SOC Workshop

The document discusses building a next-generation security operations center (SOC). It begins by assessing the current maturity state of the SOC, including evaluating processes, competencies, and completeness across prevention, detection, analysis, and response. This establishes a baseline to design a target next-gen SOC state. Key phases include assessing the current maturity, designing the target state, developing an implementation roadmap, and implementing comprehensive reporting. The benefits of a next-gen SOC include finding threats earlier, focusing on real threats, and enabling intelligence-driven and improved prevention, detection, and response capabilities.


How to BUILD Next-Gen SOC
Chintan Gurjar
About Me

Timeline:
• 1990: Born in India
• 2011: B.Tech Computer Engineering, India
• 2013-14: Master's in Cybersecurity, London
• 2014: Returned to India; worked in consulting firms (2014-2017)
• 2017: New Zealand; worked for Big4
• 2020-Present: London; worked in product-based firms

Companies I worked for: (logos)

Domains I worked in:
• Pentest/Red-teaming
• Threat Intelligence & Hunting
• A tiny bit of DevSecOps
• Vulnerability Management
• Audit and Risk Management

Outside of Work:
• Mentoring & Coaching
• Blogging/Webinars
• Paragliding
• Cricket, Badminton, Table Tennis
• Reading management books

Total Experience:
• 7 Years in Offensive Security
• 4 Years in Defensive Security

Contact Me: [email protected] | @iamthefrogy | Chintan Gurjar

Certifications: OSCP | CEH | CTIA | MGT516 (SANS) | CCFA | CCFH | CBE
SCR – Situation, Complication, Resolution

Situation
● Juggling business, compliance, and consumer obligations.
● The SOC has become resource intensive. It needs PPT (People, Process, Technology).

Complication
● Huge amount of data sources
● No correlation
● Lack of standardization
● Poor visibility
● Lack of communication between other teams and the security team
● Cost cutting

Resolution
● Convert security events and threat information into actionable intelligence.
Traditional SOC vs. Next-Gen SOC

(Figure: Traditional SOC compared with the Next-gen Collaborated SOC, and the Next-Gen SOC Organizational Entity.)

https://www.soc-cmm.com/downloads/SOC-CMM_whitepaper.pdf
BENEFITS OF NEXT-GEN SOC (INTEGRATED SOC)

Tactical Benefits
● Find threats earlier in the cyber kill chain
● Focus efforts on real threats rather than the traditional stream of daily events and alerts
● Dynamic correlation and rule-logic improvement by working with the SIEM team and other teams

Operational Benefits
● Intelligence-driven processes
● Improved effectiveness of SIEM, NGFWs, IPS, IDS, and SWGs.

Strategic Benefits
● Executives can understand relevant threats and appropriately allocate resources where necessary.
● Improved internal and external communication with top executives and board members
Metrics are key to action

Raw Data → Convert to Information → Prepare Metrics → Perform Analysis → Take Action

Process of defining quality metrics:
• Know your audience well (Strategic, Operational, Tactical)
• Be S.M.A.R.T. (Specific, Measurable, Achievable, Relevant, and Time-Bound)
• Document the metrics
• Discuss with the client
• Sign off
• Implement
Phases of SOC implementation

Phase 1: Assess the current maturity state
Phase 2: Design your target SOC state
Phase 3: Develop an implementation roadmap
Phase 4: Comprehensive reporting

Phase 1: Assess the current maturity state
Assess

Overview – Assess The Current Maturity State

Objectives
● Make your client understand the benefits of re-assessing and refining the SOC
● Assess your current prevention processes and competencies, and their completeness
● Assess your current detection processes and competencies, and their completeness
● Assess your current analysis processes and competencies, and their completeness
● Assess your current response processes and competencies, and their completeness

Results
After completion of this phase, you will know the current maturity state of your SOC and will have an idea of where the re-defining process needs to be started.

Benefits – this activity will enable you to:
● Understand the difference between a traditional and a next-gen SOC
● Know where you stand
● Optimize security operations through next-gen processes
Assess

Discuss why build a Security Operations Center

Discuss why run a SOC: objectives, strategic vision, etc.

Process:
1. Discuss scope, goal, responsibilities, etc.
2. Put everything on the whiteboard.
3. Organize notes and remove duplicates.
4. Finalize benefits, goals, and objectives of the SOC.
Assess

What do you know about your organization's security state

State of Knowledge (four quadrants):
• Known Knowns: "Things we are aware of and understand"
• Known Unknowns: "Things we are aware of but don't understand"
• Unknown Knowns: "Things we understand but are not aware of"
• Unknown Unknowns: "Things we are neither aware of nor understand"

Process:
1. Assess what the client knows about their SOC in terms of all these 4 criteria
2. Ask each stakeholder to define PPT (People, Process, Technology)
3. Think of an additional PPT you would have included to mature the state of the SOC
4. Discuss why to include or why to exclude
5. Prioritize based on the organization's need, cost, etc.
6. Identify what to outsource/insource.
Assess

SOC Levels by domains covered

Foundational:
• Device monitoring
• Intrusion management
• Log collection and retention
• Reporting & escalation
• Vendor management
• Audit compliance
• Firewall
• AV/EDR
• SIEM
• VA
• Patch management
• Use case management
• Ticketing

Operational (entire Foundational +):
• Event analysis and incident triage
• Hardening
• Static malware analysis
• Change management
• Cloud security
• Encryption management
• IAM

Strategic (entire Foundational + Operational +):
• SIEM with defined use-cases
• Threat intelligence
• Digital forensics
• Network flow analysis
• Dynamic malware analysis
• Visualization and dashboards
• Threat hunting

Security Operations Capabilities

Assess

SOC Levels by maturity of elements

Foundational:
• Network and system architecture diagrams
• Asset inventory and classification
• Access control policies and procedures
• Vulnerability management processes
• Patch management processes
• Configuration management processes
• Security monitoring tools and processes
• Security training and awareness programs
• Data classification and protection policies
• Disaster recovery and business continuity plans

Operational:
• Real-time monitoring and analysis of security events
• Detection and analysis of security threats and vulnerabilities
• Incident response and remediation
• Continuous improvement of security posture through lessons learned and analysis of security events
• Security testing and assessment processes
• Threat intelligence gathering and analysis
• Vulnerability management and remediation processes
• Patch management
• Security incident management and response
• Compliance management

Strategic:
• Development of long-term security strategies and roadmaps
• Alignment of security initiatives with business goals and objectives
• Collaboration with other teams, such as the incident response team, to ensure a coordinated and effective approach to security
• Management of security budgets and resources
• Regular reporting and communication of security posture to executive leadership and stakeholders
• Risk assessment and management
• Security architecture design and review
• Vendor and third-party risk management
• Cybersecurity strategy development and review
• Collaboration with industry partners and law enforcement agencies on cybersecurity issues

Security Operations Maturity


Assess

Clear communication is the key

The SOC is the single pane of glass, which definitely requires a transparent and clear communication strategy.

Problem = Disjoint teams and no communication
Solution = Collaboration through transparent communication

(Diagram: SOC Management at the centre, linked to Vulnerability Management, Operations Management, Incident Response and Threat Intelligence.)

Communication Best Practices
1. Security operations should not be handled haphazardly; consistent and transparent communication should be maintained.
2. Create an open and accessible channel of communication within the threat collaboration space.
3. Set up a central web/knowledge portal that is easily accessible throughout the threat collaboration space, where you can store cookbooks, SOPs, guides, policies, metrics, tools, etc.
4. Organize regular meetings with key personnel from the various working teams (VM, SIEM, TH, CTI, AppSec, Security Architecture) to discuss issues, share objectives, and communicate operational procedures related to their individual roles.

Benefits of internal collaboration
1. Improved communication
2. One organization, one goal
3. Improved revenue growth
4. Improved knowledge sharing
5. Increased productivity
6. Increased problem-solving ability
7. Increased operational efficiency
Assess

Identify and document security obligations

Process:
1. Identify stakeholders
2. Brainstorm security obligations
   1. Business obligations
   2. Customer obligations
   3. Regulatory obligations
   4. Other obligations
3. Discuss
   1. Identify which business/customer/regulatory obligations apply.
   2. How will they affect SOC processes and priorities?
   3. How to solve them?
4. Log them as requirements
Assess

Identify threats to your organization

Process:
1. Brainstorm threats, Low to Critical
2. Identify critical assets in your organization
3. Identify crown-jewel data in your organization
4. Discuss what the threats to your critical assets and data could be
   1. Consider past incidents in your organization
   2. Consider incident case studies from other organizations
   3. Consider threat modelling techniques
   4. Consider talking to the threat intelligence team (in-house or vendor)
Assess

4 core elements of a successful SOC division

People – Team management: retain and motivate resources. Provide a clear career path and in-house and external training, along with CTFs, incentives and a reward program.

Process – Standard Operating Procedures; daily operations and workflow management; success measurement: write and maintain policies, workflows, procedure documents, cookbooks and table-top exercises. Implement and measure the key success criteria for the program using KPIs and OKR methods.

Technology – Prevention, Detection, Analysis, Response: enable all prevention and detection technologies, and implement processes for analysis and escalation with response capabilities. Provide visualization and dashboards.

Services – What services can you provide: based on the maturity of the SOC, which services it can provide or integrate. Threat intel, threat hunting, security monitoring, vulnerability management, etc.
Assess

People

SOC roles (those marked Minimum are the baseline team):
• Threat Intelligence Analyst (Minimum)
• Incident Responder
• Malware Analyst
• SOC Analyst (L1, L2, L3) (Minimum)
• eDiscovery and Forensics Examiner
• CISO (Minimum)
• SOC Manager (Minimum)
• VM Analyst
• External 3rd Parties
Assess

People Challenges in SOC

• Deliver 24*7*365 coverage: how you are going to rotate shifts to avoid burnout and keep the team engaged.
• Determine how many head count are actually needed: create a head count after analysis and also think about budget allocation. Get approval from management. Align business need with the head count.
• Burnout problem: the SOC is a scale problem, with a large amount of repetitive work and a huge amount of big data. As a manager, you need to solve the burnout problem.
• Keep people motivated all the time in spite of repetitive work: develop a learning mindset, look at the bigger picture, incentives, long-term learning, attention to detail, out-of-work learning, etc.
• Set proper separation of duties: prepare a specific and detailed RACI matrix and allocate responsibilities to avoid duplication of work.
• Training and development ROI: how much and when you are investing in training, and how you are setting S.M.A.R.T. goals to put that knowledge into real practice. Think of the return you will get on your investment in training.
• Understanding and meeting stakeholder requirements: if you don't know what they need, you can't deliver. Understand their needs, align business requirements with SOC drivers, and define the key metrics to deliver before starting the process.
Assess

Process

Core SOC Processes:
● Incident Response
● Threat Hunting and Intelligence
● Vulnerability Management
● Security Monitoring
● Compliance and Governance

SOC Process Drivers:
● Use case management
● Detection engineering
● Integration
● Quality assurance
● Dashboards and visualization

Frameworks & Methods:
● SOC-CMM
● NIST CSF
● Threat modelling
● TaHiTI (Targeted Hunting integrating Threat Intelligence)
● Other...

Select, Prepare, Use


Assess

Gauge your current progress with the technological checklist

Prevent (perimeter / network):
❑ NF
❑ WAF
❑ VPN
❑ IDS
❑ Antivirus
❑ DLP
❑ IAM
❑ NAC
❑ Web gateway
❑ Email gateway
❑ Anti-DDoS
❑ Etc.

Detect:
❑ Network logging
❑ System logging
❑ AV logging
❑ Log management software
❑ IDS
❑ Threat intelligence feeds
❑ Etc.

Analyze:
❑ Sandboxing
❑ Ticketing system
❑ Automation
❑ eDiscovery
❑ Analysis tools
❑ Static & dynamic malware analysis
❑ Netflow analysis
❑ Etc.

Respond:
❑ IP/domain blocking
❑ Endpoint containment
❑ Filtering
❑ Proxy blocking
❑ Etc.

For each tool, identify, discuss, and document the following (if applicable):
1. Using?
2. Integration/automation capability?
3. Priority?
4. Use case management?
5. Maturity of the implementation?
6. Maturity of the usage?
Assess

Technology challenges

• False positive management
• Risk/threat-based prioritization
• Cost challenges while increasing visibility
• Log collection and integration
• Log normalization
• Log storage and capabilities
• Reliability
• Keeping up to date with new cyber trends
• Performance monitoring and optimization
• Upgrades and management
• Customization and configuration
Assess

Services that can be integrated/provided through the SOC

• Security Monitoring
• Security Incident Management & Response
• Security Analytics
• Threat Hunting
• Vulnerability Management
• Threat Intelligence
• Log Management
• Security Governance
• Security Compliance


Assess

Putting all together – People > Process > Technology > Service

https://www.soc-cmm.com/downloads/SOCTOM%20whitepaper.pdf
Assess

SOC should cover the layered defense model

Layers: External Perimeter, Internal Network, Host, Application, Data, Operational

1. Define attack possibilities on each layer.
2. Discuss possible attacks/threats on each layer based on the target device.
3. Discuss what devices/solutions can potentially provide log information.
4. Log the information in the workbook for later implementation.
Assess

Perform SOC Maturity Assessment

SOC-CMM's Maturity Assessment Tool

https://www.soc-cmm.com/
Your feedback is necessary

sarahah.top/u/chintangurjar
Phase 2: Design your target SOC state
Design

Overview – Design your target state

Activities to be performed
● Now you know your gaps
● Design the ideal target state
● Optimize your security operations people, processes and technologies
● Prioritize your gap initiatives

Results
● A defined security posture and gap list
● Identified optimization opportunities
● An ideal target state (where you want to be)
● Formalized security operation SOPs

Benefits – this activity will enable you to:
● Identify planning gaps specific to your organization's threat landscape.
● Formalize the implementation process with an official policy and guide.
Design

Overview – Design your target state

Follow the below process to design your ideal target SOC

1. Gather the overall goals and objectives of the organization

2. Know the current state of the organization's security posture


3. Know the organization's compliance requirements
4. Determine your organization's budget and resources
5. Follow industry best practices
Design

Gather the overall goals and objectives of the organization


• Describe the organization's mission, vision, strategies and values.
• Explain how the organization's goals and objectives align with its security
operations.
• Include any relevant formulas, methodologies, metrics, compliance (e.g., return on
investment, cost-benefit analysis, Business impact analysis) that can help
demonstrate the value of the ideal target SOC of the organization that you want to
develop.
• When drafting all these, it is important to organize it in a way that will make it easy
for the audience to comprehend and follow. Utilize a logical and straightforward
structure to arrange the information to ensure maximum clarity and
comprehension.
Design

Business requirements & SOC drivers

• Business requirement: High-quality customer service → SOC driver: should focus on ensuring the security and reliability of the systems and processes that support customer service.
• Business requirement: Become a leader in its industry → SOC driver: should focus on continually improving the security posture and resilience of the organization to maintain a competitive advantage.
• Business requirement: Provide transparency and accountability → SOC driver: should prioritize transparency in its communication and reporting, and accountability in its incident response processes.
• Business requirement: Increase revenue → SOC driver: should focus on minimizing the risk of security breaches and downtime that could disrupt business operations and damage the organization's reputation.
Design

Business requirements & SOC drivers (cont.)

• A healthcare organization's mission is to provide high-quality patient care → The SOC's goals and objectives should focus on ensuring the security and reliability of the systems and processes that support patient care, such as electronic health records and telemedicine platforms.
• A retail company's mission is to offer a wide range of products at competitive prices → The SOC's goals and objectives should focus on protecting the organization's e-commerce platform and customer data to prevent disruptions to online sales and maintain customer trust.
• A software company's vision is to become a leader in the industry by offering innovative products and services → The SOC's long-term objectives should focus on continuously improving the security posture and resilience of the organization to protect against emerging threats and maintain a competitive advantage.
• A financial services company's vision is to be the preferred choice for customers seeking investment and wealth management services → The SOC's long-term objectives should focus on protecting the organization's systems and data from threats such as cyber-attacks and data breaches to maintain customer trust and confidence.
Design

Business requirements & SOC drivers (cont.)

• A nonprofit organization's values include social responsibility and sustainability → The SOC's principles and practices should prioritize environmental sustainability in its operations, such as by implementing energy-efficient security controls and reducing paper consumption.
• A government agency's values include transparency and accountability → The SOC's principles and practices should prioritize transparency in its communication and reporting, and accountability in its incident response processes.
• A manufacturing company's goal is to increase efficiency and reduce costs → The SOC's outcomes should focus on implementing security controls that minimize the risk of disruptions to production and reduce the time and resources required for incident response.
• A professional services company's goal is to attract and retain top talent → The SOC's outcomes should focus on implementing security controls that protect the organization's systems and data from threats such as ransomware and data breaches, to maintain a positive employee experience and reduce the risk of turnover.
Design

Know the current state of the organization's security posture

• This was already completed in Phase 1 (Assess the current maturity state).
Design

Know the organization's regulatory and compliance requirements

• Data protection laws: such as the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Personal Data Protection Act (PDPA) in Singapore.
• Cybersecurity standards: such as the Payment Card Industry Data Security Standard (PCI DSS) for organizations that handle credit card transactions, the National Institute of Standards and Technology (NIST) Cybersecurity Framework for federal agencies in the United States, and the Cybersecurity Law in China.
• Industry-specific regulations: such as the Health Insurance Portability and Accountability Act (HIPAA) for healthcare organizations in the United States, the Gramm-Leach-Bliley Act (GLBA) for financial institutions in the United States, and the Basel III regulatory framework for banks internationally.
• Information security management systems: such as the ISO/IEC 27001 standard for information security management systems.
• Network and infrastructure security: such as the Federal Information Processing Standard (FIPS) 140-2 for cryptographic modules (since superseded by FIPS 140-3) and the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Assessment Tool (CMAT) for federal agencies in the United States.
Design

Know the organization's regulatory and compliance requirements (cont.)

• Endpoint security: such as the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) for federal agencies in the United States.
• Cloud security: such as the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) and the ISO/IEC 27017 standard for cloud security.
• Application security: such as the Open Web Application Security Project (OWASP) Top Ten and the ISO/IEC 27034 standard for application security.
• Physical security: such as the National Institute of Standards and Technology (NIST) Physical Security Handbook.
Design

Determine your organization's budget and resources

• Describe the organization's resources available to allocate to its security operations, including people, tools, infrastructure, support and maintenance.
• Explain how these resources align with the organization's goals and objectives or the business's requirements.
• Identify any areas where additional resources may be needed to support the target SOC.
• Identify how existing resources can be utilized through time allocation, priority setting, cross-team training and functioning.
Design

All the SOC best practices you need so far

❑ Developing a clear security strategy
❑ Implementing robust security monitoring and detection capabilities
❑ Establishing effective communication and collaboration
❑ Ensuring the SOC team has the necessary skills and resources
❑ Establishing regular testing and training
❑ Providing adequate staffing and coverage
❑ Ensuring that all security-related information is documented
❑ Continuous improvement through process engineering
❑ Establishing clear roles and responsibilities
❑ Ensuring that the SOC has the necessary tools and technologies
❑ Establishing incident response protocols
❑ Measuring and reporting on the effectiveness of the SOC
❑ Implementing a security information and event management (SIEM) system
❑ Maintaining up-to-date knowledge of the threat landscape
❑ Establishing strong partnerships with cybersecurity vendors
❑ Providing regular training and education to the SOC team
❑ Defining the scope and purpose of the SOC
❑ Implementing a centralized management and monitoring system
❑ Ensuring compliance with relevant regulations and standards
❑ Fostering a culture of security
Design

Consider the following when refining or reconfiguring security operations

People
❑ Will staffing levels be altered?
❑ Will certain individuals be assigned to different job titles or roles?
❑ How will personnel be organized in the new structure?
❑ Is relocation to one location necessary, and will this be feasible?
❑ Will reporting relationships be adjusted?
❑ How can performance measurements be unified across teams and departments to ensure alignment with the business objectives?
❑ Will career paths be affected, and if so, how?

Process
❑ What processes need to be put in place to enable knowledge sharing so that all analysts can quickly access known errors and resolve problems?
❑ How can procedures be documented in a way that will ensure proper escalation of processes?
❑ Are any changes needed to the ticket classification and prioritization schemes?
❑ What is the best way for tickets to be submitted?
❑ How will resolution be defined, and how will users be notified of the resolution?

Technology
❑ Is the current tool customizable?
❑ Can it be integrated with necessary non-IT systems?
❑ Does the tool have the capability to accommodate a bigger user base?
❑ Will the tool cover all the areas, departments, and technologies required after consolidation?
❑ What measures must be taken to migrate existing data to the new tool?
❑ What implementation or configuration expenses should be anticipated?
❑ What kind of training is essential for proper usage of the tool?
❑ What other new tools and technologies will be necessary to sustain the optimized state of security operations?
Design

Optimize SOC Technically

❑ Provide a centralized dashboard with threat analytics data.
❑ Automate L1 tasks (collection, parsing, storage, triage, ticket creation, automated sandboxing, escalation, etc.)
❑ Only onboard the logs a use case needs; don't add log sources purely to increase visibility without use case management and quality-control checks on the logs
❑ Work with use case management only
❑ Use tags everywhere for asset, data, owner and location classification
❑ Enable SIEM workflows and write playbooks to automate complex requirements
❑ Tune platforms, logs, and any other data that gives actionable insights
❑ Define service level agreements (SLAs) with customers or internal stakeholders
❑ Automate operational/'respond' tasks
  ❑ Cross-product orchestration/integration
  ❑ Delete file
  ❑ Network isolation
  ❑ Kill process
  ❑ Reboot/Shutdown
  ❑ Start/Stop Windows services
  Gate the destructive actions (isolation, kill, reboot/shutdown) behind a confidence threshold and an exclusion list of business-critical assets, and log every automated action so it can be reviewed and reversed.
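As an added example (this is not code from the workshop deck or from SOC-CMM), the following Python sketch shows an automated L1 triage playbook of the kind the list above describes: alerts are accepted only if they map to a catalogued use case, deduplicated, enriched with asset tags (owner, site, criticality tier, role), scored, and routed to a response action, with a guardrail that refuses to auto-isolate database hosts and escalates to L2 instead. The asset inventory, use-case catalogue, thresholds, weights and the alert batch are all constructed for illustration.

```python
"""Added example: use-case-driven L1 triage playbook with tag enrichment,
scoring and guarded automated response. Asset tags, use cases, thresholds
and alerts are constructed for illustration, not taken from any real SOC."""
from dataclasses import dataclass, field

# Constructed asset inventory keyed by IP: owner, site, criticality tier, role.
ASSET_TAGS = {
    "10.0.1.15": {"owner": "finance", "site": "london", "tier": "crown-jewel", "role": "db"},
    "10.0.2.40": {"owner": "it", "site": "london", "tier": "standard", "role": "workstation"},
    "10.0.3.7": {"owner": "eng", "site": "auckland", "tier": "standard", "role": "build"},
}
UNKNOWN_TAGS = {"owner": "unknown", "site": "unknown", "tier": "standard", "role": "unknown"}

# Constructed use-case catalogue: an alert outside it is not triaged at all.
USE_CASES = {
    "UC-001": {"name": "Credential stuffing on VPN", "base": 40},
    "UC-002": {"name": "Ransomware precursor: mass file rename", "base": 70},
    "UC-003": {"name": "Beaconing to known C2", "base": 60},
}

TIER_WEIGHT = {"crown-jewel": 30, "standard": 15}   # assumed asset-criticality bonus
ISOLATE_THRESHOLD = 85                              # assumed: auto-isolate at/above this
TICKET_THRESHOLD = 50                               # assumed: below this is closed as noise
NO_AUTO_ISOLATE_ROLES = {"db"}                      # guardrail: never auto-isolate databases


@dataclass
class Alert:
    alert_id: str
    use_case: str
    host: str
    confidence: int                 # 0-100, reported by the detection
    tags: dict = field(default_factory=dict)
    score: int = 0
    action: str = "none"
    reason: str = ""


def enrich(alert):
    """Attach asset tags; unknown hosts get placeholder tags rather than being dropped."""
    alert.tags = ASSET_TAGS.get(alert.host, UNKNOWN_TAGS)
    return alert


def score(alert):
    """Use-case base weighted by detection confidence, plus asset criticality."""
    base = USE_CASES[alert.use_case]["base"]
    alert.score = min(100, int(base * alert.confidence / 100) + TIER_WEIGHT[alert.tags["tier"]])
    return alert


def decide(alert):
    """Map the score to a response action, with the database guardrail applied."""
    if alert.score >= ISOLATE_THRESHOLD:
        if alert.tags["role"] in NO_AUTO_ISOLATE_ROLES:
            alert.action, alert.reason = "escalate_l2", "auto-isolate blocked by guardrail"
        else:
            alert.action, alert.reason = "isolate_host", "score at/above isolate threshold"
    elif alert.score >= TICKET_THRESHOLD:
        alert.action, alert.reason = "open_ticket", "score at/above ticket threshold"
    else:
        alert.action, alert.reason = "close_noise", "score below ticket threshold"
    return alert


def triage(alerts):
    """Keep catalogued use cases only, dedupe on (use case, host), then enrich/score/decide."""
    seen, results = set(), []
    for alert in alerts:
        if alert.use_case not in USE_CASES:
            continue                       # no use case, no triage
        key = (alert.use_case, alert.host)
        if key in seen:
            continue                       # duplicate of an alert already handled
        seen.add(key)
        results.append(decide(score(enrich(alert))))
    return results


# Constructed alert batch for a single run.
SAMPLE_ALERTS = [
    Alert("A1", "UC-002", "10.0.1.15", 90),    # crown-jewel DB: high score, guardrail applies
    Alert("A2", "UC-002", "10.0.3.7", 100),    # build host: isolate
    Alert("A3", "UC-001", "10.0.2.40", 50),    # low confidence: noise
    Alert("A4", "UC-002", "10.0.3.7", 100),    # duplicate of A2
    Alert("A5", "UC-999", "10.0.2.40", 100),   # no use case: not triaged
    Alert("A6", "UC-003", "192.168.9.9", 80),  # unknown host: ticket
]


def run(alerts=SAMPLE_ALERTS):
    """Return {alert_id: (action, score)} for every alert that survived triage."""
    return {a.alert_id: (a.action, a.score) for a in triage(alerts)}


if __name__ == "__main__":
    for alert_id, (action, s) in run().items():
        print(f"{alert_id}: score={s} action={action}")
```

With the constructed batch, A4 and A5 never reach the scoring stage, A1 reaches the isolate threshold but the database guardrail turns it into an L2 escalation, and A6 is still ticketed even though the host is not in the inventory, which is the behaviour you want from an enrichment step that treats a missing tag as a finding rather than a reason to drop the alert.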
Phase 3: Develop an implementation roadmap
Implement

Overview – Develop an implementation roadmap

Activities to be performed
● Present your argument to management in order to create an effective sourcing strategy.
● Assign roles and duties in the implementation plan.
● Develop a comprehensive program to measure progress.

Outcomes
● Establishing a formal agreement with stakeholders to secure their backing
● Creating a comprehensive approach to acquiring materials and resources
● Allocating specific roles and tasks to personnel involved in the project
● Producing a timeline with the most important goals and objectives listed first
● Developing a system to track progress and make necessary adjustments

Key Benefits
● Support your decision to implement a security operations program with the approval of stakeholders.
● Identify the appropriate sourcing strategy and subsequent SLAs.
● Formalize the implementation process with an official and prioritized roadmap.
Implement

Create a RACI Matrix for SOC initiatives

A RACI matrix is a tool used in project management to assign roles and responsibilities to team members for the completion of specific tasks or objectives. It stands for Responsible, Accountable, Consulted, and Informed.

Define all the SOC roles and responsibilities, along with specific initiatives, objectives, goals and tasks, and log them into the RACI matrix.

After this, use a project charter document to formalize everything.

Identify stakeholders that are:

◦ Responsible: This person is responsible for completing the task. There can be multiple people with this role for a single task.

◦ Accountable: This person is ultimately accountable for the successful completion of the task. There should only be one person with this role for each task.

◦ Consulted: These are the people who need to be consulted before the task can be completed. They may have expertise or information that is necessary for the task to be done effectively.

◦ Informed: These are the people who need to be kept informed about the task, but are not directly involved in its completion.
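As an added example (not from the workshop deck), the following Python script checks a RACI matrix against the two rules stated above, exactly one Accountable per task and at least one Responsible, and tallies R/A load per role so an overloaded SOC Manager or an idle role shows up before the charter is signed. The roles, tasks and assignments are constructed; two of the tasks are deliberately wrong to show the checks firing.

```python
"""Added example: validate a RACI matrix against the rules on the slide
(exactly one Accountable per task, at least one Responsible) and show
per-role R/A load. Roles, tasks and assignments are constructed."""
from collections import Counter

VALID_LETTERS = {"R", "A", "C", "I"}

# Constructed SOC roles and initiative-level RACI assignments.
ROLES = ["CISO", "SOC Manager", "L1 Analyst", "L2 Analyst", "Detection Engineer"]

RACI = {
    "Onboard new log source":      {"Detection Engineer": "R", "SOC Manager": "A", "L2 Analyst": "C", "CISO": "I"},
    "Tune false positives":        {"L2 Analyst": "R", "Detection Engineer": "R", "SOC Manager": "A", "L1 Analyst": "C"},
    "Quarterly executive report":  {"SOC Manager": "R", "CISO": "A", "L2 Analyst": "C"},
    "Shift handover procedure":    {"L1 Analyst": "R", "L2 Analyst": "A", "SOC Manager": "A"},  # two A's: invalid
    "Maintain use-case catalogue": {"SOC Manager": "A", "L1 Analyst": "I"},                       # no R: invalid
}


def validate(matrix, roles=ROLES):
    """Return {task: [issues]} for tasks that break the RACI rules; an empty dict means valid."""
    problems = {}
    for task, assignment in matrix.items():
        issues = []
        for role, letter in assignment.items():
            if role not in roles:
                issues.append(f"unknown role '{role}'")
            if letter not in VALID_LETTERS:
                issues.append(f"invalid letter '{letter}' for {role}")
        accountable = [r for r, l in assignment.items() if l == "A"]
        responsible = [r for r, l in assignment.items() if l == "R"]
        if len(accountable) != 1:
            issues.append(f"{len(accountable)} Accountable (exactly one required)")
        if not responsible:
            issues.append("no Responsible assigned")
        if issues:
            problems[task] = issues
    return problems


def workload(matrix, roles=ROLES):
    """Count R and A assignments per role as (R, A) to spot overloaded or idle roles."""
    load = {role: Counter() for role in roles}
    for assignment in matrix.values():
        for role, letter in assignment.items():
            if role in load and letter in ("R", "A"):
                load[role][letter] += 1
    return {role: (c["R"], c["A"]) for role, c in load.items()}


def render(matrix, roles=ROLES):
    """Plain-text table: one row per task, one column per role, '-' where unassigned."""
    width = max(len(t) for t in matrix) + 2
    lines = ["".ljust(width) + "".join(r[:10].ljust(12) for r in roles)]
    for task, assignment in matrix.items():
        lines.append(task.ljust(width) + "".join(assignment.get(r, "-").ljust(12) for r in roles))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(RACI))
    for task, issues in validate(RACI).items():
        print(f"INVALID: {task}: {'; '.join(issues)}")
    for role, (r, a) in workload(RACI).items():
        print(f"{role}: R={r} A={a}")
```

Running it flags the two broken rows and shows the SOC Manager accountable for four of the five tasks, which is the kind of concentration the separation-of-duties discussion in the People section is meant to surface.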
Implement

Identify drivers of continual improvement (revisit every 6 months)

Drivers feeding continual improvement:
• Regulation change
• Technology advances
• Threat landscape
• Management reviews
• Budget
• New staff
• Organization structure
• Technology
• Audits
• Process or maturity assessments
Phase 4: Provide comprehensive reporting
Report

Factors that can change the way you report

● Type of audience (Strategic, Operational, Technical)
● Type of service (In-house SOC, MSSP)
● Type of activities (SOC is big, what are you doing?)
● Type of company (Industry, Consulting)
● Type of project (One off, Short term, Yearly, Compliance requirement)
● Project duration (Yearly, Reoccurring, Short term, Long term)
● Metrics agreed upon (What you can do vs. what they want)
● Frequency of the reports (Daily, Weekly, Monthly, Quarterly, Yearly)
● Format of report (PPT, Excel, Word, Automated through Portal)
● Compliance (What compliance is chosen)
Report

SOC Reporting by Audience


For the strategic audience:
• An overview of the key security risks and challenges facing the client, and how the SOC is addressing these risks and challenges.
• A summary of the key security metrics and performance indicators for the quarter, such as the number and severity of security
incidents, the effectiveness of security controls, and the level of compliance with security standards and regulations.
• An overview of the key security trends and developments, such as new technologies, threats, and regulations, and how they are
affecting the client's security posture.

For the operational audience:
• A detailed description of the security services provided by the SOC during the quarter, including the scope of the services, the
key activities and tasks performed, and the outcomes achieved.
• An overview of the security operations and processes in place, and how they are being used to detect, investigate, and respond
to security incidents.
• A description of the security tools and technologies used by the SOC, and how they are being used to monitor and protect the
client's systems and networks.

For the technical audience:
• A detailed description of the security controls and monitoring systems in place, including the technologies used and the
specific security policies and rules that are being enforced.
• A description of any security vulnerabilities or threats that were identified during the quarter, and the actions taken to address
them.
• A summary of any security updates, patches, or other changes made to the client's systems and networks during the quarter,
and an assessment of their impact on the security posture.
Report

Reporting by Activities
• Summary of all security incidents and response activities.
• Summary of risk assessment and vulnerability scans.
• Summary of security policy and procedure enforcement.
• Summary of patch management and application updates.
• Summary of network and system monitoring activities.
• Summary of user training and awareness activities.
• Summary of user access control and privileges.
• Summary of security architecture status and security events.
• Summary of security posture and performance metrics.
• Summary of security incident management process.
• Summary of security incident response and remediation activities.
• Summary of security audits and compliance activities.
• Summary of third-party vendor assessment and risk management.
• Summary of physical security measures and access control.
• Summary of incident response and forensics activities.
Report

Reporting by frequency of sending

Daily reports
• Summary of key events and incidents that occurred during the day
• Status of ongoing investigations and remediation efforts
• Summary of security controls that have been tested or are being monitored
• Status of security projects and initiatives

Weekly reports
• Summary of key events and incidents that occurred during the week
• Status of ongoing investigations and remediation efforts
• Metrics on the number of alerts, incidents, and false positives
• Trends in attack types and vectors
• Status of security controls and their effectiveness
Report

Reporting by frequency of sending cont.

Monthly reports
• Summary of key events and incidents that occurred during the month
• Trend analysis of security metrics over the past month
• Review of security policies and procedures, including any updates or changes
• Status of security projects and initiatives
• Summary of security training and awareness efforts

Yearly reports
• Summary of key events and incidents that occurred during the year
• Trend analysis of security metrics over the past year
• Review of security policies and procedures, including any updates or changes
• Status of security projects and initiatives
• Summary of security training and awareness efforts
• Review of incident response plans and procedures
• Summary of security risk assessment results
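The weekly and monthly reports above ask for alert and incident counts, false-positive numbers, attack-vector trends and period-over-period trend analysis. The following added example, which is not the deck's own tooling, computes those figures from a handful of constructed alert records; the record fields (opened, closed, severity, vector, outcome) are assumptions chosen for the example, and the caller picks the reporting window, so the same function serves daily, weekly or monthly reports.

```python
"""Compute the metrics a SOC weekly/monthly report draws on.

Added example, not from the original deck. Every alert record below is a
constructed sample; the field names are an assumption for this example.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alerts. outcome is "incident" (true positive) or
# "false_positive"; closed is None while an investigation is still open.
ALERTS = [
    {"id": 1, "opened": "2024-03-04T08:10", "closed": "2024-03-04T10:40", "severity": "high",   "vector": "phishing",   "outcome": "incident"},
    {"id": 2, "opened": "2024-03-04T11:00", "closed": "2024-03-04T11:20", "severity": "low",    "vector": "scanning",   "outcome": "false_positive"},
    {"id": 3, "opened": "2024-03-05T14:30", "closed": "2024-03-06T09:00", "severity": "medium", "vector": "malware",    "outcome": "incident"},
    {"id": 4, "opened": "2024-03-06T02:15", "closed": None,               "severity": "high",   "vector": "credential", "outcome": "incident"},
    {"id": 5, "opened": "2024-03-07T16:45", "closed": "2024-03-07T17:05", "severity": "low",    "vector": "scanning",   "outcome": "false_positive"},
    {"id": 6, "opened": "2024-03-08T09:00", "closed": "2024-03-08T12:00", "severity": "medium", "vector": "phishing",   "outcome": "incident"},
    # previous week, used only for the trend comparison
    {"id": 7, "opened": "2024-02-27T10:00", "closed": "2024-02-27T18:00", "severity": "high",   "vector": "malware",    "outcome": "incident"},
    {"id": 8, "opened": "2024-02-28T10:00", "closed": "2024-02-28T10:30", "severity": "low",    "vector": "scanning",   "outcome": "false_positive"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def in_period(alert, start, end):
    """True when the alert was opened inside [start, end)."""
    return start <= _ts(alert["opened"]) < end


def summarize(alerts, start, end):
    """Headline metrics for one reporting period (the window is the caller's choice)."""
    scoped = [a for a in alerts if in_period(a, start, end)]
    incidents = [a for a in scoped if a["outcome"] == "incident"]
    fps = [a for a in scoped if a["outcome"] == "false_positive"]
    closed = [a for a in incidents if a["closed"]]
    # mean time to resolve, in hours, over incidents that have been closed
    ttr = [(_ts(a["closed"]) - _ts(a["opened"])).total_seconds() / 3600 for a in closed]
    return {
        "alerts": len(scoped),
        "incidents": len(incidents),
        "open_investigations": len(incidents) - len(closed),
        "false_positive_rate": round(len(fps) / len(scoped), 3) if scoped else 0.0,
        "by_severity": dict(Counter(a["severity"] for a in incidents)),
        "by_vector": dict(Counter(a["vector"] for a in incidents)),
        "mttr_hours": round(sum(ttr) / len(ttr), 2) if ttr else None,
    }


def trend(current, previous, keys=("alerts", "incidents", "false_positive_rate")):
    """Period-over-period deltas for the headline numbers (the trend-analysis bullet)."""
    return {k: round(current[k] - previous[k], 3) for k in keys}


def weekly_report(alerts, week_start):
    """This week's summary plus its trend against the previous week.

    week_start is an ISO date string ("YYYY-MM-DD") for the Monday of the week.
    """
    start = datetime.strptime(week_start, "%Y-%m-%d")
    this_week = summarize(alerts, start, start + timedelta(days=7))
    last_week = summarize(alerts, start - timedelta(days=7), start)
    return {"period": this_week, "trend_vs_previous": trend(this_week, last_week)}


if __name__ == "__main__":
    import json
    print(json.dumps(weekly_report(ALERTS, "2024-03-04"), indent=2))
```

Open investigations are reported separately from MTTR on purpose: averaging only closed incidents keeps the number honest, but a growing open count is the signal that the queue is outpacing the team, which is exactly what a weekly status report is meant to surface.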
Project Execution Summary

● Why build SOC?
● Identify obligations
● Collaborate to improve organization's state of knowledge
● Identify critical threats to your organization
● Identify specific technology and tool requirements

● Use the security operations project charter to formalize the initiative
● Determine initiative start and end times, and assign responsibility
● Perform security posture analysis
● Assess the SOC maturity of client
● Define RACI matrix

● Start executing project in quarterly phases
● Provide reporting on quarterly basis
● Improve SOPs and relevant documents
● Get feedback & suggestions
● Repeat the entire process
Define initiative start and end date with responsibilities

Questions to think about:

• Does this roadmap align with the goals of our organization?
• Are we dedicating adequate resources to each quarter?
• Is the proposed implementation the most practical option?
• Should any initiatives be rescheduled for a different quarter due to resource constraints?
• Are there any major organizational shifts planned in the near future that could affect the project?
Contact Me:
Your feedback is necessary
[email protected]
@iamthefrogy
sarahah.top/u/chintangurjar
Chintan Gurjar