"We need security operations."
That statement, or something like it, has launched thousands of SOC programs. Often it comes after an incident, an audit finding, or a board-level question about security monitoring.
The challenge is that "security operations" can mean vastly different things depending on your organization's size, risk profile, and resources. Building the right program requires understanding what you actually need and what's realistic to achieve.
Defining SOC Mission and Scope
Before purchasing a single tool or hiring anyone, define what your security operations program needs to accomplish:
Core Questions
What assets are you protecting?
- Cloud infrastructure (which providers?)
- On-premises data centers
- Endpoints (how many, what types?)
- Applications (web, mobile, APIs?)
- Data (customer data, intellectual property, financial?)
What threats are you most concerned about?
- Nation-state actors
- Organized cybercrime
- Hacktivists
- Insider threats
- Opportunistic attackers
What regulatory requirements apply?
- Industry regulations (PCI-DSS, HIPAA, GLBA)
- Privacy regulations (GDPR, CCPA)
- Contractual requirements (SOC 2, customer requirements)
- Internal policies
What's your risk tolerance?
- What's the acceptable mean time to detect (MTTD)?
- What response times are required?
- How much residual risk is acceptable?
SOC Functions
Typical SOC responsibilities include:
| Function | Description | Complexity |
|---|---|---|
| Alert monitoring | Review and triage security alerts | Foundational |
| Incident response | Investigate and respond to incidents | Essential |
| Threat detection | Develop and tune detection rules | Intermediate |
| Threat hunting | Proactively search for threats | Advanced |
| Vulnerability coordination | Integrate vuln findings into operations | Intermediate |
| Threat intelligence | Consume and operationalize TI | Intermediate |
Not every SOC needs every function from day one. Start with foundational capabilities and expand.
Build vs. Buy vs. Hybrid
The fundamental decision: run security operations yourself, outsource to a provider, or combine approaches.
Build: In-House SOC
Advantages:
- Deep knowledge of your environment
- Direct control over priorities
- Ability to customize to your needs
- Institutional knowledge retention
Challenges:
- Significant staffing requirements
- 24x7 coverage requires ~6-8 analysts minimum
- Technology investment
- Ongoing training and retention
Best for: Larger organizations with resources and need for customized operations.
Buy: Managed Security Services (MSSP/MDR)
Advantages:
- Faster time to coverage
- Lower initial investment
- Access to specialized expertise
- Scalable to coverage needs
Challenges:
- Less customization
- Learning your environment takes time
- Alert context may be limited
- Vendor lock-in concerns
Best for: Organizations lacking the resources for an in-house team or needing rapid deployment.
Hybrid: Shared Responsibility
Common models:
- MSSP handles 24x7 monitoring; internal team handles escalations
- Internal team handles day shift; MSSP covers nights/weekends
- MSSP provides tier 1 triage; internal team handles deeper investigation
Best for: Most mid-sized organizations seeking a balance of coverage and control.
For organizations under 2,000 employees, a hybrid model often makes the most sense. The cost of true 24x7 staffing with retention-quality compensation typically exceeds MSSP costs until you reach significant scale.
Technology Selection Framework
Security operations requires technology, but the specific tools matter less than how well they're implemented and operated.
Core Technology Stack
SIEM/Security Data Platform
The foundation that aggregates logs and enables detection and investigation.
Selection criteria:
- Ingestion capacity for your data volumes
- Query performance for investigation
- Detection rule capabilities
- Integration with your environment
- Total cost of ownership (licensing + infrastructure + operations)
Endpoint Detection and Response (EDR)
Visibility and response capability on endpoints.
Selection criteria:
- Platform support (Windows, Mac, Linux)
- Detection capability
- Response capabilities (isolation, remediation)
- Integration with SIEM
- Resource footprint on endpoints
Case Management/SOAR
Workflow and automation platform.
Selection criteria:
- Playbook and automation capabilities
- Integration with existing tools
- Case management for tracking investigations
- Metrics and reporting
Technology Anti-Patterns
Tool overload: More tools don't mean better security. Every tool requires configuration, maintenance, and expertise.
Buying ahead of capability: Advanced tools provide no value if you lack skills to operate them.
Vendor-driven architecture: Build your program based on requirements, not vendor pitches.
Ignoring integration: Tools that don't share data create visibility gaps and manual work.
Staffing Models and Organizational Structure
Staffing is typically the largest SOC expense and the biggest challenge.
Role Definitions
Tier 1 Analyst (SOC Analyst)
- Alert triage and initial investigation
- Escalation of potential incidents
- Documentation and reporting
- Typically entry-level security role
Tier 2 Analyst (Senior SOC Analyst)
- Complex investigation
- Incident response coordination
- Mentoring of Tier 1 analysts
- Typically 2-4 years experience
Tier 3/Specialist
- Threat hunting
- Detection engineering
- Malware analysis
- Forensics
- Typically 5+ years experience
SOC Manager/Lead
- Program management
- Stakeholder communication
- Staffing and development
- Metrics and reporting
Coverage Models
24x7 Coverage (In-House)
Requires approximately:
- 5-6 analysts for continuous coverage (accounting for PTO, sick time)
- Plus management and specialist roles
- Minimum ~8 FTE for basic 24x7 operation
Business Hours + On-Call
- 2-3 analysts for daytime coverage
- Rotating on-call for after-hours
- MSSP or automation for overnight alerting
Hybrid with MSSP
- Internal team sized for day shift
- MSSP provides nights/weekends/holidays
- Clear escalation protocols between teams
Retention Realities
Security operations faces significant retention challenges:
- Burnout from 24x7 rotations
- Competitive market for security talent
- Limited career progression in pure operational roles
- Alert fatigue leading to disengagement
Mitigation strategies:
- Career development paths beyond analyst roles
- Rotation through different functions
- Competitive compensation
- Investment in tools that reduce tedious work
- Reasonable workload and on-call expectations
Process Development Priorities
Technology and staffing mean little without effective processes:
Critical Processes (Implement First)
Alert Handling
- How are alerts received and assigned?
- What's the triage workflow?
- When and how are alerts escalated?
- How are false positives documented and fed back?
Incident Response
- What constitutes an "incident"?
- Who declares and manages incidents?
- What are the communication protocols?
- How is post-incident review conducted?
Shift Handoff
- What information transfers between shifts?
- How are ongoing investigations tracked?
- What's the mechanism for urgent escalation?
Important Processes (Phase 2)
Detection Engineering
- How are new detections developed?
- What's the testing and deployment process?
- How is detection coverage measured?
Threat Intelligence Integration
- How is TI consumed and operationalized?
- What sources are used?
- How does TI inform detection and hunting?
Vulnerability Coordination
- How does the SOC receive vulnerability information?
- What's the workflow when exploitation of a known vulnerability is attempted?
- How is vulnerability context incorporated into investigations?
Mature Processes (Phase 3)
Threat Hunting
- What methodology guides hunting?
- How are hypotheses developed?
- How are findings documented and operationalized?
Metrics and Continuous Improvement
- What metrics are tracked?
- How is performance analyzed?
- What drives improvement priorities?
Measuring SOC Success
Metrics should measure what actually matters: security outcomes, not activity.
Operational Metrics
| Metric | Target Range | What It Measures |
|---|---|---|
| Mean Time to Detect (MTTD) | Under 24 hours for critical | How quickly threats are identified |
| Mean Time to Respond (MTTR) | Under 4 hours for critical | How quickly containment occurs |
| Alert-to-Incident Ratio | Over 10% | Quality of alerting |
| False Positive Rate | Under 50% | Detection tuning effectiveness |
| Dwell Time | Declining trend | Time attackers remain undetected |
Program Health Metrics
| Metric | Target | What It Measures |
|---|---|---|
| Analyst Retention | Over 80% annually | Program sustainability |
| Training Hours | Over 40 hours/year | Skill development investment |
| Detection Coverage | Over 60% of priority techniques | Detection comprehensiveness |
| Automation Rate | Increasing | Efficiency improvement |
Business Metrics
| Metric | What It Measures |
|---|---|
| Security Incidents vs. Prior Period | Trend in detected threats |
| Impact of Contained Incidents | Value of rapid response |
| Regulatory/Audit Findings | Compliance effectiveness |
| Stakeholder Satisfaction | Program perception |
Vanity metrics like "alerts handled" or "tickets closed" incentivize volume over quality. Focus on metrics that align with actual security outcomes.
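To make the operational metrics table concrete, here is an added example (not code from the original article) that computes MTTD, MTTR, alert-to-incident ratio and false positive rate from alert records and checks them against the table's target ranges. It assumes each closed alert carries a detection timestamp, an analyst disposition, and, for true positives, the earliest attacker activity found during investigation (unknown for some) and the containment time; the records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Alert:
    alert_id: str
    severity: str                               # "critical", "high", "medium", ...
    disposition: str                            # "true_positive", "false_positive" or "benign"
    detected: datetime                          # when the SOC first saw the alert
    first_activity: Optional[datetime] = None   # earliest attacker activity; None if never established
    contained: Optional[datetime] = None        # when containment completed (true positives only)

H = timedelta(hours=1)
T0 = datetime(2024, 1, 8, 9, 0)

# Constructed sample records for one reporting period; not real data.
SAMPLE_ALERTS = [
    Alert("A-1", "critical", "true_positive", T0, T0 - 6 * H, T0 + 2 * H),
    Alert("A-2", "critical", "true_positive", T0 + 24 * H, T0 + 4 * H, T0 + 27 * H),
    Alert("A-3", "critical", "true_positive", T0 + 48 * H, None, T0 + 52 * H),  # dwell unknown
    Alert("A-4", "critical", "false_positive", T0 + 1 * H),
    Alert("A-5", "high", "true_positive", T0 + 3 * H, T0 + 2 * H, T0 + 4 * H),
    Alert("A-6", "high", "false_positive", T0 + 5 * H),
    Alert("A-7", "medium", "false_positive", T0 + 6 * H),
    Alert("A-8", "medium", "benign", T0 + 7 * H),
]

def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600

def operational_metrics(alerts, severity="critical"):
    """MTTD and MTTR for one severity; ratio and FP rate over all closed alerts."""
    if not alerts:
        raise ValueError("no alerts in reporting period")
    incidents = [a for a in alerts if a.disposition == "true_positive"]
    sev = [a for a in incidents if a.severity == severity]
    # Incidents whose first activity was never established are excluded from MTTD
    # rather than silently treated as zero dwell time.
    detect = [hours(a.detected - a.first_activity) for a in sev if a.first_activity]
    respond = [hours(a.contained - a.detected) for a in sev if a.contained]
    return {
        "mttd_hours": mean(detect) if detect else None,
        "mttr_hours": mean(respond) if respond else None,
        "alert_to_incident_ratio": len(incidents) / len(alerts),
        "false_positive_rate": sum(a.disposition == "false_positive" for a in alerts) / len(alerts),
    }

def meets_targets(m):
    """Compare a metrics dict against the target ranges in the operational metrics table."""
    return {
        "mttd": m["mttd_hours"] is not None and m["mttd_hours"] < 24,
        "mttr": m["mttr_hours"] is not None and m["mttr_hours"] < 4,
        "alert_to_incident_ratio": m["alert_to_incident_ratio"] > 0.10,
        "false_positive_rate": m["false_positive_rate"] < 0.50,
    }
```

A severity with no incidents yields `None` for MTTD and MTTR, which `meets_targets` reports as not met, so an empty period is never mistaken for a fast one.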
Realistic Timeline
Building effective security operations takes time. A realistic timeline:
Months 1-3: Foundation
- Define mission and scope
- Make build/buy decisions
- Select and begin deploying core technology
- Hire or contract initial team
Milestone: Basic log collection and alert monitoring operational.
Months 4-6: Initial Capability
- Complete technology deployment
- Establish core processes
- Begin detection development
- Establish MSSP relationship (if hybrid)
Milestone: 24x7 monitoring coverage in place.
Months 7-12: Maturation
- Tune detections based on operational experience
- Develop playbooks for common scenarios
- Implement case management and metrics
- Establish threat hunting capability
Milestone: Measured, improving security operations.
Year 2 and Beyond
- Continuous improvement based on metrics
- Expansion of detection coverage
- Integration with broader security program
- Program optimization
Getting Started
If you're standing up security operations:
- Define what you need before evaluating tools or providers.
- Be realistic about resources. Understaffed, under-tooled SOCs create liability, not security.
- Consider hybrid models. Pure in-house may not be economical at your scale.
- Invest in process as much as technology.
- Plan for retention. Building a team you can't keep doesn't work.
- Measure what matters. Align metrics with security outcomes.
Security operations is a program, not a project. Initial setup is just the beginning. Ongoing investment in people, process, and technology determines whether your SOC actually reduces risk.