Security Operations Center Design

Examining the key design elements in a successful SOC implementation

Over the past decade, information technology has radically improved the operational capabilities of a Security Operations Center (SOC). Both what can be done and how it can be done have been changed dramatically by computer, network and communications technologies. Thus many security executives and managers are considering upgrading their SOCs. The purpose of this article is to capture the key elements that must be considered in SOC design, and to share information about what leading security practitioners are doing in that regard.


The Role of SOC Technology

Prior to the advent of electronic security systems, SOC monitoring and response was heavily dependent on human resources and human capabilities, which also limited the accuracy and effectiveness of monitoring efforts. Over the past two decades, the adoption of information technology into facility security systems, and their ability to be connected to SOCs via corporate networks, has significantly changed that picture. This means two important things:

* First, the total cost of ownership for an old-style SOC (that does not take advantage of current technology) is much higher than for a current-technology SOC — even though its contribution to security effectiveness is lower. Without a properly deployed, current-technology SOC, it is likely that your organization is spending more money than it needs to and is getting less security than it should.

* Second, achieving the lower security operations costs and higher security effectiveness that a current-day SOC can provide is not a matter of SOC design alone. The strategic and tactical roles of global, regional and local SOCs, and the design of security operations at all levels, cannot be determined by selecting technology in isolation. Designs must use security technology and information technology to address current and expected future security risks. They must also take into account the organization's business culture.

In a recent half-hour interview that is available online at Microsoft's TechNet Radio website, Johnny Walker, senior program manager for Microsoft Global Security, explains that the role of the technology design and concept of operations for a SOC is to provide situation awareness that enables precision response and supports forensics investigations. Precision response is both a security factor and a cost factor. “Physical security strategy begins with a comprehensive risk and an investment model,” Walker says during the broadcast. “We kind of bucket it in four zones: technology, monitoring, communication and administration. First is the technology investment that is really built on your risk drivers. Next, you have to have an effective, sustainable and predictable monitoring model that goes on the total cost of ownership.

“Once you have heard an alarm and you understand the alarm, you have to be able to communicate it quickly to a response mechanism — whether that's your proprietary forces or a public safety response mechanism — it still has to work,” Walker continued. “So you have to invest in that third tier (communications). And then finally you have to have this administrative module that says, ‘Do I have the right design, is it working?’ So you have this process improvement piece going on so you can evolve the lifecycle of the system and know its readiness.”


Design Considerations

Once the homework has been done relating to risk assessment and business alignment, key aspects of the design can be considered, including:

•  location (primary and alternate);

•  range of functions (security, safety, and building services);

•  scope of monitoring (local, regional or global);

•  size (for personnel and equipment);

•  current and future technology;

•  lifespan;

•  stakeholders;

•  SOC team; and

•  security operations transition.
