
SOC Manager’s Mini Handbook
14 Steps to Start your SOC Manager Journey

JUNE 2024
Prepared By
Riadh Brinsi. June 2024

Document History
This document is publicly shared with no restrictions. The original author of
this document is acknowledged and credited for their work.

This document is written under the CC BY licence:


This license enables reusers to distribute, remix, adapt, and build upon the
material in any medium or format, so long as attribution is given to the creator.
The license allows for commercial use. CC BY includes the following elements:
BY: credit must be given to the creator.

https://creativecommons.org/licenses/by/4.0/

Date        Version  Author        Revision / Section  Notes
19/05/2024  V-0.1    Riadh Brinsi  -                   Creation
03/06/2024  V-1.0    Riadh Brinsi  -                   Final

I
SOC Manager Handbook V-1.0
Riadh Brinsi. June 2024

Overview
Introduction 01
1: Initial Assessment and Introductions 02
2: Understand SOC Mission and Structure 03
3: Detailed Process Review 04
4: Stakeholder Engagement and Feedback 05
5: Analyze Tools and Technologies 06
6: Develop Improvement Plan 07
7: Launch Improvement Initiatives 07
8: Threat Analysis and Intelligence 08
9: Vulnerability Management 09
10: Post incident Analysis and lessons learned 10
11: Security Awareness and Training 10
12: Risk Assessment and Management 11
13: Business Continuity and Disaster Recovery 11
14: Performance Metrics and Reporting 11
15: Important Notes 12
16: References 13


Introduction
I wrote this document to help SOC managers get started on their
journey. It includes a step-by-step plan based on my experience and
the best practices from NIST, ISO, ENISA, and the "11 Strategies of a
World-Class Cybersecurity Operations Center." It is also inspired by
Prabh Nair’s "CISO 90 Days Plan - Practical and Easy".

Follow these 14 easy steps, adapt them into your own plan, and start or
enhance your journey as a SOC Manager.

PURPOSE OF THE DOCUMENT


This document outlines a plan that a SOC manager can follow for a
successful start. Here are the steps:
1. Initial Assessment and Introductions: Meet the team and
understand the current state of the SOC.
2. Understand SOC Mission and Structure: Learn about the SOC’s
goals and how it is organized.
3. Detailed Process Review: Examine the existing processes in detail.
4. Stakeholder Engagement and Feedback: Talk to stakeholders and
get their input.
5. Analyze Tools and Technologies: Review the tools and technologies
being used.
6. Develop Improvement Plan.
7. Launch Improvement Initiatives: Start implementing the
improvement plan.
8. Threat Analysis and Intelligence.
9. Vulnerability Management.
10. Post-Incident Analysis and Lessons Learned: Learn from past
incidents and improve.
11. Security Awareness and Training: Train the team and raise security
awareness.
12. Risk Assessment and Management: Identify and manage risks.
13. Business Continuity and Disaster Recovery: Plan for business
continuity and disaster recovery.
14. Performance Metrics and Reporting: Measure performance and
report on it.

This guide aims to make your journey as a SOC manager smoother and more effective.

If you have any further questions, feel free to contact me.



1: Initial Assessment and Introductions

TASKS AND RESPONSIBILITIES:


- Meet the team and stakeholders to understand their roles, responsibilities, and
perspectives.
- Establish open communication channels and build relationships with key personnel.
- Begin assessing team strengths and areas for development.
Key Deliverables:

- INITIAL MEETING NOTES

Date:
Attendees:
Key Points Discussed:
1. Introduction and Overview
- Introduction of SOC Manager
- Overview of meeting agenda
2. Team Member Introductions
Team Overview:
- Total Number of Team Members:
- SOC Structure and Hierarchy:

Name | Role and responsibilities | Current tasks

3. Discussion Topics:
- Key challenges faced by the team
- Current team dynamics
- Immediate support needed
4. Next Steps:
- Action items
- Follow-up meetings scheduled
Notes:
- Detailed notes on each discussion point
- Specific notes or important remarks
Action Items:

Name | Role and responsibilities | Current tasks

Additional Comments and next steps:
- Overview of skills and expertise within the team
- Areas for development and potential role adjustments
- Recommendations for role clarity and alignment
- Plans for further assessment and development

- COMMUNICATION PLAN

To establish clear and effective communication channels within the SOC team and with key
stakeholders.
Communication Channels:
1. Email:
- Primary method for formal communication
- Response time expectation: within 24 hours
2. Meetings: (Example)
- Weekly team meetings: Every Monday at 10 AM
- Monthly stakeholder updates: 1st Tuesday of each month
3. Instant Messaging:
- For quick queries and informal communication
- Preferred platform (e.g., Slack, Microsoft Teams)
Key Contacts:

Name | Role | Phone | Email
Key contact 1 | | |
Key contact 2 | | |

Communication Guidelines:
- Meeting Agendas:
  - To be shared 24 hours before meetings
- Meeting Minutes:
  - To be documented and shared within 24 hours post-meeting
- Reporting:
  - Weekly status reports due every Friday
Escalation Procedures:
- Steps for escalating urgent issues
- Contact points for escalation
Review and Adjustments:
- Plan to review communication effectiveness quarterly
- Process for updating communication plan

KPIS:
- Introductory meetings with 90% of the team
- Initial assessment of team dynamics
- Established communication channels

2: Understand SOC Mission and Structure

TASKS AND RESPONSIBILITIES:


- Review the SOC’s mission statement, organizational structure, and key documentation.
- Understand current strategic plans, budgets, and resource allocations.
It is important to understand the SOC and its three main pillars: People, Process, and
Technology. Each pillar plays a big role in making sure the SOC works well.
KEY DELIVERABLES:

- SUMMARY OF SOC MISSION AND STRUCTURE

SOC Mission Statement:
- It is important to figure out why the SOC was built.
Organizational Structure:
- Overview of the SOC hierarchy
- Key roles and reporting lines
Key Functions and Responsibilities:
- List of primary SOC functions (e.g., incident response, threat analysis, threat intelligence,
vulnerability scanning ...)
- Description of each function
Current Objectives:
- Short-term goals: these are your quick wins as a SOC manager; you have to know the fast goals
with high impact.
- Long-term goals: tactical and strategic plans
Key Stakeholders:
- Internal stakeholders (e.g., IT, compliance)
- External stakeholders (e.g., third-party vendors, regulatory bodies)
We talked about key contacts in the first week. Now it is time to prepare your stakeholder
register.
Next Steps:
- Recommendations for aligning with business goals: talk with GRC leaders to learn how to
better align the SOC's mission with the organization's goals.
- Plans for further strategic assessment:

- INITIAL REVIEW OF STRATEGIC PLANS AND BUDGETS

- Current strategic plans in place
- Budget allocation for the SOC
Strategic Plans:

Objective | Key initiatives | Timeline | Owner
Strategic plan 1 | | |
Strategic plan 2 | | |

Budget Review:
Regardless of where the SOC is organizationally located, it must have integrated budgetary,
logistical, and engineering support in place to serve sustained operations.
- Total budget allocated to SOC:
- Breakdown of budget by category (e.g., tools, training, staffing):
  - Tools:
  - Training:
  - Staffing:
  - Other expenses:
Key Observations:
- Alignment of strategic plans with SOC goals
- Adequacy of budget allocation
Next Steps:
- Recommendations for budget adjustments
- Proposals for new strategic initiatives

KPIS:
- Understanding of SOC mission and structure
- Initial familiarity with strategic plans and budgets


3: Detailed Process Review


TASKS AND RESPONSIBILITIES:
- Review detailed documentation of the SOC’s processes, including incident response
procedures, monitoring, and triage workflows.
- Participate in shift handovers and daily stand-ups to observe team dynamics and
workflows.
KEY DELIVERABLES:
- PROCESS REVIEW REPORT
To review and assess the SOC’s existing processes and workflows.
To review processes efficiently, refer to the relevant standards and frameworks:
ISO 27001:2022, ISO 27035, ISO 27041, NIST SP 800-61r2.
Processes Reviewed: (Examples)
1. Incident Response:
- Description:
- Current workflow:
- Tools used:
2. Threat Monitoring:
- Description:
- Current workflow:
- Tools used:
3. Vulnerability Management:
- Description:
- Current workflow:
- Tools used:
4. Threat Intelligence:
- Description:
- Current workflow:
- Tools used:
5. Evidence Preservation and Investigation:
- Description:
- Current workflow:
- Tools used:
6. Escalation to Higher Tiers:
- Description:
- Current workflow:
- Tools used:
Key Findings:
Focus on strengths and areas for improvement:
Recommendations:
- Suggested improvements for each process
- Immediate action items
Next Steps:
- Implementation plan for process improvements
- Timeline for follow-up reviews
- List of observed workflows and processes

KPIS:
- Detailed process documentation review
- Participation in at least three shift handovers


4: Stakeholder Engagement and Feedback

TASKS AND RESPONSIBILITIES:


- Hold meetings with key internal stakeholders to gather feedback on SOC performance
and areas where support could be improved.
- Understand compliance and governance requirements (always refer to the GRC team).
KEY DELIVERABLES:

- FEEDBACK SUMMARY REPORT

To summarize feedback received from stakeholders and SOC staff on current SOC performance.
Stakeholder Feedback:

Role | Feedback
Stakeholder 1 |
Stakeholder 2 |

SOC Staff Feedback:

Role | Feedback
Staff Member 1 |
Staff Member 2 |

Feedback collection and analysis:
- Common feedback points
- Major areas of concern
- Positive feedback
Next Steps:
- Action plan to address feedback
- Follow-up meetings and progress updates

- LIST OF COMPLIANCE AND GOVERNANCE REQUIREMENTS

Standards and Regulations:
1. Regulation 1: GDPR
- Description and scope:
- Key requirements:
- Relevant SOC processes: data privacy process
2. Regulation 2: PCI-DSS
- Description and scope:
- Key requirements:
- Relevant SOC processes: retention process
Internal Policies:
1. Policy 1:
- Description:
- Key requirements:
- Relevant SOC processes:
2. Policy 2:
- Description:
- Key requirements:
- Relevant SOC processes:
Key Observations:
- Compliance gaps identified
- Areas requiring immediate attention
Next Steps:
- Recommendations for compliance improvements
- Plan for regular reviews of compliance and audit reports
- Refer to the organization's DPO for process improvement

KPIS:
- Meetings with at least 70% of key stakeholders
- Collection of feedback from at least 80% of SOC staff


5: Analyze Tools and Technologies

TASKS AND RESPONSIBILITIES:


- Review the current state of SOC tools and technologies, focusing on their usage,
integration, and any pain points.
- Meet with tool administrators and power users to understand tool capabilities and
limitations.
KEY DELIVERABLES:
- TOOLS AND TECHNOLOGIES REVIEW REPORT
Objective:
To review and assess the current state of SOC tools
and technologies.

Tools Reviewed:
1. SIEM:
- Functionality:
- Integration with other tools:
- User feedback:
- Limitations:
2. SOAR:
- Functionality:
- Integration with other tools:
- User feedback:
3. Ticketing System:
- Functionality:
- Integration with other tools:
- User feedback:
- Limitations:
4. OSINT Platforms:
- Functionality:
- Integration with other tools:
- User feedback:
- Limitations:
5. EDR/XDR:
- Functionality:
- Integration with other tools:
- User feedback:
- Limitations:

Key Findings:
Focus on strengths and areas for improvement:
Recommendations:
- Suggested improvements for each tool
- Integration report and automation possibilities
- EOL and EOS tools and licensing plans

Next Steps:
- Implementation plan for tool optimizations
- Timeline for follow-up reviews
- Licensing follow-up
KPIS:
- Tools and technology review
- Identification of at least three optimization and automation opportunities


6: Develop Improvement Plan


TASKS AND RESPONSIBILITIES:
- Synthesize findings from the initial assessment, process review, stakeholder feedback, and
tool analysis.
- Develop a prioritized list of improvement initiatives, including policy updates and
enforcement strategies.

KEY DELIVERABLES:
- Synthesized findings report: the scope here is the processes and policies
- Prioritized list of improvement initiatives and start action as soon as possible
- Draft policies for review: suggest new policies to enhance the security posture of the SOC

KPIS:
- Completion of synthesized findings report
- Approval of improvement plan by steering committee or key stakeholders

7: Launch Improvement Initiatives


TASKS AND RESPONSIBILITIES:
- Begin implementing the first improvement initiatives, focusing on incident management
enhancements.
- Develop incident response playbooks and standard operating procedures (SOPs).

KEY DELIVERABLES:

- LAUNCH OF INITIAL IMPROVEMENT INITIATIVES
  - Launch the first improvement initiatives focusing on high-impact areas.
  - Ongoing monitoring and adjustments
  - Plans for subsequent initiatives
- UPDATED INCIDENT RESPONSE PLAYBOOKS AND SOPS
  - Update and enhance incident response playbooks and standard operating procedures (SOPs).
  - Improvements made
  - Expected impact on incident response

KPIS:
- Successful launch of first initiatives
- Documentation of incident management procedures


8: Threat Analysis and Intelligence

TASKS AND RESPONSIBILITIES:


- Establish and enhance threat intelligence capabilities.
- Integrate threat intelligence into existing SOC workflows and tools.

KEY DELIVERABLES:

- THREAT INTELLIGENCE INTEGRATION PLAN

Integration Plan:
1. Current State Assessment:
- Existing threat intelligence capabilities
- Gap analysis and action plan
2. Integration Strategy:
- Key actions:
- Tools and technologies:
- Responsible persons:
3. Implementation Timeline:
- Phase 1: selection and validation of TI sources
- Phase 2: implementation and testing with existing solutions
- Phase 3: integration and monitoring for any side effects
Key Observations:
- Potential challenges and mitigation strategies
- Expected benefits
- Enhanced threat intelligence feeds

- ENHANCED THREAT INTELLIGENCE REPORTS

Report Structure:
1. Executive Summary:
- Key findings
- Strategic implications
2. Detailed Analysis:
- Threat actors:
- Tactics, Techniques, and Procedures (TTPs): refer to MITRE ATT&CK
- Indicators of Compromise (IOCs):
3. Recommendations:
- Mitigation strategies
- Response actions
- Regular production schedule
- Continuous improvement process
Key Observations:
- Relevance to current threats
- Actionable insights

KPIS:
- % of threat intelligence integrations
- Regular production of threat intelligence reports
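Phase 2 of the integration plan asks for new TI sources to be tested against existing solutions before they reach production, and Phase 3 for monitoring side effects once they do. The Python script below is an added example, not part of the handbook: it matches a constructed IOC feed (an IP, a CIDR range, a domain and a file hash) against a few constructed key=value log lines, counts hits per feed source so each hit can be traced back to the feed that produced it, and flags any indicator that matches an implausibly large share of events, which is the kind of alert flood a broad CIDR or a popular domain in a feed would cause in the SIEM. The feed entries, log lines, field names and function names are all assumptions.

```python
"""Added example, not from the handbook: check an IOC feed against existing
log data before wiring it into the SIEM (Phase 2 of the integration plan).
Feed entries, log lines, field names and function names are constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network
import re

# Constructed IOC feed. Keeping the source on every indicator lets a hit be
# traced back to the feed that produced it during validation.
IOC_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "feed-A"},
    {"type": "cidr", "value": "198.51.100.0/24", "source": "feed-B"},
    {"type": "domain", "value": "update-check.example", "source": "feed-A"},
    {"type": "sha256",
     "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "source": "feed-B"},
]

# Constructed log lines in a simple key=value format (proxy, DNS, EDR events).
SAMPLE_LOGS = [
    "ts=2024-06-03T09:12:01Z src=10.0.0.12 dst=203.0.113.45 action=allow",
    "ts=2024-06-03T09:12:05Z src=10.0.0.12 query=update-check.example",
    "ts=2024-06-03T09:13:10Z src=10.0.0.7 dst=198.51.100.23 action=allow",
    "ts=2024-06-03T09:14:00Z host=ws-042 "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "ts=2024-06-03T09:15:30Z src=10.0.0.9 dst=192.0.2.10 action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Turn 'k=v k2=v2' into a dict; fragments that do not parse are ignored."""
    return dict(KV_RE.findall(line))


def match_indicator(ioc, fields):
    """True if the event's relevant fields match this indicator."""
    kind, value = ioc["type"], ioc["value"].lower()
    if kind == "ipv4":
        return any(fields.get(k) == value for k in ("src", "dst"))
    if kind == "cidr":
        net = ip_network(value)
        for k in ("src", "dst"):
            try:
                if k in fields and ip_address(fields[k]) in net:
                    return True
            except ValueError:  # field is not an IP address; skip it
                pass
        return False
    if kind == "domain":
        return fields.get("query", "").lower() == value
    if kind == "sha256":
        return fields.get("sha256", "").lower() == value
    return False


def match_logs(feed, lines):
    """Return (hits, per_source): hits is a list of (line_index, ioc)."""
    hits = [(i, ioc) for i, line in enumerate(lines)
            for ioc in feed if match_indicator(ioc, parse_kv(line))]
    per_source = Counter(ioc["source"] for _, ioc in hits)
    return hits, per_source


def noisy_indicators(hits, lines, max_share=0.5):
    """Indicators matching more than max_share of all events: a broad CIDR
    or a popular domain in a feed would flood the SIEM with alerts."""
    counts = Counter(ioc["value"] for _, ioc in hits)
    return sorted(v for v, c in counts.items() if c / len(lines) > max_share)


if __name__ == "__main__":
    hits, per_source = match_logs(IOC_FEED, SAMPLE_LOGS)
    for i, ioc in hits:
        print(f"line {i}: {ioc['type']} {ioc['value']} ({ioc['source']})")
    print("hits per source:", dict(per_source))
    print("noisy indicators:", noisy_indicators(hits, SAMPLE_LOGS))
```

Run over a representative window of historical logs, a feed source that never produces a hit and one whose indicators match a large fraction of events are both signals to revisit the Phase 1 source validation before the feed is wired into the SIEM.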


9: Vulnerability Management

TASKS AND RESPONSIBILITIES:


- Review and optimize the vulnerability management program.
- Ensure regular vulnerability scanning and timely remediation processes.
- Ensure complete alignment with change management and raise a request for change (RFC)
when needed.
KEY DELIVERABLES:
- Vulnerability Management Program Review
1. Vulnerability Scanning:
- Tools used
- Frequency of scans
2. Patch Management:
- Process overview
- Key metrics
3. Reporting and Remediation:
- Reporting structure
- Remediation timelines

- LIST OF VULNERABILITIES AND REMEDIATION PLANS
Document identified vulnerabilities and corresponding remediation plans.
KEY OBSERVATIONS:
- Remediation progress
- Challenges encountered
NEXT STEPS:
- Monitoring and verification plan
- Regular updates to stakeholders

KPIS:
- % of Vulnerability management review
- Timely remediation of identified vulnerabilities


10: Post-Incident Analysis and Lessons Learned

TASKS AND RESPONSIBILITIES:
- Conduct lessons learned analysis of recent incidents to identify areas for improvement.
- Develop a process for regular incident reviews and knowledge sharing.

KEY DELIVERABLES:
- Post incident analysis reports
- Incident review process documentation

KPIS:
- Number of post-incident reports
- Establishment of a regular incident review process
- Improvement of the incident response process

11: Security Awareness and Training

TASKS AND RESPONSIBILITIES:


- Develop and deliver security awareness and training programs for SOC staff and
stakeholders.
- Assess training needs and schedule regular training sessions.

KEY DELIVERABLES:
- Security awareness training materials
- Training schedule and completion records

KPIS:
- Delivery of initial training sessions
- Feedback from training participants
- Updated material


12: Risk Assessment and Management


The SOC must be a strong link in the security chain. It is time to review existing
risks and perform assessments.
Tasks and Responsibilities:
- Conduct a comprehensive risk assessment to identify potential threats and
vulnerabilities.
- Develop risk mitigation strategies and integrate them into SOC operations.
- The SOC must first secure itself: it needs to manage risks and have strict controls.
Key Deliverables:
- Risk assessment report
- Risk treatment plan
KPIS:
- Comprehensive risk assessment
- Implementation of risk mitigation strategies

13: Business Continuity and Disaster Recovery

Tasks and Responsibilities:
- Review and update the SOC’s business continuity and disaster recovery plans.
- Conduct drills and tabletop exercises to test and improve these plans.
Key Deliverables:
- Updated business continuity and disaster recovery plans
- Drill and exercise reports
KPIS:
- Business continuity and disaster recovery plan updates
- Successful execution of drills and exercises

14: Performance Metrics and Reporting


It is time to prepare your reporting and presentation of all results to stakeholders.
You have to focus on performance metrics and continuous improvement.
Tasks and Responsibilities:
- Develop and implement performance metrics and reporting mechanisms to monitor
SOC effectiveness.
- Regularly review and report on SOC performance to stakeholders.
Key Deliverables:
- Performance metrics and KPIs
- Regular performance reports
KPIS:
- Establishment of performance metrics and reporting mechanisms
- Regular review and improvement of SOC performance based on metrics
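Step 9 asks for remediation timelines to be tracked against a target, and step 14 for performance metrics that can be reported to stakeholders. The Python script below is an added example and not part of the handbook: it computes mean time to detect (MTTD), mean time to respond (MTTR), a per-severity breakdown and the escalation rate over constructed incident records, and the share of vulnerability findings closed within SLA, the ones closed late and the open ones already past their SLA over constructed findings. The record layout, the SLA thresholds in SLA_DAYS, the reporting cut-off and the function names are assumptions.

```python
"""Added example, not from the handbook: compute SOC performance and
vulnerability remediation metrics over constructed records. Record layout,
the SLA thresholds in SLA_DAYS and the function names are assumptions."""
from datetime import datetime, timezone
from statistics import mean


def ts(s):
    """Parse a constructed 'YYYY-MM-DDTHH:MM' timestamp as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M").replace(tzinfo=timezone.utc)


def hours(start, end):
    return (ts(end) - ts(start)).total_seconds() / 3600


# Constructed incidents: when attacker activity began (established in the
# post-incident analysis), when the SOC detected it, and when it was contained.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "start": "2024-05-20T08:00",
     "detected": "2024-05-20T09:30", "contained": "2024-05-20T13:30", "escalated": True},
    {"id": "INC-2", "severity": "low", "start": "2024-05-21T10:00",
     "detected": "2024-05-21T10:15", "contained": "2024-05-21T11:15", "escalated": False},
    {"id": "INC-3", "severity": "high", "start": "2024-05-22T22:00",
     "detected": "2024-05-23T00:00", "contained": "2024-05-23T06:00", "escalated": True},
    {"id": "INC-4", "severity": "medium", "start": "2024-05-25T14:00",
     "detected": "2024-05-25T14:15", "contained": "2024-05-25T16:15", "escalated": False},
]

# Constructed vulnerability findings; remediated=None means still open.
FINDINGS = [
    {"id": "VULN-1", "severity": "critical", "found": "2024-05-01T00:00", "remediated": "2024-05-05T00:00"},
    {"id": "VULN-2", "severity": "critical", "found": "2024-05-02T00:00", "remediated": "2024-05-20T00:00"},
    {"id": "VULN-3", "severity": "high", "found": "2024-05-03T00:00", "remediated": None},
    {"id": "VULN-4", "severity": "medium", "found": "2024-05-04T00:00", "remediated": "2024-05-25T00:00"},
]

# Assumed remediation SLA per severity, in days; the organization sets these.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
REPORT_DATE = "2024-06-03T00:00"  # constructed reporting cut-off


def incident_metrics(incidents):
    """MTTD and MTTR in hours (overall and per severity) plus escalation rate."""
    def stats(group):
        return {
            "mttd_h": round(mean(hours(i["start"], i["detected"]) for i in group), 2),
            "mttr_h": round(mean(hours(i["detected"], i["contained"]) for i in group), 2),
        }
    result = stats(incidents)
    result["by_severity"] = {
        sev: stats([i for i in incidents if i["severity"] == sev])
        for sev in sorted({i["severity"] for i in incidents})
    }
    result["escalation_rate"] = round(sum(i["escalated"] for i in incidents) / len(incidents), 2)
    return result


def remediation_metrics(findings, report_date=REPORT_DATE):
    """Share of findings closed within SLA, plus late closures and open
    findings already past their SLA at the reporting date."""
    closed_in_sla, closed_late, open_overdue = 0, [], []
    for f in findings:
        limit = SLA_DAYS[f["severity"]]
        if f["remediated"]:
            if (ts(f["remediated"]) - ts(f["found"])).days <= limit:
                closed_in_sla += 1
            else:
                closed_late.append(f["id"])
        elif (ts(report_date) - ts(f["found"])).days > limit:
            open_overdue.append(f["id"])
    return {
        "within_sla_pct": round(100 * closed_in_sla / len(findings), 1),
        "closed_late": closed_late,
        "open_overdue": open_overdue,
    }


if __name__ == "__main__":
    print(incident_metrics(INCIDENTS))
    print(remediation_metrics(FINDINGS))
```

Reporting the per-severity breakdown alongside the overall averages matters: a handful of low-severity incidents closed in minutes can hide a long detection gap on the high-severity ones, which is what the stakeholders in step 14 actually need to see.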


15: Important Notes


1. SPECIFIC REQUIREMENTS FOR SIEM/SOAR
- Integration
- Custom Use Cases
- Automation
- Dashboards
- Ticketing system
2. Compliance Requirements
The SOC must ensure that its services comply with relevant
regulations and standards, including but not limited to:
- GDPR: General Data Protection Regulation
- PCI-DSS: Payment Card Industry Data Security Standard
- ISO 27001
Data Privacy and Protection Requirements:
- Data Encryption: Use of encryption to protect data in transit and at rest.
- Access Controls: Implementation of strict access controls to ensure
that only authorized personnel can access sensitive data.
3. Service Level Agreements (SLAs)
4. Response Time Metrics
5. Resolution Time Metrics
6. Availability and Uptime Requirements
7. Performance Metrics
8. Reporting and Documentation
9. Regular Reporting Requirements: Daily Reports - Weekly Reports - Monthly Reports
10. Incident Reports and Post-Incident Analysis
- Compliance Reports: Regulatory Compliance Reports and Audit Support


16: References
DOCUMENTS AND WEBSITES USED:
MITRE
ENISA BEST PRACTICES
ISO 27001
ISO 27005
ISO 22301
ISO 27035
ISO 27041
NIST SPECIAL PUBLICATIONS
ENISA DOCUMENTS
ANSSI DOCUMENTATION
FIRST.ORG
PRABH NAIR’S CISO 90 DAYS PLAN - PRACTICAL AND EASY
