Securing the Digital World

Revisiting the SOC Structure

Nov 02, 2016 | by Prashant Mishra |


Building and maintaining skill sets and expertise in a SOC is a difficult task, and many security leaders face this challenge. They are not able to retain the best talent for the long term. There are too many tools to invest in, too many alerts that pop up once the tools are deployed, and not enough people to triage the alerts or manage the tools. The traditional L1/L2/L3 tiered approach does not help retain talent either: L1 and L2 analysts who spend their days assessing the same alerts get bored quickly and, sooner or later, start looking for new jobs.

A better approach to managing talent within a SOC is to organize by role rather than by level. The SOC team would then be made up of the following functions:

  • Monitoring team - Watch and review the incident dashboards and triage what they show.
  • Content team - Develop new detection rules, create signatures, and tune existing content to reduce noise.
  • Threat Intelligence - Proactively identify and create new indicators that are specific to the local environment.
  • Hunting team - Look for indicators and behaviors of compromise by exploring the collected data, rather than waiting for an alert to fire.
  • Incident Response - Investigate and contain incidents when they happen.
  • Red, Blue and Purple teams - Proactively find threats, test the defenses, and ensure there is proper collaboration between the attacking and defending sides.

This "team" and "role" approach adds capabilities that the traditional tiered structure, which has existed for decades, does not have. It takes time and focus to implement, and it becomes easier as each of these functions is added. A phased approach is better than a big-bang approach.

All members of the SOC team should be rotated through the different roles across these teams. This builds skill sets, helps retain talent, and provides backup for the expertise of critical team members so that no single person becomes a bottleneck. In the past, some organizations may have outsourced these functions; by taking the approach described above, you can bring these capabilities in-house and gain more control over your SOC.