Stronghold Cyber Security CEO Jason McNew was recently sourced for an article by Digital Guardian on how to build a security operations center (SOC). In it, McNew channels a bit of The Profit’s Marcus Lemonis in discussing the 3Ps – people, processes, and products – and how they relate to cyber security.
A three-tiered system is a good start. The three-tiered system can be modeled, for example, upon the Department of Defense Instruction 8570 (known simply as DoD 8570), widely recognized in the cybersecurity community as an excellent framework for identifying which certifications are necessary to fulfill a particular security role. 8570 is vendor-agnostic, and is a simple three-tiered chart that maps various certifications to particular security roles. These roles could be, for example, Security Analyst, Security Engineer, and Security Manager.
Next is policies. Formal policies have to be written, and these policies must have the backing of the business owners, executives, etc., so that they can be enforced effectively by the SOC folks. This isn’t as hard as it sounds, however, because every security policy a SOC could ever want has already been written and is readily available through NIST, ISO, SANS, etc. Usually these policies will need to be tailored for a particular organization, but they definitely do not need to be written from the ground up. Another excellent resource (that just isn’t used enough in the commercial world) is the DoD’s STIGs (Security Technical Implementation Guides).
Last (but not least) of the 3Ps is “products” or technology. We have to have the right technology, such as a CRM (customer relationship management) system, a trouble ticketing system, a KMS (knowledge management system), and of course the various vendor tools that are needed to maintain the technology we are securing.
The full article, titled “How to Build a Security Operations Center (SOC): Peoples, Processes, and Technologies”, by Ellen Zhang, can be viewed in its entirety here.