The Security Operations Centre (SOC) processes

In order to carry out its responsibilities, the SOC needs to have a set of processes that are fit for purpose.

These processes are designed to help the SOC achieve its objectives and will be dependent on the precise nature of the activities undertaken. The processes will be informed by other parts of the organisation, in particular by the IT governance system, and the IT management frameworks in use.

The PDCA loop is used in the SOC, as it is in many aspects of IT operations, to help improve the running of the SOC and ensure that the services the SOC provides to the business are always improving.

In particular, a variant of the PDCA loop, the OPDCA loop, can be particularly useful for helping to improve the running of the SOC. In OPDCA, the O stands for Observation, and similarly to the OODA loop, it emphasises the necessity of having a complete as possible understanding of the current situation to help guide the actions undertaken.

The OODA loop

The OODA loop was developed by John Boyd of the United States Air Force to help deal with complex and rapidly changing combat situations (Boyd 1987). It has subsequently made its way into many other environments that deal with engaging other entities in combative situations and has been found to be particularly useful in cyber security.

The OODA loop as described in detail below

Moran (2008). Licensed under CC BY 3.0
The OODA loop is expandable

The key aim of the OODA loop is to help provide mental tools that facilitate a rapid response to a situation, and to aid this it divides the process into four key stages which are themselves continuously looping processes.

The observation stage This is the first of these stages. It’s during this stage that we bring together all the observations about the current situation. In a cyber security environment, this will include information such as our current system state, network traffic, active users, etc. Ideally, it should also include information about the threat intelligence we have gathered.
The orientation stage This is where we consider our own biases, background knowledge, experience, and strengths and weaknesses. If possible, we should also consider the same for our attacker, although in practice the knowledge of our attacker is often lacking. In a cyber security environment, the policies, procedures and processes in our organisation will play a big part here.
The decision stage This stage can be the hardest. It’s here we bring together what we see (the observation stage) and what we know (the orientation stage) and decide what our action should be. In a team environment, such as is normally found in a SOC, this can be challenging as different people have different ideas about what is the appropriate thing to do. This is made more difficult by the extremely rapid rate at which cyber attacks can be carried out.
The act stage This is the final stage. Here we put our decision into practice. Again, this is where the organisation’s policies, processes and procedures can be very helpful in giving us set ways to react to situations. In a combat situation, this uniformity of action can be an issue, but in a cyber security situation, the uniformity makes it less likely that we will miss anything.

All of the stages add to the amount of information we have and they all feed back into the observation stage. This feedback can be immediate and help us deal with an ongoing security incident, or can be more long term and help us refine our threat intelligence, and our policies, processes, and procedures.

The PDCA loop

The PDCA loop is designed to help businesses improve their operations, and was originally put forward by Walter Shewhart and later refined and popularised by Edwards Deming (2000). Unlike the OODA loop, which is designed to help deal with rapidly changing and complex environments, the PDCA loop is designed to promote improvements in processes. Like the OODA loop, the PDCA loop is a four-part loop with the following key stages:

Plan Here we work out what it is we need to do and the processes we need to get there.
Do This stage is concerned with carrying out the actual work. Small changes are generally preferable as we can evaluate after each change and ensure that we are going in the right direction.
Check/study Originally, this stage was called the check stage as it’s the stage where we check to see if what we have done in the do stage is appropriate. Deming later changed it to the study stage to emphasise the idea that this is not just a simple check box exercise, but that we should evaluate how well the do stage achieved its goal and study its results.
Act/adjust The final stage is the act or adjust stage. In this stage, we make changes based on what we found needed improvement in the check/study stage. These could be changes to the information we are using, changes to our project management, changes to out process or any other similar activities.

After the act/adjust stage has been completed, we start again at the plan stage, ready for our next change to the system.

The PDCA loop can also be used as a method of managing projects, although in many cases other methodologies such as PRINCE2 are more suitable.


References

Boyd, J. R. (1987) A discourse on winning and losing. Maxwell Air Force Base. AL: Air University Library Document No. M-U 43947

Edwards Deming, W. (2000) Out of the Crisis. Cambridge, MA: MIT Press. 88

Moran, P. E. (2008) ‘OODA.Boyd’. Wikimedia Commons [online] available from http://commons.wikimedia.org/wiki/File:OODA.Boyd.svg#/media/File:OODA.Boyd.svg [30 July 2019]

Share this article:

This article is from the free online course:

Security Operations

Coventry University