SOC Build - Your Gantt Chart


SOC Build Book Forthcoming - Estimated October 2019


Establish Project

Exert effort to assure the right people are involved for your SOC.

Jan 1

SOC Requirements and Organizational Support

Identify the business relevance for security operations.

Jan 5

Protected Assets Defined

Identify the assets to protect.

Jan 10

Systems Operational Requirements Defined

After determining what systems exist, identify business continuity and operational requirements.

Jan 18

Success Factors

Organizational definition of success for the SOC.

Jan 25

Metrics / Service Level Objectives

Define the metrics and service level objectives the SOC will be measured against.

Feb 1

Standardized Rubric for Quantifying Impact

A method is in place to quantitatively assess the impact of an incident for reporting from the SOC.

Feb 20

Constituents defined

Catalogue of who does (and perhaps doesn't) get service from the SOC.

Jan 18

Relative position of this SOC

Multi-SOC architecture considered both within the organization and external to the organization. Liaisons with ISACs, law enforcement, etc.

Feb 28

Leadership Endorsement of Design objectives

With the aggregated research, seek formal approval to build SOC.

Jan 18

Start Building SOC

Mar 10

Staffing

Identify staff size and model, with appropriate outsourcing.

Jan 18

Organizational capabilities to absorb or interface

The SOC will almost certainly be created after some security capability already exists. It might absorb existing functions or staff, or operate in parallel with them.

Date: previous milestone plus 15 days

Structure

Define what will be performed and how outsourcing will address the remaining operational needs. Identify SOC staff arrangement (specialists / generalists) and tiering. Account for 24x7 needs.

Date: previous milestone plus 15 days

Processes

Define and document processes at an appropriate level of specificity. These might be playbooks, standard operating procedures, etc.

Date: previous milestone plus 15 days

Select and procure technology

Identify what technology is in place, and what is the best match for technology needs within the SOC.

Date: previous milestone plus 15 days

Begin SOC Operations

With the staff hired, outsourced contracts created, processes defined, and technology purchased and installed, you can begin to operate.

Date: previous milestone plus 15 days

Process Enhancement Methodology

The build phase will have created initial processes, but these must be iteratively improved.

Date: previous milestone plus 15 days

Analytical Methodology

Develop and enhance analytical methodology for analysts within the SOC. Cultivate a practice of objectivity and consistent application of the agreed-upon methodology.

Date: previous milestone plus 15 days

Interface to Incident Handling

Incident Handling may be a function of the SOC. Or, it might be an external outsourced capability. It could be a phase shift with the existing staff of the SOC. It might also be a different team within the organization. Rehearse the handoff to incident handling.

Date: previous milestone plus 15 days

Define Operating Plan with strategies and objectives

The SOC operating plan will express how the SOC performs work.

Date: previous milestone plus 15 days

Create a catalogue (knowledge base)

This catalogue covers incident response investigative and response actions: when they are advised, and how they are performed well.

Date: previous milestone plus 15 days

Enumerate possible investigative tasks

There are certain actions through which data can be collected. Develop a defined set of investigative actions, their technical implementations (perhaps multiple), and when to use each.

Date: previous milestone plus 15 days

Validation and Verification actions

Work through all deconfliction actions and verify the reported issue to establish whether it exists and its severity (impact per the previously defined impact quantification method).

Date: previous milestone plus 15 days

Define and execute all remediation actions

Execute actions for any type of containment or remediation (including resumption of normal operations).

Date: previous milestone plus 15 days

Procedures, Playbooks, Specificity

Execute all procedures, or plays in the playbook, with the appropriate degree of latitude (specificity) for practitioners to perform them.

Date: previous milestone plus 15 days

Execute all monitoring for detection

Perform actions to identify and investigate candidate issues.

Date: previous milestone plus 15 days

Threat Intelligence

Ingest threat intelligence, correlate, and provide insight to investigations and response.

Date: previous milestone plus 15 days

Incident Response

Perform incident response (IR) on an ongoing basis.

Date: previous milestone plus 15 days

Forensics

Perform all forensic investigation work.

Date: previous milestone plus 15 days

Self-Assessment

Monitor state of threats globally, and evaluate the organization's asset catalogue in light of known threats.

Date: previous milestone plus 15 days

Exercises

Develop and execute exercises.

Date: previous milestone plus 15 days

Hiring Staff

Develop an ongoing operational methodology for selecting optimal candidates for hiring into the SOC.

Date: previous milestone plus 15 days

Mentor and Train Staff

Build a learning practice with existing staff, regardless of current skill level. Include opportunities for internal and external training and presentation.

Date: previous milestone plus 15 days

Tempo Shift

Execute "Patch Now" or "Stand-down" tempo shift actions.

Date: previous milestone plus 15 days

Ongoing maturity assessment using SOC-CMM

Annually (at least) perform a SOC-CMM self-assessment and determine change. Recalibrate growth objectives and possibly operational objectives.

Date: previous milestone plus 15 days

Threat Hunting Practice

Perform threat hunting on an ongoing basis.

Date: previous milestone plus 15 days

APT Response Capability

Develop a response function which is capable of prolonged engagement with advanced adversaries when they are encountered. This is an advanced practice which will likely not be developed initially.

Date: previous milestone plus 15 days

Ongoing Operations

The operational actions above are performed on an ongoing basis.

Feb 26

Buy The Full Gantt Chart

More details in the full chart.
