As Augusto already mentioned, our SOC paper is out. Run, not walk, to read our “How to Plan, Design, Operate and Evolve a SOC” (Gartner GTP access required). The abstract states “Technical professionals pursuing a more mature security practice may decide to centralize all or part of those activities into a SOC. This guidance presents security architects with a structured approach to plan, establish and efficiently operate a modern SOC.”
Select fun quotes follow below (check Augusto's blog for more quotes):
- “Foundational security processes (such as IR or alert triage) maturity must be in place for the SOC to function properly. If you don’t have them, build them alongside the first phase of the SOC implementation project [or suffer the consequences – A.C.].”
- “When creating a business case for SOC, plan for initial and ongoing proof of value, focusing on preventing decay of the SOC effectiveness [a sadly common occurrence – A.C.]. Build metrics from the start, to establish a baseline and have the ability to answer the question “are we getting better?””
- “One of the challenges that plague organizations [SOCs] that purchased many security tools is making the set of tools into a coherent whole. Having to check diverse tools in a disjointed manner saps analyst efficiency and allows threats to slip in and survive in the environment undetected.”
- “One organization treats Level 1 through Level 3 analysts not as seniority but as equally important but different skill sets (along the lines of activity detection, early triage, final triage) and rotates analysts between levels over time. They reported higher job satisfaction and effectiveness […]”
- “It often takes between 18 and 24 months to establish a full “physical” SOC of reasonable operational maturity.”
The recording of my recent webinar “Design a Modern Security Operation Center (SOC)” can be found here (and I will post the Q&A here soon). This is a way to get a tiny glimpse of this research without being a GTP client.
BTW, our 2016 update to the threat intelligence paper (“How to Collect, Refine, Utilize and Create Threat Intelligence”) has been published as well. Read it, but keep in mind that this was a minor update with a lot of the original content left in place after review.
Blog posts related to the SOC research topic:
- Upcoming Webinar: Design a Modern Security Operation Center (SOC)
- About The Tri-Team Model of SOC, CIRT, “Threat Something”
- New Research Starting Soon: Threat Intel, SOC, etc
- Your SOC Nuclear Triad
Other blog posts announcing paper publications:
- Our “Comparison of Endpoint Detection and Response Technologies and Solutions” Paper Publishes
- Our Paper “Endpoint Detection and Response Tool Architecture and Operations Practices” Publishes
- Our “Understanding Insider Threats” Paper Publishes
- Our New Paper on Security Monitoring Use Cases Publishes
- Our 2016 SIEM Papers Are Out!
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.