
Building a Next Generation Security Operations Center

Written by SecureOps Team | May 14, 2025 4:00:00 AM

Once you’ve established your security operations center (SOC), the challenge is to iteratively improve to stay ahead of the evolving cyber threat landscape. Several strategies can help, including those focusing on industry frameworks, technologies, and personnel.

SOC Industry Frameworks Come of Age

Every SOC needs formal security policies and procedures that are written, enforced, and regularly reviewed. You don’t need to start from scratch: the NIST Cybersecurity Framework (CSF) and the MITRE ATT&CK knowledge base give you a foundation, and both are continuously refined and updated as your peers in the industry explore new use cases.

NIST’s CSF 2.0

NIST introduced CSF 2.0 in February of 2024. This latest version broadens its scope beyond critical infrastructure to apply to all organizations, regardless of size, sector, or complexity. The most substantial change is the introduction of a new core function, Govern, which elevates cybersecurity to a key enterprise-level risk management concern.

This expands the core functions from five to six: Govern, Identify, Protect, Detect, Respond, and Recover.

The Govern function focuses on how an organization makes and executes its own decisions to support its cybersecurity strategy. It underscores that cybersecurity is a major source of enterprise risk, on par with financial and reputational risks. Key areas within Govern include organizational context, risk management strategy, and cybersecurity supply chain risk management.

CSF 2.0 also places more emphasis on continuous improvement for cybersecurity practices with the Govern function. And the revised structure for categories and subcategories within all functions provides more clarity for logical and effective implementation.

More than a Reference Architecture: New Use Cases for the MITRE ATT&CK Framework

Since its creation in 2013, security operations professionals have relied on the MITRE ATT&CK framework as a reference architecture. This knowledge base is a powerful tool for anyone seeking to better understand adversary tactics and techniques based on real-world observations. 

The MITRE ATT&CK® framework, a critical resource for cybersecurity professionals, has evolved significantly in the past year, expanding its coverage of virtualized environments and cloud services and enhancing its defensive tooling.

Like NIST’s CSF, MITRE ATT&CK is a living and breathing framework. Today’s security teams are building on this foundation by experimenting with new use cases to derive even greater benefits. 

The latest refinements to MITRE ATT&CK include:

  1. The release of MITRE ATT&CK v17.0, which introduces a dedicated platform for VMware ESXi. This addition reflects the increasing trend of threat actors targeting virtualization infrastructure.

  2. Expansion of its cloud coverage. Updates in late 2023 and early 2024 brought a sharper focus on both Infrastructure-as-a-Service (IaaS) and Software-as-a-Service (SaaS) platforms, giving defenders a more granular understanding of how attackers operate within cloud services.

  3. A stronger focus on social engineering, which acknowledges the human element of cyberattacks by including non-technical techniques such as "smishing" (SMS phishing), "quishing" (QR code phishing), and "vishing" (voice phishing).

Next, let’s look at the technology aspect of the next-generation SOC.

Technologies to Future-proof Your SOC in 2023

The three key technologies within a typical SOC are associated with:

  1. Data Sources 
    Common data sources include:
    1. Network activity/security events such as firewalls, IDS/IPS, and vulnerability scanners.
    2. Threat intelligence gathered from internal and external feeds.
    3. Endpoint activity logs.
    4. Authorization elements such as those gathered from Active Directory, VPN, and SSO.

  2. Security Intelligence Platform (including SIEM)
    A security intelligence platform gathers data from all the sources listed above but also correlates it. Should a threat be detected, it will immediately send an alert to a SOC engineer.

  3. Case Management System
    This is a ticketing system that tracks events throughout their lifecycle. It also serves as a communication point between affected infrastructure and SOC teams and users. Investing in, maintaining, and updating these infrastructure elements can be expensive, which is why many organizations rely on managed solutions from third parties to defer or offset their upfront costs.
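As an added illustration (not code from this post or from SecureOps), here is a minimal version of the correlation step that a security intelligence platform performs across the data sources listed above: each source sees only one step of a chain, and only the joined view produces an alert, tagged with the MITRE ATT&CK technique IDs a detection engineer would attach to the rule. The event schema, the rule thresholds and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs), already normalised to one schema,
# from the three source types listed above: SSO/Active Directory, endpoint, firewall.
SAMPLE_EVENTS = [
    {"ts": "2025-05-14T09:00:01Z", "src": "sso", "user": "alice", "host": "",
     "action": "login_failed"},
    {"ts": "2025-05-14T09:00:09Z", "src": "sso", "user": "alice", "host": "",
     "action": "login_failed"},
    {"ts": "2025-05-14T09:00:15Z", "src": "sso", "user": "alice", "host": "",
     "action": "login_failed"},
    {"ts": "2025-05-14T09:00:40Z", "src": "sso", "user": "alice", "host": "WS-14",
     "action": "login_ok"},
    {"ts": "2025-05-14T09:03:12Z", "src": "endpoint", "user": "alice", "host": "WS-14",
     "action": "service_installed"},
    {"ts": "2025-05-14T09:04:05Z", "src": "firewall", "user": "", "host": "WS-14",
     "action": "outbound_new_dst"},
    {"ts": "2025-05-14T09:30:00Z", "src": "sso", "user": "bob", "host": "WS-02",
     "action": "login_ok"},
]
# One correlation rule: a chain that each source alone sees only one step of.
RULE = {
    "name": "password guessing, then new service and new outbound destination",
    "window": timedelta(minutes=10),
    "min_failures": 3,
    "attack": ["T1110", "T1078", "T1543"],  # ATT&CK technique IDs for the steps
}
def _ts(event):
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))

def correlate(events, rule=RULE):
    """Join SSO, endpoint and firewall events per user/host; return alerts."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, login in enumerate(events):
        if (login["src"], login["action"]) != ("sso", "login_ok"):
            continue
        t0 = _ts(login)
        fails = [e for e in events[:i] if e["src"] == "sso" and e["user"] == login["user"]
                 and e["action"] == "login_failed" and _ts(e) >= t0 - rule["window"]]
        if len(fails) < rule["min_failures"]:
            continue  # failures alone are too noisy to page an analyst
        later = [e for e in events[i + 1:]
                 if e["host"] == login["host"] and _ts(e) <= t0 + rule["window"]]
        seen = {(e["src"], e["action"]) for e in later}
        if {("endpoint", "service_installed"), ("firewall", "outbound_new_dst")} <= seen:
            alerts.append({"rule": rule["name"], "user": login["user"], "host": login["host"],
                           "attack": rule["attack"], "evidence": fails + [login] + later})
    return alerts
```

Run against the sample stream, the rule fires once, for alice on WS-14, with all six contributing events attached as evidence; the lone successful login for bob produces nothing, which is the point of correlating rather than alerting per source.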

Where Do Current SOC Technology Gaps Lie?

Even with the evolution of cyber technologies, including endpoint detection and response (EDR) and security information and event management (SIEM), the lack of seamless data integration between these tools creates data silos. These silos hinder security analysts, who must now manually correlate data to assess threats. This makes it difficult to gain a holistic view of an attack chain and understand the full context of a security event.

You’re likely aware that the sheer volume of threats, without the proper context to determine their true priority and potential impact, results in alert fatigue. How sure are you that your analysts are detecting the true threats to your environment?

Security teams hoped automation would alleviate the gaps that remain, but meaningful automation is still a challenge. The development and maintenance of effective automation playbooks require specialized skills and significant upfront investment. As a result, repetitive and time-sensitive tasks, such as initial alert triage, evidence gathering, and basic response actions, remain manual processes.

While the importance of the right SOC technology can’t be overstated, staffing your SOC with top-notch human expertise is equally, if not more, important.

This brings us to our third element of a future-ready SOC – people.

Next-generation SOC Staffing Strategies

Even with all the technology, optimization of your SOC still relies on people and expertise. However, SOC specialists are expensive and in short supply.

Here are the roles you’ll need to staff an optimal SOC—and the type of security expertise we keep on staff in our security operations center:

Level 1 Security Monitoring: Level 1 analysts utilize industry-standard SIEM tools and best practices, such as the MITRE ATT&CK framework, to detect suspicious activities and anomalies in real time. 

Level 2 Advanced Analysis: Level 2 analysts utilize techniques such as behavioral analytics, anomaly detection, and threat correlation to reveal the scope and impact of security incidents. 

Level 3 Threat Hunting and Incident Analysis: In addition to regular playbook-driven monitoring, analysts conduct custom-designed threat hunting sweeps and campaigns to identify and neutralize advanced persistent threats (APTs) before they manifest into full-blown incidents.

Detection Engineering: The team continuously updates detection rules and logic based on the latest threat intelligence feeds and TTPs (tactics, techniques, and procedures) from sources such as the MITRE ATT&CK framework.

Threat Intelligence: Using feeds from open-source intelligence (OSINT), commercial, and proprietary sources, we prime your security systems for emerging threats. 

Enterprise SOCs are well-known for high staff turnover rates – the average employee spends just 26 months with an organization. This short tenure often prevents SOC teams from acquiring the organization-specific knowledge they need to manage discovered incidents without dedicated third-party support and/or guidance from more senior colleagues.

SOC around the Clock: SOC-as-a-Service

The trend toward outsourcing SOC responsibilities to specialist managed security services providers (MSSPs) has spawned what’s known as SOC-as-a-Service (SOCaaS).

In SOCaaS arrangements, the MSSP typically takes responsibility for some or all elements of the enterprise SOC. Some organizations are initially a little reticent to go this route, fearing they’ll lose control of their overall security plan. However, that’s an unlikely outcome, and most see the opposite happen – they reap the benefits of having an expert step them through the process of developing, honing, and improving their SOC strategy. Rather than losing control, they feel even more confident and in control of their operations than before.

When entering into a SOCaaS arrangement, you usually sign up for a fixed-price contract with a monthly or annual fee. Your provider commits to specific service level agreements (SLAs) that govern the terms of the contract, making SOCaaS a more efficient and cost-effective alternative to an all-in-house SOC.

A managed service SOC can also help address any potential skills gap challenges in your security team and free up existing IT experts to focus on other business-critical issues. This ensures a reliable SOC is operational around the clock.

Conclusion

Midsize and enterprise companies that choose outsourcing report the total cost of their third-party SOC services to be significantly lower than the cost of purchasing, installing, and maintaining the same technology and services in-house. This strategy also eliminates many upfront CapEx expenditures, not to mention the cost of hiring, managing, and retaining scarce and highly sought-after SOC specialists.

SOCs play a business-critical role in protecting organizations from insider and external threats. As we move through 2025, we can expect SOCs – whether in-house, outsourced, or hybrid models – to take their rightful place at the top of the business agenda.