What CISOs should know about SOC modernization
To achieve security outcomes that align with their organizations' risk appetites and business objectives, CISOs with struggling SOCs must consider upgrades.
Legacy SOC infrastructure can't keep pace with the modern threat landscape, leaving SecOps teams overwhelmed and underprepared to face increasingly sophisticated and frequent cyber threats. Security alerts and malicious actors eventually slip through the cracks, putting organizations at risk of catastrophic incidents.
CISOs with underperforming, inefficient or otherwise struggling SOCs should consider investing in modernization initiatives that address people, processes and technology to achieve better security outcomes. These include integrating tools such as security information and event management (SIEM), security orchestration, automation and response (SOAR) and extended detection and response (XDR); automating repetitive tasks so staff can focus on more engaging work; and using AI-enabled tools to detect threats and prioritize alerts.
Signs that SOC modernization is necessary
CISOs should look for growing fatigue, frustration and turnover among SecOps staff, as these are indicators that the SOC is struggling to cope. Similarly, sustained upward trends in KPIs such as number of incidents, severity of incidents, mean time to detect (MTTD), mean time to respond (MTTR) and mean time to recover, measured consistently across reporting periods rather than read from a single bad month, could signal systemic problems.
If the SOC's current performance introduces unacceptable levels of cyber risk, consider investing in modernization initiatives to better align the security program with the organization's cyber risk appetite and business objectives.
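The KPIs above are only meaningful if the SOC records the same timestamps for every incident and compares like periods. The following is an added example, not part of the original article, showing one way to derive MTTD, MTTR and mean time to recover from incident records and flag the metrics that worsened between two periods. The `Incident` fields, the four-level severity scale and the 25% regression threshold are assumptions for illustration, and the incident data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    """One incident record. Field names are an assumption for this example."""
    id: str
    severity: int        # assumed scale: 1 (low) .. 4 (critical)
    started: datetime    # first malicious activity, per forensics
    detected: datetime   # first alert or analyst recognition
    responded: datetime  # first containment action
    recovered: datetime  # affected service restored


def hours(a: datetime, b: datetime) -> float:
    return (b - a).total_seconds() / 3600


def kpis(incidents: list[Incident]) -> dict[str, float]:
    """Period KPIs: volume, high-severity count and the three mean times in hours."""
    return {
        "count": len(incidents),
        "high_severity": sum(1 for i in incidents if i.severity >= 3),
        "mttd_h": mean(hours(i.started, i.detected) for i in incidents),
        "mttr_h": mean(hours(i.detected, i.responded) for i in incidents),
        "mttrec_h": mean(hours(i.responded, i.recovered) for i in incidents),
    }


def regressions(prev: dict, cur: dict, threshold: float = 0.25) -> dict:
    """Metrics that got worse by more than `threshold` (a fraction) versus the
    previous period. Every KPI here is 'lower is better', so 'worse' means higher."""
    out = {}
    for name, before in prev.items():
        after = cur[name]
        if after > before * (1 + threshold):
            out[name] = {"prev": before, "cur": after,
                         "change_pct": round((after - before) / before * 100, 1)}
    return out


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def sample_periods() -> tuple[list[Incident], list[Incident]]:
    """Constructed incident data for two consecutive quarters (not real incidents)."""
    q1 = [
        Incident("a1", 2, ts("2024-01-05 08:00"), ts("2024-01-05 12:00"), ts("2024-01-05 14:00"), ts("2024-01-05 18:00")),
        Incident("a2", 3, ts("2024-02-10 00:00"), ts("2024-02-10 06:00"), ts("2024-02-10 08:00"), ts("2024-02-10 20:00")),
        Incident("a3", 1, ts("2024-03-01 09:00"), ts("2024-03-01 11:00"), ts("2024-03-01 12:00"), ts("2024-03-01 13:00")),
    ]
    q2 = [
        Incident("b1", 2, ts("2024-04-03 08:00"), ts("2024-04-04 08:00"), ts("2024-04-04 10:00"), ts("2024-04-05 10:00")),
        Incident("b2", 4, ts("2024-04-20 00:00"), ts("2024-04-22 00:00"), ts("2024-04-22 02:00"), ts("2024-04-24 02:00")),
        Incident("b3", 3, ts("2024-05-10 10:00"), ts("2024-05-10 16:00"), ts("2024-05-10 18:00"), ts("2024-05-11 06:00")),
        Incident("b4", 1, ts("2024-05-25 09:00"), ts("2024-05-25 10:00"), ts("2024-05-25 10:30"), ts("2024-05-25 11:00")),
        Incident("b5", 3, ts("2024-06-15 02:00"), ts("2024-06-15 14:00"), ts("2024-06-15 15:30"), ts("2024-06-16 03:30")),
    ]
    return q1, q2


def quarter_over_quarter() -> dict:
    """Compare the two constructed quarters and return the regressed KPIs."""
    q1, q2 = sample_periods()
    return regressions(kpis(q1), kpis(q2))


if __name__ == "__main__":
    q1, q2 = sample_periods()
    print("Q1:", kpis(q1))
    print("Q2:", kpis(q2))
    for name, r in quarter_over_quarter().items():
        print(f"{name}: {r['prev']:.1f} -> {r['cur']:.1f} (+{r['change_pct']}%)")
```

In the constructed data, volume, severity, time to detect and time to recover all worsen between the quarters while time to respond holds steady, which is the pattern the article describes: the analysts react promptly once they see something, but detection and recovery are where the SOC is falling behind.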
Core components of a modern SOC
To modernize the SOC in a way that best meets the organization's needs, a CISO must design the right balance of people, processes, technology and facilities.
Many components of a modern SOC are familiar, such as threat hunting, vulnerability management, disaster recovery and identity and access management. Others, however, are truly next-generation in their capabilities and outcomes. Consider, for example, the following.
- AI-enabled SecOps systems. AI is turbocharging systems that detect threats, analyze them and mitigate or eliminate them, such as SIEM, SOAR, endpoint detection and response (EDR) and XDR. It can also support automation of routine and repetitive tasks, freeing staff to tackle more challenging and engaging projects.
- Threat intelligence platforms. Threat intelligence platforms are services that capture, aggregate and share data on millions of security events from threat intelligence feeds to inform threat hunting, incident response and risk analysis. They integrate with platforms such as SIEM, SOAR and XDR to help these applications recognize, prevent and respond to threats.
- Security platform integration. Next-generation SOCs integrate multiple security platforms and tools, such as SIEM, SOAR and XDR, to present a coherent view of the entire threat landscape and support analysts in prioritizing and responding to events.
- Compliance management. Organizations face an ever-increasing volume of cybersecurity standards and regulations. Next-gen SOCs regularly monitor all operational activities, compare them to requirements specified in relevant standards and deliver reports on compliance.
- Staffing and training. The demand for experienced cybersecurity professionals far outstrips the supply. Modernizing SOCs and training staff on new tools can improve job satisfaction and relieve burnout, helping engage and retain team members.
Tips for modernizing the SOC
To be successful, SOC modernization projects take careful planning, senior management support, smart investing and sufficient time. Consider the following best practices.
- Understand how the current SOC operates. This involves assessing how well team members interact with each other, how efficiently events are processed, and how effectively preventive measures are implemented. Consider using and tracking SOC KPIs.
- Secure senior management approval. This might mean preparing a business case for an updated SOC, relevant cyber-risk statements, a cost-benefit analysis and a projected cybersecurity ROI analysis.
- Identify the desired level of performance. Determine time frames to assess and resolve events and how to improve them, establish how to improve event reporting, identify how to achieve regulatory compliance, and define procedures and processes that could benefit from automation.
- Prepare a project plan for the new SOC. Ensure senior management reviews and approves SOC project plans. Issue regular status reports.
- Establish a new baseline for the SOC and how it should operate. Define expectations for security alerts and reports, threat analysis and resolution, threat hunting, security tool upgrades and replacements, work area configurations and integrations with company networks, systems and other resources.
- Determine how the transition to a new SOC will occur. Assuming the existing SOC will be operational during modernization, define how and when new and upgraded systems will take over from existing platforms; the period of time that both legacy and new platforms should be in parallel operation; how training on new systems will take place; and how integration with other entities, such as the network operations center, will occur.
- Evaluate various technology options. While new systems with greater functionality might be ideal, consider that existing systems might be upgradeable. Weigh how best to introduce new systems and upgrades to the operating environment.
- Evaluate staffing requirements. Identify ways to deliver additional training to existing employees and assess staffing gaps.
- Evaluate facility requirements. If the existing SOC facility is sufficient, determine if upgraded or reconfigured workstations are necessary. If adding space or relocating to a new SOC location, ensure sufficient time in the project plan for construction.
- Establish plans for updating policies and procedures. Existing procedures for handling threat events may need revisions based on new technology, such as AI-based systems that automatically perform formerly manual activities.
- Define SOC team member responsibilities. During the transition, each team member will likely have regular duties, as well as additional ones associated with learning and using the new systems.
- Test all new and upgraded systems. Ensure new and upgraded systems perform as needed. One way to do this is to replay sample data from previous incidents through the new platforms and confirm that detections still fire on known-bad activity and stay quiet on normal traffic, so that a tuning change or migration does not silently drop coverage.
- Complete the new SOC cutover and transition. Perform system acceptance testing with vendors, ensure the SOC team is fully comfortable with the new technology and procedures, and ensure employees organization-wide know how to report security issues going forward.
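The testing step above is easiest to keep honest when the "sample data from previous events" is checked into a repeatable regression test alongside each detection rule. The following is an added example, not code from the article, showing that pattern for one rule: a brute-force logon detection replayed against a constructed sample from a (hypothetical) past password-spraying incident and against a constructed benign baseline. The JSON-lines event format, the field names and the rule thresholds are assumptions for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events in a JSON-lines shape a SIEM might export (assumed format).
# Hypothetical past incident: one source sprays five accounts, then gets in.
PAST_INCIDENT = """\
{"ts":"2024-03-01T09:00:00Z","src":"203.0.113.7","user":"alice","outcome":"failure"}
{"ts":"2024-03-01T09:00:10Z","src":"203.0.113.7","user":"bob","outcome":"failure"}
{"ts":"2024-03-01T09:00:20Z","src":"203.0.113.7","user":"carol","outcome":"failure"}
{"ts":"2024-03-01T09:00:30Z","src":"203.0.113.7","user":"dave","outcome":"failure"}
{"ts":"2024-03-01T09:00:40Z","src":"203.0.113.7","user":"erin","outcome":"failure"}
{"ts":"2024-03-01T09:00:55Z","src":"203.0.113.7","user":"erin","outcome":"success"}
"""

# Constructed benign baseline: a user fat-fingering a password over an hour, then succeeding.
BENIGN_BASELINE = """\
{"ts":"2024-03-02T08:00:00Z","src":"10.0.0.5","user":"alice","outcome":"failure"}
{"ts":"2024-03-02T08:00:30Z","src":"10.0.0.5","user":"alice","outcome":"success"}
{"ts":"2024-03-02T08:05:00Z","src":"10.0.0.9","user":"bob","outcome":"failure"}
{"ts":"2024-03-02T08:20:00Z","src":"10.0.0.9","user":"bob","outcome":"failure"}
{"ts":"2024-03-02T08:40:00Z","src":"10.0.0.9","user":"bob","outcome":"failure"}
{"ts":"2024-03-02T09:00:00Z","src":"10.0.0.9","user":"bob","outcome":"failure"}
{"ts":"2024-03-02T09:10:00Z","src":"10.0.0.9","user":"bob","outcome":"failure"}
{"ts":"2024-03-02T09:11:00Z","src":"10.0.0.9","user":"bob","outcome":"success"}
"""


def parse(jsonl: str) -> list[dict]:
    """Parse JSON-lines auth events and return them ordered by timestamp."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events: list[dict], failures: int = 5, window_s: int = 120) -> list[dict]:
    """Alert when at least `failures` failed logons from one source within a sliding
    `window_s`-second window are followed by a success from that same source."""
    recent: dict[str, deque] = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for e in events:
        q = recent[e["src"]]
        while q and (e["ts"] - q[0]).total_seconds() > window_s:  # expire old failures
            q.popleft()
        if e["outcome"] == "failure":
            q.append(e["ts"])
        elif e["outcome"] == "success" and len(q) >= failures:
            alerts.append({"src": e["src"], "user": e["user"], "ts": e["ts"], "failures": len(q)})
            q.clear()
    return alerts


def regression_cases() -> list[tuple[str, str, int]]:
    """(name, sample events, expected alert count) for each recorded scenario."""
    return [
        ("past password-spray incident", PAST_INCIDENT, 1),
        ("benign baseline", BENIGN_BASELINE, 0),
    ]


def run_regression(rule=detect_bruteforce) -> dict[str, tuple[bool, int, int]]:
    """Replay every case through `rule`; returns name -> (passed, got, expected)."""
    results = {}
    for name, sample, expected in regression_cases():
        got = len(rule(parse(sample)))
        results[name] = (got == expected, got, expected)
    return results


if __name__ == "__main__":
    for name, (ok, got, expected) in run_regression().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {got} alert(s), expected {expected}")
    # A careless tuning change (two-hour window) turns the benign baseline into a false positive,
    # which the regression catches before the rule reaches production.
    loosened = run_regression(lambda ev: detect_bruteforce(ev, window_s=7200))
    print("loosened window, benign baseline passes:", loosened["benign baseline"][0])
```

The point of the harness is the second run: widening the window to two hours makes the benign baseline alert, and the stored sample catches it. The same structure scales to every rule migrated onto a new SIEM or XDR platform, with the samples taken from real past incidents and the expected counts recorded at the time the rule was written.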
Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.