Every organization that has cyber assets should have a Cybersecurity Operations Center (CSOC or SOC). MITRE's Ten Strategies of a World-Class CSOC has guided CSOCs of all sizes, across many sectors, in building, managing, and improving their operations. Here is an excerpt from the Executive Summary:
- Consolidate functions of incident monitoring, detection, response, coordination, and computer network defense tool engineering, operation, and maintenance under one organization: the CSOC.
- Achieve balance between size and visibility/agility, so that the CSOC can execute its mission effectively.
- Give the CSOC the authority to do its job through effective organizational placement and appropriate policies and procedures.
- Focus on a few activities that the CSOC practices well and avoid the ones it cannot or should not do.
- Favor staff quality over quantity, employing professionals who are passionate about their jobs, provide a balance of soft and hard skills, and pursue opportunities for growth.
- Realize the full potential of each technology through careful investment and keen awareness of—and compensation for—each tool’s limitations.
- Exercise great care in the placement of sensors and collection of data, maximizing signal and minimizing noise.
- Carefully protect CSOC systems, infrastructure, and data while providing transparency and effective communication with constituents.
- Be a sophisticated consumer and producer of cyber threat intelligence, by creating and trading in cyber threat reporting, incident tips and signatures with other CSOCs.
- Respond to incidents in a calm, calculated, and professional manner.
In this book, we describe each strategy in detail, including how they crosscut elements of people, process, and technology. We deeply explore specific areas of concern for CSOCs, ranging from how many analysts a CSOC needs to where to place sensor technologies.