The document outlines 11 strategies for establishing a world-class Cybersecurity Operations Center (SOC), emphasizing the importance of understanding what to protect, having the authority to act, and structuring the SOC to meet organizational needs. It serves as a practical guide for SOC operators, managers, and those involved in cybersecurity operations, providing insights into staffing, incident response, and leveraging threat intelligence. MITRE, a not-for-profit organization, aims to enhance cybersecurity practices through collaboration and the dissemination of knowledge and tools.


11 STRATEGIES OF A WORLD-CLASS CYBERSECURITY OPERATIONS CENTER

HIGHLIGHTS
HIGHLIGHTS: 11 STRATEGIES OF A WORLD-CLASS CYBERSECURITY OPERATIONS CENTER

About MITRE
Protecting the digital enterprise against sophisticated cyber adversaries requires
strategy, timely information, and 24/7 vigilance. As a not-for-profit company pioneering
in the public interest, MITRE works in partnership with an innovation ecosystem of
government, private sector, and academia to secure cyber systems. In our 60+ years
of catalyzing change through partnership, we never lose sight of the human factor
behind every complex system and innovative solution. MITRE draws from a wealth
of deep technical expertise to address the ever-evolving challenges in cybersecurity.
We know that working in partnership to protect organizations is crucial to national
security, critical infrastructure, economic stability, and personal privacy. The guidance
we share with the cyber defender community continues to advance the field’s science
and practice. Operating without commercial conflicts of interest, we’re working to
arm a worldwide community of cyber defenders with vital information to thwart
network intruders.
As part of our cybersecurity research in the public interest, MITRE has a long history
of developing standards and tools used by the broad cybersecurity community, such
as STIX™, TAXII™, and CVE®. Our MITRE ATT&CK® framework, which provides a free
online knowledge base of cyber adversary behavior, is used worldwide.
Our expert staff continues to partner and collaborate on many cybersecurity resources
and innovations. The 11 Strategies of a World-Class Cybersecurity Operations Center is
a practical guide to enhancing digital defense for SOC operators—and an embodiment
of MITRE’s mission of solving problems for a safer world.


What is the SOC and why is it important?


This booklet provides a brief overview of the 11 Strategies of a World-Class
Cybersecurity Operations Center. It offers a window into the 11 strategies discussed in
the book, with the hope that the reader will be enticed to download the freely available
full version of the book or to acquire the e-book or a print version.
Ensuring the confidentiality, integrity, and availability of the modern digital enterprise
is a big job. It encompasses many parallel and related efforts, from robust systems
engineering to effective cybersecurity policy and comprehensive workforce training.
One essential element is cybersecurity operations: monitoring, detecting, analyzing,
responding, and recovering from all measures of cyber attack. The operational focal
point for incident detection, analysis, and response is the cybersecurity operations
center (CSOC, or simply SOC).

Who is this book for?


If you are part of, support, frequently work with, manage, or are trying to stand up
a SOC, this book is for you. Its audience includes SOC managers, technical leads,
engineers, and analysts. Portions of 11 Strategies can also be used as a reference by
those who interface with SOCs on a routine basis to better understand and support
security operations. Students and individuals transitioning into cybersecurity operations
from other fields may also find it useful.


Table of Contents
SOC Fundamentals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
STRATEGY 1: Know What You Are Protecting and Why . . . . . . . . . . . . . . 7
STRATEGY 2: Give the SOC the Authority to Do Its Job . . . . . . . . . . . . . . 8
STRATEGY 3: Build a SOC Structure to Match Your Organizational Needs . . . . . 9
STRATEGY 4: Hire and Grow Quality Staff . . . . . . . . . . . . . . . . . . . . 11
STRATEGY 5: Prioritize Incident Response . . . . . . . . . . . . . . . . . . . .12
STRATEGY 6: Illuminate Adversaries with Cyber Threat Intelligence . . . . . . . 13
STRATEGY 7: Select and Collect the Right Data . . . . . . . . . . . . . . . . .14
STRATEGY 8: Leverage Tools to Support Analyst Workflow . . . . . . . . . . . . 15
STRATEGY 9: Communicate Clearly, Collaborate Often, Share Generously . . . . .16
STRATEGY 10: Measure Performance to Improve Performance . . . . . . . . . . 17
STRATEGY 11: Turn up the Volume by Expanding SOC Functionality . . . . . . . .18
About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19


SOC Fundamentals
• The operational focal point for incident detection, analysis, and response is
the cybersecurity operations center (CSOC, or simply SOC). A SOC satisfies
the constituency’s cyber monitoring and defense needs by performing a set
of functions for its constituency.

SOC FUNCTIONAL CATEGORIES AND FUNCTIONAL AREAS

• Incident Triage, Analysis, and Response

• Cyber Threat Intelligence, Hunting, and Analytics

• Expanded SOC Operations

• Vulnerability Management

• SOC Tools, Architecture, and Engineering

• Situational Awareness, Communications, and Training

• Leadership and Management

• SOCs accomplish their mission in large part by being purveyors and curators
of copious amounts of security-relevant data.
• They must be able to collect and understand the right data at the right time
in the right context.
• Virtually every mature SOC employs several different technologies, along
with automation processes, to generate, collect, enrich, analyze, store, and
present tremendous amounts of security-relevant data to SOC members.


TYPICAL SOC DATA AND TOOLS


CHALLENGE: Cybersecurity operations exist to support their organizations’ missions,
so they need context for the data that they see and the action they take.

STRATEGY 1: Know What You Are Protecting and Why

• Develop situational awareness across five areas over time:
- Business/mission: This area is focused on understanding a constituency’s reason
for being and how it operates.
- Legal and regulatory environment: This area includes government laws and
industry regulations that are pertinent to cybersecurity operations such as
reporting requirements or privacy regulations.
- Technical and data environment: This area includes understanding the number,
type, location, and network connectivity of IT and OT assets along with the
status of those assets (e.g., patch status, vulnerability status, or up/down status).
This also includes knowing the constituency’s critical systems and data, the
connection and value of that data to the business, and the location of that data
(on-prem systems, cloud, partner IT, etc.).
- Users, user behaviors, and service interactions: This area includes
understanding typical patterns of behavior, including user-to-service and
service-to-service interactions.
- Threat: This includes understanding the various types of threats (hacktivists,
criminal, nation state, etc.) likely to be of particular concern to the constituency.

SOC OPERATING CONTEXT


CHALLENGE: SOCs are on the front line in defending a constituency’s cyber assets.
Where they are in the organizational structure, and how they are funded, directly
impacts their ability to fulfill their mission.

STRATEGY 2: Give the SOC the Authority to Do Its Job


• A SOC charter—written guidance that grants a SOC the authority to exist,
procure resources, and enact change—is an important component of building
and operating a SOC.
- Elements should include the SOC’s function, scope, and authorities along
with expectations for partnering with other parts of the constituency.
• The SOC requires support and enablement through other cybersecurity
and IT governance.
- The SOC should take an active role in developing and reviewing other
existing constituency policies that support execution of their functions.
• The SOC draws its authorities, budget, and mission focus from the
organization to which it belongs.
- The SOC can be housed in many places within an organization, each
with its own pros and cons.
- The most common placement is under the Chief Information Officer (CIO)
or Chief Information Security Officer (CISO). Other options include under the
Chief Operations Officer (COO), under the Chief Security Officer (CSO), under
IT operations, or inside a specific business unit.

An effective SOC has a charter and set of authorities, signed by constituency
executive(s), which enable it to advocate for needed resources and gain
cooperation to execute its mission.


CHALLENGE: There are thousands of SOCs around the world and no two are organized
exactly alike. What’s appropriate for one organization may not work for another; there
are many models to build from.

STRATEGY 3: Build a SOC Structure to Match Your Organizational Needs

• Structure SOCs by considering the constituency, SOC functions and
responsibilities, service availability, and any operational efficiencies gained by
selecting one construct over another.
- The size of the constituency is a key driver in determining the appropriate type
of SOC organizational structure.
• Dimensions of a SOC organizational model include both the internal SOC structure
(mapping of functions to roles) and the overarching model of how the SOC is
placed within the constituency and its overall objectives.
• SOCs will incorporate some or all of the SOC Functional Areas described in the
Fundamentals section according to their constituency needs.

NOTIONAL CENTRALIZED SOC



Different SOC organizational models help the SOC support constituencies of dramatically
different sizes and shapes. The primary SOC organizational models include:

Organizational Model / Example Organizations / Remarks

Ad Hoc Security Response
  Example organizations: Small businesses
  Remarks: No standing incident detection or response capability exists.

Security as Additional Duty
  Example organizations: Small businesses, small colleges, or local governments
  Remarks: No formal SOC organization. However, SOC-like duties are part of
  other duties.

Distributed SOC
  Example organizations: Small to medium-sized businesses, small to medium
  colleges, and local governments
  Remarks: A decentralized pool of resources housed in various parts of the
  constituency.

Centralized SOC
  Example organizations: Wide range of organizations including medium to
  large-sized businesses, educational institutions (such as a university), or
  state/province/federal government agencies
  Remarks: Resources for security operations are consolidated under one
  authority and organization.

Federated SOC
  Example organizations: Organizations with distinct operating units that
  function independently of one another
  Remarks: A SOC that shares a parent organization with one or more other
  SOCs, but generally operates independently.

Coordinating SOC
  Example organizations: Large businesses or government institutions
  Remarks: A SOC responsible for coordinating the activities of other SOCs
  underneath it.

Hierarchical SOC
  Example organizations: Large businesses or government institutions
  Remarks: Similar to the Coordinating SOC structure; however, the parent
  organization plays a more active role.

National SOC
  Example organizations: Country-level governments
  Remarks: Responsible for strengthening the cybersecurity posture of an
  entire nation.

Managed Security/SOC Service Provider
  Example organizations: Organizations of all sizes
  Remarks: Provides SOC services to external organizations via a
  business/fee-for-services type relationship.


CHALLENGE: People are the most important aspect of operating a world-class SOC.
Ensuring you have qualified staff—through training and recruitment—is key.

STRATEGY 4: Hire and Grow Quality Staff


• Staffing is one of the biggest challenges for a SOC; it is also one of the most
important factors in the success of the SOC mission.
- When hiring, passion for the role is a key indicator of success.
• There are not enough cybersecurity professionals available. Each SOC must also
grow talent internally, and support career progression.
• SOCs must also create an environment that encourages staff to stay by paying fair
market value, creating a sense of belonging through communication and sharing
among the SOC team, and supporting a diverse and inclusive work environment.
• Staff turnover is a reality for most SOCs.
- Pre-plan for departures by formally capturing institutional knowledge to help
address this issue and support overall SOC process execution.

SOC CAREER PATHS


CHALLENGE: As long as there have been computers and networks, there have been cyber
incidents. Typically, a SOC’s effectiveness is determined by how and when it responds.

STRATEGY 5: Prioritize Incident Response


• Prepare for handling incidents by defining incident categories, response steps,
and escalation paths, and codifying those into Standard Operating Procedures
(SOPs) and playbooks.
• Determine the priorities of incidents for the organization and allocate the
resources to respond.
• Team members must be given enough structure to ensure that expectations such as
consistency, timeliness, and the removal of analytic bias are met, while also being
given the freedom to act on their intuition and experience.
• Execute response with precision and care toward constituency mission and business.
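The first two points above (defined categories, priorities, escalation paths and SLAs written into a playbook) are the kind of thing a SOC can encode in a few dozen lines so that triage is consistent across shifts and analysts. The following is an added example, not code from the booklet or from MITRE; every category weight, asset tier, priority threshold, escalation owner and SLA duration is a constructed stand-in for values a SOC would set in its own SOPs.

```python
"""Codified incident triage: categories, priority bands, escalation paths, SLAs.

Added example, not from the MITRE booklet. The category weights, asset tiers,
priority thresholds, escalation owners and SLA durations are constructed
values standing in for what a SOC would write into its own SOPs/playbooks.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed incident categories with a base severity weight (1 = low, 5 = critical).
CATEGORY_WEIGHT = {
    "unauthorized_access": 5,
    "malware": 4,
    "phishing": 3,
    "policy_violation": 1,
    "scanning": 1,
}

# Constructed asset tiers: how much a compromised asset matters to the mission.
ASSET_TIER_WEIGHT = {"crown_jewel": 3, "business": 2, "commodity": 1}

# Constructed escalation paths and response SLAs, keyed by priority band.
ESCALATION = {
    "P1": ("incident commander and CISO paged", timedelta(minutes=15)),
    "P2": ("tier-2 lead", timedelta(hours=1)),
    "P3": ("tier-1 analyst queue", timedelta(hours=8)),
    "P4": ("weekly review", timedelta(days=5)),
}


@dataclass
class Incident:
    ident: str
    category: str
    asset_tier: str
    confidence: float       # tool/analyst confidence that this is real, 0.0-1.0
    detected_at: datetime


def score(inc: Incident) -> float:
    """Score = category weight x asset weight x confidence.

    A category or tier missing from the SOP falls back to the highest weight,
    so a gap in the playbook over-prioritises instead of silently dropping work.
    """
    cat = CATEGORY_WEIGHT.get(inc.category, max(CATEGORY_WEIGHT.values()))
    tier = ASSET_TIER_WEIGHT.get(inc.asset_tier, max(ASSET_TIER_WEIGHT.values()))
    conf = min(max(inc.confidence, 0.0), 1.0)
    return cat * tier * conf


def priority(inc: Incident) -> str:
    """Map the score onto P1..P4 bands (constructed thresholds)."""
    s = score(inc)
    if s >= 10:
        return "P1"
    if s >= 6:
        return "P2"
    if s >= 2:
        return "P3"
    return "P4"


def triage(inc: Incident) -> dict:
    """Return the codified response plan for one incident."""
    band = priority(inc)
    owner, sla = ESCALATION[band]
    return {
        "incident": inc.ident,
        "priority": band,
        "escalate_to": owner,
        "detected_at": inc.detected_at,
        "respond_by": inc.detected_at + sla,
        "score": round(score(inc), 2),
    }


def overdue(plan: dict, now: datetime) -> bool:
    """SLA breach check a queue monitor can run on every open plan."""
    return now > plan["respond_by"]


def demo_plans() -> list:
    """Triage a constructed batch; INC-4 uses a category the SOP does not list."""
    t0 = datetime(2024, 1, 1, 9, 0)
    batch = [
        Incident("INC-1", "unauthorized_access", "crown_jewel", 0.9, t0),
        Incident("INC-2", "phishing", "commodity", 0.8, t0),
        Incident("INC-3", "scanning", "commodity", 0.5, t0),
        Incident("INC-4", "not_in_sop_yet", "business", 1.0, t0),
    ]
    return [triage(inc) for inc in batch]


if __name__ == "__main__":
    for plan in demo_plans():
        print(plan)
```

The fail-safe default in `score()` is the design point: an incident category nobody anticipated should surface at the top of the queue for a human to classify, not fall through to the weekly review because a lookup returned nothing.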

NIST INCIDENT RESPONSE LIFECYCLE


CHALLENGE: Finding malicious activity and other traces of adversaries can be
challenging. SOCs need to be proactive and identify threats before they enter their
constituency’s environment.

STRATEGY 6: Illuminate Adversaries with Cyber Threat Intelligence

• Tailor the collection and use of cyber threat intelligence by analyzing the
intersection of adversary information, organization relevancy, and the technical
environment to prioritize defenses, monitoring, and other actions.
• Consider using MITRE ATT&CK to help inform and categorize adversary tactics,
techniques, and procedures (TTPs).
• Actionable Cyber Threat Intelligence (CTI) requires integrated analysis of adversary
information, the constituency technical environment, and the business or mission
context.
• SOCs cannot predict attacks without adversary association. Adversary association
is defined as the action of linking malicious activities to likely adversaries, or
known groups of behavior, for defensive purposes without requiring absolute
certainty that a specific person or group perpetrated the activity.
• Using CTI effectively is an iterative process and evolves as more information
is understood. The process includes understanding the context of events,
performing analysis, and taking action.
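The "intersection" the first point describes, and the adversary association the fourth point defines, can both be made concrete with ATT&CK technique IDs as the common vocabulary. The code below is an added example, not from the booklet or from MITRE: the group names (GROUP-A/B/C), their technique profiles, the relevance scores, the applicable-technique set and the coverage map are all constructed for illustration, while the technique IDs are real ATT&CK enterprise IDs used only as labels.

```python
"""CTI prioritisation by intersection: adversary TTPs x relevance x environment.

Added example, not from the booklet. Group names (GROUP-A/B/C), the relevance
scores, the applicable-technique set and the detection-coverage map are all
constructed. Technique IDs are real MITRE ATT&CK enterprise technique IDs,
used here only as labels; the group profiles are not real threat reporting.
"""

# Constructed adversary profiles: techniques each (fictional) group is reported to use.
GROUP_TTPS = {
    "GROUP-A": {"T1566", "T1059", "T1078", "T1021", "T1486"},
    "GROUP-B": {"T1566", "T1071", "T1027", "T1003"},
    "GROUP-C": {"T1190", "T1505", "T1003", "T1021"},
}

# Constructed organisational relevance (0-1): how likely the group targets our sector/region.
RELEVANCE = {"GROUP-A": 0.9, "GROUP-B": 0.4, "GROUP-C": 0.7}

# Constructed technical environment: techniques that can apply to our stack.
# T1190 (Exploit Public-Facing Application) is left out to model a constituency
# with no internet-exposed applications, so it drops out of the intersection.
APPLICABLE = {"T1566", "T1059", "T1078", "T1021", "T1486",
              "T1071", "T1027", "T1003", "T1505"}

# Constructed current detection coverage per technique: 0 (none) .. 1 (full).
COVERAGE = {"T1566": 0.8, "T1059": 0.5, "T1078": 0.2, "T1021": 0.1, "T1486": 0.6,
            "T1071": 0.3, "T1027": 0.2, "T1003": 0.7, "T1190": 0.4, "T1505": 0.0}


def technique_priority():
    """Rank techniques by (sum of relevance of groups using it) x (1 - coverage).

    Only techniques applicable to the environment are scored, so the output is
    the intersection the booklet describes: adversary information, relevance
    to the organisation, and the technical environment, weighted towards the
    places where detection is currently weakest.
    """
    scores = {}
    for group, ttps in GROUP_TTPS.items():
        for t in ttps & APPLICABLE:
            scores[t] = scores.get(t, 0.0) + RELEVANCE[group] * (1.0 - COVERAGE.get(t, 0.0))
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def associate(observed):
    """Adversary association: rank groups by Jaccard overlap with observed techniques.

    Returns (group, score, confidence label). No single answer is declared
    certain; the label expresses likelihood for defensive prioritisation only,
    which is all the booklet's definition of association requires.
    """
    observed = set(observed)
    ranked = []
    for group, ttps in GROUP_TTPS.items():
        union = observed | ttps
        jaccard = len(observed & ttps) / len(union) if union else 0.0
        label = "likely" if jaccard >= 0.5 else "possible" if jaccard >= 0.2 else "weak"
        ranked.append((group, round(jaccard, 2), label))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for t, s in technique_priority()[:5]:
        print(f"{t}: {s:.2f}")
    print(associate({"T1566", "T1021", "T1078"}))
```

Running it ranks T1021 (Remote Services) first: two relevant groups use it and coverage is almost nil, whereas T1566 (Phishing), used by the same number of groups, ranks low because coverage is already good. The iteration the last point describes is simply re-running this as relevance scores, coverage numbers and group profiles change.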

CTI KEY COMPONENTS



CHALLENGE: Most constituencies generate more digital data than a SOC can possibly
process and act upon.

STRATEGY 7: Select and Collect the Right Data


• Choose data by considering the relative value of different data types such as
sensor and log data collected by network and host systems, cloud resources,
applications, and sensors.
• Consider the trade-offs of too little data (and therefore not having the relevant
information available) and too much data (such that tools and analysts become
overwhelmed).
• For both detecting and confirming intrusions, data and instrumentation from
endpoints are generally considered more informative and provide more clarity
than data from network traffic.
• SOCs should collect data from all relevant environments including on-site data
centers, cloud environments, mobile infrastructure, and operational technologies.

BALANCING DATA VOLUME WITH VALUE


CHALLENGE: SOCs bring vast amounts of disparate data together into an information
architecture. Analysts need to be able to quickly evaluate the data, turn the data into
information, and use the information to fulfill their mission.

STRATEGY 8: Leverage Tools to Support Analyst Workflow

• Consolidate and harmonize views into tools and data and integrate them to
maximize SOC workflow.
• Consider how the many SOC tools, including Security Information and Event
Management (SIEM), User and Entity Behavior Analytics (UEBA), Security
Orchestration, Automation and Response (SOAR), and others fit in with the
organization’s technical landscape, to include cloud and operational technology
environments.
• Each SOC brings to bear a different set of tools, capabilities, and integrations
in support of their analysts. This figure shows one example architecture.
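"Consolidate and harmonize views into tools and data" is, at the data layer, a normalisation problem: three feeds with three schemas have to land in one event shape before an analyst can pivot from an IP to a host to a user. The block below is an added example, not from the booklet or from MITRE, and it also illustrates Strategy 7's point that endpoint data carries the context network data lacks. The firewall syslog lines, EDR process events and cloud audit events, and every field name in them, are constructed; real products use their own schemas.

```python
"""Harmonise heterogeneous telemetry into one event schema, then pivot across it.

Added example, not from the booklet. The three raw feeds (firewall syslog
lines, EDR process events, cloud audit events) and every field name in them
are constructed; real products use their own schemas and field names.
"""
import re
from datetime import datetime, timezone

# Constructed raw telemetry. The same workstation IP appears in all three feeds.
FIREWALL_LINES = [
    "2024-03-04T10:01:02Z fw01 DENY src=10.0.5.23 dst=203.0.113.9 dport=4444 proto=tcp",
    "2024-03-04T10:01:05Z fw01 ALLOW src=10.0.5.23 dst=203.0.113.9 dport=443 proto=tcp",
]
EDR_EVENTS = [
    {"ts": "2024-03-04T10:00:58Z", "host": "WS-0523", "ip": "10.0.5.23", "user": "j.doe",
     "parent": "winword.exe", "image": "powershell.exe"},
]
CLOUD_EVENTS = [
    {"eventTime": "2024-03-04T10:03:40Z", "userIdentity": {"userName": "j.doe"},
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.9"},
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _event(ts, source, **fields):
    """Common schema every feed is mapped onto; fields a feed lacks stay None."""
    base = {"ts": ts, "source": source, "sensor": None, "host": None, "user": None,
            "src_ip": None, "dst_ip": None, "action": None, "detail": ""}
    base.update(fields)
    return base


def normalize_firewall(line):
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"unparseable firewall line: {line!r}")
    return _event(parse_ts(m["ts"]), "firewall", sensor=m["sensor"], src_ip=m["src"],
                  dst_ip=m["dst"], action=m["action"].lower(),
                  detail=f"{m['proto']}/{m['dport']}")


def normalize_edr(ev):
    return _event(parse_ts(ev["ts"]), "edr", sensor=ev["host"], host=ev["host"],
                  user=ev["user"], src_ip=ev["ip"], action="process_start",
                  detail=f"{ev['parent']} -> {ev['image']}")


def normalize_cloud(ev):
    return _event(parse_ts(ev["eventTime"]), "cloud", sensor="cloud-audit",
                  user=ev["userIdentity"]["userName"], src_ip=ev["sourceIPAddress"],
                  action=ev["eventName"].lower())


def build_timeline():
    """One time-ordered list of events in the common schema."""
    events = ([normalize_firewall(l) for l in FIREWALL_LINES]
              + [normalize_edr(e) for e in EDR_EVENTS]
              + [normalize_cloud(e) for e in CLOUD_EVENTS])
    return sorted(events, key=lambda e: e["ts"])


def enrich_from_endpoint(events, window_seconds=300):
    """Give network-only events the host/user context only endpoint data has.

    A firewall record knows an IP; the EDR record for the same IP within the
    window says which host and user were behind it (Strategy 7's point that
    endpoint instrumentation is the more informative source).
    """
    edr = [e for e in events if e["source"] == "edr"]
    for e in events:
        if e["host"] is None and e["src_ip"]:
            for x in edr:
                if x["src_ip"] == e["src_ip"] and abs((x["ts"] - e["ts"]).total_seconds()) <= window_seconds:
                    e["host"], e["user"] = x["host"], e["user"] or x["user"]
                    break
    return events


def pivot(events, field, value):
    """Pivot: every event in the harmonised timeline sharing one field value."""
    return [e for e in events if e[field] == value]


def pivot_ip(events, ip):
    """Pivot on an address regardless of which side of the connection it was on."""
    return [e for e in events if ip in (e["src_ip"], e["dst_ip"])]
```

With the common schema in place, one pivot on the user `j.doe` returns the Office process spawning a shell, the blocked and then allowed outbound connections from that workstation, and the later console login from the same external address, which is the cross-tool workflow the figure depicts; without the endpoint join, the two firewall records would carry only an IP.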

SOC TOOL INTEGRATION AND PIVOTING



CHALLENGE: No matter how well-funded or well-staffed a SOC is, it can never
know everything about the cyber threat and vulnerabilities the organization faces.
Collaborations—both internal and external—can provide valuable insight.

STRATEGY 9: Communicate Clearly, Collaborate Often, Share Generously

• Engage within the SOC, with stakeholders and constituents, and with the
broader cyber community to evolve capabilities and contribute to the larger
cybersecurity ecosystem.
• Improving communication, collaboration, and sharing should begin within the
SOC itself.
- Everyone in the SOC should be given the opportunity to be an active participant
in these areas, as only then can the SOC fully leverage its most valuable
resource, its people.
• Being able to express clearly and succinctly what the SOC is doing and what the
SOC needs will go a long way toward building strong relationships with the SOC
constituency and maximizing the SOC’s effectiveness within the organization.

EXAMPLES OF COMMUNICATING, COLLABORATING, AND SHARING WITH DIFFERENT GROUPS


Within the SOC
  Inform and be informed: Pass information from one shift to another.
  Collaborate: Bring together incident responders and the CTI team to create
  a new analytic.
  Share: Mentor a colleague.

With Stakeholders and Constituents
  Inform and be informed: Provide risk summaries and recommendations to
  stakeholders and executives.
  Collaborate: Pre-plan with constituents how to respond to incidents and
  jointly publish guidance.
  Share: Hold a lunch and learn about the latest cyber threats and how they
  might impact the business.

With the Broader Cyber Community
  Inform and be informed: Provide incident TTPs, IOCs, and detection tactics
  to other SOCs, and receive some back.
  Collaborate: Compare best practices; choose joint activities such as hunt.
  Share: Hold cross training with other SOCs; incorporate and hold lessons
  learned sessions.

Partnering and sharing with others creates a stronger
cyber defense community for everyone.


CHALLENGE: SOCs succeed when they fulfill their mission and protect the
constituency’s cyber assets. As technology changes and new threats emerge, SOCs need
to understand what is working well and where improvements would be most beneficial.

STRATEGY 10: Measure Performance to Improve Performance

• Determine qualitative and quantitative measures to know what is working well
and where to improve. A SOC metrics program includes business objectives, data
sources and collection, data synthesis, reporting, and decision-making and action.
• Metrics can be broken up into three groups:
- Those that are meant for internal SOC consumption.
- Those that describe the SOC’s value and operating status to stakeholders.
- Other things the SOC learns about the constituency’s cybersecurity status
that fall outside the SOC mission.
• Not all measures result in positive outcomes. Choosing and monitoring the
“wrong” measures can lead to wasted time or worse, a focus on harmful practices.
Seek team consensus, compensating quality checks, and balance in metrics to
emphasize not only basic service delivery, but growth in capabilities and a culture
of transparency.
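The last point, that a "wrong" measure rewards harmful practice unless a compensating quality check sits beside it, is easiest to see on numbers. The following is an added example, not from the booklet or from MITRE: it computes time-to-detect and time-to-contain from a handful of constructed ticket records, splits the results into the internal and stakeholder groups named above, and shows the analyst who looks fastest being the one a reopen-rate check flags. Ticket contents, analyst labels, the SLA target and the reopen threshold are all constructed.

```python
"""SOC metrics from constructed ticket records, with a compensating quality check.

Added example, not from the booklet. The tickets, analyst labels, SLA target
and reopen threshold are constructed.
"""
from datetime import datetime
from statistics import mean, median


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


# Constructed closed tickets: occurred / detected / contained timestamps,
# whether the alert was a true positive, handling analyst, and whether QA
# review reopened the ticket because the response was incomplete.
TICKETS = [
    {"id": "T1", "cat": "phishing", "occurred": "2024-05-01T08:00", "detected": "2024-05-01T08:20",
     "contained": "2024-05-01T09:10", "true_positive": True, "analyst": "a", "reopened": False},
    {"id": "T2", "cat": "malware", "occurred": "2024-05-01T10:00", "detected": "2024-05-01T10:05",
     "contained": "2024-05-01T11:35", "true_positive": True, "analyst": "b", "reopened": False},
    {"id": "T3", "cat": "scanning", "occurred": "2024-05-01T12:00", "detected": "2024-05-01T12:02",
     "contained": "2024-05-01T12:12", "true_positive": False, "analyst": "a", "reopened": False},
    {"id": "T4", "cat": "unauthorized_access", "occurred": "2024-05-02T01:00", "detected": "2024-05-02T13:00",
     "contained": "2024-05-02T15:00", "true_positive": True, "analyst": "b", "reopened": False},
    {"id": "T5", "cat": "phishing", "occurred": "2024-05-03T09:00", "detected": "2024-05-03T09:30",
     "contained": "2024-05-03T09:45", "true_positive": True, "analyst": "c", "reopened": True},
    {"id": "T6", "cat": "phishing", "occurred": "2024-05-03T14:00", "detected": "2024-05-03T14:10",
     "contained": "2024-05-03T14:20", "true_positive": False, "analyst": "c", "reopened": False},
]


def minutes(a, b):
    return (_t(b) - _t(a)).total_seconds() / 60


def mttd(tickets):
    """Time to detect. Median is reported next to the mean because one slow
    detection (T4, overnight) dominates the mean and would mislead on its own."""
    vals = [minutes(t["occurred"], t["detected"]) for t in tickets]
    return {"mean": round(mean(vals), 1), "median": median(vals)}


def mttr(tickets):
    """Time from detection to containment."""
    vals = [minutes(t["detected"], t["contained"]) for t in tickets]
    return {"mean": round(mean(vals), 1), "median": median(vals)}


def fastest_analyst(tickets):
    """The naive 'speed' ranking: lowest median time to contain."""
    per = {}
    for t in tickets:
        per.setdefault(t["analyst"], []).append(minutes(t["detected"], t["contained"]))
    return min(per, key=lambda a: median(per[a]))


def quality_check(tickets, max_reopen_rate=0.25):
    """Compensating check: analysts whose QA reopen rate exceeds the threshold."""
    per = {}
    for t in tickets:
        per.setdefault(t["analyst"], []).append(t["reopened"])
    return sorted(a for a, flags in per.items() if sum(flags) / len(flags) > max_reopen_rate)


def report(tickets, sla_minutes=60):
    """Group the numbers for the two audiences the booklet names."""
    tp = [t for t in tickets if t["true_positive"]]
    within_sla = sum(minutes(t["detected"], t["contained"]) <= sla_minutes for t in tp)
    by_cat = {}
    for t in tp:
        by_cat[t["cat"]] = by_cat.get(t["cat"], 0) + 1
    return {
        "internal": {
            "mttd_minutes": mttd(tickets),
            "mttr_minutes": mttr(tickets),
            "true_positive_rate": round(len(tp) / len(tickets), 2),
            "fastest_analyst": fastest_analyst(tickets),
            "reopen_flags": quality_check(tickets),
        },
        "stakeholder": {
            "confirmed_incidents_by_category": by_cat,
            "contained_within_sla_pct": round(100 * within_sla / len(tp)) if tp else None,
        },
    }


if __name__ == "__main__":
    print(report(TICKETS))
```

On this data analyst `c` has the best median containment time and also the only reopened ticket; a program that ranked people on speed alone would reward exactly the behaviour the quality check exists to catch.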

SOC METRICS PROGRAM


CHALLENGE: Cyber adversaries are continually evolving, and technology changes
rapidly. SOCs need to keep pace.

STRATEGY 11: Turn up the Volume by Expanding SOC Functionality

• Once incident response is mature, amp up a SOC’s ability to detect and defend
against more sophisticated attackers who often hide and quietly move in a
constituency.
• These additional functions include:
- Looking for the adversary in new ways through threat hunting.
- Testing and enhancing the SOC’s ability to detect the adversary through
red teaming, purple teaming, and breach and attack simulation.
- Concealing networks and assets, creating uncertainty and confusion,
and/or influencing and misdirecting adversary perceptions and decisions
through deception.
- Advancing the SOC’s knowledge of adversary actions, techniques, and tools
through malware and digital forensic analysis.
- Improving SOC operations through the use of tabletop exercises.

Threat hunting is one of the best ways for a SOC to find adversaries
that elude ordinary, routine detections and alerting.
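One of the simplest hunts that finds what routine alerting misses is stack counting: tally a behaviour across the whole fleet and read the bottom of the list, since a parent/child process pair seen on one host out of twenty is a lead no per-event signature would have fired on. The code below is an added example, not from the booklet or from MITRE; the process-start records, host names and the baseline split are constructed.

```python
"""Threat hunting by stack counting: surface parent->child process pairs that
are rare across the fleet.

Added example, not from the booklet. The process-start records and host names
are constructed.
"""
from collections import defaultdict

# Constructed process-start records: (host, parent image, child image).
RECORDS = []
for i in range(1, 21):
    h = f"WS-{i:04d}"
    RECORDS += [(h, "explorer.exe", "chrome.exe"), (h, "services.exe", "svchost.exe")]
    if i <= 15:
        RECORDS.append((h, "explorer.exe", "outlook.exe"))
RECORDS += [
    ("WS-0007", "winword.exe", "powershell.exe"),    # office app spawning a shell: worth a look
    ("WS-0011", "explorer.exe", "snippingtool.exe"),  # rare but benign: rarity is a lead, not a verdict
]


def stack(records):
    """Map each (parent, child) pair to the set of distinct hosts it was seen on."""
    hosts = defaultdict(set)
    for host, parent, child in records:
        hosts[(parent, child)].add(host)
    return hosts


def rare_pairs(records, max_hosts=1):
    """Least-frequency analysis: pairs seen on at most max_hosts hosts, rarest first."""
    hosts = stack(records)
    rare = [(pair, sorted(h)) for pair, h in hosts.items() if len(h) <= max_hosts]
    return sorted(rare, key=lambda r: (len(r[1]), r[0]))


def new_since_baseline(baseline, current):
    """Second hunt hypothesis: pairs present now that never appeared in the baseline."""
    return sorted(set(stack(current)) - set(stack(baseline)))


def fleet_prevalence(records, pair):
    """Fraction of the fleet on which a pair was observed, for triaging a lead."""
    hosts = stack(records)
    fleet = {h for h, _, _ in records}
    return len(hosts.get(pair, ())) / len(fleet)


if __name__ == "__main__":
    for pair, hosts in rare_pairs(RECORDS):
        print(pair, hosts, f"{fleet_prevalence(RECORDS, pair):.0%} of fleet")
    baseline = [r for r in RECORDS if r[0] != "WS-0007"]
    print("new since baseline:", new_since_baseline(baseline, RECORDS))
```

Both rare pairs come back, which is the point: the hunt produces leads for an analyst to triage, and the benign screenshot tool on WS-0011 is closed in seconds while the shell spawned from a document on WS-0007 becomes an incident under Strategy 5's playbook. The baseline comparison is the same data answering a different hypothesis ("what is new this week?"), which is how hunts are usually iterated.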


About the Authors


Kathryn Knerler
Kathryn has served in many cybersecurity roles over the
past two decades, specializing in front-line cyber analysis
and incident response, and designing, installing, and
monitoring network security devices. She leads MITRE’s
Cyber Assessments and Automation department.

Ingrid Parker
Ingrid has worked in cybersecurity roles spanning from
operational hands-on analysis through engaging with
CISOs of large federal departments and agencies.
She is currently the chief engineer for MITRE’s
Homeland Security Enterprise division.

Carson Zimmerman
Carson has been working in cybersecurity in the
commercial and not-for-profit sectors for nearly 20 years,
first at MITRE and now at Microsoft. He is a subject
matter expert on cybersecurity operations center
architectures, consulting, and engineering.

SCAN THE QR CODE ABOVE TO DOWNLOAD THE FULL E-BOOK VERSION OF
11 STRATEGIES OF A WORLD-CLASS CYBERSECURITY OPERATIONS CENTER

THE PRINT VERSION IS ALSO AVAILABLE AT WWW.MITRE.ORG/11STRATEGIES

MITRE’s mission-driven teams are dedicated to solving problems for a safer world. Through our public-private partnerships and federally funded R&D centers, we work across
government and in partnership with industry to tackle challenges to the safety, stability, and well-being of our nation.
© 2022 The MITRE Corporation. All rights reserved. Approved for Public Release. Distribution unlimited. #21-3946.
