As Augusto already announced a while ago, we have updated our “how to SOC” paper for 2018. His post even includes our main guidance visual (!), made that much more awesome by our new co-author, Anna. The paper is still titled “How to Plan, Design, Operate and Evolve a SOC.”
Some of my fave quotes (there are a lot more in the paper):
- “For the scope of this document, SOC refers to the group of people and processes delivering security operations functions under a single organizational structure. In essence, the SOC is a team, not a facility.”
- “Outsourcing some SOC capabilities is nearly universal. Many hybrid SOC models have emerged that mix and match services with internally delivered SOC functions.” <- this is what we informally call “every SOC is a hybrid SOC” today.
- “Gartner clients with successful SOCs put the premium on people rather than process and technology. People and process overshadow technology as predictors for SOC success or failure.”
- “Building a SOC can take many months, if not years. In fact, achieving high maturity and effectiveness levels will unquestionably take years. SOC build-out is a marathon, not a sprint, and you must be prepared to have the patience to execute iteratively and consistently over these kinds of time frames.”
- “Note that loss of such [executive] support after several years of SOC operation has led to ‘SOC decay’ and decrease in capability maturity, detection effectiveness and, in some widely publicly reported cases, damaging data breaches.”
- “Building a SOC is a big commitment of resources, effort and focus — both initial and ongoing. It is the ongoing part that determines whether you’ll still have a SOC in three years!”
- “One of the challenges that plague organizations that purchased many security tools [for SOC] is making the set of tools into a coherent whole. Having to check diverse tools in a disjointed manner saps analyst efficiency and allows threats to slip in and survive in the environment undetected.”
Blog posts related to SOC research:
- SOAR-native SOC, Can This Work?
- Hybrid SOC Scenarios
- Can You Do a SIEM-less SOC?
- Next Research: SOC, SIEM, and Again Overall Detection and Response
- SOC Webinar Questions Answered
Posts related to paper publication:
- The “How To Build a SOC” Paper Update is OUT! (by Augusto)
- New Paper Published: “How to Start Your Threat Detection and Response Practice”
- Our Threat Testing and BAS Papers Are Out!
- Our Security Orchestration and Automation (SOAR) Paper Publishes
- Our Updated MSSP and MDR Guidance Publishes
- Security Monitoring Use Cases, the UPDATE! (our updated security use cases paper publishes)
- Our 2017 SIEM Research Papers Publish
- All My Research Published in 2017