Exert effort to assure the right people are involved for your SOC.
Identify the business relevance for security operations.
Identify the assets to protect.
After determining what systems exist, identify business continuity and operational requirements.
Organizational definition of success for the SOC.
Metrics and service level objectives.
Method is in place to quantitatively assess the impact of an incident for reporting from the SOC.
Catalogue of who does (and perhaps doesn't) get service from the SOC.
Multi-SOC architecture considered both within the organization and external to the organization. Liasons with ISACs, Law Enforcement, etc.
With the aggregated research, seek formal approval to build SOC.
Identify staff size and model, with appropriate outsourcing.
The SOC will surely be created after some security capability already exists. It might absorb existing function or staff, or operate in parallel.
Define what will be performed and how outsourcing will address the remaining operational needs. Identify SOC staff arrangement (specialists / generalists) and tiering. Account for 24x7 needs.
Define and document processes at appropriate level of specificity. This might be playbooks, standard operating procedures, etc.
Identify what technology is in place, and what is the best match for technology needs within the SOC.
With the staff hired, outsourced contracts created, processes defined, and technology purchased and installed, you can begin to operate.
The build phase will have created initial processes, but this must be iteratively improved.
Develop and enhance analytical methodology for analysts within the SOC. Cultivate a practice of objectivity, and consistent application of agreeed upon methodology.
Incident Handling may be a function of the SOC. Or, it might be an external outsourced capability. It could be a phase shift with the existing staff of the SOC. It might also be a different team within the organization. Rehearse the handoff to incident handling.
The SOC operating plan will express how the SOC performs work.
This catalogue is of incident response investigative and response actions, when they're advised, and how they are performed well.
There are a certain actions where data can be collected. Develop a defined set of investigation actions, technical implementations (perhaps multiple) and when to utilize.
Act through all deconfliction actions and verification of reported issue to establish issue existence and severity (impact per previously defined impact quantification method).
Execute actions for any type of containment or remediation (including resumption of normal operations).
Execute all procedures, or plays in the playbook with the appropriate degree of latitude (specificity) for practitioners to perform.
Perform actions to identify and investigate candidate issues.
Ingest threat intelligence, correlate, and provide insight to investigations and response.
Perform incident response (IR) on an ongoing basis.
Perform all forensic investigation work.
Monitor state of threats globally, and evaluate the organization's asset catalogue in light of known threats.
Develop and execute exercises.
Develop ongoing operational methodology for selection of optimal candidates for hiring into SOC.
Build a learning practice with existing staff, regardless of current skill level. Include opportunities for internal and external training and presentation.
Execute "Patch Now" or "Stand-down" tempo shift actions.
Annually (at least) perform a SOC-CMM self-assessment and determine change. Recalibrate growth objectives and possibly operational objectives.
Perform threat hunting on ongoing basis.
Develop a response function with is capable of prolonged engangement with advanced adversaries when they are encountered. This is an advanced practice which will likely not be developed initially.
Above operational actions performed on an ongoing basis.
More details in the full chart.