As Augusto already announced a while ago, we have updated our “how to SOC” paper for 2018. His post even includes our main guidance visual (!), made that much more awesome by our new co-author, Anna. The paper is still titled “How to Plan, Design, Operate and Evolve a SOC.”
Some of my fave quotes (there are a lot more in the paper):
- “For the scope of this document, SOC refers to the group of people and processes delivering security operations functions under a single organizational structure. In essence, the SOC is a team, not a facility.”
- “Outsourcing some SOC capabilities is nearly universal. Many hybrid SOC models have emerged that mix and match services with internally delivered SOC functions.” <- this is what we now informally call “every SOC is a hybrid SOC.”
- “Gartner clients with successful SOCs put the premium on people rather than process and technology. People and process overshadow technology as predictors for SOC success or failure.”
- “Building a SOC can take many months, if not years. In fact, achieving high maturity and effectiveness levels will unquestionably take years. SOC build-out is a marathon, not a sprint, and you must be prepared to have the patience to execute iteratively and consistently over these kinds of time frames.”
- “Note that loss of such [executive] support after several years of SOC operation has led to “SOC decay” and decrease in capability maturity, detection effectiveness and, in some widely publicly reported cases, damaging data breaches.”
- “Building a SOC is a big commitment of resources, effort and focus — both initial and ongoing. It is the ongoing part that determines whether you’ll still have a SOC in three years!”
- “One of the challenges that plague organizations that purchased many security tools [for SOC] is making the set of tools into a coherent whole. Having to check diverse tools in a disjointed manner saps analyst efficiency and allows threats to slip in and survive in the environment undetected.”
Blog posts related to SOC research:
- SOAR-native SOC, Can This Work?
- Hybrid SOC Scenarios
- Can You Do a SIEM-less SOC?
- Next Research: SOC, SIEM, and Again Overall Detection and Response
- SOC Webinar Questions Answered
Posts related to paper publication:
- The “How To Build a SOC” Paper Update is OUT! (by Augusto)
- New Paper Published: “How to Start Your Threat Detection and Response Practice”
- Our Threat Testing and BAS Papers Are Out!
- Our Security Orchestration and Automation (SOAR) Paper Publishes
- Our Updated MSSP and MDR Guidance Publishes
- Security Monitoring Use Cases, the UPDATE! (our updated security use cases paper publishes)
- Our 2017 SIEM Research Papers Publish
- All My Research Published in 2017