Task 1: In order to keep all members of the team working together and honing their skills and focusing their mindsets on security, it has been suggested that the IT security expert can use games. Review the suggested games in Chapter 5 Your Most Valuable Resource is Your People in Designing and Building a Security Operations Center. Design a game that staff analysts could play that would help to train them in becoming more observant and able to see through the noise of all the data that passes through their servers. Integrate components of the Structured Analytic Techniques for improving their analysis of data sets.
First, investigate the mindset of a cyber security analyst.
Read Proactive Cybersecurity: Reshaping the Way we Think About Data Breaches. http://www.techhealthperspectives.com/2014/02/06/proactive-cybersecurity-reshaping-the-way-we-think-about-data-breaches/
Read Chapter 5 Your Most Valuable Resource is Your People – Analysts
Who is the analyst?
What responsibilities do they have?
Who is the security engineer?
Who is the security architect?
Who is the SOC Team Lead?
Who is the SOC Manager?
How does their job differ from the analyst's?
Second, it has been suggested that using an agile project method of thinking about security and using the 30-day Scrum approach might be more effective. Review the concepts of agile project management.
Read Can Agile Mindset Address Federal Cybersecurity? http://www.information-management.com/news/infrastructure/Agile-Software-Development-Cybersecurity-10027271-1.html
Read Continuous Delivery: The Agile Successor http://www.drdobbs.com/architecture-and-design/continuous-delivery-the-agile-successor/240169037
Review this LinkedIn Learning section: Section 5 – An Overview of Agile Project Management from the course: Project Management Foundations with Bonnie Biafore
Third, investigate the adverse impact on analysis of the analyst’s cognitive limitations and pitfalls.
Read and analyze Challenging Mindsets https://www.e-education.psu.edu/sgam/print/book/export/html/156
View the three graphic sets presented. Note what you initially see then try to look at each from a different perspective. Check your observation against the answers at the bottom of the page.
Then read the discussion.
Review the Structured Analytic Techniques, which present a toolbox of methods for analysis.
Review the CIA’s Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis pdf (found in important documents)
Building a SOC is not an easy task, certainly not easy when all you hear is that there is a massive shortage of security experts and that if you can find one, he or she will come at an exceptionally high cost. At the time of writing this chapter, it is true that well-trained security professionals are few and far between and that they are expensive, but that does not mean it is impossible to find great people for your SOC or to secure your organization.
The first thing you need to do is evaluate the skill sets you would like to have in order to make sure you are really looking for exactly what you need. All too often when I look at a security organization and an operation center, their open requisitions for new employees go unfilled for long periods of time. Typically, the answer to these unfilled positions is that they cannot find the right qualified candidate. But when looking a bit deeper, I usually find that they are looking for someone who just does not exist. For example, their job description may detail a role for a junior analyst but require a master's degree, 10 plus years of experience, and a long list of industry certifications. It is great that they have high ambitions, but this is unbalanced and will not attract the right candidates to the job. Sometimes this happens in an organization where HR requires specific education or industry experience in order to justify the salaries that are needed to attract security professionals. Since cyber security roles are still relatively new in many organizations, there are not many precedents for salary or compensation levels across different industries. This means that HR is forced to find other, similar-looking roles to model compensation packages after, and although those roles may have similar technical descriptions, they are actually quite different. These disconnects can happen for a number of reasons, but as universities build programs and grant degrees in these specialty areas, the issues are beginning to get resolved. Let us take a closer look at some of the representative positions in a SOC and what the real requirements are for the various positions you may find in a typical SOC.
We will review some of the technical and soft skills required to be successful in these positions and let us also look at some of the basic job descriptions and associated job postings that you can use to attract top talent.
Where you get your people from is also very important to understand before you start writing job descriptions. There are four main ways to get a new person to work in your SOC, and each is discussed below:
- Off the street
- From another internal department
- Contractors from a professional services or staff augmentation firm
- Managed security services provider
First, you can hire them right off the street, as most organizations traditionally do. This is always a gamble because you only have basic references, phone calls, or the interview meetings you have had with the individual to determine his or her personality, technical strengths, and willingness to be part of the team. It is hard to determine what is real and what is showmanship when you are putting someone through the interview process. Make sure that you expose potential candidates to as many people as reasonably possible during your interviews to gain a well-rounded perspective. Make sure you meet together as a team, if possible, to discuss the candidate and see if there is a good fit culturally as well as technically. Do not discount people who have a desire or passion for learning and cyber security. One of the best ways to build a loyal, highly trained staff is to grow them organically inside your SOC. If you are able to keep people engaged and interested and you have the ability to invest in their knowledge, then you will reap the rewards of growing your own cyber security professionals in your SOC. Not only should you focus on external resources, but you should focus on growing all your staff to make them the best operations team you can. When you focus on expanding their skills, you will be able to retain them as valued employees. People want to grow, and if they become stagnant in your organization, then you will see a high rate of turnover. Do not be scared to invest in your people. It is true that some will take their skills and leave, but the better you treat them and the more you invest in them, the more you will be able to retain them.
Next, you can bring someone into your SOC who is from another department of your organization. This could be someone from IT or another technical area who is interested in cyber security and wants to explore other technical spaces than the one he or she is in now. Bringing existing employees into your SOC, especially people from IT, can be an incredibly positive boost to an operations organization. They may already know a lot about the IT infrastructure and the key people that your SOC will have to work with. They may be well liked and respected in the organization with established relationships, and they can help pave the way for a new organization such as a SOC that is being formed. I cannot stress enough the value of having an existing employee come to work in your SOC. For a new SOC or a new security program just starting up, getting existing people in the organization who know the ropes to help get you going is a must have. Security is not always looked upon favorably, as your organization may require the SOC to watch what people are doing. I do not mean spy on people, and certainly there are privacy laws that differ from country to country and prevent the actual watching of people, but as rules are broken, events are triggered that will cause an investigation. That is not such a big deal, but catch someone doing something wrong and it becomes a very big deal. Not only that, but when the SOC finds vulnerabilities or sees attacks on the network, people in IT may not view the SOC's investigations and the answering of its questions as their favorite things to do during the day. Having people on staff with already established relationships in the organization can help smooth over these types of issues before they become bigger problems. Not only that, but existing employees may know what different servers are used for, what the oddly named servers are for, and who is responsible for managing them. These are all things that the SOC will have to figure out, but having someone on the team who already has some of this knowledge will help the SOC progress and mature faster in gaining the familiarity it needs to protect the network.
A SOC can also hire a professional services organization to place contractors in key roles. These contractors will typically be more senior security analysts or engineers who have been in the same role at other companies and have general knowledge of the tasks that need to be performed in a SOC environment. Not only have these contractors likely done a role at another company previously, but they also will typically be trained by the contracting company to ensure that their clients are getting a seasoned resource for the time they are onsite providing value for that customer. Contractors are not always the best solution because you have to pay them to learn your processes and procedures and help them learn where everything is, but that is typically offset by the skills they can quickly bring to the table. The right contracting agency that specializes in cyber security staff augmentation will have a deep well of resources that can be tapped for almost any need. Have a new intrusion detection system being installed or need help implementing a new intelligence program? Provide the contracting agency with your specialized needs, and they will work to find someone who can get the job done. Staff augmentation agreements with contracting companies can be for general analysis roles to help build up your staff temporarily or can be for the implementation of specific projects. Most of the time you will also get the option to hire a person full time from the contracting agency if you really get along with them and believe a more long-term relationship is beneficial. There will be costs associated with hiring a contractor full time so make sure that if you are going to use this option, you understand those charges up front.
Managed Security Services (MSS) is something that we will discuss at more length in another chapter, but it is worth mentioning that organizations can be very successful using a provider. Although an MSS can also provide professional services engagements and staff augmentation, in this case we are talking about not hiring someone to work internally but instead removing the function from the internal team and outsourcing it. In this situation, you will outsource specific functions to an external organization and only have response requirements for the activity when the MSS finds something that requires your attention. The MSS will provide the resource coverage you need remotely and will take over the key functions you need to have managed. They will do this with highly qualified and specialized employees who may be unavailable or unaffordable for some organizations. The key to a successful MSS relationship is being a good partner and making sure your expectations are reasonable by only outsourcing functions that lend themselves to execution without intimate knowledge of your organization or business.
When you are out there in the market for new staff to fill your SOC, make sure you think about the operational security of your organization. I know that there is a working balance, but you should put some thought into what you want to tell people and what should be kept secret about how you run your operations, as this is a way to further protect your organization. For example, if you need a front line tier 1 analyst in your SOC and you create a job description listing the vendor names of all the security products you use and require a junior analyst to have experience with, you may be giving away a bit too much. By listing all these products, you are giving away potential social engineering, marketing, and intelligence information that an attacker can use, and you may also create a bias in potential candidates. Maybe a potential candidate has great experience, but because you are using one type of antivirus product in your organization versus another, it may make them skip over your job posting. I know this seems silly, as they should just be glad you are using antivirus, but do not lose out because of brand recognition or vendor preferences. On the other hand, it is ok to discuss what compliance or regulatory requirements you have, as knowledge of those programs is helpful when framing out the work that needs to be done in security. Familiarity with programs such as the Payment Card Industry (PCI) Data Security Standard and the Sarbanes–Oxley Act of 2002 (SOX) gives you a good gauge of a person's experience and his or her ability to help your organization stay compliant. Again, when you are looking for a more junior person, knowledge of product categories and compliance programs is what you want; familiarity with antivirus, for example, is enough, and the specifics of your particular product they will learn on the job. Additionally, how you use the product, what your processes are, and the tasks you are going to require them to perform will almost always be new to them because they are your processes and nobody else's. Of course there will always be similarities between organizations that use the same tool sets, but you will almost always have some distinctions that are specific to your operations or your organization. Also, when an attacker is looking to infiltrate your organization's network, knowing that you use one brand of IDS versus another may give them an advantage in crafting attacks that get past the kind of IDS they know you use. You need to think about what information is important for all job descriptions, not just junior analysts. A person's exposure to SIEM, firewalls, data loss prevention systems, or whatever else is vitally important; their knowledge of specific brands may not be, but that will be up to you. If you really do need someone who has mastery-level skills in a particular brand of SIEM, then think about getting an outside hiring agency to market the role for you. That way people will not be able to directly associate your internal operational security controls with your specific organization.
The culture that develops in a SOC is fairly unique. It is true that when you have any group of people who all work closely together at length, they will develop their own culture, enjoy a specific sense of humor, and have shared personal feelings and developed trust. But in the case of a SOC, it may be different; it may be more of a group culture of acceptance, knowledge, and general weirdness. There are people who will thrive in these types of environments and those who will not. In larger SOCs that run 24×7 operations, people may not have real personal space. They may share a desk and a computer with people who work on other shifts. They use the same keyboard and mouse as the others and will work on some of the same projects, tasks, and tickets, and at times may even operate as if they shared the same brain. Anyone who is lazy or messy will be spotted right away. Someone who is a clean freak sitting at a desk right after someone who is a slob is one type of the cultural and interpersonal clashes that you will need to deal with in a SOC. As a SOC grows and matures, everyone in the SOC grows and matures. When one person in a SOC learns something new and shares it, everyone in the SOC learns something new. Everyone who lives in a SOC will benefit from the knowledge brought in from the outside and from creative people who figure out how to do things better and then share those skills. This happens much in the same way as when one person comes to work sick and a few days later everyone in the SOC is sick. It did not take us long at one high security SOC to figure out that we needed hand sanitizer right next to the biometric hand scanner that everyone used to gain access to the operations floor.
Not unlike other areas of IT, people who are focused on cyber security are very passionate. There is a sense of pride in making sure that the network and all its resources are protected. Bringing someone new into this culture is not always easy. In the great SOC cultures that I have worked in, you know it just clicks: you have fun, you respect the people you work with, and you learn something new every day that you go to work. And when you have stayed in touch with the people you worked with for over 10 years after you left that SOC, then you know you had, and still have, something special.
A single bad apple can absolutely poison the well in a SOC, so you have to be careful. When a person is not pulling his or her weight, not properly documenting tickets, showing up late, or passing work off to others, morale in the SOC can go down fast, and people can start to gang up on the offender. Unlike other work environments where some of this may go unnoticed, in a SOC it will become very obvious to the team members who are picking up the slack. Make sure you stop this early, because as things become toxic, work will suffer.
The cultural fit is extremely important in a SOC environment. People have to work very close to each other and will work under some extreme conditions that can also be very high stress. Making sure you have the right personality mix is vitally important.
Personality is a key ingredient for an individual in a SOC environment. You need to find people who are naturally curious and want to uncover the real or root cause of events. These are your modern-day Sherlock Holmeses, who will leave no stone or packet of data unturned in order to get not just an answer but the right answer that satisfies their curiosity. People who thrive in a SOC environment do not need their own office and like working together as a team. They are able to ask for help appropriately and when needed, and will always look for opportunities to share their knowledge in order to better the group. In some very positively charged SOC environments I have been in, positive competition was also a large part of the personality of the people. They would compete to see who could find the most zero-day exploits, who could write the best intrusion detection signatures, or who could develop the best rules to capture new hacking attempts or abnormally behaving devices. They would also attack each other in a lab for bragging rights. This was all in great fun, and not only did it inspire people to learn, but it also helped in developing leaders and trainers, not to mention how it benefited and advanced the security of the organization. Without positive personalities like this in the SOC to drive development, innovation, and inspiration, your SOC will get stagnant, stale, and filled with people coming in every day to punch a clock.
CORE SKILL SETS
There are some basic skill sets you should look for in someone you are considering to work in your SOC. These are the core skill sets that anyone in any position in your SOC should have, and this includes management. One of the basic skill sets that people in a SOC need to have, at a minimum, is rudimentary networking. They should know IP addressing, basic routing, and basic protocol information. They should understand what protocols are and how they operate as well as what ports they use. They do not necessarily need to know an extensive list of ports and protocols, but they should know the common ones. Do not interview someone just to blow him or her away technically; that is not fair. Instead, gauge where they are and determine if they are trainable for the position you need. Next, they should understand some simple attack methodologies like brute force, overflows, and denial of service, as well as how some types of malware work. These simple attacks combined with basic networking skills will give anyone in the SOC a running start when the first real event comes in that they need to address. Obviously the more advanced a person is in these areas the better he or she will be, but do not discount a potential candidate who does not have advanced skills in these topics but has a strong willingness to learn. When we get to the chapter on training, you will see how easy it is to bring people in and give them the skills they need to be successful. You need to be able to get junior analysts in the door and invest time and knowledge in them. I have many, many examples where I have brought someone into a SOC as a junior analyst. They had only a basic understanding of IT in general, but because of their positive personality, drive, determination, and willingness to learn, not only did they come into the organization and do a great job, they excelled, exceeded expectations, and rose through the ranks to become some of the best platform, intelligence, or general cyber security engineers in the business. So an individual coming into a SOC needs to have a good attitude in order to be successful, but some exposure to programming languages, hex code, and command line use on different platforms is a big help as well. Even though you may need a more seasoned and senior person today, look to promote from within and develop your staff to take on greater roles and responsibilities; then hiring may be easier, as you will be freed up to find people whom you can train.
To break it all down, here are some of the core skill sets needed for an individual to be successful starting out in a SOC:
- Basic networking
- Simple attack methodologies
- General understanding of malware
- Must have a passion for technology
- Must be genuinely curious
- Should be good at deductive reasoning and critical thinking
- Be creative
- Have a general quest to learn and gain knowledge
Roles and responsibilities
In a typical SOC, there are various job functions and roles inside those functions that you need to have in order to build out your operation center. We talk more about organizational structure later, but this is as good a time as any to look at a basic organizational chart to frame out the positions we are going to discuss. Each position, although related to each other, is very different and will have a different focus and different skill sets. As such, each position should have a different job description, and individuals in those positions should be held accountable for very different goals and objectives.
You start off with your basic analyst; this role is your front line initial triage staff. Their jobs are very regimented and prescriptive. They are to do what is documented and nothing else. Anything outside what is documented needs to be escalated. Your second layer, or tier 2, is your senior analyst. These folks are there to take more complex escalations from your front line and quickly resolve any issues they can. They also need to make critical decisions to escalate problems to an engineering group or to an incident response lead if the problem warrants it. Their position is also prescriptive but has room for flexibility, and they have decision-making authority for escalation purposes. An incident response lead can function in many different capacities depending on the situation. They are there to control the flow of information between analysts, engineers, management, and the customer. They should follow very prescriptive processes to ensure that everyone follows the right process and that all key decision makers are properly informed during crisis times. Engineers can be broken down in many ways, and depending on your organization, you may have many groups or just one. Either way, your engineers should be your most technically skilled SOC staff in a specific area. They operate at a descriptive as opposed to prescriptive level. They will typically be writing rules, building infrastructure, solving problems, and working with vendors to address functional or implementation issues. They can also be research engineers who focus on security intelligence or special projects needed at your organization. Depending on the size of your SOC, you may also have a layer of management in the basic design. If you run several shifts for 24×7 coverage, then you may need a shift supervisor, someone who makes sure that tickets are addressed properly during shift hours. This is also someone who can take customer escalations and deal with management problems as they arise, such as employees calling in sick. The shift supervisor should be one of your best technical analysts, someone who can operate at an engineering level but wants to take their career on a management track. This way they can jump into any issue and make sure that each team is moving along smoothly during that shift. They will also be the liaison to management to report issues, communicate objectives, and resolve any potential problem areas. In addition to shift supervisors, you can have team leads who are directly responsible for individual team performance. These are individuals who work inside a team such as engineering but manage the people, projects, and workflow in that group on a daily basis.
Lastly, there is the SOC manager. This person is responsible for the entire operations of the SOC and will typically have all shift supervisors and team leads reporting into him or her, again depending on the size of your operations team.
You may have many other types of positions in your SOC. This is just a basic framework to begin the conversation of the roles and what the staff should look like from a skills perspective and how you should view them. The perfect SOC employee will be one that you grow and you keep engaged and keep happy, and they will in turn help keep your organization secure.
Your first line staff, the people who answer the phone, triage most of your issues, and review almost all your events, are your security analysts. There are many different types of analysts you may have, but your most junior analysts are tier 1/level 1, the first tier of people who evaluate events. They are the first to open a ticket and peek inside to see what is going on. Your tier 1 analysts are typically not given very much flexibility in how they handle issues. They are given a rigid and prescriptive approach to dealing with events. They are to follow predefined and documented procedures and escalate anything that does not fit the norm to a second tier, or tier 2, senior analyst. It is critical to train your analysts on how to spot problem areas in order for them to be the first and best line of defense for your organization. The more time you spend training your front line analysts, the easier it will be to protect your organization and run an efficient SOC. You also need to listen to your front line analysts. They will tell you where they are wasting their time, how to improve processes, and what they could be doing to make things better and more secure. Give them the opportunity to help shape the SOC, as it should be your hope that one day your front line SOC analysts will become your trusted engineers or managers. I will also argue that you should never hire tier 2 senior analysts. The skills that make a senior analyst are specific to your operation and to your processes, programs, and procedures. While it is true that you can hire people who have more technical skills and require less training, there may be no end to the training you can give someone on the soft skills that will help them. Being an effective analyst requires a good balance between being technically competent and being able to work with people. A senior analyst will have these skills, will understand the finer points of your processes, and will be able to execute key tasks with finesse, a style that nobody off the street will be able to match until they really learn the ropes of your organization.
When thinking about this position and what you need the role to perform for you, think about the technology that they will need to interact with. Will they access devices directly, will they just work out of a ticket system and nothing more, or in smaller SOCs will your tier 1 and tier 2 really be the same people? Although it is nice to have clearly defined roles with junior people working alongside more senior people, it is sometimes a luxury as not all organizations can afford an army of cyber warriors. This does not mean the job descriptions change or that the functions are different; you just need to combine the functions and merge the responsibilities into one person’s core competencies.
The sample job description and posting below for a tier 1 or 2 analyst includes the key technology that the particular SOC is focused on from an organizational perspective, but as mentioned above, the names of specific vendors or products are omitted. The omission of product and vendor names does not diminish the description; in fact, it makes it more focused and more to the point, as you are not instantly drawn into thinking about the products but are focused on the skills.
SECURITY ANALYST—JOB DESCRIPTION
This position manages and monitors events from internal security devices, and authentication services associated with the organization’s security controls. Incumbents will possess strong technical analytical skills while providing accurate analysis of security-related problems. They have a well-rounded networking background and are responsible for performing extensive troubleshooting of customer issues in the fast-paced SOC. This individual is user focused and works to resolve user needs in a timely manner. These needs may involve resolving hardware/software failures, investigating and responding to security threats, and making change requests to the security policy of company devices.
ESSENTIAL DUTIES AND RESPONSIBILITIES:
Provide technical support on an on-call 24×7×365 basis. This involves handling events such as identifying user security issues, extensive troubleshooting, and coordinating resolution or restoration using a variety of applications and testing tools. The events can include hardware/software failures as well as security breaches, threats, or network connectivity issues. Regularly provide high-level proactive technical support, including security configurations, security policy modification recommendations, and diagnostics of remote network security issues.
Professionally and courteously answer inbound security-related calls and provide customers with the best possible customer service and experience, create tickets, fill out necessary checklist paperwork, generate trouble tickets for all work and informational requests, handle security-related user complaints, and escalate according to established procedures.
Ensure that the company is implementing best practice security policies that address business needs while protecting vital corporate assets.
Individual must be able to perform with minimal supervision of routine duties; must demonstrate ability to solve practical problems and deal with a variety of concrete variables in situations where only limited standardization exists; interpret instructions furnished in written, oral, diagram, or schedule formats; and be able to handle multiple tasks simultaneously.
Associate Degree or equivalent experience. Special consideration given to relevant industry certifications.
Typically, 2–4 years related experience required.
Background in networking or security to include intrusion detection/prevention.
Excellent written, verbal communication and organizational skills.
Knowledge and experience with PCs, LAN topologies, routers, hubs, and terminal servers.
Knowledge of security applications such as IDS, Security Event Management and anomaly detection tools.
Knowledge of VPN technology.
Knowledge of trouble ticketing systems/CRM.
Understanding of the operation of test and analysis equipment such as protocol analyzers, LAN/WAN sniffers, and so on.
Ability to read and interpret network diagrams.
Ability to read and understand packet captures.
Basic understanding of the OSI model.
Strong interpersonal and user service skills.
Knowledge of Unix and Windows operating Systems.
Experience with processes in functional areas (i.e., trouble management, fault management, and incident management).
Understanding of network management concepts and software, including SNMP.
When you look to fill the role of security engineering, your descriptions are going to vary greatly. Engineers can be highly specialized and focused on the very specific needs of your organization. They can be platform focused, such as IDS, proxy, or Data Loss Prevention, or they can be threat based for the purpose of building intelligence. You may even have network or system engineers that are more IT focused and support the SOC and all its equipment. You have to keep in mind that with your engineering staff, their main purpose is to support the SOC, who in turn supports the customer, whether internal or external. So it is important that your engineers understand that with every device they deploy, every rule they create, and every piece of intelligence they collect, the analysts will be on the front end of their efforts and will be responsible for acting on whatever they put in place. Although your security engineers are highly technical and will work on long projects, they should not operate in a bubble and need to keep focus on the rest of the organization. This will become obvious when an engineer creates a new rule in a SIEM environment that generates thousands of false positive events that flood your ticket system, all for your analysts to fix. As Uncle Ben said to Spider-Man, “With great power comes great responsibility.” Your engineers will have great power over your security infrastructure; make sure they are responsible and accountable.
Engineers should be responsible for looking over tickets that have been closed by the SOC analysts. They should review a specific percentage of tickets each week to ensure that not only are the analysts properly working the tickets but that they agree with the analysis conclusion that was used to close the ticket. This exercise will help not only build better quality control into the overall SOC system but it will help highlight areas that the engineers need to train the analysts on or even areas where the engineers need to fix a system to make things easier or to work better for the analysts.
Below is a sample job description and posting for an engineer; again, this will include technology but will not specifically call out brands or products. It describes a security engineer who has overall critical responsibility for the management and configuration of host-level security on an organization's server network. This could easily be adapted into a job for an engineer focused on intrusion detection, intelligence, or Security Event Management.
SECURITY OPERATIONS ENGINEER—JOB DESCRIPTION
This position manages and monitors events and performance from host-based security products associated with the company's security controls. Incumbents will possess strong technical analytical skills while providing accurate analysis of security-related problems. They have a well-rounded networking background and are responsible for performing extensive troubleshooting of customer issues in the fast-paced SOC. This individual is user focused and works to resolve user needs in a timely manner. These needs may involve resolving hardware/software failures, investigating and responding to security threats escalated from the analysis group, and making change requests to the security configuration and policy of company devices. Candidates will be the subject matter expert on the team for patching, application whitelisting, hardening, scanning and monitoring, as well as security metrics for all servers on the organization's network.
ESSENTIAL DUTIES AND RESPONSIBILITIES:
Provide technical support on an on-call 24×7×365 basis. This involves handling events arising from the SOC to perform extensive troubleshooting, and coordinating resolution or restoration of primary responsible systems. The engineer will have overall responsibility for configuration control architecture and software management tools, including but not limited to the knowledge, configuration, and deployment of application whitelisting software tools and server configuration control software. Duties will include the research, design, test, and recommendation of security controls for the organization's server and storage infrastructure. Responsibilities will include the monitoring and metrics associated with security controls to ensure controls are tuned for peak effectiveness.
Additionally, duties will require the evaluation, recommendation, and adjustment of work processes as necessary to correct adverse trends. Candidates must have extensive knowledge of industry accepted standards for system hardening and be able to tune systems to the extent practicable to prevent non-authorized personnel from accessing server infrastructure while ensuring full business functionality.
The candidate will be required to work closely with operations teams to develop processes and security standards for the organization's virtual and physical server environments, and to measure, identify, and remediate servers that do not meet security standards. The candidate will be required to work closely with analysts in the SOC to identify and address threats in a timely manner and to troubleshoot and resolve operational issues involving security controls.
Engineers in this role are required to participate in troubleshooting efforts and must be able to perform technical writing, participate in briefings, as well as be a mentor for peer engineers and analysts. It should be expected that management from time to time would assign special projects.
Education Level Preferred: Bachelor degree in Computer Engineering, Computer Science, or Information Systems. Special consideration given to relevant industry certifications.
Minimum of 5 years server security experience in mid-sized to large IT organizations.
Must have experience with security-related technologies including Active Directory, host-based firewalls, host-based intrusion detection systems, application whitelisting, server configuration controls, logging and monitoring tools, antivirus, and antivirus systems.
Must have in depth, hands-on experience with security features and system administration of Linux, UNIX, and Windows operating systems.
Must have an understanding of security vulnerabilities in common operating systems, web and applications servers, including knowledge of remediation procedures.
Experience or understanding of NERC, PCI, and SOX compliance standards.
Experience analyzing new requirements and making security recommendations based on business objectives.
Must have experience implementing and maintaining security controls and best practices.
Must possess excellent communication skills and ability to cooperate with other business functions.
Although the security architect is not always in the basic SOC organizational chart, it is worth putting a bit in about this role. The architect can be a critical function in a SOC environment and needs to work closely with a SOC. This role can either be managed inside the SOC under an engineering function or can be outside but still under an information security department or CISO function. An architect must be laser focused on the operational functions of any infrastructure or control that they are recommending for implementation. An infrastructure that is not properly managed or the output not properly addressed is a waste of time and the results from those efforts will be lost. The architect must understand how the SOC works and be in lock step with the operations team. They need to ensure that any new technology can be properly managed in the operations center, which is fully integrated with the SOC tool sets and that the proper training and support functions exist for the ongoing care and feeding of that new technology.
SECURITY ARCHITECT—JOB DESCRIPTION
The security architect will achieve organizational security goals by determining technical security requirements, planning, and guiding the implementation of security systems. The incumbent will enhance security team accomplishments and competence by planning the delivery of solutions, answering technical and procedural questions for less-experienced team members, teaching improved processes, and mentoring others. The architect will determine security requirements by evaluating business strategies and requirements, researching information security standards, and conducting system security and vulnerability analyses. Risk assessments and the study of the proposed architecture/platform of business systems will support any identified integration issues. Lastly, the architect must verify installed security systems by developing and implementing test scripts to ensure that requirements are being met.
ESSENTIAL DUTIES AND RESPONSIBILITIES:
Analyze and design security solutions for business and organizational applications and infrastructure, and provide expertise and consulting to internal or external clients. Will identify and document information security risks and propose mitigating or compensating controls based on best practices, industry standards, or regulatory requirements. Will have the responsibility for understanding complex business needs, requirements, and project scopes, with a focus on information security requirements. Will research, design, and develop new information security controls and will have the ability to assess current IT environments and make recommendations to increase security. Will work closely with compliance, IT, and security organizations to achieve goals.
5+ years of experience as an information security engineer/architect
- Background in networking or security to include intrusion detection/prevention.
- Excellent written, verbal communication, and organizational skills.
- Knowledge and experience with PCs, LAN topologies, routers, hubs, and terminal servers.
- Broad knowledge of many aspects of information security with in-depth understanding and hands on experience in many of the following areas: firewalls, proxies, IDS/IPS, VPN, virtualization, authentication technologies, content filtering, DLP, PKI and encryption technologies
- Deep knowledge of industry regulations and requirements such as PCI-DSS, HIPAA as well as ISO27001, NIST, and so on.
- Experience developing information security policy, planning, and rollout of products to achieve organizational regulation and policy goals.
- Experience designing and deploying security solutions, to include:
  - Building requests for information (RFI) for vendors
  - Performing proof of concept tests (PoC)
  - Vendor selection
- Ability to produce high quality technical documentation and detailed solution design documentation
- Should have ability to multitask and adapt to the changing demands of the organization
- Will need to work with multiple teams and cross functional groups of individuals with no direct management responsibility.
SOC TEAM LEAD
I cannot say enough how important the SOC team leads are in your SOC and in your overall organization. These are the key people that you will need to ensure that everything is running smoothly and that issues are being addressed appropriately; they are the ones driving the ship. Your team leads may be a single-shift supervisor or could be stovepiped into different functional areas such as an analyst lead, an incident lead, and an engineering lead. The larger the SOC, the more leads you may want to have to manage individual functional teams, so depending on what makes sense to you and the roles you need, you will split these job functions out. Ultimately you need to have a single person who is responsible for what happens on a shift, and this is going to be either a lead or a senior lead. A senior lead may be whom all the other leads report to if you need more than one team lead. When looking at the SOC team lead, this should be the single person who is operationally responsible for what is going on during a shift across all teams. This person ultimately reports to the SOC manager and is responsible for executing on SOC management's requirements.
The lead must be able to do almost every job proficiently and in most cases better than anyone else in the SOC. Not only is this one of the most technically competent and experienced people in the SOC, but they must also be very aware of any and all situations happening in the SOC. They need to have sharp instincts to know when an analyst or engineer is having trouble and be able to step in to provide guidance. The team leads are not only your top technical people but they are also management. Because they are management, they need to have people and management skills to ensure that everything runs smoothly. Your team leads are going to be the leads for just about everything, such as scheduling, training, work load, and the handing out of any special projects. They will also be the people that should recommend individuals for promotions and raises during review times. These are the lieutenants of the technical front line and need to be able to keep cool at times of extreme stress, like when a major incident is happening. They will direct operations and ensure that all requirements are taken care of and that processes are followed, all the while providing support and cover as needed.
Quality control is another area that should be the responsibility of the team leads. They should be responsible for reviewing tickets in the system and spot-checking the work of the analysts. They should review a set percentage of tickets every week to ensure that quality work is being accomplished, and they should be looking to see if there are common errors or issues that may require additional training for either individuals or the group as a whole. These spot checks could reveal that people are not following process, but it is also a great way to see if there are any tickets being improperly addressed or filed, or even lost in the system.
SOC TEAM LEAD—JOB DESCRIPTION
This is a team leader position with high visibility and significant responsibility supporting the SOC. This individual is responsible for providing direction, leadership, and mentorship to technical and non-technical personnel within the operations environment. The individual should have excellent customer service, analytical and troubleshooting skills along with the ability to work under pressure. It is a key requirement of this position to be able to quickly and efficiently resolve security issues while maintaining high levels of operational metrics. It is imperative that support for internal colleagues is provided as well to include, but not be limited to, supporting escalated ticket-based work, providing training on various security devices and concepts, and creating documentation to better achieve operational goals.
ESSENTIAL DUTIES AND RESPONSIBILITIES:
- Responsible for leading a team of personnel in a SOC environment
- Be able to prioritize and direct workflow
- Addressing technical and non-technical escalations
- Coordinate and schedule shift coverage, and assign resources for special projects
- Meet service level agreements
- Help establish and enforce policy and procedure
- Coach and mentor all levels of skills sets within the team
Education Level Preferred: Bachelor degree in Computer Engineering, Computer Science, or Information Systems. Special consideration given to relevant industry certifications.
Possess current certifications for enterprise level security platforms
Minimum of 5 years server security experience in mid-sized to large IT organizations.
- Must have experience with security-related technologies including Active Directory, host-based firewalls, host-based intrusion detection systems, application whitelisting, server configuration controls, logging and monitoring tools, antivirus, and antivirus systems, network monitoring and network-based security facilities.
- Extensive experience with firewall technology
- Extensive experience managing operational teams
- Past experience managing crisis teams and performing incident response
- Generally familiar with basic scripting/programming, for example Perl, Bash, SQL
- Ability to coach and mentor all levels of skillsets within the team
- Intermediate to advanced level device configuration changes, network troubleshooting, and security-related issues
- Advanced knowledge of Linux administration with command line and system knowledge
- Excellent problem solving skills and keen ability to diagnose and troubleshoot technical issues
- Dedication to client service and passion for learning
- Well spoken, articulate, attention to detail, with excellent writing abilities
- Must be able to communicate technical details in a clear manner
- Ability to manage multiple projects
Not unlike the SOC team leads, people in SOC management roles need to also be technical; they need to be able to translate organizational objectives into technical controls that everyone in the SOC can understand. They also need to understand the technical issues being dealt with during an incident or when supporting critical infrastructure issues. The SOC manager needs to know their people really well and be able to think on their feet. During incident response or times of crisis, they need to be able to put the right people in the right places at the right time to efficiently and effectively deal with any issues that may arise, in order to prevent or limit any exposure an organization may have during an attack or breach. In working with the team leads, they need to address organizational concerns, grow the team's collective knowledge, and ensure that the entire operations group is meeting or exceeding standards. Additionally, management needs to be responsible for deploying, maintaining, tuning, monitoring, and managing all aspects of the organization's SOC. The SOC manager also has to be a liaison between the operations team and the rest of the organization. In some cases, the SOC manager may also need to be the primary point person for any external agencies or governing authorities. This is very important when incidents have a criminal implication or when auditors come in to check on regulatory controls. All of that has to be properly managed and controlled so that the organization can maintain its compliance and ensure that there is cooperation with any authorities that may need to be involved in incidents.
The SOC manager is also the key person responsible for all the metrics in the SOC. This is to ensure that the SOC is operating effectively and efficiently, and that the metrics demonstrate an acceptable level of performance. The manager also needs to perform predictive analysis to ensure they are bringing in the right staff to fill critical roles, promoting the right people, and ultimately achieving organizational security objectives. Management should also always be on the lookout for new ways to build metrics that demonstrate effectiveness or weaknesses, and use these tools at all levels of the SOC to help engage everyone and bring them into alignment with expectations.
The SOC manager also needs to work with the rest of the organization and, if available, a larger security organization to identify areas where the SOC is causing problems or areas of opportunity for the SOC to further help meet security objectives. A SOC can create problems for other groups such as IT, in that escalations may need to be handled better or information flow needs to be done differently. In these cases, it is important that the SOC manager work with these external teams to understand what they need or how the SOC can work with them better, so as to not cause issues and make life easier for everyone involved. Additionally, the person in this role needs to be an evangelist for the operations group and ensure that the right amount of publicity is being heard internally by the rest of the organization. All too often the SOC goes unnoticed behind closed doors unless there is an issue or someone is helping to promote the great work everyone is doing in security operations. A SOC manager must create value out of the SOC for the organization, effectively communicate that value, and provide people with the tools and products that demonstrate that exceptional value. The manager who is able to place the interests of their customers (internal or external), clients, and other groups in the organization first will succeed the best.
In a later chapter, we talk more about structure and reporting but it is important to think about how a SOC manager plays a role in the overall organization. This person could be the CISO for a smaller organization or report into a larger security or IT department.
SOC MANAGER—JOB DESCRIPTION
Leads and manages the efforts to integrate, implement, and maintain the organization's security infrastructure and to operationalize the security requirements and goals of the organization. Provides technical and operational oversight for security tool deployment and implementation. Continuously monitors levels of service of the SOC as well as interpreting and prioritizing overall threat levels through use of metrics from the analysis of intrusion detection systems, firewalls, and other boundary protection and security devices, as well as any other security incident management products deployed to protect the confidentiality, integrity, and availability of resources. Recognizes potential, successful, and unsuccessful intrusion attempts and compromises through review and analysis of relevant SOC reporting, event detail, and summary information. Must provide oversight for incident management and response, security investigations and forensics, vulnerability management, remediation assistance, intelligence gathering and dissemination, threat scenario modeling, impact assessments, and security exercise preparedness. Ensures the integrity and protection of networks, systems, and applications by technical enforcement of organizational security policies. Monitors and proactively mitigates information security risks and adjusts posture as needed to continually strengthen the fidelity of attack detection. Provides briefings at various levels of management regarding ongoing security incidents and operational metrics. Establishes reporting and information sharing relationships with governing and partner organizations, and other appropriate external agencies and organizations, for the purpose of tracking threats or sharing common security incidents. Develops and maintains processes and procedures used to manage operations and the incident response process, and a root cause continuous improvement program. Develops and maintains reporting metrics and mechanisms used to execute and measure SOC activities.
Maintain and enhance the security roadmap used to provide technical, personnel and procedural growth and the implementation of new tools and techniques. Develop papers, briefings and technical marketing materials designed to show the value of the security operations and the individual tools deployed in the organization. Provide executive level briefings regarding status of the SOC implementation, effectiveness of security tools and infrastructure, areas of concerns, ongoing project status and cost benefit analysis for the use of the SOC and the cost avoidance of detected and mitigated security incidents. Work within a 24/7 shift-scheduled security operations environment.
ESSENTIAL DUTIES AND RESPONSIBILITIES:
This role is responsible for the visibility of organizational security controls to protect the environment and all security technology data outputs that terminate in the operations center. They must effectively ensure operational control or “watch” of the environment, developing and integrating all security processes and threat intelligence services. This includes formalization and ownership of SOC capabilities and responding to all security incidents. This role is responsible for the successful operations and expertise of all security technologies and for establishing escalation processes for those selected security incidents that have been deemed critical.
This role will also manage penetration and vulnerability testing activities and will ensure the Security Architecture and Engineering teams work together to provide feedback on the “health” of the enterprise security baseline based on those tests. This role develops and communicates requirements for security technology automation and works with IT, business representatives, HR, architecture, and audit teams on the overall solution set for design specification, technology selection, and security objective development. This is a heavily metrics-driven operations role that provides a critical data and reporting foundation as direct inputs to the overall risk management function. This role will influence and drive the overall enterprise information security strategy.
The ideal candidate has a proven history in enterprise security operations managing technical staff. The SOC manager will have a strong level of technical depth in information security and is focused on driving metrics-driven results. The ideal candidate is output driven and able to leverage multiple forms of communication to articulate complex concepts with proficiency to both technical contributors and executive management.
Bachelor's degree in a technical engineering or IT-related field or equivalent and 8+ years related experience. Related experience includes senior level SOC analyst, SOC shift manager, or team lead. Incident response and handling experience required. Requires background in the following domains: security products and technologies; security engineering, networking protocols, and data center management; security analysis and investigations.
- Leadership and management in an enterprise security operations role.
- Familiarity with operating enterprise security technologies and establishing enterprise security processes.
- Experience with advanced threat management.
- Experience with cloud, mobile, SIEM, and open source security technologies.
- Experience integrating heterogeneous operational security technologies.
- Familiarity and experience with standards frameworks such as ISO, NIST, ITIL, and so on.
- Development of detailed metrics and reporting for executive management.
- Candidate must possess excellent written, visualization, and verbal communication skills.
- Experience in security operations within a 24×7 environment.
- Strong knowledge of information security principles and industry best practices.
- Experience with computer forensics
Shall we play a game? (War Games, 1983)
Now that we have reviewed all the personnel and their functions in the SOC, we have to get them to start protecting our organization, and we need to keep them engaged. We know who the players are, what their functions are, and what they are supposed to be focused on accomplishing in the SOC. But let us be real honest for a moment: depending on the size of your SOC and the size of the organization you are protecting, or if you are a managed security services provider, the daily grind of working in an operations center can be very boring at times with limited spurts of excitement; it is like fishing without the sun and beer. Analysts review tickets and decode packets of data and try to find out if the bad things their systems are telling them happened really did happen, or if it is just a false positive. Typically the work should be a dull roar, unless you are dealing with active threats on the front line and engaged in crazy attacks and breaches every day, as some MSSP organizations are. An analyst who is required to work tickets, and may even have a quota of tickets they need to work, is going to suffer eye strain and after a time will want to start skipping steps just to get the work done. Another thing that might happen is that the analysts will only pick the tickets they want to work on instead of the tickets that are a priority to work on. This does not do anyone any good, and drastic mistakes can occur: things can get missed or signs of larger issues can go ignored. To combat the eye strain and the sometimes repetitious work people have to do in the SOC, the management team needs to come up with creative ways to give them frequent breaks, help keep people engaged and excited, and also keep them progressing in their careers.
One of the ways to help keep people sharp and engaged is to play fun games that help keep the focus on the prize of securing the organization's environment. To start, you could run a contest that keeps score of analysts' and engineers' ability to stop specific types of threats. The more creative you are, the better it will be and the more fun you can have with it. This could be a game that runs a full month with a total scoring system, or a one hit wonder with a single prize at the end. You can allow people to wear funny hats or dress casual for a month, and you could even award the winners an assigned parking space until someone beats their score or maybe until another winner is announced.
The cricket dartboard game is a good example of how you could accomplish this. You assign different types of true positive events to a value that aligns with your organization's security policies. For example, the numbers 20 through 15 and the bull's eye are used, and each is assigned a specific true and validated event that an analyst or engineer needs to find. Anyone can “hit” any number in any order, but once an individual has scored three hits on the same number, that number is closed for them and they cannot score any longer on that value. A player who has closed all of the numbers by finding these types of events first wins the game.
- Bull's eye = Unauthorized data transfer out of the network
- 20 = Detection of advanced persistent threat (APT)
- 19 = Successful use of default passwords on the network
- 18 = Successful cross site scripting attack
- 17 = Phishing email found with malware
- 16 = Unauthorized device found on the network
- 15 = Active virus found on system
You can also provide a double and triple score for each of these based on who the user is or how serious the event is. For example, if someone finds a virus talking to a command and control server on the CEO’s laptop (or if you are in the military you can do it by rank) that may be an instant triple 15. Or for example, if it is determined that an Advanced Persistent Threat actor has compromised a system and you have evidence that they tried to move laterally to another system then that may be a double 20. You will have to come up with your own system and score values but you should be able to see how this could be an easy and fun game to play. You should also add a prize value to winning, for example you could take the first three people to complete the board out for a nice dinner or give the first winner $500, second winner $250 and the third place winner $100. Either way, it is something that can help keep people engaged, get them thinking about different types of threats and will make them seek out different types of events that are important to the organization and not just work the issues they are comfortable working, or focus on one specific issue that may be in their comfort zone.
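The scoring rules above, as an added example that is not code from the book: a small scoreboard that credits validated findings, applies doubles and triples, closes a segment after three marks, and declares the first analyst to close the whole board. The multiplier policy in `severity_multiplier()` is a constructed reading of the two examples in the text (executive's asset, APT with lateral movement); the analysts and findings are constructed sample data.

```python
"""Scoreboard for the SOC cricket dartboard game.

Added example (not the book's code). It implements the rules given in the
text: segments 20 through 15 plus the bull's eye, three marks close a
segment, doubles and triples for severity or target, and the first analyst
to close every segment wins.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple, Union

Segment = Union[int, str]

# Board assignments exactly as listed in the text.
SEGMENTS: Dict[Segment, str] = {
    "bull": "Unauthorized data transfer out of the network",
    20: "Detection of advanced persistent threat (APT)",
    19: "Successful use of default passwords on the network",
    18: "Successful cross site scripting attack",
    17: "Phishing email found with malware",
    16: "Unauthorized device found on the network",
    15: "Active virus found on system",
}
MARKS_TO_CLOSE = 3


def severity_multiplier(segment: Segment, asset_tier: str = "standard",
                        lateral_movement: bool = False) -> int:
    """Constructed policy mirroring the text's two examples: a finding on an
    executive's asset is a triple, and an APT (20) with evidence of lateral
    movement is a double. Everything else scores a single."""
    if asset_tier == "executive":
        return 3
    if segment == 20 and lateral_movement:
        return 2
    return 1


class CricketBoard:
    """Tracks marks per analyst and records the first to close every segment."""

    def __init__(self, segments: Dict[Segment, str] = SEGMENTS) -> None:
        self.segments = dict(segments)
        # analyst -> segment -> marks scored so far (capped at MARKS_TO_CLOSE)
        self.marks: Dict[str, Dict[Segment, int]] = defaultdict(
            lambda: {s: 0 for s in self.segments})
        self.winner: Optional[str] = None
        self.log: List[Tuple[str, Segment, int]] = []

    def record(self, analyst: str, segment: Segment, multiplier: int = 1) -> int:
        """Credit a validated true-positive finding. Returns the marks actually
        credited; 0 means the analyst had already closed that segment."""
        if segment not in self.segments:
            raise ValueError(f"unknown board segment: {segment!r}")
        if multiplier not in (1, 2, 3):
            raise ValueError("multiplier must be 1 (single), 2 (double) or 3 (triple)")
        board = self.marks[analyst]
        # A closed number cannot be scored on, so surplus marks are discarded.
        credited = min(multiplier, MARKS_TO_CLOSE - board[segment])
        board[segment] += credited
        self.log.append((analyst, segment, credited))
        if self.winner is None and self.has_closed_all(analyst):
            self.winner = analyst
        return credited

    def is_closed(self, analyst: str, segment: Segment) -> bool:
        return self.marks[analyst][segment] >= MARKS_TO_CLOSE

    def has_closed_all(self, analyst: str) -> bool:
        return all(self.is_closed(analyst, s) for s in self.segments)

    def standings(self) -> List[Tuple[str, int, int]]:
        """Rows of (analyst, segments closed, total marks), best first."""
        rows = [(a, sum(self.is_closed(a, s) for s in self.segments), sum(b.values()))
                for a, b in self.marks.items()]
        return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    board = CricketBoard()
    # Constructed sample findings from a week's validated tickets.
    board.record("alice", 15, severity_multiplier(15, asset_tier="executive"))  # triple 15
    board.record("bob", 20, severity_multiplier(20, lateral_movement=True))     # double 20
    board.record("bob", 17)
    for analyst, closed, total in board.standings():
        print(f"{analyst}: {closed} segments closed, {total} marks")
    print("winner:", board.winner)
```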
First one to root wins!
Defending your network and servers from being breached by a hacker or by advanced persistent threat actors should be among your biggest concerns. If you are trying to strengthen your controls because this has already happened once and you now realize you are more of a target than you were before, you can set a bounty on a specific event that would provide evidence that this type of activity is taking place. The contest is simple: the first person who finds an unauthorized external actor accessing an internal system or server with administrative-level credentials wins. Of course you never want to see this happen, but we all know that having a system compromised is not a matter of if but when. So when it does happen, are you able to detect it, and can you tell whether the unauthorized access is at an administrative level? In different SOCs, I have tried this game with a $1,000 prize for the first person who was able to find this activity on the network. It was a great motivator, and the direct result was that analysts and engineers were evaluating and analyzing events and tickets to a depth that had never been seen before. They were really taking the time to make sure they knew what was going on and why something was happening, in the hope that it would lead them to the prize. The direct benefit to the organization was better-quality analysis on tickets and a nice motivator for the staff. The positive effects lasted long after the contest was over, because the analysts were better educated in evaluating these types of events and the quality of work on the related tickets improved tremendously.
Other simple games can be played as a group to motivate your SOC and help them avoid the day-to-day grind. You could offer simple rewards, like bringing in lunch, if they meet or exceed specific service-level agreement goals, such as answering the phone by the third ring 100% of the time for a week. Another goal may be to ensure every new ticket is addressed within 15 minutes for a month. The prizes and contests should be customized to your SOC and to what will motivate your people. Take a look at your metrics or your security goals and you will easily find areas that need improvement; then see how you can wrap those improvement areas into very specific targets. Then ask your team what they want for a prize and see what kind of answers you get; you may find that they would love a more comfortable chair or a bigger desk. If your SOC manager or even your CEO has a really comfortable chair, maybe you can offer up the CEO's chair for a week to the winner. Not every game has to have a cash value. Make it fun and be consistent: you could run a game every month, only on special occasions, or whenever you see issues and need a shot of motivation. Be creative; just because the SOC has a serious role does not mean you cannot have fun while you are keeping watch over the network.
Sometimes games are just not enough and will certainly not resolve every problem. Sometimes people in a SOC simply need a break and need to get away from the ticket queue for a while. This can become a big morale issue: when analysts really start to get eyestrain and grow bored, they will want to move on and leave the organization. If you are properly investing time and money in training your staff, you will not want them to move on, so you need to keep them interested and engaged. One great way to do this is to assign special projects. There is almost never a shortage of things to do in a SOC or in the overall security organization, so special projects should always be available; if they are not, something else may be wrong. Putting together a list of special projects that need to get done is a great way to help mature your SOC and move it forward, and handing out those special projects can greatly help and motivate the people in your SOC. By giving someone a special project, even a short-term one, you are telling them that you are confident in their abilities and that they have skills you would like them to use. Not only should they be excited to take on a special project, it should also be a nice break from working a ticket queue. Special projects can be almost anything and will depend greatly on the needs of your SOC and your organization. They could be something as simple as updating training documentation or building a new training program, or as complex as helping an engineer with a new product implementation. Another great project is developing or exploring new metrics or reports, or giving someone the opportunity to build new visual displays for the SOC video wall or projectors. These are just simple ideas; I am sure you could find better ones in your SOC.
Special projects can be simple or complex. They can be a way for you to see whether an individual is ready for advancement, or just a way to help break up the workload, and they are definitely a great way to give people a break from a relentless queue of tickets.
DO NOT FORGET YOUR PEOPLE
Your SOC will only work as hard as you work for them. People like to be recognized for the work they do; sometimes they want this a bit too often, or even when they do not deserve it, but that is just human nature. Some people think they should get an award just for showing up to work on time, whereas others pull their own weight as well as the weight of several other people and never get recognized for all that they do. The people who work in a SOC environment need to constantly dig deeper; they need to be on the lookout for attacks coming from every direction and be able to detect and defend against all of them, whereas the attacker only needs to be right once. The members of a SOC have to monitor anywhere from several to several hundred, if not thousands of, servers, while an attacker only needs to focus on one. The people in a SOC work hard to keep their skills up and constantly learn new things so that they are better prepared for whatever comes their way. A SOC can see hundreds or even thousands of events turned into tickets each day, out of billions of possible logs, but an attacker only needs to hide one malicious payload, one needle, in that haystack. Analysts and engineers need to remain focused and get the best fidelity they can from the tools they are given or have designed. Make sure you take care of your SOC so that they can take care of the entire organization.
Some organizations have formal recognition programs such as employee of the month. If yours does, it is important that SOC management make sure that every single month someone from the SOC team is nominated. Continue to nominate people even if the nominations are not accepted. It may seem like a small thing, but to some people simple recognition goes a long way, and management should never miss an opportunity to positively recognize the efforts of individuals. Other organizations have informal recognition programs that allow anyone to nominate any other person for a nominal cash reward for going above and beyond. These programs should be popular and encouraged by management. If no formal organizational programs exist, management can still take the initiative to support the SOC and do special things as a group. The SOC is a team; they work hard together, so getting them involved in team or group activities should not be very difficult. Plan a team BBQ or cookout during working hours and rotate people out of the SOC to take a break outside for a while. Since most SOCs are dark, closed-off rooms, this should be a welcome change on a nice day. If you run a 24×7 SOC, plan the cookout later in the day so that your first and second shifts can overlap. For the third shift you can do an early-morning cookout before the other shifts arrive. I know cooking steaks at 7:00 AM may not be the most appetizing thing for you, but I am sure the people who have to work the overnight shift will appreciate it. If a big BBQ or cookout is just not possible, there is always the option of bringing in pizza, or consider how many burgers you can get from the drive-through window at one dollar each; it is a lot, and you can feed quite a large SOC for very little money. Food is almost always a welcome treat in a SOC, so do not think you need to go overboard to recognize the efforts of the SOC; sometimes it is the small things that go the furthest.
As has been mentioned before, there will come a time when the organization your SOC is working to protect is successfully attacked and compromised. Keep in mind that this is not the time to beat up the SOC. Instead, look at how it happened, perform root cause analysis, and ensure that the SOC has the right tools, processes and procedures to prevent it from happening again. Also think about what would have happened if the SOC were not there, and what kind of chaos would have ensued if professionals were not available to find the issue, even after the fact. The SOC will not protect the organization from every attack, but it will be able to defend against most. It should be able to detect and limit the exposure from a successful attack while directing incident response and helping to guide any recovery efforts.