Make a deliberate effort to ensure the right people are involved in planning your SOC.
SOC Requirements and Organizational Support
Identify the business relevance of security operations.
Protected Assets Defined
Identify the assets to protect.
Systems Operational Requirements Defined
After determining what systems exist, identify business continuity and operational requirements.
Organizational definition of success for the SOC.
Metrics / Service Level Objectives
Define the metrics and service level objectives by which the SOC will be measured.
Standardized Rubric for Quantifying Impact
A method is in place to quantitatively assess the impact of an incident for reporting from the SOC.
A catalogue of who does (and, just as importantly, who does not) receive service from the SOC.
Relative position of this SOC
Consider a multi-SOC architecture, both within the organization and with external parties. Establish liaisons with ISACs, law enforcement, etc.
Leadership Endorsement of Design Objectives
With the aggregated research, seek formal approval to build the SOC.
Start Building SOC
Identify staff size and model, with appropriate outsourcing.
Organizational capabilities to absorb or interface
The SOC will almost certainly be created where some security capability already exists. It might absorb existing functions or staff, or operate in parallel with them.
Define what will be performed in-house and how outsourcing will address the remaining operational needs. Identify the SOC staffing arrangement (specialists vs. generalists) and tiering. Account for 24x7 coverage needs.
Define and document processes at the appropriate level of specificity. These might be playbooks, standard operating procedures, etc.
Select and procure technology
Identify what technology is already in place and what best matches the SOC's technology needs.
Begin SOC Operations
With staff hired, outsourcing contracts in place, processes defined, and technology purchased and installed, you can begin to operate.
Process Enhancement Methodology
The build phase will have created initial processes, but these must be iteratively improved.
Develop and enhance the analytical methodology for analysts within the SOC. Cultivate a practice of objectivity and consistent application of the agreed-upon methodology.
Interface to Incident Handling
Incident handling may be a function of the SOC, an external outsourced capability, a phase shift for the existing SOC staff, or a different team within the organization. Rehearse the handoff to incident handling.
Define Operating Plan with strategies and objectives
The SOC operating plan will express how the SOC performs work.
Create a catalogue (knowledge base)
This catalogue covers incident response investigative and response actions: when they are advised and how they are performed well.
Enumerate possible investigative tasks
There are certain points at which data can be collected. Develop a defined set of investigative actions, their technical implementations (perhaps multiple), and when to use each.
Validation and Verification actions
Work through all deconfliction and verification of the reported issue to establish that the issue exists and determine its severity (impact per the previously defined impact quantification method).
Define and execute all remediation actions
Execute actions for any type of containment or remediation, including resumption of normal operations.
Procedures, Playbooks, Specificity
Execute all procedures, or plays in the playbook, with the appropriate degree of latitude (specificity) for practitioners to perform them.
Execute all monitoring for detection
Perform actions to identify and investigate candidate issues.
Ingest threat intelligence, correlate, and provide insight to investigations and response.
Perform incident response (IR) on an ongoing basis.
Perform all forensic investigation work.
Monitor state of threats globally, and evaluate the organization's asset catalogue in light of known threats.
Develop and execute exercises.
Develop an ongoing operational methodology for selecting optimal candidates for hiring into the SOC.
Mentor and Train Staff
Build a learning practice with existing staff, regardless of current skill level. Include opportunities for internal and external training and presentation.
Execute "Patch Now" or "Stand-down" tempo shift actions.
Ongoing maturity assessment using SOC-CMM
At least annually, perform a SOC-CMM self-assessment and determine what has changed. Recalibrate growth objectives and possibly operational objectives.
Threat Hunting Practice
Perform threat hunting on an ongoing basis.
APT Response Capability
Develop a response function which is capable of prolonged engagement with advanced adversaries when they are encountered. This is an advanced practice that will likely not be developed initially.
The above operational actions are performed on an ongoing basis.