Best Practices For Setting Up A SOC
© Government of Canada | This document is the property of the Government of Canada. It shall not be altered, distributed beyond its intended audience, produced,
reproduced or published, in whole or in any substantial part thereof, without the express permission of CSE. Cat. No. D97-1/00-500-2023E-PDF ISBN 978-0-660-48586-7
UNCLASSIFIED
Perform a cyber security risk assessment to understand the threats your organization faces. It can also be useful to understand the level of sophistication of threat actors targeting your organization. For Government of Canada (GC) departments, refer to ITSG-33, Annex A, Table 5 for a description of threat agents. For non-GC organizations, consult the Structured Threat Information Expression (STIX) v2.1 framework for a description of threat actor skill levels.

Understand the legal, regulatory, and compliance requirements that your organization operates under to know what the SOC is required to do or protect.

2. Design a SOC solution that meets organizational needs.

Select a SOC model that is comparable to your organization's threat profile and is achievable given your resources. Your requirements and the threats you face will change over time, so your model should be easily adapted to keep pace.

Incorporate threat-oriented defence into routine security operations, including the techniques described in threat frameworks such as MITRE ATT&CK and the OWASP Top Ten.

For large organizations with broad geographical coverage, like hospitals and schools, consider integrating or consolidating multiple SOCs into a regional SOC. This enables SOCs to share information, jointly invest in tools and expert staff, and increase situational awareness for the participating organizations.

3. Implement and operate the solution efficiently.

Collect meaningful data from sensors and logs generated by applications, operating systems, the network, the cloud, and ICS/OT systems.

Select an event management solution that includes log collection and processing, storage, querying, alerting, and incident management. A number of commercial and open-source security information and event management (SIEM) platforms are available to help your organization derive value from the volumes of event data collected daily. Consider the ongoing configuration, support, and licensing requirements when choosing the appropriate SIEM platform.

Ensure SOC services operate within their legal and regulatory requirements. Appropriate security controls should be in place and enforced, such as data validation to identify sensitive information.

Develop clear documentation of processes and procedures to enable SOC team members to work efficiently.

Build the right SOC team by hiring people with a wide range of technical skills and experience. Create a retention strategy to minimize staff turnover.

Provide ongoing training to new and existing employees. This can improve their job satisfaction and raise skill levels to keep pace with evolving and emerging technology.

Invest in appropriate resources to care for your employees' mental well-being. This can help avoid burnout, as a SOC is an area of high operational tempo.

4. Maintain and update the solution as necessary over time.

Encourage regular communication and collaboration amongst SOC team members and various stakeholders, like users, management, and system owners, across the organization. This can create a valuable feedback mechanism for the SOC to provide better services to your clients.

Collect metrics to measure SOC performance and effectiveness, which will allow you to adjust SOC operations accordingly.

Enhance SOC activities to include attack simulation and assessments, cyber deception, and insider threat hunting in order to stay ahead of sophisticated threat actors.

Use automated technologies as part of your incident response strategy.

Learn more

Network security logging and monitoring (ITSAP.80.085)
Developing your incident response plan (ITSAP.40.003)
Developing your IT recovery plan (ITSAP.40.004)
National Cyber Security Centre's (NCSC) publication on building a security operations centre (SOC)
MITRE Corporation's 11 strategies of a world-class cybersecurity operations center
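Steps 2 and 3 above call for threat-oriented defence mapped to frameworks such as MITRE ATT&CK, and for an event management solution that collects, processes, stores, queries and alerts on log data. The script below is an added example, not code from the CSE guidance or from any SIEM product: it ingests two constructed log formats (syslog-style sshd lines and JSON records modelled on Windows logon events 4624/4625), normalizes them into one assumed flat schema, answers simple equality queries, and raises an alert tagged with the ATT&CK technique id for brute force (T1110) when one source address produces repeated failed logons inside a short window. Hostnames, user names, addresses and the JSON field names are constructed for the example.

```python
"""Minimal log collection, normalization, query and alerting pipeline.

Added example, not part of the CSE guidance. All log lines, hosts, users and
addresses are constructed; the flat per-event schema is an assumption, since
every SIEM defines its own.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input, source 1: syslog-style SSH authentication lines.
SAMPLE_SYSLOG = """\
2024-05-01T10:00:01Z bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-05-01T10:00:04Z bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
2024-05-01T10:00:09Z bastion sshd[2212]: Failed password for root from 203.0.113.7 port 51240 ssh2
2024-05-01T10:00:15Z bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51244 ssh2
2024-05-01T10:00:20Z bastion sshd[2214]: Failed password for root from 203.0.113.7 port 51250 ssh2
2024-05-01T10:00:31Z bastion sshd[2215]: Accepted publickey for deploy from 198.51.100.10 port 40000 ssh2
"""
# Constructed sample input, source 2: JSON records in the shape of Windows logon
# events (4625 = failed logon, 4624 = successful logon); field names are assumed.
SAMPLE_JSON = """\
{"ts": "2024-05-01T10:05:00Z", "host": "dc01", "event_id": 4625, "user": "jsmith", "src_ip": "192.0.2.44"}
{"ts": "2024-05-01T10:07:00Z", "host": "dc01", "event_id": 4625, "user": "jsmith", "src_ip": "192.0.2.44"}
{"ts": "2024-05-01T10:09:00Z", "host": "dc01", "event_id": 4624, "user": "jsmith", "src_ip": "192.0.2.44"}
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\S+) port \d+"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_syslog(text):
    """Map sshd lines onto the common schema; unparsed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # a production pipeline would count these for parser coverage
        events.append({
            "ts": parse_ts(m["ts"]), "host": m["host"], "source": "sshd",
            "action": "logon",
            "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "user": m["user"], "src_ip": m["src_ip"],
        })
    return events


def normalize_json(text):
    """Map the JSON logon records onto the same schema."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        events.append({
            "ts": parse_ts(rec["ts"]), "host": rec["host"], "source": "windows",
            "action": "logon",
            "outcome": "failure" if rec["event_id"] == 4625 else "success",
            "user": rec["user"], "src_ip": rec["src_ip"],
        })
    return events


def query(events, **filters):
    """Equality query over the normalized in-memory store."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]


def detect_failed_logon_bursts(events, threshold=5, window_seconds=60):
    """Alert when one source IP produces >= threshold failed logons within the window.
    The alert carries the ATT&CK technique id (T1110, Brute Force) so analysts can
    map it back to the threat framework the SOC design is based on."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    failures = sorted(query(events, action="logon", outcome="failure"), key=lambda e: e["ts"])
    for e in failures:
        by_ip[e["src_ip"]].append(e["ts"])
    alerts = []
    for ip, times in by_ip.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"rule": "failed-logon-burst", "attack_technique": "T1110",
                               "src_ip": ip, "count": threshold, "first_seen": times[i]})
                break  # one alert per source per batch
    return alerts


def run_pipeline():
    """Collect from both sources, store, and run the detection rule."""
    store = normalize_syslog(SAMPLE_SYSLOG) + normalize_json(SAMPLE_JSON)
    return store, detect_failed_logon_bursts(store)


if __name__ == "__main__":
    events, found = run_pipeline()
    print(f"{len(events)} events stored, {len(found)} alert(s)")
    for a in found:
        print(a)
```

The two normalizers are the part that scales: each new log source gets its own mapping onto the shared schema, and detection rules such as `detect_failed_logon_bursts` are written once against that schema rather than against each raw format. Tagging every rule with an ATT&CK technique id makes coverage gaps visible when the SOC reviews which techniques its rules address.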
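Step 4 above asks the SOC to collect metrics on its own performance and effectiveness. The following script is an added example, not code from the CSE guidance or from any incident management product: it computes the usual time-based SOC metrics (mean time to detect, acknowledge and contain), the false-positive rate, and containment target breaches per severity from a constructed export of incident records. The record field names, the metric definitions and the containment targets are all assumptions; map them to what your own tooling produces.

```python
"""Compute SOC performance metrics from exported incident records.

Added example, not from the CSE guidance. The records, their field names
(occurred_at, detected_at, acknowledged_at, contained_at, true_positive) and
the containment targets are constructed assumptions. Metric definitions used
here, also an assumption:
  MTTD = detected_at - occurred_at      (true positives only)
  MTTA = acknowledged_at - detected_at  (all alerts, since analysts triage each one)
  MTTC = contained_at - detected_at     (true positives only)
"""
from datetime import datetime, timezone
from statistics import mean

# Assumed containment targets per severity, in hours (not from the guidance).
CONTAINMENT_SLA_HOURS = {"high": 4, "medium": 24, "low": 72}

# Constructed sample export: six alerts handled over one week.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "true_positive": True,
     "occurred_at": "2024-05-01T08:00:00Z", "detected_at": "2024-05-01T08:30:00Z",
     "acknowledged_at": "2024-05-01T08:45:00Z", "contained_at": "2024-05-01T11:30:00Z"},
    {"id": "INC-2", "severity": "high", "true_positive": True,
     "occurred_at": "2024-05-02T01:00:00Z", "detected_at": "2024-05-02T03:00:00Z",
     "acknowledged_at": "2024-05-02T03:15:00Z", "contained_at": "2024-05-02T09:00:00Z"},
    {"id": "INC-3", "severity": "medium", "true_positive": True,
     "occurred_at": "2024-05-03T09:00:00Z", "detected_at": "2024-05-03T10:00:00Z",
     "acknowledged_at": "2024-05-03T10:30:00Z", "contained_at": "2024-05-04T10:00:00Z"},
    {"id": "INC-4", "severity": "low", "true_positive": True,
     "occurred_at": "2024-05-04T12:00:00Z", "detected_at": "2024-05-04T14:00:00Z",
     "acknowledged_at": "2024-05-04T15:00:00Z", "contained_at": "2024-05-05T14:00:00Z"},
    # False positives: nothing actually occurred, so no occurred_at or contained_at.
    {"id": "INC-5", "severity": "medium", "true_positive": False,
     "occurred_at": None, "detected_at": "2024-05-05T08:00:00Z",
     "acknowledged_at": "2024-05-05T08:30:00Z", "contained_at": None},
    {"id": "INC-6", "severity": "low", "true_positive": False,
     "occurred_at": None, "detected_at": "2024-05-06T08:00:00Z",
     "acknowledged_at": "2024-05-06T08:30:00Z", "contained_at": None},
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hours_between(start, end):
    return (parse_ts(end) - parse_ts(start)).total_seconds() / 3600


def soc_metrics(incidents, sla=CONTAINMENT_SLA_HOURS):
    """Return aggregate metrics for one reporting period."""
    if not incidents:
        raise ValueError("no incidents in reporting period")
    tps = [i for i in incidents if i["true_positive"]]
    contain_hours = {i["id"]: hours_between(i["detected_at"], i["contained_at"]) for i in tps}

    # Per-severity view: how many real incidents and how long they took to contain.
    by_severity = {}
    for sev in sorted({i["severity"] for i in tps}):
        ids = [i["id"] for i in tps if i["severity"] == sev]
        by_severity[sev] = {"incidents": len(ids),
                            "mttc_hours": mean([contain_hours[x] for x in ids])}

    # Containment target breaches; unknown severities never breach (no target defined).
    breaches = [i["id"] for i in tps
                if contain_hours[i["id"]] > sla.get(i["severity"], float("inf"))]

    return {
        "alerts": len(incidents),
        "true_positives": len(tps),
        "false_positive_rate": (len(incidents) - len(tps)) / len(incidents),
        "mttd_hours": mean([hours_between(i["occurred_at"], i["detected_at"]) for i in tps]) if tps else None,
        "mtta_hours": mean([hours_between(i["detected_at"], i["acknowledged_at"]) for i in incidents]),
        "mttc_hours": mean(list(contain_hours.values())) if tps else None,
        "sla_breaches": breaches,
        "by_severity": by_severity,
    }


if __name__ == "__main__":
    for key, value in soc_metrics(INCIDENTS).items():
        print(f"{key}: {value}")
```

Tracking these numbers per reporting period is what turns the metric into a control: a rising MTTD points at detection coverage or sensor gaps, a rising MTTA at staffing or alert volume, a high false-positive rate at rules that need tuning, and repeated breaches in one severity band at a playbook or escalation problem.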