How to build an effective SOC

Identifying key issues and choosing security solutions to address them.

It is not enough just to implement a SIEM system and name your security team an SOC. It is more about building corresponding processes.

Not so long ago, we needed to explain what a security operations center (SOC) is to our enterprise audience. Now, more than a third of large organizations already have such a department, and many more are thinking about establishing one. When they do, however, they run up against something that’s becoming a major problem in the cybersecurity industry: a shortage of skilled professionals. Of course, that is not the only factor that affects SOCs, but it’s the root problem.

Of course, anyone can buy instruments and solutions, subscribe to threat data feeds, and assemble a team of watchers to look after those instruments, hoping that prepares them for a cyberincident. However, they will immediately face numerous problems: a lack of automation puts additional pressure on the team; security solutions can integrate badly with existing systems, solutions, data feeds, and more; having millions of indicators complicates the prioritizing of alerts; and to top it all off, analysts face professional burnout.

Another problem that is hard to anticipate if you have not yet tried to establish an SOC is the common mistaking of one department for another — in this case, IT versus security. The two have different priorities and targets. Implementing security solutions and processes can interfere with IT specialists’ routine work and severely complicate their lives. Conversely, while trying to simplify processes, IT can interfere with security’s systems. That’s just one reason you cannot put the same people in charge of both IT and cybersecurity — they cannot prioritize both tasks equally; one will always win.

In other words, it is not enough just to implement a SIEM system and name your security team an SOC. It is more about building corresponding processes. That’s where we come in.

How we can help

For starters, we offer the instruments an SOC needs — and more important, we have experience in their implementation and usage. That experience led us to assemble a new offering for Security Operations Centers. With its basis in our expertise, solutions and services, this range of instruments and practices will help SOCs overcome difficulties and fortify companies’ defenses.

In addition to our threat intelligence feeds and time-proven solutions such as Kaspersky Anti Targeted Attack and Kaspersky EDR, we now present tailored assessments of existing security operations along with performing penetration testing. Armed with knowledge about existing attack scenarios, our experts can determine how intruders are likely to behave according to the specifics of your industry, region, and market. They use this knowledge to evaluate an SOC’s and incident response team’s preparedness — its ability to detect and prevent attacks — and provide a detailed report on existing gaps as well as recommendations for enhancing security processes.

To learn more about this offering, please visit the Kaspersky for Security Operations Center