Security Operations (SOC) Management Components & Terminology

J.J. Thompson, published in SECOPS, Jan 6, 2017 (2 min read)

At its most basic, the objective of a Security Operations Management Program is to enable the prevention, detection, management, and elimination of cyber threats.

Security Operations Center (SOC) services and processes during discussion at the Rook Security SOC

To accomplish this core objective, there are two foundational components: monitoring and response. Their inputs are service requests and alerts, the latter driven by endpoint, network, and other core security technologies. Beyond these, there are numerous other services that can be provided, depending on your internal resource levels (people, process, and technology), maturity, and strategy.

The whole program should be designed and operated so that every activity and capability is traceable to a measurable, outcome-focused result. Those results drive management decisions that weigh organizational resource levels, risk, and customer preferences. These governance decisions in turn affect the inputs: resource levels (people, process, and technology), strategy, and the service offerings.

While operating the program, key decisions are made both formally and informally: escalation preferences, threat classifications, and other triggers, throttles, rules, and communication preferences. We call these policy decisions.
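The policy decisions above (threat classification, triggers, throttles, escalation routing) and the measurable outcomes of the previous paragraph can be made concrete by writing them down as data that a small triage pipeline consumes. The following is an added example for this post, not code from the author or from Rook Security; the alert records, severity table, escalation routes, throttle window and the choice to route unknown threat classes to the highest tier are all constructed assumptions, and the metrics object is what makes the outcomes countable.

```python
"""Alert triage as explicit policy: classify, throttle, escalate, and count outcomes.

Added example, not from the original post. All alerts, source names, severity
values, routes and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy decisions kept as data, so changing the policy does not change the pipeline.
SEVERITY_BY_CLASS = {            # threat classification (assumed values)
    "malware": 3,
    "credential_misuse": 3,
    "policy_violation": 2,
    "recon": 1,
}
ESCALATION_BY_SEVERITY = {       # escalation preference per severity (assumed routes)
    3: "tier2_page",
    2: "tier2_ticket",
    1: "tier1_queue",
}
THROTTLE_WINDOW = timedelta(minutes=10)  # identical alerts inside this window are grouped
THROTTLE_MAX = 3                         # copies escalated before further ones are suppressed


@dataclass
class Alert:
    ts: datetime
    source: str          # "endpoint", "network" or "request" (service request)
    threat_class: str
    host: str
    detail: str


@dataclass
class Metrics:
    """Counters that make the program's outcomes measurable."""
    received: int = 0
    suppressed: int = 0
    escalated: dict = field(default_factory=lambda: defaultdict(int))


class EscalationPolicy:
    def __init__(self):
        self.metrics = Metrics()
        self._seen = defaultdict(list)   # (threat_class, host) -> recent timestamps

    def classify(self, alert):
        # Assumption: an unknown class is a triage gap, so fail toward the highest
        # severity rather than silently dropping it into the lowest queue.
        return SEVERITY_BY_CLASS.get(alert.threat_class, 3)

    def throttle(self, alert):
        """Return True when this (class, host) pair has already exceeded its window budget."""
        key = (alert.threat_class, alert.host)
        window = [t for t in self._seen[key] if alert.ts - t < THROTTLE_WINDOW]
        window.append(alert.ts)          # suppressed copies still count toward pressure
        self._seen[key] = window
        return len(window) > THROTTLE_MAX

    def handle(self, alert):
        """Return the escalation route, or None when the alert is throttled."""
        self.metrics.received += 1
        if self.throttle(alert):
            self.metrics.suppressed += 1
            return None
        route = ESCALATION_BY_SEVERITY[self.classify(alert)]
        self.metrics.escalated[route] += 1
        return route


def run_example():
    """Drive the policy over constructed alerts; return (routes, metrics)."""
    t0 = datetime(2017, 1, 6, 9, 0)
    alerts = [Alert(t0, "network", "recon", "web-01", "port sweep")]
    # Five identical endpoint detections on one host inside the throttle window.
    alerts += [Alert(t0 + timedelta(minutes=i), "endpoint", "malware", "ws-042", "same hash")
               for i in range(5)]
    alerts += [
        Alert(t0 + timedelta(minutes=6), "endpoint", "credential_misuse", "dc-01", "pass-the-hash"),
        Alert(t0 + timedelta(minutes=7), "request", "policy_violation", "ws-017", "USB mass storage"),
        Alert(t0 + timedelta(minutes=8), "network", "unknown_class", "vpn-01", "new detection"),
    ]
    policy = EscalationPolicy()
    routes = [policy.handle(a) for a in alerts]
    return routes, policy.metrics


if __name__ == "__main__":
    routes, metrics = run_example()
    for route in routes:
        print(route)
    print(f"received={metrics.received} suppressed={metrics.suppressed} "
          f"escalated={dict(metrics.escalated)}")
```

Running it shows the two throttled copies of the malware alert returning None while the first three page tier 2, and the counters give the figures (received, suppressed, escalated per route) that a governance review can compare against resource levels. Changing an escalation preference or a throttle is then a change to the policy tables, which is exactly the kind of decision the post says should be recorded rather than left informal.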

With these elements in mind, it is possible to begin evaluating your current capabilities and to determine how to build or optimize your Security Operations Management Program to facilitate the prevention, detection, management, and elimination of cyber threats.

The Rook Navigator series is a set of enablers intended to help operators and leadership determine when to build versus partner on Security Operations Management programs of varying sizes and levels of complexity. Through real-world examples, lessons learned, and applied successes, this guide helps security professionals navigate the dynamic challenge of Digital Security Operations Management.


Founder at Spektrum Labs, equipping cyber resilience innovators in the cyber insurance ecosystem. #cyberresilience #blockchain #insurtech #tokenization