Page 10 - Cyber Warnings
Besides possessing excellent people management skills, the SOC Manager should be
trained in Project Management and Incident Response Management. Certifications could
include CISSP, CISA, CISM or CGEIT.
Plan for Capacity
SOCs are typically staffed either eight hours a day, five days a week, or around the clock. Every
shift should include at least two analysts with clearly defined responsibilities. A
standard 24/7 SOC should ideally be staffed by at least seven people; otherwise,
procedures should be in place for off-hours monitoring. The schedule should also provide a
one-hour overlap between shifts for handover, and a floater to cover holidays, sick leave and
time off when needed.
Planning for capacity in each group is a function of the workload and of the types of incidents
flowing in. It is critical to predict the SOC's workload, so that the skillsets required to
effectively handle all incoming threats, attacks and incidents can be identified.
Furthermore, the types of incidents the SOC faces, e.g. phishing, malware, data
leakage or targeted cyber-attacks, will determine the level of complexity involved.
A proven method for capacity planning in a SOC team is to count the number of incidents
occurring across the network per day, in order to understand the incident flow. Based on
that flow, resources can be allocated effectively to each stage of handling, from assessing an
alert, to escalation, and through to resolution.
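A workload model of the kind described above, as an added illustration that is not from the article: it turns a measured daily incident flow into analyst-hours per handling stage, then into analysts on duty per shift and a 24/7 headcount. The incident counts, handling times, utilization factor, minimum of two analysts per shift, 7/5 coverage factor and floater allowance are all constructed assumptions chosen to show the method, not benchmarks.

```python
"""Workload-based SOC capacity estimate from daily incident flow.

Added illustration (not from the article). Every number and the staffing
formulas below are assumptions; replace them with measured values.
"""
from dataclasses import dataclass
from math import ceil

STAGES = ("triage", "escalation", "resolution")


@dataclass(frozen=True)
class IncidentType:
    name: str
    per_day: float            # observed incidents of this type per day
    triage_min: float         # analyst minutes to assess one alert
    escalation_rate: float    # fraction of incidents escalated (0..1)
    escalation_min: float     # analyst minutes per escalated incident
    resolution_min: float     # analyst minutes to resolve one incident


# Constructed sample incident flow for one day (assumed values).
SAMPLE_FLOW = [
    IncidentType("phishing", per_day=40, triage_min=10,
                 escalation_rate=0.10, escalation_min=30, resolution_min=15),
    IncidentType("malware", per_day=12, triage_min=20,
                 escalation_rate=0.50, escalation_min=60, resolution_min=90),
    IncidentType("data_leakage", per_day=2, triage_min=30,
                 escalation_rate=0.75, escalation_min=120, resolution_min=240),
]


def stage_hours(flow):
    """Analyst-hours per day at each stage, summed over all incident types."""
    hours = dict.fromkeys(STAGES, 0.0)
    for t in flow:
        hours["triage"] += t.per_day * t.triage_min / 60
        hours["escalation"] += t.per_day * t.escalation_rate * t.escalation_min / 60
        hours["resolution"] += t.per_day * t.resolution_min / 60
    return hours


def analysts_per_shift(flow, shifts_per_day=3, shift_hours=8.0,
                       utilization=0.7, min_per_shift=2):
    """Analysts needed on duty per shift, assuming the load is spread evenly
    across shifts. `utilization` is the assumed fraction of a shift spent on
    incident work; the rest covers handover, tooling and training."""
    total = sum(stage_hours(flow).values())
    per_shift_load = total / shifts_per_day
    productive_hours = shift_hours * utilization
    return max(min_per_shift, ceil(per_shift_load / productive_hours))


def headcount_24x7(per_shift, shifts_per_day=3, days_covered=7,
                   workdays_per_analyst=5, floaters=1):
    """Total staff to keep `per_shift` analysts on every shift, every day,
    plus floaters for leave. The 7/5 coverage factor (seven days covered by
    people who each work five) is an assumption of this model."""
    positions = per_shift * shifts_per_day
    return ceil(positions * days_covered / workdays_per_analyst) + floaters


if __name__ == "__main__":
    for stage, h in stage_hours(SAMPLE_FLOW).items():
        print(f"{stage:<11} {h:6.1f} analyst-hours/day")
    on_duty = analysts_per_shift(SAMPLE_FLOW)
    print(f"analysts per shift: {on_duty}")
    print(f"24x7 headcount:     {headcount_24x7(on_duty)}")
```

With the sample flow, resolution dominates the workload (36 of roughly 59 analyst-hours per day), which is the kind of finding that tells you where skills, not just bodies, are needed. The model only applies the stage times to counts, so its output is only as good as the measured incident flow feeding it; an uneven distribution across shifts, or a surge day, needs a per-shift breakdown rather than the even split assumed here.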
As you begin building a new SOC, staffing your team appropriately will lead to a smooth startup
and build-out over time. This, in turn, should ensure a quick return on investment.
About the Author
Slavik Markovich is co-founder and CEO of Demisto. Prior to co-founding
Demisto, he was VP & CTO of database technologies at McAfee (Intel
Security). He got to McAfee via the acquisition of Sentrigo, a database
security startup, where he was co-founder and CTO. Slavik has over 20 years
of experience in infrastructure, security and software development.
Previously, Slavik was vice president of R&D and chief architect at DB@net, a
leading IT architecture consultancy firm.
Slavik is a renowned authority on Oracle and Java/JavaEE technologies, and
has contributed to open-source projects such as Spring Framework Toplink integration (later
incorporated by Oracle). He is a regular speaker at industry conferences. He holds a BS degree
in Computer Science.
10 Cyber Warnings E-Magazine – May 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide