{"title":"CyberSoc Implementation Plan","authors":"Mário Saraiva, N. Coelho","doi":"10.1109/ISDFS55398.2022.9800819","DOIUrl":null,"url":null,"abstract":"Cybersecurity operations centers (CyberSoc) should have all they need to defend the ever-changing information technology (IT) company today. This comprises a diverse set of advanced detection and prevention tools, a virtual sea of cyber intelligence reporting, and access to a rapidly growing pool of experienced IT experts. Despite this, most CyberSoc fail to keep the enemy (even the most inexperienced) out of the enterprise. The odds are stacked heavily against the defense. While the attacker only needs to identify one way in, the defenders must protect all entry points, restrict and analyze damage, and locate and eliminate adversary points of presence in business systems. Furthermore, cybersecurity professionals are increasingly aware that capable adversaries may and will get permanent access to company networks. As if the situation wasn’t horrible enough, we are frequently our own worst enemies. Many CyberSocs devote more time and effort to dealing with politics and human concerns than to detecting and responding to cyber threats. All too frequently, CyberSocs are established and run with a sole focus on technology, neglecting to address people and process challenges. The major goal of this work is to provide as a guide for when a CyberSoc implementation is required.","PeriodicalId":114335,"journal":{"name":"2022 10th International Symposium on Digital Forensics and Security (ISDFS)","volume":"35 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 10th International Symposium on Digital Forensics and Security (ISDFS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISDFS55398.2022.9800819","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 5
Abstract
Cybersecurity operations centers (CyberSocs) should have all they need to defend today's ever-changing information technology (IT) company. This comprises a diverse set of advanced detection and prevention tools, a virtual sea of cyber intelligence reporting, and access to a rapidly growing pool of experienced IT experts. Despite this, most CyberSocs fail to keep the enemy (even the most inexperienced) out of the enterprise. The odds are stacked heavily against the defense. While the attacker only needs to identify one way in, the defenders must protect all entry points, restrict and analyze damage, and locate and eliminate adversary points of presence in business systems. Furthermore, cybersecurity professionals are increasingly aware that capable adversaries can and will gain persistent access to company networks. As if the situation weren't bad enough, we are frequently our own worst enemies. Many CyberSocs devote more time and effort to dealing with politics and human concerns than to detecting and responding to cyber threats. All too frequently, CyberSocs are established and run with a sole focus on technology, neglecting to address people and process challenges. The major goal of this work is to serve as a guide for when a CyberSoc implementation is required.