We are trying to help a large customer implement an E-W or micro-segmentation solution, and one of the questions is how many more SOC analysts need to be staffed to monitor this new solution. Generally, any guidance on the number of people needed to monitor SOC alerts would be a good starting point. Basically, I am looking for a benchmark on how many people are needed in a SOC based on any parameters, etc.
First, I think that prioritizing roles is critical to your path to success. When building out an intelligence-driven SOC, surrounding yourself with combined expertise in strategic planning, operations, threat intelligence, and incident response is all necessary. Secondly, what are the hours of operation, and how many alerts is your team expected to monitor or remediate? Having a firm grasp on this is one of the most crucial elements in ensuring that appropriate coverage is provided. In my experience, if the customer wants full 365 x 24 x 7 coverage, you will need at least two people per shift, and that is running an extremely lean team with a high turnover rate due to burnout.
However, if you are able to implement calculated automation, you have the opportunity to maximize the investment you've made in your team. Part of the challenge security operations are facing today is simply keeping up with the increasing number of new attack vectors, such as IT, IoT, and physical security controls, as well as disseminating the deluge of ingested data into meaningful incident reports, all in a timely, efficient manner. Security automation can help fill this void by drilling down into the large amount of data, allowing your analysts to focus on the most pertinent threats. Automate where you can, but don't lose sight of the importance of the human element, and at the end of the day, remember that a one-size-fits-all approach won't work when building an effective team of analysts.
I concur with @rebek_w on the guidance of a minimum of 2 analysts per shift, and this will lead to higher-than-desired turnover rates, which has consequences over time related to training, tribal knowledge, etc…
I would start with MITRE's Top 10 Strategies for a World Class SOC and take some of the lessons from that text as a guide for analysts handling alerts, people running the solution(s), etc… There are some sizing recommendations, but in the end it leaves it to what is right for what the organization can support.