Introduction
This book is intended for anyone who is considering building a security operations center (SOC), already has a SOC and wants to improve its operations or increase its scope, or simply wants to learn more about what a SOC does and why it is critical not just to the security posture of the organization it supports, but also, when done properly, becomes the hub through which all nonoperational information moves.
Before we dive in, we want to emphasize a point we just made. A SOC is not intended to directly support the day-to-day operations of whatever organization you have. We started this journey at Northern States Power, based in Minneapolis, Minnesota. A few years after we were hired, it became Xcel Energy. As an electric utility, they have an operations center that monitors and controls the flow of electricity across the portion of the grid they support. The SOC has nothing to do with their daily operations, nor should it.
For a utility, generating, transmitting, and delivering electricity to customers is their core mission and they do an outstanding job.
The SOC only exists because it supports that core mission. It does this primarily through the monitoring of burglar (burg) or intrusion alarms, fire alarms, panic alarms, camera activity, environmental alarms, card access activity, and anything else that is determined to be important to the operations of the organization. This is accomplished by hiring and training security console operators (SCOs) and giving them clear instructions, solid training, and regular feedback.
Building a world-class SOC is a process. The most important thing to realize going in is that mistakes will be made and things will happen that were never planned for. What is critical to continuous improvement is to focus on fixing the problems rather than dwelling on the failures.