Rook Security Guest Post: 10 Keys to Building a Next Generation SOC

This is a guest post from J.J. Thompson, Founder and CEO at Rook Security, a global provider of IT security solutions. You can contact Rook at or follow them on Twitter @rooksecurity.

The next generation Security Operations Center (SOC) faces tough challenges. It needs to meet the IT security requirements that protect the business, remain nimble enough to address emerging threats immediately, and be pragmatic in prioritizing activities and investments.

Whether you’re setting up your own SOC or working with a provider, below are 10 keys to setting your security team on a track for success with a next generation SOC.

1) Visibility. The #1 responsibility of security teams is to detect and respond to attacks. To do this, the SOC needs data and visibility to identify legitimate attacks, the nature of attacks, and different attack types. This requires that Tier 1 baseline controls be put in place and the associated tools from companies like Alert Logic are properly deployed.

2) Intelligence. Real threat intelligence ties human analysts to metadata about attacker profiles, attack signatures, attack timing, Internet advanced warning indicators, and target information, including:

  • What kind of data is on the host
  • What is it connected to
  • What is its current posture
  • What could potentially be exploited
  • What are recent attack patterns
  • Where did they originate

When armed with this intelligence, a SOC can provide predictive analysis, early warning, and mitigate threats before or during an attack while also effectively communicating with the executive team and others.

3) Resource throttling. Security processes as well as threats can affect many parts of the business, so smart executives look for end-to-end solutions and processes that can be dialed up and dialed back to meet changing business and security requirements.

4) Outcome-based metrics. All metrics are not created equal. The best SOCs track and share metrics that can help the business understand when it needs to change behavior or adjust security resources. For example, it’s no longer sufficient just to provide the total count of identified vulnerabilities as that doesn’t map to an outcome or adjustment. Instead, a next generation SOC should report on:

  • Net new vulnerabilities (newly discovered since the last scan)
  • Exempted vulnerabilities (known, but risk accepted)
  • Carried forward vulnerabilities (previously identified, but still unresolved)

Each of these is due to a different root cause, and therefore requires a different path to resolution. A raw count of vulnerabilities simply doesn’t provide the requisite information for a change of behavior to drive an improved outcome.
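The three outcome-based buckets above are a set difference between two scan results plus an exemption list. The following is an added example, not code from the original post or from Rook Security; the scan results, host names, vulnerability ids (`VULN-A` and so on) and the exemption register are constructed placeholders. It goes one step beyond the text by also reporting findings that were present last time and are now gone, which is the bucket that confirms remediation actually happened.

```python
"""Categorize vulnerability scan findings into outcome-based buckets.

A finding is identified by (host, vulnerability id). Two consecutive scans plus
a risk-acceptance register are enough to split the current findings into
net new, exempted and carried forward, and to list what was resolved.
"""

# Constructed sample data (placeholders, not real scan output or real vulnerability ids).
PREVIOUS_SCAN = {
    ("web-01", "VULN-A"),
    ("web-01", "VULN-B"),
    ("db-01", "VULN-C"),
}
CURRENT_SCAN = {
    ("web-01", "VULN-B"),   # still open -> carried forward
    ("db-01", "VULN-C"),    # on the risk-acceptance register -> exempted
    ("db-01", "VULN-D"),    # not seen before -> net new
}
# Constructed risk-acceptance register: findings the business has formally accepted.
EXEMPTIONS = {("db-01", "VULN-C")}


def categorize(previous, current, exemptions):
    """Split `current` findings into the three outcome buckets.

    Exemption is checked first: a risk-accepted finding stays exempted whether or
    not it was already in the previous scan, so it never inflates the other buckets.
    `resolved` (previous findings absent now) is an extra bucket not in the post.
    """
    net_new, exempted, carried_forward = set(), set(), set()
    for finding in current:
        if finding in exemptions:
            exempted.add(finding)
        elif finding in previous:
            carried_forward.add(finding)
        else:
            net_new.add(finding)
    resolved = previous - current
    return {
        "net_new": net_new,
        "exempted": exempted,
        "carried_forward": carried_forward,
        "resolved": resolved,
    }


def summarize(buckets):
    """Counts per bucket, sorted by host, for the executive-facing report."""
    return {name: len(findings) for name, findings in buckets.items()}


if __name__ == "__main__":
    buckets = categorize(PREVIOUS_SCAN, CURRENT_SCAN, EXEMPTIONS)
    for name, findings in buckets.items():
        print(f"{name:15s} {len(findings)}  {sorted(findings)}")
```

Each bucket maps to a different owner: net new findings go to patch management or change control, carried forward findings go back to whoever accepted the earlier ticket, and the exempted list is the one to re-review when the acceptance expires. Reporting only the total (three in both scans here) would hide that one finding was fixed and another appeared.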

5) Real-time scalability. Thanks to the strong marketing message behind virtualization and cloud, many executive teams expect their security resources to increase or decrease at a moment’s notice through some sort of virtual dial. The biggest challenge for a SOC in delivering on this expectation is balancing security value against spend and expected outcomes (and explaining that balance to the executive team). Collecting and communicating this information is critical, and scalability succeeds when the resources (people, time, and money) that run security operations can be re-deployed as needed based on risks, threats, and policy decisions that take place between budgeting cycles.

6) Cloud options (public and private). Whether private or public, there is no question that the cloud offers many advantages including scalability, reliability, and efficiency. In each scenario, the organization gives up some level of control of their data to the cloud provider, especially the public cloud. In both scenarios, security controls must be implemented, whether by the business or by the cloud provider. Understand how security responsibility is shared in these different environments.

7) On-premise, remote, and cloud IR capabilities on demand. A compromise can occur at a satellite office a thousand miles away or in the cloud just as easily as it can at your headquarters. Having the capability to remotely respond to incidents instead of flying your team around the globe can save money and time in critical moments. Visibility, intelligence, and control are all key to being able to remotely respond to incidents.

8) Cloud enablement controls. The same controls needed to secure on-premises datacenters are just as necessary in the cloud. Architecture, exfiltration protection, DNS, and logging controls are among those required to manage and protect data in the cloud.

9) Approved cloud vendors by category. Not all cloud vendors are created equal. Identifying the vendors that enable the business while maintaining sufficient security controls should be a joint project for the SOC team and management. Once the vendors are identified, it’s up to the SOC to implement controls to block unapproved cloud vendors.

10) Monitoring of cloud security controls integrated with core SOC monitoring capabilities. Although the implementation differs slightly, the controls implemented for the cloud environment should be integrated and handled the same as your core SOC monitoring capabilities. Your SOC should be indifferent to the location of the data. Security must follow the data and provide the same monitoring capabilities regardless of where it resides.
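Keys 9 and 10 together describe one control: an approved-vendor list per category, a block list derived from it, and alerts that land in the same queue as everything else the SOC monitors. The example below is added here and is not code from the original post or from Rook Security; the vendor catalog, approved-vendor policy, domain names and proxy log lines are all constructed placeholders, and the log format (timestamp, user, destination host, bytes, action) is an assumed simplification rather than any particular proxy's format.

```python
"""Check web proxy traffic against an approved-cloud-vendor policy.

Two outputs: the list of known-but-unapproved vendor domains to push to the
proxy or DNS block list, and alert records in one uniform shape so that
cloud-vendor alerts are triaged alongside the SOC's other alerts.
"""
import re

# Constructed vendor catalog: domain -> category. Domains not listed here are
# not treated as cloud vendors at all (internal hosts, general web browsing).
VENDOR_CATALOG = {
    "files.approved-example.com": "file_sharing",
    "share.unapproved-example.net": "file_sharing",
    "crm.approved-example.com": "crm",
    "crm.unapproved-example.org": "crm",
}

# Constructed policy: category -> domains the business has approved.
APPROVED_VENDORS = {
    "file_sharing": {"files.approved-example.com"},
    "crm": {"crm.approved-example.com"},
}

# Constructed proxy log lines (assumed format: timestamp user host bytes action).
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:00Z alice files.approved-example.com 20480 ALLOW
2024-01-01T10:00:05Z bob share.unapproved-example.net 4096000 ALLOW
2024-01-01T10:00:09Z carol crm.unapproved-example.org 1024 ALLOW
2024-01-01T10:00:12Z dave intranet.example.local 512 ALLOW
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def unapproved_domains(catalog, approved):
    """Domains in the catalog that are not approved for their category (block list)."""
    return {
        domain for domain, category in catalog.items()
        if domain not in approved.get(category, set())
    }


def parse_line(line):
    """Return (timestamp, user, host, bytes, action) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, host, nbytes, action = m.groups()
    return ts, user, host.lower(), int(nbytes), action


def evaluate(log_text, catalog, approved):
    """Produce one alert per connection to an unapproved cloud vendor.

    The alert shape ("source", "rule", "subject", "detail") is deliberately the
    same generic record a SOC would use for any other detection, so these
    alerts can be merged with on-premises monitoring rather than kept apart.
    """
    blocked = unapproved_domains(catalog, approved)
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, host, nbytes, action = parsed
        if host in blocked:
            alerts.append({
                "source": "proxy",
                "rule": "unapproved_cloud_vendor",
                "subject": user,
                "detail": {
                    "timestamp": ts,
                    "host": host,
                    "category": catalog[host],
                    "bytes": nbytes,
                    "action": action,
                },
            })
    return alerts


if __name__ == "__main__":
    print("block list:", sorted(unapproved_domains(VENDOR_CATALOG, APPROVED_VENDORS)))
    for alert in evaluate(SAMPLE_PROXY_LOG, VENDOR_CATALOG, APPROVED_VENDORS):
        print(alert)
```

Deriving the block list from the catalog rather than hand-maintaining it means adding a newly approved vendor is a one-line policy change, and the same catalog drives both the preventive control and the alert enrichment (category, bytes transferred), which is what an analyst needs to tell a stray login from a bulk upload.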

While it may seem like a lot, if you approach building a next generation SOC systematically, before long you’ll have a high-performing SOC team that protects your business in a resource-smart manner.

About our Guest Author…
J.J. is the founder and CEO of Rook Security and has over 12 years of experience serving clients in industries such as Media & Entertainment, Financial Services, High Technology, Manufacturing and Healthcare. Since Rook was founded in Silicon Valley in 2008, the team has grown to over 20 US-based professionals. J.J. is an alumnus of Ernst & Young, LLP, where he led teams in the delivery of services for Fortune 100 clients, specifically Office of the Chairman accounts. Mr. Thompson focuses on management consulting through comprehensive data protection strategy, security operations, incident response, security assessments, and risk assessment projects.