Why is a Security Operations Center required? A 5-step plan to help answer the question.

4 August 2015

When SysArmy security experts meet with customers, we find that many of them are unsure whether to set up a centralized Security Operations Center (SOC). Many of them know well that building and operating a SOC, even at a tiny scale, can be costly. Yet if you are worried about your data being stolen by cyber thieves or your operations being interrupted by online attackers, it is the right time to set up a simple SOC.

To begin, every company needs to assess the damage an attacker could do to its business: imagine what data would be accessed if your organization were breached, and ask whether you would have the resources to recover, or whether you could recover at all. If that answer is terrifying, then the answer to the question is a big 'YES'.

The first step is to hire good talent to serve as the key security officer in your organization (the title is commonly CISO, Chief Information Security Officer).

In the second step, a company will typically seek better visibility into what is going on in its network. Many companies do not have a full inventory of their information assets, and building one as part of a SOC program can be one of the most important things to do. Note, however, that the first expectation of a SOC is not security enforcement but visibility into the environment.

The third step is to determine what to monitor. Many of our clients start by focusing on managing the operation of network perimeter devices, such as firewalls and intrusion prevention and detection systems. The company will also have to decide how much it wants to do internally and to what degree it will outsource its security monitoring.

The fourth step is to develop a monitoring plan. At this stage, a program to better monitor and manage information security systems is crucial, and companies should base the plan on what data and systems need to be protected rather than on what a product can do.

Finally, companies should continuously look at maximizing the amount of security information they collect and store, even if their small SOC has no means to analyze it yet. If a company detects a breach, the first thing an analyst will need is to gather and correlate the data to find out what happened. When we investigate an attack, we always try to collect as much data as we can to make the investigation more accurate.
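To show what "correlating the data" means in practice, here is an added example (not code from the original post or from SysArmy) that joins two of the data sources mentioned above: perimeter firewall connection logs and host authentication logs. Both log excerpts are constructed for illustration, as is the simple `key=value` line format; the rule it applies (an allowed inbound connection followed within a few minutes by repeated failed logins and then a success from the same source) is one generic brute-force pattern, chosen only to demonstrate why the two logs have to be kept and joined. Without the firewall log you cannot tell which connection carried the attempt; without the auth log you cannot tell that the connection mattered.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical, not from any real device or host):
# a perimeter firewall log and a host authentication log in a simple
# "<timestamp> <key=value> ..." form.
FIREWALL_LOG = """\
2015-08-04T09:58:12 fw action=allow src=203.0.113.45 dst=10.0.0.5 dport=22
2015-08-04T10:00:01 fw action=allow src=198.51.100.7 dst=10.0.0.8 dport=443
2015-08-04T10:01:40 fw action=allow src=203.0.113.45 dst=10.0.0.5 dport=22
2015-08-04T10:03:15 fw action=deny src=192.0.2.9 dst=10.0.0.5 dport=3389
"""

AUTH_LOG = """\
2015-08-04T09:58:15 host=10.0.0.5 user=admin result=fail src=203.0.113.45
2015-08-04T09:58:20 host=10.0.0.5 user=admin result=fail src=203.0.113.45
2015-08-04T09:58:26 host=10.0.0.5 user=admin result=fail src=203.0.113.45
2015-08-04T09:58:31 host=10.0.0.5 user=admin result=success src=203.0.113.45
2015-08-04T10:00:05 host=10.0.0.8 user=alice result=success src=198.51.100.7
"""


def parse(log):
    """Parse lines of the form '<ISO timestamp> <key=value> ...' into dicts.
    Tokens without '=' (such as the 'fw' tag) are ignored."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if not parts:
            continue
        ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")}
        for field in parts[1:]:
            if "=" in field:
                key, value = field.split("=", 1)
                ev[key] = value
        events.append(ev)
    return events


def correlate(fw_log, auth_log, fail_threshold=3, window=timedelta(minutes=5)):
    """Return (src, host, success_ts) for every allowed perimeter connection
    that is followed, within `window`, by at least `fail_threshold` failed
    logins and then a successful login from the same source on that host."""
    connections = [e for e in parse(fw_log) if e.get("action") == "allow"]
    # Index auth events by (source IP, host) so each connection only looks
    # at the logins that could belong to it.
    by_pair = defaultdict(list)
    for ev in parse(auth_log):
        by_pair[(ev["src"], ev["host"])].append(ev)

    findings = []
    for conn in connections:
        key = (conn["src"], conn["dst"])
        in_window = [ev for ev in by_pair.get(key, [])
                     if conn["ts"] <= ev["ts"] <= conn["ts"] + window]
        fails = 0
        for ev in sorted(in_window, key=lambda e: e["ts"]):
            if ev["result"] == "fail":
                fails += 1
            elif ev["result"] == "success" and fails >= fail_threshold:
                finding = (conn["src"], conn["dst"], ev["ts"])
                if finding not in findings:
                    findings.append(finding)
                break
    return findings


if __name__ == "__main__":
    for src, host, ts in correlate(FIREWALL_LOG, AUTH_LOG):
        print(f"{ts.isoformat()} suspicious login on {host} from {src} "
              f"after repeated failures")
```

On the sample data only the 203.0.113.45 connection to 10.0.0.5 is reported: the second connection from that address has no logins in its window, the 198.51.100.7 login succeeds with no preceding failures, and the denied 192.0.2.9 connection never reaches the host. Lowering `fail_threshold` to 0 turns the rule into a plain "who logged in after connecting" join, which is the kind of question an analyst asks first when reconstructing a breach.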