Appendix G - Characteristics of a World-Class SOC

How do we know whether the SOC is doing well? Every organization is different, and there is no universal set of measures for SOC effectiveness. In this section, we describe the qualities of a SOC that has reached an ideal state of maturity, given the needs and constraints of its constituency. We draw on material presented throughout the book in articulating a target state for modern SOCs. While these qualities describe SOCs of any size or organizational model, we once again aim for common SOCs that:

  • Serve a constituency of some 5,000 to 5,000,000 users or IPs
  • Are members of their constituency
  • Have at least shared reactive authority
  • Have direct visibility into a large portion of the constituency
  • Follow an organizational model that includes both centralized and distributed elements

SOCs that fall outside this description (e.g., national-level and coordinating SOCs) will certainly be able to leverage elements of this section but may find that certain qualities won’t apply. For instance, a mature SOC serving a small constituency may not be able to support advanced engagements with the adversary. Or, a mature SOC serving a very large constituency may not directly monitor constituency systems.

In describing a healthy, mature SOC, we start with the most basic elements of the SOC mission: prevent, monitor, detect, respond, and report—along with general programmatics, external connections, and training/career. SOC managers may certainly use these qualities as a basis to measure their SOC capabilities; however, we don’t always go into detail on how to measure them. This is done best on a case-by-case basis.

One important caveat to recognize is that we are describing the ideal state of a world-class SOC. This state will never be reached in all regards, which is to say no one organization will ever receive an equivalent “100 percent” score. That said, we lay out these qualities as a target that a well-resourced SOC can shoot for.

Before we go any further, it is critical to recognize that the best way to measure overall SOC effectiveness is by running realistic drills and exercises against the SOC. Some exercises can include “tabletop” scenarios with the SOC and its partners, or exercising a COOP capability, if it exists. These are relatively low risk and can be done on a regular basis, perhaps annually. These, while useful, don’t hit the nail on the head.

The best way to test a SOC is to measure the SOC’s performance in response to an actual Red Team penetration of constituency assets.

G.1 Program

This section describes the qualities of the SOC’s overall program that span multiple functional areas.

G.2 Instrumentation

This section describes the qualities of the systems and procedures used to instrument the constituency for monitoring each stage of the cyber attack life cycle.

G.3 Analytics and Detection

This section describes the qualities of the analytics and detection tools used by the SOC.

  • The SOC leverages a unified analytic framework for incident monitoring, triage, and detection, such as a SIEM purpose-built for such use.
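To make the "unified analytic framework" quality concrete, the following is an added example, not code from the book or from any SIEM product. It shows the two things such a framework has to do: normalize events from unrelated sources (here a Linux sshd log and a Windows-style audit export, both constructed sample data) into one schema, and then run a single detection rule over the unified stream. The rule, the field names, and the thresholds are assumptions chosen for illustration.

```python
"""Added example: a minimal SIEM-style pipeline. Two heterogeneous log sources are
normalized into one event schema, then one correlation rule runs over the merged,
time-ordered stream. All log lines below are constructed sample data."""
import re
from datetime import datetime, timedelta

# Constructed sshd lines (syslog-like format, ISO timestamps for simplicity).
SSHD_LOGS = [
    "2024-05-01T10:00:01Z host1 sshd[101]: Failed password for alice from 203.0.113.5 port 5100 ssh2",
    "2024-05-01T10:00:03Z host1 sshd[101]: Failed password for alice from 203.0.113.5 port 5101 ssh2",
    "2024-05-01T10:00:05Z host1 sshd[101]: Failed password for alice from 203.0.113.5 port 5102 ssh2",
    "2024-05-01T10:00:09Z host1 sshd[101]: Accepted password for alice from 203.0.113.5 port 5103 ssh2",
    "2024-05-01T10:05:00Z host1 sshd[102]: Accepted publickey for bob from 198.51.100.7 port 6000 ssh2",
]
# Constructed Windows audit export: timestamp,host,event_id,user,source_ip
# (4625 = failed logon, 4624 = successful logon).
WIN_LOGS = [
    "2024-05-01T10:01:00Z,WKS7,4625,carol,203.0.113.5",
    "2024-05-01T10:01:02Z,WKS7,4625,carol,203.0.113.5",
    "2024-05-01T10:01:04Z,WKS7,4625,carol,203.0.113.5",
    "2024-05-01T10:01:08Z,WKS7,4624,carol,203.0.113.5",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize_sshd(line):
    """Map an sshd line onto the common schema; unknown lines are dropped (None)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
            "src_ip": m["ip"], "source": "sshd",
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}


def normalize_win(line):
    """Map a Windows logon audit record onto the same schema."""
    ts, host, event_id, user, ip = line.strip().split(",")
    outcome = {"4624": "success", "4625": "failure"}.get(event_id)
    if outcome is None:
        return None
    return {"ts": parse_ts(ts), "host": host, "user": user,
            "src_ip": ip, "source": "windows", "outcome": outcome}


def unify(sshd_lines, win_lines):
    """Merge both sources into one time-ordered stream of normalized events."""
    events = [e for e in map(normalize_sshd, sshd_lines) if e]
    events += [e for e in map(normalize_win, win_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def failures_then_success(events, min_failures=3, window=timedelta(seconds=120)):
    """Hypothetical rule: alert when a successful logon from an IP is preceded,
    within `window`, by at least `min_failures` failed logons from that same IP,
    counted across every host and every source in the unified stream."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["outcome"] != "success":
            continue
        recent = [f for f in events[:i]
                  if f["outcome"] == "failure"
                  and f["src_ip"] == ev["src_ip"]
                  and ev["ts"] - f["ts"] <= window]
        if len(recent) >= min_failures:
            alerts.append({"ts": ev["ts"], "src_ip": ev["src_ip"], "user": ev["user"],
                           "host": ev["host"], "failures": len(recent),
                           "sources": sorted({f["source"] for f in recent})})
    return alerts


def detect(sshd_lines=SSHD_LOGS, win_lines=WIN_LOGS):
    return failures_then_success(unify(sshd_lines, win_lines))


if __name__ == "__main__":
    for a in detect():
        print(f"{a['ts']} {a['src_ip']} -> {a['user']}@{a['host']}: "
              f"{a['failures']} prior failures from {a['sources']}")
```

The point of the unified schema is visible in the second alert: the Windows logon for carol is scored against failures seen by both the Windows host and the Linux host, which neither source could have produced on its own. In a production SIEM the same idea is carried by the product's normalization layer and rule language rather than hand-written parsers.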

G.4 Monitoring

This section describes the qualities of the monitoring tools and processes used by the SOC.