New SOC guidance 101

Security operations centres (or SOCs) are notoriously difficult to design, build and operate. But they’re also an important feature in many organisations and not always implemented as well as they could be. If you’re new to the world of SOCs and don’t know where to start, our updated guidance should help you better understand what you need. And if you’re a SOC veteran, I hope it challenges your own practices and provides some useful nuggets of information.

Different SOCs for different organisations

The new guidance comes from working with multiple government departments, learning from some, and teaching others. In all these engagements, one thing always rings true: there is no one-size-fits-all SOC. With that in mind, we have designed it to be accessible and to provide organisations with the right information to decide what kind of SOC is right for them.

A running theme in the guidance is that a SOC should be proportionate. This is key: too many organisations get caught in the trap of buying the fanciest software with laser dragons and security badgers on their network perimeters, hoping it will solve all problems, when often all that's really needed is the appropriate log sources, a SIEM and some keen eyes (and some rulesets!).

Known gaps

There were many challenges when refreshing the guidance, and trying to condense a topic that's the subject of many books was one of them. This means that we haven't covered everything. For example, the guidance doesn't talk about tools, how to write a rule or how to code an alert. Instead, it enables organisations to fully develop requirements themselves, and build a picture of what they need before going to market or starting a recruitment campaign.

For the long term

As the guidance explains, change is constant, so my hope is that the approach set out in this guidance will stand the test of time and stay relevant across multiple scenarios, different organisations, and toolsets.

We welcome your thoughts and comments on this guidance, as your feedback is extremely useful.


Adam B
Security Architect, NCSC

Original Source: ncsc[.]gov[.]uk
