) from a third-party provider.

What does a SOC do?

A SOC is primarily responsible for detecting and responding to cyber incidents and threats. SOCs can also conduct vulnerability assessments, penetration testing, threat hunting, and auditing for regulatory compliance. SOCs perform the following activities:

Monitor
Continuously collect security and event data in real time from across your organization's IT infrastructure. This includes data from on-premises (on-prem) devices, the cloud, ICS and OT systems, remote systems, and mobile devices.

Detect
Identify abnormal trends, discrepancies, or other indicators of compromise (IoCs) in the volumes of data collected. Potential threats are categorized by severity and evaluated to determine whether they are actual threats your organization should be concerned about. Automated detection tools can also be used to isolate real threats.

Respond
Take immediate action to respond to incidents and deploy appropriate mitigation measures to address the threat. Following an incident, SOCs restore your network and systems to their baseline state and recover any lost or compromised data.

Analyze
Conduct a root cause investigation using log data and other information to determine the source of the incident. This can help prevent similar incidents from happening in the future.

What are the benefits of a SOC?

One of the main advantages of a SOC is that it combines efforts to support incident response, including threat identification, containment, eradication, recovery, and reporting. These combined efforts will assist your organization, whether it is a large enterprise or part of critical infrastructure, in improving your cyber security posture.

Other benefits that a SOC can provide include:
• Proactive threat hunting. By combining historical data and threat intelligence, SOCs can help to find early evidence of attacks that might otherwise have gone unnoticed. SOCs can use artificial intelligence (AI) technology to look for patterns in the data collected and flag suspicious traffic for follow-up. Using various tools, SOCs can establish a baseline of your organization's expected traffic, which makes malicious activity easier to spot.
• Improved incident detection and response times. Depending on their size and level of expertise, SOCs can quickly detect signs of an attack, conduct an initial investigation, and start remediation to stop the threat. This faster response can limit the extent of damage to your organization and help to prevent threat actors from accessing your valuable assets and sensitive information.
• Cost savings. SOCs can consolidate security tooling across your IT environment and reduce the number of tools and devices required to adequately protect it, reducing your IT budget.
• Increased security visibility and centralized management of incidents. Using tools and dashboards to provide real-time situational awareness of your organization's security posture, SOCs will help you better coordinate the resources needed to contain and fix threats.
• Regular auditing of systems. By ensuring industry and government regulations are followed, SOCs can help to protect your organization from reputational damage, administrative or material privacy violations, and legal liability in case of a breach.

SOC as a service (SOCaaS)
If your organization has limited resources, it may be challenging to set up and operate a SOC. As an alternative, your organization could consider a SOCaaS subscription model. One option to explore is a hybrid approach to security. With this approach, SOC functions like monitoring and incident response would be done in-house, but specialized functions like penetration testing or malware analysis would be outsourced. When selecting a SOCaaS provider, you should consider the following:
• What SOC services are offered?
• Can teams and services be easily scaled up or down to adapt to organizational needs or in response to specific events?
• Can services be tailored to your organization's environment and industry?
• What tools and technologies are used to collect the data?
• What data will be captured?
• How will the data be used?
• Where is the data stored?
• How is sensitive data protected?
• What is included in the service level agreement (SLA)?
• How is the SLA measured or assessed?
• What security standards and practices are followed to assure supply chain vulnerabilities are mitigated?
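The Detect activity and the baseline-driven threat hunting described above, shown as an added example that is not part of ITSAP.00.500: a small Python pass that matches events against an IoC list, compares each host's outbound volume with a baseline built from that host's own history, and triages the results by severity. The host names, the addresses (taken from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges), the byte counts, the seven-day history and the severity scheme are all constructed for illustration and are not data or a scheme from the page.

```python
"""Detection and triage over constructed log events (added example, not from ITSAP.00.500)."""
from statistics import mean, pstdev

# Constructed indicators of compromise: hypothetical addresses from the
# 203.0.113.0/24 documentation range, not real threat intelligence.
IOC_DEST_IPS = {"203.0.113.7", "203.0.113.42"}

# Constructed seven-day history of outbound bytes per host. This plays the
# role of the "baseline of expected traffic" the page refers to.
BASELINE_HISTORY = {
    "ws-01": [1_200_000, 1_050_000, 1_300_000, 980_000, 1_150_000, 1_220_000, 1_010_000],
    "ws-02": [400_000, 420_000, 390_000, 410_000, 405_000, 395_000, 415_000],
    "srv-db": [9_000_000, 8_800_000, 9_200_000, 9_100_000, 8_900_000, 9_050_000, 9_150_000],
}

# Constructed events for the current day: host, destination IP, bytes sent.
TODAYS_EVENTS = [
    {"host": "ws-01", "dst": "198.51.100.10", "bytes_out": 1_180_000},   # benign
    {"host": "ws-02", "dst": "203.0.113.42", "bytes_out": 410_000},      # IoC hit, normal volume
    {"host": "srv-db", "dst": "203.0.113.7", "bytes_out": 48_000_000},   # IoC hit and exfil-sized volume
    {"host": "ws-01", "dst": "198.51.100.20", "bytes_out": 6_500_000},   # volume anomaly only
    {"host": "srv-db", "dst": "198.51.100.30", "bytes_out": 9_000_000},  # benign
    {"host": "laptop-99", "dst": "198.51.100.40", "bytes_out": 50_000},  # asset with no baseline
]

# Severity scheme assumed for this example; a real SOC tunes this to its risk assessment.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def build_baseline(history):
    """Return {host: (mean, population stdev)} of outbound bytes per host."""
    return {host: (mean(v), pstdev(v)) for host, v in history.items()}


def z_score(value, baseline):
    """How many standard deviations `value` sits above the host's mean."""
    mu, sigma = baseline
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect(events, history, ioc_ips, z_threshold=3.0):
    """Flag events by IoC match and by deviation from the host's baseline.

    Returns findings sorted most severe first. Severity: IoC hit plus volume
    anomaly is critical; IoC hit alone is high; anomaly alone is medium; an
    asset with no baseline is reported as info so an analyst can onboard it.
    """
    baseline = build_baseline(history)
    findings = []
    for ev in events:
        ioc_hit = ev["dst"] in ioc_ips
        anomaly = False
        reasons = []
        if ioc_hit:
            reasons.append(f"destination {ev['dst']} matches IoC list")
        if ev["host"] in baseline:
            z = z_score(ev["bytes_out"], baseline[ev["host"]])
            if z > z_threshold:
                anomaly = True
                reasons.append(f"outbound volume {z:.1f} sigma above baseline")
        else:
            reasons.append("no baseline for this host; add it to monitoring")
        if not reasons:
            continue  # nothing suspicious; the event stays in storage for later hunting
        if ioc_hit and anomaly:
            severity = "critical"
        elif ioc_hit:
            severity = "high"
        elif anomaly:
            severity = "medium"
        else:
            severity = "info"
        findings.append({"host": ev["host"], "dst": ev["dst"],
                         "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in detect(TODAYS_EVENTS, BASELINE_HISTORY, IOC_DEST_IPS):
        print(f"[{f['severity'].upper():8}] {f['host']} -> {f['dst']}: {'; '.join(f['reasons'])}")
```

Two design points worth noting. The baseline is per host rather than global, because a database server's normal volume would swamp a workstation's anomaly in a single pooled distribution. And an event that is neither an IoC match nor an anomaly is dropped from the triage queue but not from storage, since the "Analyze" and "Proactive threat hunting" activities above depend on being able to query historical data that looked benign at the time.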

© Government of Canada | This document is the property of the Government of Canada. It shall not be altered, distributed beyond its intended audience, produced, reproduced or published, in whole or in any substantial part thereof, without the express permission of CSE. Cat. No. D97-1/00-500-2023E-PDF ISBN 978-0-660-48586-7
Considerations when establishing your SOC
With cyber attacks becoming more frequent and complex, the question is not if an attack will happen, but when. This is something your organization should keep in mind. A SOC can help to increase your organization’s resilience against cyber
threats and minimize the impact in the event of a compromise. The following are some best practices to consider when setting up and operating a SOC:
1. Develop a SOC strategy with the appropriate scope.
• Identify which organizational assets, like systems and data, are highly valuable or sensitive and need to be monitored and protected.
• Perform a cyber security risk assessment to understand the threats your organization faces. It is also useful to understand the level of sophistication of the threat actors targeting your organization. For Government of Canada (GC) departments, refer to ITSG-33, Annex A, Table 5 for a description of threat agents. For non-GC organizations, consult the Structured Threat Information Expression (STIX) v2.1 framework for its description of threat actor skill levels.
• Understand the legal, regulatory, and compliance requirements that your organization operates under to know what the SOC is required to do or protect.

2. Design a SOC solution that meets organizational needs.
• Select a SOC model that is commensurate with your organization's threat profile and achievable given your resources. Your requirements and the threats you face will change over time, so the model should be easy to adapt to keep pace.
• Incorporate threat-informed defence into routine security operations, drawing on threat frameworks such as MITRE ATT&CK and the OWASP Top Ten.
• For large organizations with broad geographical coverage, like hospitals and schools, consider integrating or consolidating multiple SOCs into a regional SOC. This enables the SOCs to share information, jointly invest in tools and expert staff, and increase situational awareness for the participating organizations.

3. Implement and operate the solution efficiently.
• Collect meaningful data from sensors and from logs generated by applications, operating systems, the network, the cloud, and ICS/OT systems.
• Use automated technologies as part of your incident response strategy.
• Select an event management solution that includes log collection and processing, storage, querying, alerting, and incident management. A number of commercial and open-source security information and event management (SIEM) platforms are available to help your organization derive value from the volumes of event data collected daily. Consider the ongoing configuration, support and licensing requirements when choosing the appropriate SIEM platform.
• Establish a clear incident response plan, and test it regularly, to ensure critical functions can be restored and recovered in a timely manner. Exercise the response in an isolated test environment so that the production environment is not affected.
• Ensure SOC services operate within their legal and regulatory requirements. Appropriate security controls should be in place and enforced, like data validation to identify sensitive information.
• Develop clear documentation of processes and procedures to enable SOC team members to work efficiently.
• Build the right SOC team by hiring people with a wide range of technical skills and experience. Create a retention strategy to minimize staff turnover.
• Provide ongoing training to new and existing employees. This can improve their job satisfaction and raise skill levels to keep pace with evolving and emerging technology.
• Invest in appropriate resources to care for your employees' mental well-being. This can prevent burnout, as a SOC is an area of high operational tempo.

4. Maintain and update the solution as necessary over time.
• Encourage regular communication and collaboration amongst SOC team members and stakeholders across the organization, like users, management, and system owners. This creates a valuable feedback mechanism for the SOC to provide better services to its clients.
• Collect metrics to measure SOC performance and effectiveness, which will allow you to adjust SOC operations accordingly.
• Enhance SOC activities to include attack simulation and assessments, cyber deception, and insider threat hunting in order to stay ahead of sophisticated threat actors.

Learn more
• Network security logging and monitoring (ITSAP.80.085)
• Developing your incident response plan (ITSAP.40.003)
• Developing your IT recovery plan (ITSAP.40.004)
• National Cyber Security Centre's (NCSC) publication on building a security operations centre (SOC)
• MITRE Corporation's 11 strategies of a world-class cybersecurity operations center
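The metrics called for under step 4 above (measure SOC performance and effectiveness so operations can be adjusted), shown as an added example that is not part of ITSAP.00.500: a Python function that computes mean time to detect, mean time to contain, the false-positive rate, and per-severity containment-target compliance from a set of incident records. The incident IDs, timestamps, severities and containment targets are constructed assumptions for illustration, not figures from the page, and the targets in particular are the kind of SLA values an organization would set for itself.

```python
"""SOC performance metrics over constructed incident records (added example, not from ITSAP.00.500)."""
from datetime import datetime, timedelta

# Constructed incident records with UTC timestamps. `first_activity` is the
# earliest attacker activity established during analysis. False positives have
# no attacker activity and nothing to contain, so those fields are None.
INCIDENTS = [
    {"id": "INC-1", "severity": "critical", "true_positive": True,
     "first_activity": "2023-05-01T08:00:00", "detected": "2023-05-01T08:20:00",
     "contained": "2023-05-01T09:05:00"},
    {"id": "INC-2", "severity": "high", "true_positive": True,
     "first_activity": "2023-05-02T10:00:00", "detected": "2023-05-02T11:00:00",
     "contained": "2023-05-02T16:00:00"},
    {"id": "INC-3", "severity": "medium", "true_positive": True,
     "first_activity": "2023-05-03T00:00:00", "detected": "2023-05-03T06:00:00",
     "contained": "2023-05-03T12:00:00"},
    {"id": "INC-4", "severity": "high", "true_positive": False,
     "first_activity": None, "detected": "2023-05-04T09:00:00", "contained": None},
    {"id": "INC-5", "severity": "critical", "true_positive": True,
     "first_activity": "2023-05-05T14:00:00", "detected": "2023-05-05T14:10:00",
     "contained": "2023-05-05T15:30:00"},
]

# Assumed containment targets per severity, measured from detection to containment.
CONTAINMENT_TARGETS = {
    "critical": timedelta(hours=1),
    "high": timedelta(hours=4),
    "medium": timedelta(hours=24),
}


def _mean_minutes(deltas):
    """Mean of a non-empty list of timedeltas, expressed in minutes."""
    total = sum(deltas, timedelta())
    return total.total_seconds() / 60 / len(deltas)


def soc_metrics(incidents, targets):
    """Compute MTTD, MTTC, false-positive rate and per-severity target compliance.

    MTTD runs from first attacker activity to detection and MTTC from detection
    to containment. Both use true positives only: a false positive has no
    attacker activity to measure against, but it still counts toward the
    false-positive rate, which is the analyst-load signal.
    Returns a dict; `containment_target_met` maps severity -> (met, total).
    """
    confirmed = [i for i in incidents if i["true_positive"]]
    if not confirmed:
        raise ValueError("no true-positive incidents to measure")
    ts = datetime.fromisoformat
    detect_times = [ts(i["detected"]) - ts(i["first_activity"]) for i in confirmed]
    contain_times = [ts(i["contained"]) - ts(i["detected"]) for i in confirmed]

    compliance = {}
    for inc, ttc in zip(confirmed, contain_times):
        met, total = compliance.get(inc["severity"], (0, 0))
        target = targets.get(inc["severity"])
        within = target is not None and ttc <= target
        compliance[inc["severity"]] = (met + int(within), total + 1)

    return {
        "mttd_minutes": _mean_minutes(detect_times),
        "mttc_minutes": _mean_minutes(contain_times),
        "false_positive_rate": 1 - len(confirmed) / len(incidents),
        "containment_target_met": compliance,
    }


if __name__ == "__main__":
    m = soc_metrics(INCIDENTS, CONTAINMENT_TARGETS)
    print(f"MTTD {m['mttd_minutes']:.1f} min, MTTC {m['mttc_minutes']:.1f} min, "
          f"false-positive rate {m['false_positive_rate']:.0%}")
    for sev, (met, total) in m["containment_target_met"].items():
        print(f"  {sev}: {met}/{total} contained within target")
```

A single average hides as much as it shows: in this constructed set the overall MTTC looks acceptable, yet only one of two critical incidents met its one-hour target. Reporting compliance per severity alongside the means is what lets the SOC adjust staffing, playbooks or automation where it actually matters.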
