SOC Resources for System Management

Published: 2016-03-30
Last Updated: 2016-03-30 01:08:56 UTC
by Tom Webb (Version: 1)
2 comment(s)

I have recently started looking at the MITRE 10 strategies for a SOC (hxxps://   Strategy one in their doc is to consolidate the following under one management team: Tier 1 Analysis, Tier 2+, Trending & Intel, SOC System admin and SOC Engineering.  This makes a lot of sense.  But what do you do when you don’t have enough skilled people or positions to have a separate system admins and engineers?


My group has  individuals assigned responsibilities to different products for patching, maintenance  and operational optimization. The current problem I run into is that we get into an engineering mode where a large amount of time is spent deploying, patching or scripting things. While all these items need to be done, it reduces our IR bandwidth with backlogs. One strategy is to have the tier 2+ group alternate between weeks for engineering/maintenance. This will force  them to better plan upgrades within that window or work on other assignments.  


Long term plans should include additional positions that can be assigned the maintenance and engineering of systems  What are other strategies being used by groups that maintain their systems, but without a dedicated resource to it? Please leave comments..


Tom Webb

2 comment(s)


Tom, You need to accelerate the plans to short time, try to explain to executive board the risk that have the organization for not having the security resources for IR (# security incidents, time to resolution, impact on money, business proceses affected, etc...).
While, try to assign a role for IR in Tier 2 "only IR", desirable 8x5 and ad-hoc on weekends. If you have few resources, focus on critical incidents (you need to define what is critical incident?).
Be aware if you have a security analyst with IT functions, SysAdmin functions and Cybersecurity functions the results will be not good for the organization, you need to maintain clear lines of separation between SOC functions and others, if you want to implement SOC services in the organization.
If you have challenges in budget, time, skills other choice could be a Managed Security Service Provider for SOC services.
Luis Pico
An intern driven SOC. Document basic runbooks for every run of the mill event the team deals with on a regular basis, and have an intern act as that first level triage and response. They're cheap, and it's a great learning experience for them. As new events come up or new alerts are added to your SIEM, write another runbook for them to work through. Make sure you tell them that if something seems off or they're all of a sudden getting a high volume of events, they should escalate to full time staff ASAP.

We're in the middle of building this setup, and so far it has done wonders for keeping our on-call full time staff member sane and not overwhelmed. A happy side effect is it forces you to document your response processes for every kind of event.

Diary Archives