5 Useful Tips to Build and Operate a Successful and Mature Security Operations Center

Corporate spend millions of dollars on building and operating Security Operations. To avoid failures and maximize the return out of investment (ROI), there are some expert pieces of advice to consider while designing and building a mature Security Operations Center (SOC).

Security operations success starts from knowing the corporate business and technical needs and setting appropriate goals. Following are the key success factors to be considered while building and running a successful SOC:

1. Knowing and setting the monitoring goals (Building Meaningful Use Cases):
Unfortunately, most of the SOCs are built without knowing what is needed to be monitored in the environment. It could be the business needs or technical requirements that need to be well understood and tackled before planning the building. The time invested in planning the SOC build should be much more than the time spent in the whole design and build process.

The effort pyramid should look opposite in this case.
These requirements (business and technical) are translated into use cases. A Use Case can either be a business use case for example: it can detect any financial transaction exceeding a specific number and get alerts on that, Or it can be a technical one e.g. an anomaly behavior to be watched out.

2. Setting up the right technical configurations (Rules, Integration, tuning etc.):
Another challenge is to translate these use cases into the rules to be configured on the SIEM tool. If the events are not parsed correctly or the rules are not configured properly i.e. the threshold setting and rule design is wrong, the required results cannot be achieved. These correlation rules should be tuned on periodic basis to get rid of noise of false positives. Similarly, there should be a periodic check on the integrated log sources not reporting to the SIEM tool.


Similarly, the log sources' details and network hierarchy details along with any vulnerability details of assets should be fed into the SIEM device to have a better visibility into the corporate environment.

3. Building the right team (Job responsibilities and SOC reporting structure):
Another important aspect is to team the SOC with skilled and appropriate people. Their job responsibilities and RACI should be built on the processes that are being built. e.g. Monitoring, triage, incident response, security intelligence etc. The staff should be well trained and have right tools to perform their jobs. The analysts should get help of threat intelligence and research feeds (if available).

4. Responding (Building robust incident response process):
Incident response is key to all activities within SOC. The response starts from triage, rating and remediating the root cause of the incident. There are several tickets opened and assigned to individuals who work on any steps within the incident response i.e. containing, remediating, eradicating etc. on the incidents or compromised systems.

A knowldege base is built based on the incident response history and experience. All this should be happening in a systematic and recorded fashion.

5. Lobbying and getting help from IT and other departments:
Day to day security operations require a lot of help and support from other departments like HR, Compliance, IT, Legal etc. A steering committee pertaining the Executives of these departments should be formed and coordinators should be assigned.

Lobbying with IT and other departments and their designated coordinators is crucial to build healthy relations. KPIs and goals can be set for representatives of steering committee and they can be provided with dashboards and reports access to the SIEM device to monitor the parameters set for their goals.


About this Author:

Bilal Aslam is a seasoned security consultant with over 12 years of experience in this field with 8 years in world's leading Security Consulting firms like Deloitte and PwC. Bilal graduated his Msc. Information Security from Royal Holloway University of London and currently working with IBM security services. Bilal has served clients in multiple industries and advised them on multiple security domains.


His major areas of interest are Governance, Risk and Compliance, Business Continuity, Security Intelligence, Cloud and Security Enterprise Architecture.

Join the CSO newsletter!

Error: Please check your email address.

Tags socjob responsibilitiesBuildSIEM toolsroioperateIT careersraciteam managementteambuilding

More about DeloitteUniversity of London

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bilal Aslam

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place