SOC overview
Palo Alto’s Elements of Security Operations emphasizes the importance of understanding the primary motivators of other organizational departments. Their approach begins with recognizing that each business function has unique goals and motivations, often distinct from those of the SOC. This disparity can lead to frustrations among teams working toward different objectives. By understanding these motivations, the SecOps team can better align its requests and communications to support business-wide success.
Palo Alto outlines key motivators for various departments, which can help foster collaboration and strengthen relationships by supporting each team’s objectives.
Cyber Magazine. Cybersecurity Industry Associations. Retrieved December 6, 2020 from https://cybersecurityventures.com/cybersecurity-associations/
Palo Alto. Elements of Security Operations. (Nov, 2020). Retrieved December 6, 2020 from https://start.paloaltonetworks.com/elements-of-security-operations.htmlLinks to an external site.
I also think that depending upon the type of business the organization does there could also be other relationships that are very important to cultivate. For example:
If your organization holds sensitive information and if that information belongs to customers.
• Relationships with Database engineering/administration team
• Relationships with customer database compliance teams.
If your organization operates technology enabled equipment.
• Relationships with operations leaders related to that technology (e.g. SCADA, etc)
If your organization provides technology services to customers.
• Relationships to customer technology and security leaders.
If your organization provides industry leadership.
• External relationships to industry organizations:
o Auto-ISAC - Automotive Information Sharing and Analysis Center
o Aviation ISAC - Aviation Information Sharing and Analysis Center
o E-ISAC - Electricity Information Sharing and Analysis Center
o FS-ISAC - Financial Services Information Sharing and Analysis Center
o H-ISAC - Health Information Sharing and Analysis Center
SOC shifts
There are many nuances to running a SOC which include, responsibilities and authorities within the organization, interactions with other business units, day-to-day work, etc. One of the straightforward areas of building a SOC is SOC shift schedules. I have worked with many different SOC shift schedules in 24/7 SOCs over the years, and this blog post will try to explain the pros and cons of each.
A 24-hour day can be divided into shift coverage many different ways:
3 or 4 – 12-hour SOC shifts
4 - 10-hour overlapping SOC shifts
5 – 8-hour SOC shifts
To reach the 40-hour work week, the work week can be divided several different ways
4-day work week (10-hour shifts)
5-day work week (8-hour shifts)
Alternate 3-day and 4-day work week (12-hour shifts) - For hourly employees they will have overtime every other week.
3 1/2 work week (3 days 12-hours and 4th day 6-hours)
Note: you will also have to factor in at least 30-minute break. this becomes especially critical for longer shifts.
12 Hour shifts
Pros:
Who wouldn’t want a three-day work week every other week.
The organization can have the same shift coverage with 1/3 less employees.
Cons:
When you add an hour commute each way, lunch break, and getting ready for work each day; these workers don’t do anything besides work and sleep on their workdays.
There is no shift overlap between shifts each day for briefings and to exchange information.
If the shifts are hourly, they will get overtime pay on their long 4-day work week.
10 Hour shifts
Pros:
In my experience this is the most popular shift. Worker hours are not excessive plus they get an extra day off each week.
The shift schedules can be designed with a few hours of overlap which helps with team training, communications and continuity of incidents.
Cons:
Requires the addition of a 3rd shift each day so theoretically there needs to be a 1/3 increase in staff from a 12-hour shift.
When you add an hour commute each way, lunch break, and getting ready for work each day it can be a long day for workers.
8 Hour shifts
Pros:
This is also a popular shift because many people don't want to work weekends or long days.
Cons:
There isn't inherent overlap of shifts shift schedules which makes which makes team training, communications and continuity of incidents. Staggered shifts can be implemented to help with this, but managing staggered shifts is difficult.
Covering Weekends
Splitting weekends
With the 12-hour 3-day/4-day work week or 12 3-day + 1/2-day work week and the 4 10-hour work week you can simply split the week in half to cover weekend hours. For example, one group works Sun through Wednesday, and the other group works Wednesday through Saturday. The drawback is that workers need to be regularly scheduled to work weekend hours.
Having dedicated weekend shifts
In this type of schedule weekends are treated separately from weekdays. A few workers regularly work weekend plus two or three weekdays, or dedicated staff only works weekends.
In my experience I have found it effective to hire part time staff to cover weekends. This allows you to hire more experienced engineers who are looking for extra work and/or extra experiences. It also allows you to bring a wider range of experiences to the team.
Other Important Shift Points
Non-Busy hours
Non-busy hours are typically nights and weekends. You don't have to have the same number of workers per shift. In one job I came into, I inherited a shift schedule that had equal workers per shift. I switched the shifts to have more workers during busy times during the day and less workers during quiet times at night.
Floater
The floater is also an important concept. The floater is someone that may regularly work 9-5 but is also flexible to work most all shifts. When workers can't work a shift, the floater can quickly be tasked with adjusting their schedule to provide the necessary fill in for the work shift.
Kommentare