In the new reality, we need to begin planning for a “return to normal”, which includes re-thinking our workspaces. This offers an opportunity to re-examine the security operations center (SOC) and to identify opportunities for improvement. The physical SOC layout not only influences how effectively it facilitates team knowledge sharing, collaboration, and productivity, it can also aid the overall health and well-being of the team.
There are both physical and technology elements that need to be considered, such as floor/space planning, physical equipment/layout, and supporting technology that encourages collaboration and efficiency of SOC teams. The path to success includes proper space planning, technology selection and integration, and designing and building the SOC with a clear purpose in mind.
The first decision point is whether the SOC will be physical, virtual, or some hybrid. An organization’s ability to leverage a remote workforce will drive this decision, as will the location of current and future/available talent to support the mission of the SOC. Most organizations will lean towards physical or hybrid models due to the nature of the work and the need to collaborate in person during incident and breach response activities, where real-time feedback and communication are often needed.
While the virtual or hybrid models will introduce additional technology requirements, most of the requirements overlap with the needs of a single physical location SOC or follow-the-sun physical SOC.
A SOC should be built for purpose, and by answering the following “big” questions:
- Will the space be used for tours? Will outsiders “see” the SOC, and are we using it as an example of our commitment to security?
- Are we utilizing existing space, renovating an existing SOC, or is this a net new build?
- Do we have adequate space to build, and is this space near those the SOC team will likely interact with (Network operations center, IT, executive teams, legal/communications, HR)?
- Are we going to use a central SOC with one or more additional “sister” SOCs?
- Can our space flex from day-to-day operations into an “all-hands-on-deck” mode during a response – is the space flexible enough to support both modes of operation?
In addition to the needs of the team for both individual work and team collaboration, space planning for a SOC is based on the teams and the number of people that will utilize the space.
Teams that should be included in the SOC (space permitting) are:
- The SOC level 1-3 analysts
- SOC managers and directors
- Threat intelligence
- Incident response and forensics
- Fraud/AML and insider threat
- Vulnerability management
SOC space planning also needs to be completed by a certified architect/space planner so that power/electrical, ventilation/HVAC, and ADA requirements are met and the design complies with local building codes.
The typical SOC physical layout includes:
- Cluster workstation/open floor plan w/office spaces as needed for privacy
- Workstation layout that includes space for multiple monitors (2-3 large monitors) per person, phone, keyboard, and secure individual storage
- Break-out rooms/war rooms for collaboration
- Large modular front display panels that display relevant dashboards and content & news broadcasts
- Windows and lighting. The SOC does not need to be “inside” the building and “dark”. SOCs should consider utilizing natural light as much as possible – this needs to be balanced so glare does not interfere w/displays, but I’m not sure it is healthy to put people in dark rooms for hours on end
Workspace & other considerations:
- SOC analysts and team members often utilize multiple monitors for their work – space needs to be designed to support “larger than average workstations” in comparison to open office workspaces
- Ergonomic options – analysts often work in the same “spot” for hours on end, as such options should be included such as sit-stand desks and ergonomic chairs
- Ambient noise control – given the openness of the SOC spaces, noise control needs to be considered to limit ambient noise from equipment and conversations
- Appropriate number of break-out rooms, spaces/whiteboards/tech, phone rooms, and conference rooms – use a certified space planner to design for improved/maximum collaboration
Technology plays a critical role in supporting the SOC teams and analysts in their daily activities. Technology planning will help drive the requirements; however, the general technology requirements include:
- High quality/resolution monitor technology (think blue-light-blocking, super-high-resolution monitors) of considerable size (24” or larger)
- Multiple systems per analyst – such as a standard corporate system connected to the corporate network for standard activities such as email, app access, etc., plus other systems isolated in a “lab” or on an off-network internet connection (sandbox)
- Large front modular displays – able to split screens, generally shows monitoring dashboards but with the ability to broadcast any analyst screen as needed
- Access to news feeds, cable news, etc.
- Access to corporate phone systems
- Goes without saying, but most SOC analysts need access to all the necessary security tools and information (at a minimum read access)
- HD/high quality video conference systems that support the general SOC room and individual break-out rooms/war rooms – especially important if the SOCs are distributed and/or a hybrid model is being used
- Secure backup/dark channel communication solution – off-net, off-corp phone and email access to be used in the event of a wide-scale breach of systems (consult legal/OGC on options to ensure we don’t run afoul of any compliance/legal requirements on retention)
To conclude, it’s important to remember that in the new reality, we need to re-think our SOC workspaces given how they can impact a team’s knowledge sharing, collaboration, productivity, and overall health and well-being. We need to consider both the physical and technology components of a SOC, as a successful plan is built for specific purposes.