The National Cyber Security Centre (NCSC) has published a new version of its guidance on security operations centres (SOCs).
It said the move comes from its work with several government departments and has been made to make the guidance more accessible and help organisations decide what type of SOC is right for them.
The role of an SOC is to limit the damage to an organisation by detecting and responding to cyber attacks that successfully bypass security controls. It can include a multitude of security activities, such as vulnerability assessment, compliance activities and system configuration.
Writing in a blogpost, NCSC security architect Adam B said a running theme of the guidance is that an SOC should be proportionate.
“This is key,” he said. “Too many organisations get caught in the trap of buying the fanciest software with laser dragons and security badgers on their network perimeters, hoping it will solve all problems, when often all that's really needed is the appropriate log sources, a SIEM (security information and event management platform) and some keen eyes (and some rulesets).”
Evaluation and definition
Key elements of the new guidance include the importance of evaluating the threat to an organisation and defining a target operating model for developing proportionate services.
It is split into five sections – on the operating model, onboarding, detection, threat intelligence and incident response and management – and is intended to be agnostic on the technologies used.