Strategy 2: Achieve Balance Between Size and Agility
The SOC’s structure must balance three needs:
- The need to have a cohesive CND team
- The need to maintain logical and physical proximity to the assets being monitored
- The budgetary and authority limitations inherent in the constituency served
Picking an Organizational Model
The further an analyst is separated from the monitored assets—logically or physically—the less able they are to maintain context, to sense what is normal and abnormal behavior on those hosts and networks, and to respond in a relevant and timely manner.
Drivers
- Size of company
- Frequency of incidents
- Company concerns about incident response
Structuring the SOC
Small SOC (5-20 people)
- Tier 1
- Tier 2
- System Admin
- Advanced Capabilities (optional)
Large SOC
- Tier 1
- Tier 2
- Trending
- Scanning
- VA/PT
- System Admin
- Engineering
Synchronizing CND Across Sites and Organizations
Goals and Drivers
Where to Place the Main SOC
The best place for the SOC is at or very near the company headquarters.
Small and Large Centralized SOCs
Incorporating Remote Analysts
Centralized SOC with Continuity of Operations
Centralized SOC with Follow the Sun
Tiered SOC