Appendix C - How Do We Get Started?

If we have established the need for a SOC, the next logical question is, “How do we stand up a new SOC?” When we stand up a new capability, various priorities compete for our time and energy. The purpose of this section is to sort these priorities into different phases of SOC creation and growth, introducing many of the topics covered throughout the ten strategies. For more information on standing up a SOC, see [288] and Chapter 2 of [15]. Before we discuss the roadmap to standing up a SOC, here are some tips for success. Every SOC is different, so the timelines and order of priorities will differ; the following serves as a starting point and presents an ideal timeline for SOC stand-up:

  • Ensure expectations and authorities of the SOC are well-defined and recognized from the start, especially from those in the SOC’s management chain.
  • Do a few things well rather than many things poorly; shun activities that can be easily or better performed by other organizations.
  • Beg, borrow, or steal as much as possible:
      • Assimilate existing CND or CND-like capabilities into the SOC.
      • Leverage existing technologies, resources, and budget to help get started.
      • Don’t let the initial influx of resources detract from the importance of a permanent budget line for people, capital improvements, and technology recapitalization.
  • Focus on technologies that match the threat and environment and act as a force multiplier; avoid getting caught up in “technology for its own sake”; extract the maximum amount of value from a modest set of tools.
  • Having a flashy, well-organized ops floor isn’t just for the analysts—it also keeps money flowing from IT executives. Having an advanced SOC is a point of pride for many seniors, and this starts with what they see when they walk onto the ops floor.
  • Enable the rock-star analysts to lead all aspects of the SOC in a forward direction through continual improvements to processes and automation.
  • Ensure strong quality control of what leaves the SOC from day one. Gaining trust and credibility is a big challenge, considering that rookie mistakes can easily undermine progress and stakeholder trust.
  • Tune into the constituency mission, in terms of monitoring focus and response actions.
  • Ensure each aspect of the SOC is given due attention. Start with a careful selection of the best people the SOC can attract, given budgetary constraints. In Figure 32, we summarize the triad of CND that is of keen interest to new SOCs.

C.1 Founding: 0 to 6 Months

In the beginning, there was no SOC—most likely, only pockets of CND being practiced across the constituency and a desire by seniors to “keep us out of the newspaper” or “defend the mission.” From the time the decision is made to create a SOC, we have the following initial priorities:
  • Form the team that will begin constructing the SOC, including its ops floor. Base this on existing experts in cybersecurity and CND, possibly along with the first hires to the SOC or outside consultants.
  • Define the constituency.
  • Ensure upper management support.
  • Solicit input on which problems the SOC should solve and which capabilities are needed from constituency seniors.
  • Write the SOC charter; get it signed by the constituency CEO or CIO.
  • Collect CND best practices from literature and other SOCs.
  • Secure funding for people and technology, based on a rough order of magnitude budget.
  • Select a team organizational model (Section 4.1.1).
  • Find the right place for the SOC in the constituency org chart (Section 5.1).

[Figure 32: PPT Triangle]

Analyst collaboration forum/SharePoint/wiki and unstructured file share limited to SOC only.