So your company has decided it needs a SOC. My deepest condolences. But before you start grabbing log sources, deploying a Sentinel workspace or doing anything technical, the first thing you need to ask is: why?
Why does your organisation need a security operations function? While larger organisations may have the strategic foresight to build a SOC early on, medium-sized organisations are usually compelled to create one by either a) a major cyber security incident, or b) a new regulation / bill enforcing security monitoring. In either case, for most businesses, the goal is ROI (Return On Investment), that is, saving money by catching costly security incidents before they happen. Some metrics for calculating ROI will be discussed in a later section.
Thus, it is vital to remain focused on your business' key mission and functions, or you will end up wasting time and money. The definition of a SOC on the previous page focused on the core functions of an IT SOC (monitoring, triage and response), and this is what we will be focusing on in this guide. However, other roles can also be allocated to the SOC to meet business needs, such as:
- OT SecOps
- Malware analysis
- Threat hunting
- Digital forensics
- Vulnerability assessment and management
A full list of potential SOC functions can be found in section ‘0.2 SOC Functions’ of MITRE’s 11 Strategies.
Understanding the business threat context is crucial. Smaller businesses and not-for-profit organisations are unlikely to be targeted specifically, and so may receive only a handful of alerts per day. Large mining companies are targeted by financially motivated threat actors and by hacktivists fighting for a cause. Critical infrastructure, defence contractors and important government departments will face complex attacks from nation state actors who may be pursuing political or even military goals, and may not be constrained by funding.
This context will help decide whether your SOC needs 24/7 coverage, which will significantly increase staffing costs.
So list out your key business functions and the technology stacks they use. For instance, most businesses will have some or most of the following:
- Servers and applications
- Endpoints – processes, commands, file events, logon events
- Accounts – Active Directory and / or Microsoft Entra environment
- Cloud infrastructure
- File sharing services (e.g. SharePoint, OneDrive)
- Office networks
- Websites
- Databases
A full list of potential data sources can be found on the MITRE ATT&CK website, but the above list should be considered core for SOC functionality.
Leverage any existing asset inventories to avoid unnecessary work. Any assets that your business cannot operate without are called the crown jewels. For instance, many businesses would collapse if their customer database got ransomwared.
Be sure to take note of any specific legislation that may require your organisation to keep or dispose of certain records. In Australia, for instance, most states require health companies to retain patient data for 7 years.
You then want to start considering how to prioritise protecting the Confidentiality, Integrity and Availability for each of these systems. For instance, websites are available to the whole internet, so they will be attacked continuously. If your website is just a static advertisement for your business, then a compromise could result in the page getting defaced, malware spread to site visitors, and a bad PR day. But if your website is connected to a key database and it gets SQL-injected, the consequence could be a loss of critical business data.
Priorities should be re-evaluated and refined over time. Nonetheless, start thinking early about which specific parts of your infrastructure are most important to secure and what you need to prevent from happening to them.
The next step is to do some initial research into what logs you can obtain from each of these systems. Many cloud services require higher license tiers for logging. Services in your Microsoft tenant can be easily ingested into your Sentinel workspace with out-of-the-box connectors. Some services such as firewalls may require the provisioning of a forwarder VM to pull the logs via API and then forward them to Sentinel. Consult the vendor documentation for details. Take advantage of granular logging settings to reduce unnecessary log volume at the source, as Sentinel charges per gigabyte ingested. For instance, it would be wise in most cases to disable 'sniffer traffic' logs for FortiGate firewalls, since packet captures are large and provide little monitoring value.
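Once sources are connected, it helps to check which tables actually drive the per-gigabyte cost and whether any source has gone quiet. The KQL query below is an added example, not part of the original guide; it runs against the Log Analytics `Usage` table (where `Quantity` is reported in MB and `IsBillable` marks chargeable records) and assumes a 30-day window.

```kql
// Added example: billable ingestion per table over the last 30 days,
// to see which log sources cost the most and which have stopped sending.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize
    BillableGB = round(sum(Quantity) / 1024, 2),       // Quantity is in MB
    AvgDailyGB = round(sum(Quantity) / 1024 / 30, 2),  // assumes a full 30-day window
    LastSeen   = max(TimeGenerated)
    by DataType
| extend Stale = LastSeen < ago(1d)   // no usage in 24h: a silent source is a monitoring gap
| sort by BillableGB desc
```

Run it monthly: the top rows show where source-side filtering (such as the FortiGate sniffer logs above) will save the most, and any `Stale == true` row is a connector or forwarder to investigate before an incident reveals the gap.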
In the next section, we will discuss budgeting.