Beruflich Dokumente
Kultur Dokumente
Technology
Processes
Echoing the advice under step 1 about limiting the initial iii. d
efining the workflows for events and incidents to
scope of the SOC, it may be best to pursue a few quick align with the organisation’s existing processes
wins instead of creating a full-scale, broad-function SOC iv. p
lanning to automate the solution as much as
solution. Choose a few business-critical use cases and possible, including the necessary technologies to
define the initial solution based on those use cases, have complete visibility of the threat landscape
keeping in mind that the solution must be able to scale for the systems and data in the initial SOC scope
in the future to meet additional needs. Having a more and to thwart attacks as early in the Cyber Attack
narrowly scoped initial solution also helps to reduce the Lifecycle as possible
amount of time needed to implement it and achieve initial v. determining if the technical architecture is sound,
results more quickly. When designing the SOC solution, such as performing tabletop exercises for all use
important actions include the following: cases to identify potential issues
A.Define the functional requirements. These requirements
should be tied to business objectives whenever applicable.
WWW.LOGRHYTHM.COM PAGE 12
HOW TO BUILD A SOC WITH LIMITED RESOURCES
Step 3: Create processes, procedures, and training Step 6: Deploy end-to-end use cases
These must cover all six phases of TLM. If the SOC staffing Once solution capabilities are deployed, you can implement
will be partially outsourced, it is important to work with use cases across the analytics tier and security automation
the outsourcer to ensure that processes, procedures, and and orchestration tier, such as detecting compromised
training on both sides take that into account. credentials and successful spear phishing campaigns. Testing
should be performed during a variety of shifts and during
shift changeovers. All the forms of solution automation
Step 4: Prepare the environment mentioned earlier are particularly important to test
Before deploying the SOC solution, it is critically important rigorously. The reliability and security of remotely accessing
to ensure that all the elements are in place to provide a the solution should also be verified to the extent feasible.
secure environment for the solution. Notable elements
include tightly securing SOC staff desktops, laptops, and
Step 7: Maintain and evolve
mobile devices; having secure remote access mechanisms
in place for staff (and outsourcers if applicable) to interact Once the solution is fully in production, it will need
with the SOC solution; and requiring strong authentication ongoing maintenance, such as updating configuration
for remote access to the SOC solution at a minimum (and settings and tuning over time to improve detection
preferably for local access as well). accuracy, and adding other systems as inputs or outputs
to the solution. Other maintenance will be needed
periodically, including reviewing the SOC model, SOC roles,
Step 5: Implement the solution FTE counts and so forth, so that adjustments can be made.
WWW.LOGRHYTHM.COM PAGE 13
Contact us:
Regional HQ
2 Peck Seah Street
#03-01, Airview Building
Singapore 079305
apac-info@logrhythm.com
www.logrhythm.com
+65 6222 8110