Cybersecurity professionals encounter the idea of integrating people, processes and technology constantly: it appears in virtually every vendor's sales presentation and in many books, blog posts and papers on managing a security operations center (SOC). Some authors offer advice on dividing the budget among the three, or argue that one of them matters most, but all three are vital to success, and failing to integrate them can doom a security program. Focusing on the key elements of each area helps you align and integrate them successfully.
Once the SOC's functions are defined, the next step is to find or assign the talent needed to execute them. Security talent may be internal or outsourced, but ownership of the program must always stay with you.
- Map people to roles. Every role needs a clear definition: job description, responsibilities, required skills, desired experience, initial and ongoing training, chain of command and career progression path.
- The size, budget, structure, mission and vision of an organization determine how many roles are needed and which ones. Depending on your organization, you may need several security analysts with different responsibilities and skills, a malware analyst, a SOC manager, a forensic analyst, an incident coordinator, a platform engineer, a threat intelligence analyst or a number of other specialists.
Processes are closely tied to your security program's goals, and also to the SOC functions; a single function is often associated with more than one process.
- Link specific roles to each process definition as well as to the function. A responsibility assignment model (a RACI matrix, for example) is useful for this step.
- The number and type of processes depend on the organization's needs. Processes that are typically defined include incident triage, breach response, security monitoring, incident response, forensic analysis, threat hunting, detection content management, incident analysis, threat intelligence management, malware analysis, security device management and program management.
Technology supports and extends SOC capabilities by providing advanced threat detection, automated event triage, visibility into systems and networks, and richer incident analysis and investigation. Examples include:
- Analytics that combine environmental and contextual data, business context and asset information contribute to advanced threat detection.
- Data collected from logs, packets captured at selected choke points, endpoint telemetry and network flows gives greater visibility into your systems and networks.
- Combining a historic view with the data that triggered the detection of an incident improves both incident analysis and investigation.
- Technology is also crucial for automating incident handling and program management tasks.
- Technologies must interoperate, and data silos must be eliminated, for technology to integrate properly with people and processes.
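As an added example (not code from the original article), the Python triage helper below shows what the enrichment and historic-view bullets above mean in practice: it attaches asset inventory context to a raw detection to set a priority, and pulls the affected host's events from the hour before and the minutes after the triggering event into a single timeline. The asset inventory, the event stream, the scoring thresholds and all function names are constructed for this illustration; a real SIEM would supply the data and carry proper event identifiers.

```python
"""Added example: enrich a detection with asset context and a historic view.
All hosts, events, owners and thresholds below are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed asset inventory: the business context bullet above.
ASSETS = {
    "db-prod-01": {"owner": "payments", "role": "database", "criticality": "high"},
    "web-prod-03": {"owner": "storefront", "role": "web frontend", "criticality": "medium"},
}

# Constructed, normalised event stream as a SIEM might hold it (logs, flows, EDR, DNS).
EVENTS = [
    {"ts": "2024-03-02T14:02:00", "host": "db-prod-01", "source": "auth", "msg": "accepted publickey for svc_backup from 10.0.0.5"},
    {"ts": "2024-03-04T08:10:00", "host": "db-prod-01", "source": "auth", "msg": "accepted password for svc_backup from 198.51.100.23"},
    {"ts": "2024-03-04T08:40:00", "host": "db-prod-01", "source": "auth", "msg": "svc_backup : COMMAND=/bin/bash (sudo)"},
    {"ts": "2024-03-04T08:55:00", "host": "db-prod-01", "source": "netflow", "msg": "outbound 203.0.113.7:443 bytes=1843201"},
    {"ts": "2024-03-04T09:00:00", "host": "db-prod-01", "source": "edr", "msg": "cron entry added: /tmp/.x/run.sh"},
    {"ts": "2024-03-04T09:05:00", "host": "db-prod-01", "source": "dns", "msg": "query cdn-update.example"},
    {"ts": "2024-03-04T09:00:30", "host": "web-prod-03", "source": "edr", "msg": "cron entry added: /opt/deploy/rotate.sh"},
]

# Constructed scoring scales; tune to your own triage policy.
SEVERITY = {"low": 1, "medium": 2, "high": 3}
CRITICALITY = {"low": 1, "medium": 2, "high": 3}


def parse_ts(value):
    return datetime.fromisoformat(value)


def enrich_alert(alert, assets):
    """Attach asset-inventory context to a raw detection and derive a priority."""
    asset = assets.get(alert["host"])
    inventory_gap = asset is None
    if inventory_gap:
        # A host missing from the inventory is itself a data-silo problem:
        # score it as medium so it is not buried, and flag it for follow-up.
        asset = {"owner": "unknown", "role": "unknown", "criticality": "medium"}
    score = SEVERITY[alert["severity"]] + CRITICALITY[asset["criticality"]]
    priority = "P1" if score >= 6 else "P2" if score >= 5 else "P3" if score >= 4 else "P4"
    return {**alert, "asset": asset, "inventory_gap": inventory_gap, "priority": priority}


def historic_window(alert, events, before=timedelta(hours=1), after=timedelta(minutes=10)):
    """Return the host's events around the trigger, oldest first, with the trigger marked.
    Matching the trigger on timestamp alone is a simplification; use event ids in practice."""
    t0 = parse_ts(alert["ts"])
    start, end = t0 - before, t0 + after
    window = [
        {**e, "trigger": parse_ts(e["ts"]) == t0}
        for e in events
        if e["host"] == alert["host"] and start <= parse_ts(e["ts"]) <= end
    ]
    return sorted(window, key=lambda e: e["ts"])  # ISO-8601 strings sort chronologically


def build_case(alert, assets=ASSETS, events=EVENTS):
    """Combine enrichment and the historic view into one record an analyst works from."""
    case = enrich_alert(alert, assets)
    case["timeline"] = historic_window(alert, events)
    return case


if __name__ == "__main__":
    alert = {"ts": "2024-03-04T09:00:00", "host": "db-prod-01",
             "rule": "persistence: cron entry added", "severity": "medium"}
    case = build_case(alert)
    print(case["priority"], case["asset"]["owner"], "inventory_gap=%s" % case["inventory_gap"])
    for e in case["timeline"]:
        print("*" if e["trigger"] else " ", e["ts"], e["source"], e["msg"])
```

Run as a script, the case for the constructed alert comes out as P2 (medium severity on a high-criticality asset, owned by the payments team) with a five-event timeline: a password login from an unfamiliar address, a sudo to a shell, a large outbound transfer, the cron entry that fired the rule, and a DNS query afterwards. None of those earlier events triggered an alert on their own; the historic view is what turns one medium detection into an obvious intrusion chain.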
People, processes and technology are the three pillars of your SOC. However, when you begin to draft a written plan to integrate them, you may find that aligning the three within your SOC is not as easy as you expected. Regardless of what some vendors claim, there is no magic wand that will create perfect, instant integration. It takes teamwork and effort, an effective strategy, proper implementation, program management and continuous improvement to create the best SOC possible. Rest assured, however, that the results will be worth your efforts.