Friday, May 19, 2017

Standing up a Security Operations Center

I see people struggle with starting a Security Operations Center. It is a daunting task that is frequently bestowed by management with a high priority, lots of money for blinkenlights but almost none for training.

Here's the first thing to know:

  • People > Process > Technology

People are more important than Process, which is more important than Technology (or Tools). Yes, all three are required. Yes, tools make us more efficient, but you've gotta have great people to start. Remember that when you're budgeting.

So, you're about to spend a bunch of money on software, appliances, and other tools to get better controls. Remember this:

  • Prevention -> Detection -> Response

What does that mean? Of course you want to prevent as much "evil" in your environment as possible. But prevention fails. Get your management on board with that as early as possible. Otherwise, the question becomes "How many times can I fail before you fire me?"

Once prevention fails, you have to rely on Detection. So your IDS tells you that someone is pwned. Then what? Respond! That's where your Incident Response kicks in.

Standing up all of this is very difficult, and you probably don't already have the manpower to do it right. You'll need Engineers to get everything installed and functional. Not easy work. But then you'll quickly need Analysts to go through all the data generated by these systems and understand and prioritize it. Then those Analysts get to do the really fun stuff: Incident Response and Forensics.

Training

Formal training is incredibly important. Here is what I suggest:

Before you get too far into this, you need your framework. What are your guiding principles? I highly suggest the "MITRE SOC Book", Ten Strategies of a World-Class Cybersecurity Operations Center by Carson Zimmerman. This is a wonderful, free resource. It helped jump-start the SOC building process at one place I worked.

Cisco Press has their Security Operations Center: Building, Operating, and Maintaining your SOC book. It was helpful. A good complement to the MITRE one.

Syngress has Designing and Building Security Operations Center by David Nathans. Something you want on your shelf, too!

I've had the pleasure of hearing both Carson and David speak. These guys know their stuff and have distilled much of it onto paper so you can learn from their mistakes.