Reviewing the SOC Architecture

The InfoSec Consulting Series #8

By Jay Pope


Guarding an enterprise against today’s range of cyber threats requires a good deal of effort, expense and expertise. To ensure that these resources are used effectively when reviewing the SOC Architecture, there needs to be a plan. In this article I take some lessons learnt from my previous consulting assignments to discuss how a new-in-role CISO can approach a review of the organisation’s SOC Architecture by starting with the ‘Cyber Hierarchy of Needs’ model.


The Cyber Hierarchy of Needs Model

Any new-in-role CISO could find themselves in a situation where reviewing the SOC Architecture is a priority for their organisation. This could be a review for a tech refresh of an existing capability, a brand-new SOC capability, or an evaluation of cloud-based managed security service offerings. If you are a new CISO who doesn’t have a network security background, then a good place to start is the principles of the ‘Cyber Security Hierarchy of Needs’, represented here by the pyramid, and its key principle: start at the bottom, the foundation layer:



The Cyber Hierarchy of Needs Model

Alignment of Business & IT Strategy

Before getting to Detection, Prevention & Response, it is recommended that the new CISO reviews how the organisation’s IT strategy supports the business strategy, and checks any pending orders for cyber security detection, analysis and forensics tooling. This is important because unless the fundamentals are there, it doesn’t matter how shiny the latest silver bullets are: a lack of technology and process orchestration will impact the overall effectiveness of security. It is also important to remember that some SIEM products and related tools are easier to integrate and more intuitive to use than others, and some carry significant overheads such as staff training, or acquiring new staff who are trained in your chosen cyber tooling suite. These points should have been identified in strategy documents and business cases.


A Dedication to Recruiting & Training Staff

Technology is not a substitute for people; organisations can only maximise technology when they have staffed teams with skilled and trained resources. Organisations must come up with creative ways to find, develop, and retain talent. When reviewing the SOC Architecture, consideration of ‘people’ and ‘process’ impacts arising from technology selection is important. When advertising a cyber security position, the job description is also critical: candidates draw inferences about the employer’s cyber security awareness from it. An ISC2 survey conducted in 2018 found that more than half (52%) of information security professionals say a lack of clarity in a description implies the organisation doesn’t understand security. Vague language and descriptions that don’t accurately reflect the job only serve to deter the best candidates. Employers and recruiters, therefore, must have a sense of what the job entails, the skills required, and the skills cyber security professionals are likely to bring. The survey also found the most commonly requested skill areas amongst respondents to be:

  1. Cybersecurity Strategy
  2. Cybersecurity Management
  3. User Education
  4. Risk Assessment
  5. Security Operations


A Focus on the Fundamentals

Before investing in single-source vendor proposals, it’s best to focus on the fundamentals first. Coherent technical strategies, well-defined targets of assurance, Technical Design Authority (TDA) ownership and influence, and appropriate control selection for managing hardware, software, access controls and identity, incorporated within the system designs, are fundamental.

Managing hardware. It’s only possible to effectively protect a device if you know it’s there, so an inventory is essential, and this needs to include any BYOD equipment too. If you’re using endpoint management tools, these can provide much of the information you need to keep track of devices and to render mobile devices inert if they’re lost or stolen. They can also be used to push out security tools and ensure patches are up to date. Configuration and management tools such as System Center Configuration Manager (SCCM) are not security tools as such, but they do play a part in ensuring that security policies and tools can be properly applied. In the event of an attack, a lack of proper infrastructure knowledge can hinder investigations and make it much harder to mitigate the consequences.

Managing software. Cyber-attacks frequently leverage vulnerabilities in software, so once a vulnerability is made public it’s essential that it gets patched quickly, before it can be exploited. As the WannaCry attacks of 2017 demonstrated, running software that is no longer supported and doesn’t receive updates increases the risk of compromise. Good practice requires that businesses establish a regular patch cycle for all devices. For critical systems, such as servers and router firmware, there needs to be provision to apply patches on an accelerated basis to protect against new and severe vulnerabilities. Choosing to delay security updates creates a higher level of risk.

Managing identity. Once device and software management are taken care of, the spotlight falls on identity management. Stealing credentials is one of the most common hacking techniques, and there are some essential rules that all companies should follow. Firstly, don’t share accounts: ensure that each user is individually identifiable. Anonymous and guest accounts should be avoided, or at least kept to a minimum. Administrator accounts are a particular weak point. These should be protected by strong authentication, and local admin accounts on endpoints should be disabled where domain accounts can be used in preference. Password policies need to be reviewed too: look at length, complexity and expiry of passwords compared to industry best practice. For particularly sensitive systems, you may want to look at multi-factor authentication using biometrics, physical tokens or trusted mobile devices. Passwords at rest on servers need to be protected too, using encryption and salted hashing, to ensure that even if the file containing them is compromised they are useless to an attacker. If an account does get compromised, it is important to have measures in place to prevent problems spreading; preventing lateral movement through the enterprise is a key goal here.

Managing access. You might think that this is the same as managing identity, but access control goes much further. The key principle is ‘least privilege’: the fewer people that have access to something, the less chance there is of it being stolen or compromised. The first step is not to use local admin accounts on endpoints. Software seldom needs to run with administrator rights, and running as a standard user makes it harder for malware to gain a foothold even if, for example, an employee clicks a phishing link.

Network segregation. When reviewing the SOC Architecture, consider how the critical systems (those holding financial information or intellectual property) will influence the design; it’s a good idea to divide the network into compartments. Domain administrators for the accounts system, for example, don’t necessarily need access to the sales system too. If there’s a need to have sensitive information available for users in different locations to collaborate on, it should be on servers where access is limited, not on the everyday file server. You might also consider having dedicated workstations where tasks such as administering the network are carried out, ensuring that these are not used for other activities, including accessing the internet.


An Integrated Technology Portfolio that Enables Orchestration

When reviewing the SOC Architecture, the organisation will need solutions that help build all four pillars of its breach detection stack to deliver an effective cyber defence capability. If there are serious issues, gaps, or inherited ‘tooling sprawl’ within an existing SOC Architecture, then the need to re-architect should be high on the CISO’s agenda.


No organisation wants to be focusing on nuisance threats while skilled attackers are exfiltrating precious data. At a minimum, prevention eliminates noise. Prevention can be innovative without negatively affecting the user experience; it should be operationally effective and scalable, and must always be part of a response.


Detection & Response

Consider that if you can’t respond correctly as a CISO, it may be a career ender, or even worse a company killer. Without a rational architecture and mature processes, it will all wash away in the next storm as if it were a house built on sand. The latest cyber threats have become more sophisticated and seek to evade detection by techniques including fileless malware. Attackers are also increasingly using automation to carry out basic reconnaissance before opening the way for human operators to steal data. The longer an attack remains active on your systems, the more damage it can do, so intrusion detection as early as possible is essential. Of course, a detection system is more valuable if you have taken all of the above steps to secure your hardware, software, identities and access.

Detection strategy comes in two flavours. Passive detection involves logging information that can be used to aid the investigation of attacks. The major challenge here is collecting useful information while filtering out the mass of low-level alerts, to make storing the data practicable; otherwise you end up with a huge volume of data that you need to store. Active detection includes anti-virus software and intrusion detection. Increasingly, this involves using third-party intelligence to understand the nature of attacks and spot the signs early. Doing this in-house can be costly and requires specialist skills, which is why recent years have seen a rise in the number of managed detection providers with remote experts on hand.
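The passive-detection trade-off above (keep what an investigation will need, aggregate the rest so storage stays practicable) can be made concrete with a small triage step in front of the log store. The example below is added here and is not from the article or any product; the syslog-style line format, the severities, the source names and the sample lines are all constructed for illustration. It retains high-severity and authentication events verbatim, collapses low-severity noise into counts, and promotes repeated logon failures into an alert so that filtering does not silently discard a signal.

```python
import re
from collections import Counter

# Constructed sample log lines (not real data). Assumed format:
# "<timestamp> <host> <source> <SEVERITY> <message>"
SAMPLE_LOGS = """\
2024-05-01T09:00:01 ws-017 edr INFO process started: outlook.exe
2024-05-01T09:00:02 ws-017 edr INFO process started: chrome.exe
2024-05-01T09:00:03 dc-01 auth INFO logon success user=alice
2024-05-01T09:00:04 dc-01 auth INFO logon success user=bob
2024-05-01T09:00:05 dc-01 auth WARNING logon failure user=alice
2024-05-01T09:00:06 dc-01 auth WARNING logon failure user=alice
2024-05-01T09:00:07 dc-01 auth WARNING logon failure user=alice
2024-05-01T09:00:08 ws-017 av CRITICAL malware quarantined: trojan.generic
2024-05-01T09:00:09 fw-edge firewall INFO connection allowed dst=10.0.0.5:443
2024-05-01T09:00:10 fw-edge firewall INFO connection allowed dst=10.0.0.5:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (INFO|WARNING|ERROR|CRITICAL) (.*)$")
RETAIN_VERBATIM = {"ERROR", "CRITICAL"}  # always stored in full
KEY_SOURCES = {"auth"}                   # low severity, but needed for investigation
FAILURE_THRESHOLD = 3                    # repeated failures become an alert

def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, source, sev, msg = m.groups()
    return {"ts": ts, "host": host, "source": source, "severity": sev, "message": msg}

def triage(raw):
    """Return (retained events, aggregated noise counts, derived alerts)."""
    retained, noise, failures = [], Counter(), Counter()
    for line in raw.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # unparseable lines are dropped; a real pipeline would count them
        if ev["severity"] in RETAIN_VERBATIM or ev["source"] in KEY_SOURCES:
            retained.append(ev)  # keep verbatim: useful for investigation
            if ev["source"] == "auth" and "failure" in ev["message"]:
                failures[(ev["host"], ev["message"])] += 1
        else:
            # Low-level noise: store only a count per (host, source, message)
            noise[(ev["host"], ev["source"], ev["message"])] += 1
    alerts = [f"{n} logon failures on {h}: {m}"
              for (h, m), n in failures.items() if n >= FAILURE_THRESHOLD]
    return retained, dict(noise), alerts
```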



It’s now generally accepted that cyber attacks are almost impossible to prevent entirely and that it’s a matter of when, not if, you will suffer one. The focus of security, therefore, has shifted from preventing an attack to detecting it quickly and minimising damage. However, this can only work if the basics are in place. When reviewing the SOC Architecture, if you haven’t taken care of all elements in the above hierarchy, then you may end up spending on sophisticated detection systems without gaining the full benefit from them, as inadequate delivery lower down the pyramid will lead to compromise.


Does Your Organisation Need Top Cyber Security Consultants?

We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and is on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position and meet technical, business and ethics due diligence requirements.