As Augusto already mentioned, our SOC paper is out. Run, not walk, to read our “How to Plan, Design, Operate and Evolve a SOC” (Gartner GTP access required). The abstract states “Technical professionals pursuing a more mature security practice may decide to centralize all or part of those activities into a SOC. This guidance presents security architects with a structured approach to plan, establish and efficiently operate a modern SOC.”
A selection of quotes follows (see Augusto's post for more):
- “Foundational security processes (such as IR or alert triage) maturity must be in place for the SOC to function properly. If you don’t have them, build them alongside the first phase of the SOC implementation project [or suffer the consequences – A.C.].”
- “When creating a business case for SOC, plan for initial and ongoing proof of value, focusing on preventing decay of the SOC effectiveness [a sadly common occurrence – A.C.]. Build metrics from the start, to establish a baseline and have the ability to answer the question “are we getting better?””
- “One of the challenges that plague organizations [SOCs] that purchased many security tools is making the set of tools into a coherent whole. Having to check diverse tools in a disjointed manner saps analyst efficiency and allows threats to slip in and survive in the environment undetected.”
- “One organization treats Level 1 through Level 3 analysts not as seniority but as equally important but different skill sets (along the lines of activity detection, early triage, final triage) and rotates analysts between levels over time. They reported higher job satisfaction and effectiveness […]”
- “It often takes between 18 and 24 months to establish a full “physical” SOC of reasonable operational maturity.”
The recording of my recent webinar “Design a Modern Security Operation Center (SOC)” can be found here (I will post the Q&A here soon). It offers a small glimpse of this research for those who are not GTP clients.
BTW, our 2016 update to the threat intelligence paper (“How to Collect, Refine, Utilize and Create Threat Intelligence”) has been published as well. Read it, but keep in mind that this was a minor update, with much of the original content left in place after review.
Blog posts related to the SOC research topic:
Other blog posts announcing paper publications:
Categories: monitoring, security, soc
About the author: Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group (5+ years with Gartner, 17 years in the IT industry). Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…
The table below lists the schedule of topics.
Paper Summary Exercise
For each paper, we will release a set of questions to help you think critically about what you learned from the paper. The questions are designed to be somewhat open-ended and may not have a single right answer, so feel free to write your own interpretation of the concepts you read. Your response is to be submitted as a paper summary.
Each paper summary is graded out of 5 points, and you are expected to submit only 6 paper summaries. Your first 6 paper summary scores are counted towards your final grade. That is, if you choose to submit paper summaries for all the weeks, we will take the paper summary scores from your first 6 weeks.
Paper summaries are to be submitted before the next lecture at 9 a.m., in PDF format. Please submit directly to the workbin on IVLE. Include your name and matriculation number in your submission. Name your submission PDF file in the format "Week-<N>-<your-matriculation-number>", where N is the week number (from the table above). For example, if your matriculation number is "A4878822" and your submission is for the paper posted in week 3, then the filename should be "Week-3-A4878822".
Please run a plagiarism check on your submission; a checker is built into IVLE.