February 21, 2019
Lessons learned from the Microsoft SOC—Part 1: Organization
We’re frequently asked how we operate our Security Operations Center (SOC) at
Microsoft (particularly as organizations are integrating cloud into their enterprise
estate). This is the first in a three-part blog series designed to share our approach
and experience, so you can use what we learned to improve your SOC.
Microsoft has multiple security operations teams that each have specialized
knowledge to protect the different technical environments at Microsoft. We use a
“fusion center” model with a shared operating floor, which we call our Cyber
https://www.microsoft.com/security/blog/2019/02/21/lessons-learned-from-the-microsoft-soc-part-1-organization/ 1/9
14/04/2020 Lessons learned from the Microsoft SOC—Part 1: Organization - Microsoft Security
In this three-part series, we focus on the operation of our corporate IT SOC team as
they most closely reflect the challenges and approaches of our customers—having
many users and endpoints, email attack vectors, and a hybrid of on-premises and
cloud assets. In addition, we include a few lessons learned from the other SOCs and
our Detection and Response Team (DART) that helps our customers respond to
major incidents.
This SOC operates with three tiers of analysts plus automation as seen in Figure 1
below. (We’ll provide more details in Part 2: People.)
The tooling in the SOC (Figure 2) is a mixture of centralized breadth capabilities and
specialized tools to enable high quality alerts and an end-to-end investigation and
remediation experience. (Part 3: Technology will provide more details.)
Like all things in security, our SOC has evolved considerably over the years to its
current state and will continue to evolve. We recently noticed that our SOC had
sustained a 100+ percent growth in incidents handled over the past three years
with a nearly flat staffing level. While we don’t know if we can expect this
astounding trend to continue in the future, it validates that we are on the right
The first element we cover is the value of the SOC in the context of the overall
mission and risk of the organization. Like the traditional incarnations of crime and
espionage, we don’t expect there will be a straightforward “solution” to
cyberattacks. A SOC is often a crucial risk mitigation investment for an enterprise as
it is core to limiting how much time and access attackers have in the organization.
This ultimately increases the attacker’s cost and decreases the benefit, which
damages their return on investment (ROI) and motivation for attacking your
organization. Everything in the SOC should be oriented toward limiting the time
and access attackers can gain to the organization’s assets in an attack to mitigate
business risk.
At Microsoft, our SOCs bear not just the responsibility of reducing risk to our
employees and investors, but also the weight of the trust that millions of customers
accessing our cloud services and products put in us.
We’ve learned that the SOC has four primary functional integration points with the
business:
SOC culture
If you take one thing away from this post, it’s that the SOC culture is just as
important as the individuals you hire and the tools you use. Culture guides
countless decisions each day by establishing what the right answer looks and feels
like in ambiguous situations, which are plentiful in a SOC.
Our cultural elements are very much focused on people, teamwork, and continuous
learning and include these learnings:
Use your human talent wisely—Our people are the most valuable asset we have in the
SOC, and we can’t afford to waste their time on repetitive, thoughtless tasks that can
be automated. To combat the human threats we face, we need knowledgeable and
well-equipped humans who can apply expertise, judgement, and creative thinking. This
human factor affects almost every aspect of SOC operations, including the role of
tools and automation in empowering humans to do more (rather than replacing them)
and in reducing toil on our analysts. (More on this topic in Part 2: People.)
Shift left mindset—To get and stay ahead of cybercriminals and hackers who
constantly evolve their techniques, we must continuously improve and shift our
activities “left” in the attack timeline. We focus on speed and efficiency to try to get
“faster than the speed of attack” by looking at ways we could have detected attacks
earlier and responded more quickly. This principle is effectively an application of a
continuous learning “growth mindset” that keeps the team laser focused on reducing
risk for our organization and our customers.
SOC metrics
those metrics. We measure several indicators of success in the SOC, but we always
recognize that the SOC’s job is to manage significant variables that are out of our
direct control (attacks, attackers, etc.). We view deviations primarily as a learning
opportunity for process or tool improvement rather than a failing on the part of the
SOC to meet a goal.
Get started
Our biggest recommendation for the SOC organization is to define the culture you
want to inculcate. This will shape your team and attract the talent you want. In the
coming weeks, we’ll share our philosophy on managing people, career paths, skills,
and readiness, and what tools we use to enable our people to accomplish their
mission. In the meantime, head over to the CISO series to learn more.
Filed under: Automation, CISO series, Cybersecurity, Endpoint security, Microsoft 365, Microsoft Cloud App Security