Strategy 2: Achieve Balance Between Size and Agility

The SOC’s structure must balance three needs:

The need to have a cohesive CND team
The need to maintain logical, physical, proximity to the assets being monitored
The budgetary and authority limitations inherent in the constituency served.

Picking an Organizational Model

The further an analyst is separated from monitored assets—logically or physically—the less they are able to maintain context and sense of what is normal and abnormal behavior on those hosts and networks, and respond in a relevant or timely manner.

Drivers

Size of company
Frequency of incidents
Company concerns about incident response

Structuring the SOC

Small SOC (5-20 people)

Tier 1
Tier 2
System Admin
Advanced Capabilities (optional)

SOC Org Chart

Large SOC

Tier 1
Tier 2
Trending
Scanning
VA/PT
System Admin
Engineering

Synchronizing CND Across Sites and Organizations

Goals and Drivers

Where to Place the Main SOC

The best place for the SOC is at or very near the company headquarters.

Strategy 2: Achieve Balance Between Size and Agility

Picking an Organizational Model

Drivers

Structuring the SOC

Small SOC (5-20 people)

Large SOC

Synchronizing CND Across Sites and Organizations

Goals and Drivers

Where to Place the Main SOC

Small and Large Centralized SOCs

Incorporating Remote Analysts

Centralized SOC with Continuity of Operations

Centralized SOC with Follow the Sun

Tiered SOC

Coordinating SOCs

Popular

Recent content

Picking an Organizational Model

Drivers

Structuring the SOC

Small SOC (5-20 people)

Large SOC

Synchronizing CND Across Sites and Organizations

Goals and Drivers

Where to Place the Main SOC

Small and Large Centralized SOCs

Incorporating Remote Analysts

Centralized SOC with Continuity of Operations

Centralized SOC with Follow the Sun

Tiered SOC

Coordinating SOCs

User login

Search

Popular

Recent content