Build an SOC

Building an SOC and embedding it in the organization and working processes can be complex. Our advice for making an SOC a success is to start small, communicate the results within your organization and remember that an SOC is a means rather than an end.

What is an SOC?

In practice, a Security Operations Centre monitors the computer and network activities in an organisation. Log data from applications and devices in the company network are gathered and investigated for anomalies. The log data can come from servers, firewalls, web applications, antivirus software and even from industrial control systems. As a result, it concerns relevant information on the security of all systems and devices. All this information will provide insight into how secure the network, the systems as well as the hardware and software are functioning in the organisation.

How does an SOC work?

A number of criteria must be met for a successfully operating SOC. These criteria include:

  • a policy for information security which has support throughout the entire organization;
  • an accurate overview of the application landscape;
  • ownership of information systems and a recent risk analysis;
  • cooperation with the IT management organization.

When it comes to interpreting log data from various sources and their relationship to what is happening digitally, a Security Information & Event Management (SIEM) system could provide a solution.

In addition to information about systems, hardware, software and the network, an SOC also uses threat intelligence. This information involves vulnerabilities and threats in cybersecurity originating from other sources. Using this information, the SOC assesses events in systems and on all connected devices.

How is an SOC created?

Start by monitoring simple technical matters which benefit the organisation; for example, the log data from the Active Directory, firewalls, antivirus and web servers. Keep it simple and restrict the activities to the IT department. Monitor purely technical matters only.

Build up experience with the monitoring, registration and mitigation of incidents. At the beginning, the main emphasis should be on gaining experience with the entire monitoring and incident handling process rather than the monitoring itself. Expand monitoring to systems that are part of the primary operating processes in a controlled manner. Make agreements with the IT department about IT activities as result of this incident registration. Do not focus your monitoring on setting up an SOC in itself, but concentrate on what is important and useful to the organisation.

What does the NCSC do?

Additional information may be required to determine whether a specific event within a computer network is a threat. The NCSC provides this information through Indicators of Compromise (IoCs). An IoC allows you to determine whether specific events within your network have also been recorded by others. This information provides you with guidelines for assessing the event.

The NCSC is only allowed to provide parties with this information if they are among our target groups. We share knowledge about technical and practical matters to support organisations in central government and vital infrastructures based on legal frameworks. Setting up an SOC is also one of these topics. Would you like to know more about setting up an SOC? The fact sheet ‘Building an SOC: start small’ contains guidelines, tips and areas for attention.