{"id":25482,"date":"2019-02-21T19:00:17","date_gmt":"2019-02-21T19:00:17","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/lessons-learned-from-the-microsoft-soc-part-1-organization\/"},"modified":"2019-02-21T19:00:17","modified_gmt":"2019-02-21T19:00:17","slug":"lessons-learned-from-the-microsoft-soc-part-1-organization","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/lessons-learned-from-the-microsoft-soc-part-1-organization\/","title":{"rendered":"Lessons learned from the Microsoft SOC\u2014Part 1: Organization"},"content":{"rendered":"

We\u2019re frequently asked how we operate our Security Operations Center (SOC) at Microsoft (particularly as organizations are integrating cloud into their enterprise estate). This is the first in a three part blog series designed to share our approach and experience, so you can use what we learned to improve your SOC.<\/p>\n

In Part 1: Organization, we start with the critical organizational aspects (organizational purpose, culture, and metrics). In Part 2: People, we cover how we manage our most valuable resource\u2014human talent. And finally Part 3: Technology, covers the technology that enables these people to accomplish their mission.<\/p>\n

Overall SOC model<\/h3>\n

Microsoft has multiple security operations teams that each have specialized knowledge to protect the different technical environments at Microsoft. We use a \u201cfusion center\u201d model with a shared operating floor, which we call our Cyber Defense Operations Center (CDOC)<\/a>, to increase collaboration and facilitate rapid communication among these teams. Each team manages to the specific needs of their environment.<\/p>\n

In this three part series, we focus on the operation of our corporate IT SOC team as they most closely reflect the challenges and approaches of our customers\u2014having many users and endpoints, email attack vectors, and a hybrid of on-premises and cloud assets. In addition, we include a few lessons learned from the other SOCs and our Detection and Response Team (DART) that helps our customers respond to major incidents.<\/p>\n

This SOC operates with three tiers of analysts plus automation as seen in Figure 1 below. (We\u2019ll provide more details in Part 2: People.)<\/p>\n

\"Figure<\/p>\n

Figure 1. SOC analyst tiers plus automation.<\/em><\/p>\n

The tooling in the SOC (Figure 2) is a mixture of centralized breadth capabilities and specialized tools to enable high quality alerts and an end-to-end investigation and remediation experience. (Part 3: Technology will provide more details.)<\/p>\n

\"Figure<\/p>\n

Figure 2. SOC tooling.<\/em><\/p>\n

Like all things in security, our SOC has evolved considerably over the years to its current state and will continue to evolve. We recently noticed that our SOC had sustained a 100+ percent growth in incidents handled over the past three years with a nearly flat staffing level. While we don\u2019t know if we can expect this astounding trend to continue in the future, it validates that we are on the right track and should share our learnings.<\/p>\n

SOC organizational purpose<\/h2>\n

The first element we cover is the value of the SOC in the context of the overall mission and risk of the organization. Like the traditional incarnations of crime and espionage, we don\u2019t expect there will be a straightforward \u201csolution\u201d to cyberattacks. A SOC is often a crucial risk mitigation investment for an enterprise as it is core to limiting how much time and access attackers have in the organization. This ultimately increases the attacker\u2019s cost and decreases the benefit, which damages their return on investment (ROI) and motivation for attacking your organization. Everything in the SOC should be oriented toward limiting the time and access attackers can gain to the organization\u2019s assets in an attack to mitigate business risk.<\/p>\n

At Microsoft, our SOCs bear not just the responsibility of reducing risk to our employees and investors, but also the weight of the trust that millions of customers accessing our cloud services and products put in us.<\/p>\n

We\u2019ve learned that the SOC has four primary functional integration points with the business:<\/p>\n