Building A SOC


Building a SOC: start small
Start simply, grow according to demand

Factsheet FS-2017-04 | version 1.0 | 15 November 2017

A Security Operations Centre (SOC) is an effective facility for monitoring business information security and digital threats. Establishing such a centre, however, requires investment of time, effort and resources. In order for a SOC to function successfully, it must keep pace in a controlled manner with the organisation’s need for visibility and control of information security. Start small, share results with the organisation and build on a positive reception to these results to realise the next step in the development process. Ensure the planning, roadmap and implementation of a future SOC are realistic. Keep in mind that a SOC is a means and not an end in itself.

Background
Protecting and defending against digital attacks requires visibility and control of the digital infrastructure within your organisation and of all the events taking place within this. An increasingly common way to achieve this is to implement a Security Operations Centre (SOC).

Target audience
This factsheet is aimed at Information Security Officers in organisations that wish to begin monitoring business information security.

The following parties have contributed to this factsheet: AlertTeam, the Tax and Customs Administration, the Ministry of Security and Justice, the Directorate-General for Public Works and Water Management, SSC-ICT and the Volksbank.
What are the challenges?
Effective operation of a SOC requires cooperation with many parts of the organisation since information is processed across the organisation as a whole. This means the establishment of a SOC is a daunting task, which brings a wide range of issues into play. [1] However, experts that can offer assistance in this regard are difficult to find, given that SOCs are a relatively new phenomenon. Building a SOC is also costly and time-consuming, and it can therefore be challenging to convince management teams of the value and necessity. This factsheet will help to address these challenges.

Building a SOC is mainly an organisational challenge, despite all the technology involved.

What is a SOC?
There is no set definition of what a SOC is, but practice shows that SOCs are most commonly tasked with security monitoring. This involves the centralised collection and correlation of log data from relevant applications and devices in the network, in order to identify any deviations that may have taken place. The collected log data can relate to a wide range of applications and devices – from intrusion detection systems, firewalls, web applications, Active Directory servers and anti-virus software to industrial control systems. This may involve any system able to supply information relevant to providing insight into the security or status of the network and the systems connected to it. When determining which type of information to collect, which systems to collect information from and which correlation method to use, the key is to focus on information relevant to the organisation rather than on what is considered customary to collect. [2]

A Security Information & Event Management (SIEM) system is a tool that forms an indispensable part of a SOC. SIEM systems are software products that are able to interpret log data from various sources and correlate it with cyber attacks and other security incidents taking place in and around the network.

In addition to information regarding systems and the network, a SOC also uses what is known as threat intelligence – information from external sources regarding vulnerabilities and threat information in the area of cyber security. This information can be used to assess events relating to systems and within the network. [3]

Simple monitoring as the starting point
Building a fully fledged SOC from scratch is a major challenge. A simpler approach is to start small and then build on this in a slow and controlled manner to create a fully fledged SOC. In order to achieve this, begin by having the IT administration team monitor log data from a select number of key infrastructure or middleware components, such as your firewall, a web server or your antivirus program. Target the monitoring on technical aspects initially, in order to confine the necessary interactions to the IT administration team. Focus on notifications highlighting a specific problem or on indicators of potential future issues. Report any findings to the IT service desk.

There is a wide range of software products available that enable monitoring of log files. Use a search engine or make your own enquiries to help you make your choice.

Build up experience with the monitoring, detection, registration and mitigation of incidents. Do not increase the number of systems to be monitored too soon. At the beginning, the main emphasis should be on gaining experience with the entire monitoring process rather than the monitoring itself. Ensure you have the right tools for registering incidents, generating periodic reports on this and recording any lessons learned. Arrange for staff tasked with the monitoring to participate in the appropriate meetings within the IT administration team and meetings relating to change management. This will leave them well prepared for any changes to the network.

When you set out, do not focus on building a SOC, but simply begin to gain insight into security based on the needs of your organisation. There is nothing wrong with finding at a later point that what you have created is in fact a SOC.

What is needed to be able to monitor security incidents?
In order to achieve adequate monitoring of information security, organisations will need to do more than simply check the log files of an antivirus program, firewall or similar. Before the monitoring structure within the IT administration team can be developed into a SOC, there are a number of measures that the organisation must put in place first.

[1] For an overview of aspects to consider when setting up a SOC, see http://rafeeqrehman.com/wp-content/uploads/2014/12/Building_SOC.pdf
[2] For background information, see http://www.ey.com/Publication/vwLUAssets/EY-security-operations-centers-helping-you-get-ahead-of-cybercrime/$FILE/EY-security-operations-centers-helping-you-get-ahead-of-cybercrime.pdf
[3] For additional information, see https://www.cip-overheid.nl/wp-content/uploads/2015/07/7-kritische-succesfactoren-voor-een-SOC.pdf

Information security policy
A key measure when building a SOC is having an information security policy that has been approved by the management. An information security policy describes the information security objectives of the organisation and the manner in which information security has been organised by it (who is responsible for what). The objectives set out in the information security policy can help to establish the areas that the SOC will focus on. The arrangements in the area of information security will identify the key stakeholders.

Overview of the application landscape
An overview of the application landscape provides insight into the information the organisation possesses and the manner in which the information is processed. Such an overview is key to an adequate and effective monitoring structure. This information is also an essential input for a sound risk assessment.

Results of recent risk assessments
Risk assessments help establish the consequences for the organisation when the availability, integrity or confidentiality of certain information is impacted. They also help determine which threats pose an unacceptable risk to the processing of information. This information clearly identifies the main focus areas for the SOC.

Another key input for a SOC are the results and outcomes of risk management. The risk management department is ideally positioned to answer the question of what the SOC should monitor. This does not necessarily cover office automation only. Any system or information processing is eligible for monitoring by the SOC if the risk assigned by the risk management department is sufficiently severe. [4]

IT administration team
There is no doubt that a SOC will detect attacks and reveal vulnerabilities in the network. This will result in proposals for preventing attacks or enhancing security. Such proposals should not be taken up by the SOC itself, but are instead a matter for the IT administration team. Key aspects in this regard are a well-developed incident management procedure, a well-equipped IT service desk, adequate arrangements with the IT administration team on the priority of notifications made by the SOC and an appropriate mandate for the SOC.

Ownership of information systems
In most cases, the issues identified by a SOC can be tackled by the IT administration team. Nevertheless, incidents could arise that require decision-making at a strategic level. For this reason, each information system must have a manager as system owner to make such decisions. This concerns decisions that must be taken when a contingency plan is put into action, such as deciding whether to take an information system offline or on measures required to successfully cope with any offline time.

Development into a SOC
Using technology as a starting point is a good approach in order to initiate monitoring. However, for a SOC to become truly effective, it must be tied in with the business processes. Which are the key processes within the organisation, which information flows are essential to these and how could those information flows be disrupted? Putting processes at the centre of discussions makes it much easier to establish links with the various departments and the staff who work there. In order to succeed in establishing these links, it is necessary to ensure an appropriate development strategy for the SOC.

Knowledge and skills for SOC staff
Understanding business imperatives and monitoring the threats targeting the business goes beyond mere searches for technical issues in log files. A specific check can determine whether a system generates a certain error. But how do you establish whether a login is valid? Or whether any accessing, changing or deleting information is routine activity or the work of someone with malicious intent? An altogether different approach is needed when checking whether security has been breached. In such cases, this requires a different attitude and, in particular, a different way of thinking from staff. SOCs are a relatively new development, as a result of which skilled and above all experienced SOC staff are difficult to find. Therefore, start a new SOC with employees who have the right motivation and mind-set, and invest sufficiently in training.

Choosing whether to do it yourself or outsource
When implementing a SOC, an important decision early on is whether to outsource it. The organisation may choose to set up and manage all the individual components of a SOC itself or outsource them to a third party. Each organisation will have its own specific needs, demands and challenges with regard to a SOC. Each option must be assessed in terms of flexibility, costs, available knowledge and personnel, etc. These specific needs and demands can only be met if the right decision is made between doing it yourself, outsourcing or perhaps a combination of both.

SOC services and products can be acquired from a large number of providers. Gain a better understanding of what is available on the market and what is involved in operating a SOC, by approaching several parties about the services they are able to provide. If the information that is processed by a SOC is sent outside the organisation, ensure compliance with the applicable legislation.

[4] See also https://ssl.www8.hp.com/ww/en/secure/pdf/4aa6-0788enw.pdf
Processes
The incident management procedures are among the key measures to put in place as they will help everyone to understand what is expected of them. Define types of incidents by distinguishing between levels of impact and establish which steps SOC staff should follow. Establish which staff members should be approached if an incident arises. For this purpose, select staff members with the appropriate responsibilities and mandate. Tell them that they may be approached in the event of an incident and what decisions they are expected to make. Establish the required options for scaling up or escalating matters and arrange this with the relevant responsible staff members. In other words, ensure expectations are managed appropriately within the organisation. Make arrangements for normal monitoring tasks within the SOC to be continued during an incident. Develop a communication plan and design processes so that the deployment and added value of the SOC can be measured.

Engaging with the business
A SOC must engage with the business in order to understand what is important to it. Liaise with the appropriate managers and system owners. Involve the risk management department in such discussions. The information security policy and the outcomes of risk assessment can help provide insight into threats and to prioritise these appropriately.

Come to clear agreements with the business regarding the manner and format in which the information for the SIEM system is to be provided. Use periodic reports to engage the organisation in the results achieved by the SOC.

Selecting a SIEM system
Although the majority of the challenges in building a SOC relate to organisational matters, there is also a key technology choice to be made – the selection of the SIEM system. [5] Many of these solutions have similar capabilities. The key differences are in the details, which means it is tricky to select the right system. A good decision is only possible once it is sufficiently clear whether a solution is able to address all the needs that exist within the organisation. A sensible approach, once all the organisation’s needs have been established, is therefore to approach suppliers, visit trade fairs and, if possible, visit organisations that have already implemented a SIEM system. Ensure you consider this decision carefully. Once you have chosen a solution, it will be costly and labour-intensive to migrate to another solution at a later time. In addition to the capabilities of the SIEM system, also consider the installation and maintenance requirements and the knowledge the SOC staff will need to have.

Threat intelligence
A SIEM system will flag up a wide range of issues. To be able to assess those issues properly, the SIEM system and the SOC staff will need to be provided with accurate information and insights. Invest in the acquisition of threat intelligence that will be used to feed the SIEM system and ensure SOC staff have sufficient time to keep up-to-date with developments in the area of digital threats.

Impact on privacy
Information that is processed for the purposes of monitoring may include privacy-sensitive information. Together with your privacy officer, conduct a Privacy Impact Assessment (PIA) for all data collection activities that could include privacy-sensitive information. Investigate the options that the available SIEM systems offer in the area of privacy protection.

More responsibilities for a SOC
Various parties point to tasks other than monitoring that could be given to a SOC. [6][7] Although it is of course possible to accommodate the tasks of a range of employees (such as the performance of penetration tests and forensic IT investigations) within the same organisational structure, caution is advised when assigning additional tasks to staff tasked with monitoring. Do not use quiet times as a reason to increase their tasks. This carries the risk that the additional tasks will not be given sufficient attention in busy periods or during incidents. Use quiet times to critically review the security monitoring set-up, gain new knowledge, carry out drills and get up to speed with developments. Cyber criminals are continually on the lookout for new ways in which to carry out their attacks. Allow SOC staff to continually dedicate attention to this.

Developing the SOC further
One of the risks of allowing a SOC to grow too quickly is that the amount of information collected exceeds the processing capability of the SOC. [8] In addition to this, the IT service desk must be prepared for the number of notifications that a SOC will submit to them. Restrict the data that will actually be collected on the basis of the throughput capacity of the SOC and the IT service desk. Ensure that the expectations are clear by communicating these objectives clearly to the organisation. Discuss with the management team how the SOC and IT service desk can grow in a controlled manner.

Extension of a SOC will most likely result in an increase in the number of aspects to be monitored. Put differently, there will be an increase in the number of correlation rules used to determine whether an undesirable event or deviation has occurred. More rules mean an increase in the maintenance required for these rules, since each change made to a system or the network might require a change to one or more rules. Ensure the SOC is prepared for this.

[5] Gartner regularly publishes an overview of the maturity of SIEM systems: https://www.gartner.com/doc/reprints?id=1-3EG4GVX&ct=160810
[6] See chapter 8 in https://www.jbisa.nl/download/?id=17700082
[7] See ‘Soorten SOC’ (Types of SOCs) chapter in https://www.pvib.nl/kenniscentrum/documenten/expertbrief-security-operations-center-een-inrichtingsadvies
[8] https://www.computable.nl/artikel/nieuws/security/5901142/250449/security-operations-centers-worden-overspoeld.html

A SIEM system is able to handle large volumes of information in order to zoom in on relevant issues on the basis of smart, customised rules. For mature SOCs, this includes the standard technical checks as well as checks and matters that are closely linked with the day-to-day processes of the departments. A pitfall in this regard is that a SOC performs checks that, although helpful to a department, have little to do with information security. A SOC must remain watchful that its checks continue to serve its original objective and that it does not allow itself to become a big data department for the organisation as a whole.
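The correlation rules discussed under "Developing the SOC further" and in the paragraph above, shown as an added example that is not part of the factsheet: a few rules run over constructed firewall, web server and antivirus events (the three sources the factsheet suggests as a starting point), one of which correlates across sources, followed by a triage step that caps what is passed to the IT service desk at its agreed capacity. The event layout, rule names and thresholds are assumptions made for this example.

```python
"""Minimal correlation over firewall, web server and antivirus events. Events are
constructed for this example; the field layout is an assumption, not a real log format."""
from collections import Counter, defaultdict

# Constructed events: (source, time in seconds, host or client address, detail)
EVENTS = [
    ("av", 100, "ws-17", "malware detected: Trojan.Generic"),
    ("fw", 110, "ws-17", "DENY outbound tcp/4444"),
    ("fw", 115, "ws-17", "DENY outbound tcp/4444"),
    ("fw", 120, "ws-17", "DENY outbound tcp/4444"),
    ("web", 130, "203.0.113.9", "GET /admin 401"),
    ("web", 131, "203.0.113.9", "GET /admin 401"),
    ("web", 132, "203.0.113.9", "GET /admin 401"),
    ("web", 140, "198.51.100.4", "GET /index.html 200"),
    ("fw", 150, "ws-22", "DENY outbound tcp/445"),
]
SEVERITY = {"high": 0, "medium": 1, "low": 2}  # ordering used for triage

def rule_av_detection(events):
    """Notification of a specific problem: every antivirus detection."""
    return [("high", f"antivirus detection on {h}: {d}") for s, _, h, d in events if s == "av"]

def rule_repeated_401(events, threshold=3):
    """Indicator of a potential future issue: repeated failed web logins from one client."""
    c = Counter(h for s, _, h, d in events if s == "web" and d.endswith(" 401"))
    return [("medium", f"{n} failed web logins from {src}") for src, n in c.items() if n >= threshold]

def rule_av_then_denied_outbound(events, window=60):
    """Cross-source correlation: an antivirus detection on a host followed within
    `window` seconds by the firewall blocking outbound traffic from that host."""
    av_seen = {h: t for s, t, h, _ in events if s == "av"}
    denies = defaultdict(int)
    for s, t, h, d in events:
        if s == "fw" and d.startswith("DENY outbound") and h in av_seen and 0 <= t - av_seen[h] <= window:
            denies[h] += 1
    return [("high", f"{h}: {n} blocked outbound connections after AV detection") for h, n in denies.items()]

def rule_denied_outbound_only(events):
    """Low-priority rule: blocked outbound traffic from hosts with no antivirus context."""
    av_hosts = {h for s, _, h, _ in events if s == "av"}
    c = Counter(h for s, _, h, d in events if s == "fw" and d.startswith("DENY outbound") and h not in av_hosts)
    return [("low", f"{h}: {n} denied outbound connection(s), no AV context") for h, n in c.items()]

def run_rules(events):
    """Apply every rule and order the findings by severity (stable sort keeps rule order)."""
    rules = (rule_av_detection, rule_av_then_denied_outbound, rule_repeated_401, rule_denied_outbound_only)
    return sorted((f for r in rules for f in r(events)), key=lambda f: SEVERITY[f[0]])

def triage(events, capacity):
    """Pass at most `capacity` findings to the IT service desk; the number dropped is
    returned so a capacity shortfall is visible rather than silently lost."""
    findings = run_rules(events)
    return findings[:capacity], max(0, len(findings) - capacity)

if __name__ == "__main__":
    tickets, dropped = triage(EVENTS, capacity=3)
    for sev, msg in tickets:
        print(f"[{sev}] {msg}")
    print(f"{dropped} finding(s) held back because of service desk capacity")
```

Every rule here depends on a field layout and a threshold, which is the maintenance burden the factsheet warns about: a change to the firewall's log format or the web server's error handling would silently break a rule unless the SOC re-tests it.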

In the event that the organisation has established a Computer Security Incident Response Team (CSIRT), allow the SOC to take part in this. The SOC is able to provide useful technical data that can help to trace the cause of an incident and the origin of any attacks.

The maturity level of a SOC can be established with the help of the SOC-CMM – the SOC Capability & Maturity Model. [9] The principles in this model can also serve as the starting points for a roadmap or as a checklist for building a SOC.

Conclusion
A SOC is an effective facility for monitoring business information security and digital threats. Establishing such a centre, however, requires investment of time, effort and resources. In order for a SOC to function successfully, it must grow in controlled fashion along with the organisation’s need for insight into and control of information security. [10] Start small, share results with the organisation and build on a positive reception to these results to realise the next step in the development process. Ensure the planning, roadmap and implementation of a future SOC are realistic. Keep in mind that a SOC is a means and not an end in itself.

[9] https://www.soc-cmm.com/
[10] For additional information, see https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf
Publication
Nationaal Cyber Security Centrum (NCSC)
P.O. Box 117, 2501 CC The Hague
Turfmarkt 147, 2511 DP The Hague
+31 (70) 751 5555

More information
www.ncsc.nl
[email protected]
@ncsc_nl



This information is not legally binding
