Strategy 1: Know What You Are Protecting and Why

Strategy 2: Give the SOC the Authority to Do Its Job

Strategy 3: Build a SOC Structure to Match Your Organizational Needs

Strategy 4: Hire AND Grow Quality Staff

Strategy 5: Prioritize Incident Response

Strategy 6: Illuminate Adversaries with Cyber Threat Intelligence

Strategy 7: Select and Collect the Right Data

Strategy 8: Leverage Tools to Support Analyst Workflow

Strategy 9: Communicate Clearly, Collaborate Often, Share Generously

Strategy 10: Measure Performance to Improve Performance

Strategy 11: Turn up the Volume by Expanding SOC Functionality

This book presents an overview of how to organize and consider the many functions in cybersecurity operations centers (SOCs). It describes strategies that can be applied to SOCs of all sizes, from two people to large, multinational centers with hundreds of people. It is intended for all cybersecurity operations center personnel, from new professionals just starting in a SOC to managers considering capability expansion of the SOC. Starting with a Fundamentals section table that summarizes functional categories and areas, the book guides cyber professionals through applying mission context to 11 strategies of a world-class SOC:

Strategy 1: Know What You Are Protecting and Why
Develop situational awareness through understanding the mission; the legal and regulatory environment; the technical and data environment; users, user behaviors, and service interactions; and the threat. Prioritize gaining insights into critical systems and data, and iterate that understanding over time.

Strategy 2: Give the SOC the Authority to Do Its Job
Empower the SOC to carry out the desired functions, scope, partnerships, and responsibilities through an approved charter and the SOC's alignment within the organization.

Strategy 3: Build a SOC Structure to Match Your Organizational Needs
Structure SOCs by considering the constituency, SOC functions and responsibilities, service availability, and any operational efficiencies gained by selecting one construct over another.

Strategy 4: Hire AND Grow Quality Staff
Create an environment that attracts the right people and encourages them to stay through career progression opportunities and a great culture and operating environment. Plan for turnover and build a hiring pipeline. Consider how many personnel are needed for the different SOC functions.

Strategy 5: Prioritize Incident Response
Prepare for handling incidents by defining incident categories, response steps, and escalation paths, and codifying those into SOPs and playbooks. Determine the priorities of incidents for the organization and allocate the resources to respond. Execute response with precision and care toward the constituency's mission and business.

Strategy 6: Illuminate Adversaries with Cyber Threat Intelligence
Tailor the collection and use of cyber threat intelligence by analyzing the intersection of adversary information, organizational relevancy, and technical environment to prioritize defenses, monitoring, and other actions.

Strategy 7: Select and Collect the Right Data
Choose data by considering the relative value of different data types, such as sensor and log data collected from network and host systems, cloud resources, and applications. Consider the trade-off between too little data, which leaves relevant information unavailable when it is needed, and too much data, which overwhelms tools and analysts.
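As an added illustration of the Strategy 7 trade-off (this is example code written for this page, not from the book), the planner below ranks candidate data sources by how many still-uncovered detection use cases each one enables per gigabyte of daily volume, then fills a fixed daily ingest budget and reports the use cases that end up with no supporting source. The source names, daily volumes, use-case tags, the optional weight for sources tied to critical systems, and the budget are all constructed assumptions.

```python
"""Ingest-budget planner for SOC data sources.

Added illustration (not from the book): each candidate source carries an
estimated daily volume and the detection use cases it supports. The planner
picks sources greedily by marginal detection value per GB until the daily
ingest budget is spent, then reports use cases left without any source.
All sources, volumes and use cases below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str
    daily_gb: float          # estimated volume per day (constructed)
    use_cases: frozenset     # detection use cases this source enables
    weight: float = 1.0      # multiplier, e.g. for crown-jewel systems (assumed)


# Constructed catalog: names, volumes and tags are illustrative only.
CATALOG = [
    Source("dc-security-events", 40.0,
           frozenset({"lateral-movement", "priv-esc", "account-abuse"}), 1.5),
    Source("edr-telemetry", 120.0,
           frozenset({"malware-exec", "lateral-movement", "persistence"})),
    Source("vpn-auth", 5.0, frozenset({"account-abuse", "initial-access"})),
    Source("cloud-audit", 25.0,
           frozenset({"cloud-misconfig", "account-abuse", "priv-esc"})),
    Source("netflow-core", 300.0, frozenset({"c2-beacon", "exfil"})),
    Source("dns-resolver", 60.0, frozenset({"c2-beacon", "malware-exec"})),
    Source("web-proxy", 200.0,
           frozenset({"c2-beacon", "exfil", "initial-access"})),
    Source("printer-syslog", 15.0, frozenset()),   # volume with no detection value
]

# Constructed list of use cases the SOC has decided it must be able to detect.
REQUIRED_USE_CASES = frozenset({
    "lateral-movement", "priv-esc", "account-abuse", "malware-exec",
    "persistence", "initial-access", "cloud-misconfig", "c2-beacon", "exfil",
})


def marginal_value(src, covered):
    """Weighted count of required use cases this source would newly cover."""
    return src.weight * len(src.use_cases & (REQUIRED_USE_CASES - covered))


def plan_collection(catalog, budget_gb):
    """Greedy selection by marginal value per GB, re-scored after each pick.

    Returns (selected_names, gb_used, sorted list of uncovered use cases).
    """
    remaining = list(catalog)
    covered = set()
    selected = []
    used = 0.0
    while remaining:
        # Score only sources that still fit the budget and still add coverage.
        scored = [
            (marginal_value(s, covered) / s.daily_gb, s)
            for s in remaining
            if used + s.daily_gb <= budget_gb and marginal_value(s, covered) > 0
        ]
        if not scored:
            break
        _, best = max(scored, key=lambda t: t[0])
        selected.append(best.name)
        used += best.daily_gb
        covered |= best.use_cases
        remaining.remove(best)
    return selected, used, sorted(REQUIRED_USE_CASES - covered)


if __name__ == "__main__":
    chosen, gb, gaps = plan_collection(CATALOG, budget_gb=250)
    print("selected:", chosen)
    print(f"daily ingest: {gb:.0f} GB")
    print("uncovered use cases:", gaps or "none")
```

With the constructed catalog and a 250 GB/day budget the planner takes the small, high-value authentication and audit sources first, fits EDR telemetry last, and reports "exfil" as an uncovered use case because the only sources that support it (proxy and NetFlow) no longer fit; raising the budget to 600 GB closes that gap. The greedy pass is a heuristic rather than an optimal knapsack solution, and the weight field is where Strategy 1's knowledge of critical systems would feed the scoring.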