{"id":89307,"date":"2019-04-23T09:00:23","date_gmt":"2019-04-23T16:00:23","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=89307"},"modified":"2023-05-15T22:59:26","modified_gmt":"2023-05-16T05:59:26","slug":"lessons-learned-microsoft-soc-part-2-organizing-people","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/","title":{"rendered":"CISO Series: Lessons learned from the Microsoft SOC\u2014Part 2a: Organizing people"},"content":{"rendered":"<p>In the second post in our series, we focus on the most valuable resource in the security operations center (SOC)\u2014our people. This series is designed to share our approach and experience with operations, so you can use what we learned to improve your SOC. In <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/02\/21\/lessons-learned-from-the-microsoft-soc-part-1-organization\/\" target=\"_blank\" rel=\"noopener noreferrer\">Part 1: Organization<\/a>, we covered the SOC\u2019s organizational role and mission, culture, and metrics.<\/p>\n<p>The lessons in the series come primarily from Microsoft\u2019s corporate IT security operation team, one of several specialized teams in the <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/cdoc\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Cyber Defense Operations Center (CDOC<\/a>). We also include lessons our <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/03\/25\/dart-the-microsoft-cybersecurity-team-we-hope-you-never-meet\/\" target=\"_blank\" rel=\"noopener noreferrer\">Detection and Response Team (DART)<\/a> have learned helping our customers respond to major incidents.<\/p>\n<p>People are the most valuable asset in the SOC\u2014their experience, skill, insight, creativity, and resourcefulness are what makes our SOC effective. Our SOC management team spends a lot of time thinking about how to ensure our people are set up with what they need to succeed and stay engaged. As we\u2019ve improved our processes, we\u2019ve been able to decrease the time it takes to ramp people up and increase employee enjoyment of their jobs.<\/p>\n<p>Today, we cover the first two aspects of how to set up people in the SOC for success:<\/p>\n<ul>\n<li>Empower humans with automation.<\/li>\n<li>Microsoft SOC teams and tiers model.<\/li>\n<\/ul>\n<h3>Empower humans with automation<\/h3>\n<p>Rapidly sorting out the signal (real detections) from the noise (false positives) in the SOC requires investing in both humans and automation. We strongly believe in the power of automation and technology to reduce human toil, but ultimately, we\u2019re dealing with human attack operators and human judgement is critical to the process.<\/p>\n<p>In our SOC, automation is not about using efficiency to remove humans from the process\u2014it is about empowering humans. We continuously think about how we can automate repetitive tasks from the analyst\u2019s job, so they can focus on the complex problems that people are uniquely able to solve.<\/p>\n<p>Automation empowers humans to do more in the SOC by increasing response speed and capturing human expertise. The toil our staff experiences comes mostly from repetitive tasks and repetitive tasks come from either attackers or defenders doing the same things over and over. Repetitive tasks are ideal candidates for automation.<\/p>\n<p>We also found that we need to constantly refine the automation because attackers are creative and persistent, constantly innovating to avoid detections and preventive controls. When an effective attack method is identified (like phishing), they exploit it until it stops working. But they also continually innovate new tactics to evade defenses introduced by the cybersecurity community. Given the profit potential of attacks, we expect the challenges of evolving attacks to continue for the foreseeable future.<\/p>\n<p>When repetitive and boring work is automated, analysts can apply more of their creative minds and energy to solving the new problems that attackers present to them and proactively hunting for attackers that got past the first lines of defense. We\u2019ll discuss areas where we use automation and machine learning in &#8220;Part 3: Technology.&#8221;<\/p>\n<h3>Microsoft SOC teams and tiers model<\/h3>\n<p>At Microsoft, we organized our SOC into specialized teams, allowing them to better develop and apply deep expertise, which supports the overall goals of reducing time to acknowledge and remediate.<\/p>\n<p>This diagram represents the key SOC functions: threat intelligence, incident management, and SOC analyst tiers:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-89308 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-1.png\" alt=\"Image showing key SOC functions: threat intelligence, incident management, and SOC analysts (tiers 1, 2, and 3).\" width=\"1280\" height=\"720\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-1.png 1280w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-1-300x169.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-1-768x432.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-1-1024x576.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-1-687x385.png 687w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-1-1083x609.png 1083w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-1-767x431.png 767w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-1-539x303.png 539w\" sizes=\"(max-width: 1280px) 100vw, 1280px\" \/><\/p>\n<p><strong>Threat intelligence<\/strong>\u2014We have several threat intelligence teams at Microsoft that support the SOC and other business functions. Their role is to both inform business stakeholders of risk and provide technical support for incident investigations, hunting operations, and defensive measures for known threats. These strategic (business) and tactical (technical) intelligence goals are related but distinctly different from each other. We task different teams for each goal and ensure processes are in place (such as daily standup meetings) to keep them in close contact.<\/p>\n<p><strong>Incident management<\/strong>\u2014Enterprise-wide coordination of incidents, impact assessment, and related tasks are handled by dedicated personnel separate from technical analyst teams. At Microsoft, these incident response teams work with the SOC and business stakeholders to coordinate actions that may impact services or business units. Additionally, this team brings in legal, compliance, and privacy experts as needed to consult and advise on actions regarding regulatory aspects of incidents. This is particularly important at Microsoft because we\u2019re compliant with a large number of international standards and regulations.<\/p>\n<p><strong>SOC analyst tiers<\/strong>\u2014This three-tier model for SOC analysts will probably look familiar to seasoned SOC professionals, though there are some subtleties in our model we don\u2019t see widely in the industry.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-89309 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-2.png\" alt=\"Image showing Microsoft's Corporate IT SOC tiers and tools: alert queue (hot path), proactive hunt (cold path), tiers 3, 2, and 1, and finally, automation.\" width=\"1147\" height=\"649\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-2.png 1147w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-2-300x170.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-2-768x435.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/04\/Lessons-learned-from-the-Microsoft-SOC-Part-2-Organizing-people-2-1024x579.png 1024w\" sizes=\"(max-width: 1147px) 100vw, 1147px\" \/><\/p>\n<p>Our organization uses the term <strong>hot path<\/strong> and <strong>cold path <\/strong>to describe how we discover adversaries and optimize processes to handle them.<\/p>\n<ul>\n<li><strong>Hot path<\/strong>\u2014Reflects detection of confirmed active attack activity that must be investigated and remediated as soon as possible. Managing and remediating these incidents are primarily handled by Tier 1 and Tier 2, though a small percentage (about 4 percent) are escalated to Tier 3. Automation of investigations and remediations are also beginning to help reduce hot path workloads.<\/li>\n<li><strong>Cold path<\/strong>\u2014Refers to all other activities including proactively hunting for adversary campaigns that haven\u2019t triggered a hot path alert.<\/li>\n<\/ul>\n<h3>Roles and functions of the SOC analyst tiers<\/h3>\n<p><strong>Tier 1<\/strong>\u2014This team is the primary front line for and focuses on <strong>high-speed remediation<\/strong> over a large volume of incidents. Tier 1 analysts respond to a very specific set of alert sources and follow prescriptive instructions to investigate, remediate, and document the incidents. The rule of thumb for alerts that Tier 1 handles is that it can be typically remediated within seconds to minutes. The incidents will be escalated to Tier 2 if the incident isn\u2019t covered by a documented Tier 1 procedure or it requires involved\/advanced remediation (for example, device isolation and cleanup).<\/p>\n<p>In addition:<\/p>\n<ul>\n<li>The Tier 1 function is currently performed by full-time employees in our corporate IT SOC. In the past and in other teams at Microsoft, we staffed contracted employees or managed service agreements for Tier 1 functions.<\/li>\n<li>A current initiative for the full-time employee Tier 1 team is to increase the use of automated investigation and remediation for these incidents. One goal of this initiative is to grow the skills of our current Tier 1 employees, so they can shift to proactive work in other security assignments in SOC or across the company.<\/li>\n<li>Tier 1 (and Tier 2) SOC analysts may stay involved with an escalated incident until it is remediated. This helps preserve context during and after transferring ownership of an incident and also accelerates their learning and skills growth.<\/li>\n<li>The typical ratio of alert volumes is noted in the Tiers and Tools diagram above. (We\u2019ll share more details in &#8220;Part 3: Technology.&#8221;)<\/li>\n<\/ul>\n<p><strong>Tier 2<\/strong>\u2014This team is focused on incidents that require<strong> deeper analysis and remediation<\/strong>. Many Tier 2 incidents have been escalated from Tier 1 analysts, but Tier 2 also directly monitors alerts for sensitive assets and known attacker campaigns. These incidents are usually more complex and require an approach that is still structured, but much more flexible than Tier 1 procedures. Additionally, some Tier 2 analysts also proactively hunt for adversaries (typically using lower priority alerts from the same <a href=\"https:\/\/docs.microsoft.com\/en-us\/enterprise-mobility-security\/mtptrial\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Threat Protection<\/a> tools they use to manage reactive incidents).<\/p>\n<p><strong>Tier 3<\/strong>\u2014This team is focused primarily on <strong>advanced hunting<\/strong> and sophisticated analysis to\u00a0identify anomalies that may indicate advanced adversaries.\u00a0Most incidents are remediated at Tiers 1 and 2 (96 percent) and only unprecedented findings or deviations from norms are escalated to Tier 3 teams. Tier 3 team members have a high degree of freedom to bring their different skills, backgrounds, and approaches to the goal of ferreting out red team\/hidden adversaries. Tier 3 team members have backgrounds as security professionals, data scientists, intelligence analysts, and more. These teams use different tools (Microsoft, custom, and third-party) to sift through a number of different datasets to uncover hidden adversary activity. A favorite of many analysts is the use of Kusto Query Language (KQL) queries across Microsoft Threat Protection tool datasets.<\/p>\n<p>The structure of Tier 3 has changed over time, but has recently gravitated to four different functions:<\/p>\n<ul>\n<li><strong>Major incident engineering<\/strong>\u2014Handles escalation of incidents from Tier 2. These virtual teams are created as needed to support the duration of the incident and often include both reactive investigations, as well as proactive hunting for additional adversary presence.<\/li>\n<li><strong>External adversary research and threat analysis<\/strong>\u2014Focuses on hunting for adversaries using existing tools and data sources, as well as signals from various external intelligence sources. The team is focused on both hunting for undiscovered adversaries as well as creating and refining alerts and automation.<\/li>\n<li><strong>Purple team operations<\/strong>\u2014A temporary duty assignment where Tier 3 analysts (blue team) are paired with our in-house attack team members (red team) as they perform authorized attacks. We found this purple (red+blue) activity results in high-value learning by both teams, strengthening our overall security posture and resilience. This team is also responsible for the critical task of coordinating with red team to deconflict whether a detection is an authorized red team or a live attacker. At customer organizations, we\u2019ve seen failure to deconflict red team activity result in our DART teams flying onsite to respond to a false alarm (an avoidable, expensive, and embarrassing mistake).<\/li>\n<li><strong>Future operations team<\/strong>\u2014Focuses on future-proofing our technology and processes by building and testing new capabilities.<\/li>\n<\/ul>\n<h3>Learn more<\/h3>\n<p>For more insights into Microsoft\u2019s approach to using technology to empower people, watch <a href=\"https:\/\/www.rsaconference.com\/events\/us19\/agenda\/sessions\/17632-The-Power-of-People-Amplifying-Our-Human-Capacity-through-Technology-and-Community\" target=\"_blank\" rel=\"noopener noreferrer\">Ann Johnson\u2019s keynote at RSA 2019<\/a> and download our <a href=\"https:\/\/aka.ms\/minutesmatter\" target=\"_blank\" rel=\"noopener noreferrer\">poster<\/a>. For information on organizational culture and goals, read <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/02\/21\/lessons-learned-from-the-microsoft-soc-part-1-organization\/\" target=\"_blank\" rel=\"noopener noreferrer\">Lessons learned from the Microsoft SOC\u2014Part 1: Organization<\/a>. In addition, see our <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/ciso-series\/\" target=\"_blank\" rel=\"noopener noreferrer\">CISO series<\/a> to learn more.<\/p>\n<p>Stayed tuned for the second segment in \u201cLessons learned from the Microsoft SOC\u2014Part 2,\u201d where we\u2019ll cover career paths and readiness programs for people in our SOC. And finally, we\u2019ll wrap up this series with \u201cPart 3: Technology,\u201d where we\u2019ll discuss the technology that enables our people to accomplish their mission.<\/p>\n<p>For more discussion on some of these topics, see John and Kristina\u2019s session (starting at 1:05:48) at Microsoft\u2019s recent <a href=\"https:\/\/info.microsoft.com\/US-SCRTY-WBNR-FY19-04Apr-16-01MasterTheVirtualSecuritySummit-MCW0012180_02OnDemandRegistration-ForminBody.html\" target=\"_blank\" rel=\"noopener noreferrer\">Virtual Security Summit<\/a>.<\/p>\n<h3>Read more from this series<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/02\/21\/lessons-learned-from-the-microsoft-soc-part-1-organization\/\" target=\"_blank\" rel=\"noopener noreferrer\">Lessons learned from the Microsoft SOC\u2014Part 1: Organization<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/06\/06\/lessons-learned-from-the-microsoft-soc-part-2b-career-paths-and-readiness\/\" target=\"_blank\" rel=\"noopener noreferrer\">Lessons learned from the Microsoft SOC Part 2b: Career paths and readiness<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In the second of our three-part series, we focus on the most valuable resource in the SOC\u2014our people.<\/p>\n","protected":false},"author":96,"featured_media":87994,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3659],"topic":[3683],"products":[],"threat-intelligence":[],"tags":[3822],"coauthors":[1906,1978,1977],"class_list":["post-89307","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-best-practices","topic-security-management","tag-microsoft-security-insights"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>CISO Series: Lessons learned from the Microsoft SOC\u2014Part 2a: Organizing people<\/title>\n<meta name=\"description\" content=\"In the second of our three-part series, we focus on the most valuable resource in the SOC\u2014our people.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CISO Series: Lessons learned from the Microsoft SOC\u2014Part 2a: Organizing people\" \/>\n<meta property=\"og:description\" content=\"In the second of our three-part series, we focus on the most valuable resource in the SOC\u2014our people.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2019-04-23T16:00:23+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-16T05:59:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_2_Small.png\" \/>\n\t<meta property=\"og:image:width\" content=\"740\" \/>\n\t<meta property=\"og:image:height\" content=\"420\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Mark Simos, Kristina, John Dellinger\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_2_Small.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mark Simos, Kristina, John Dellinger\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/mark-simos\/\",\"@type\":\"Person\",\"@name\":\"Mark Simos\"},{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/kristina-laidler\/\",\"@type\":\"Person\",\"@name\":\"Kristina\"},{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/john-dellinger\/\",\"@type\":\"Person\",\"@name\":\"John Dellinger\"}],\"headline\":\"CISO Series: Lessons learned from the Microsoft SOC\u2014Part 2a: Organizing people\",\"datePublished\":\"2019-04-23T16:00:23+00:00\",\"dateModified\":\"2023-05-16T05:59:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/\"},\"wordCount\":1691,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png\",\"keywords\":[\"Microsoft Security Insights\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/\",\"name\":\"CISO Series: Lessons learned from the Microsoft SOC\u2014Part 2a: Organizing people\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png\",\"datePublished\":\"2019-04-23T16:00:23+00:00\",\"dateModified\":\"2023-05-16T05:59:26+00:00\",\"description\":\"In the second of our three-part series, we focus on the most valuable resource in the SOC\u2014our people.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png\",\"width\":740,\"height\":420,\"caption\":\"CISO Series icon.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CISO Series: Lessons learned from the Microsoft SOC\u2014Part 2a: Organizing people\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CISO Series: Lessons learned from the Microsoft SOC\u2014Part 2a: Organizing people","description":"In the second of our three-part series, we focus on the most valuable resource in the SOC\u2014our people.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/","og_locale":"en_US","og_type":"article","og_title":"CISO Series: Lessons learned from the Microsoft SOC\u2014Part 2a: Organizing people","og_description":"In the second of our three-part series, we focus on the most valuable resource in the SOC\u2014our people.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/","og_site_name":"Microsoft Security Blog","article_published_time":"2019-04-23T16:00:23+00:00","article_modified_time":"2023-05-16T05:59:26+00:00","og_image":[{"width":740,"height":420,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_2_Small.png","type":"image\/png"}],"author":"Mark Simos, Kristina, John Dellinger","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_2_Small.png","twitter_misc":{"Written by":"Mark Simos, Kristina, John Dellinger","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/mark-simos\/","@type":"Person","@name":"Mark Simos"},{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/kristina-laidler\/","@type":"Person","@name":"Kristina"},{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/john-dellinger\/","@type":"Person","@name":"John Dellinger"}],"headline":"CISO Series: Lessons learned from the Microsoft SOC\u2014Part 2a: Organizing people","datePublished":"2019-04-23T16:00:23+00:00","dateModified":"2023-05-16T05:59:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/"},"wordCount":1691,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png","keywords":["Microsoft Security Insights"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/","name":"CISO Series: Lessons learned from the Microsoft SOC\u2014Part 2a: Organizing people","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png","datePublished":"2019-04-23T16:00:23+00:00","dateModified":"2023-05-16T05:59:26+00:00","description":"In the second of our three-part series, we focus on the most valuable resource in the SOC\u2014our people.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2019\/01\/OfficeNews_20190110_CISOSeries_1_Small.png","width":740,"height":420,"caption":"CISO Series icon."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/04\/23\/lessons-learned-microsoft-soc-part-2-organizing-people\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"CISO Series: Lessons learned from the Microsoft SOC\u2014Part 2a: Organizing people"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/89307"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=89307"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/89307\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/87994"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=89307"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=89307"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=89307"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=89307"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=89307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=89307"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=89307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}