Our 2018 Update to “How to Plan, Design, Operate and Evolve a SOC” Publishes

As Augusto already announced awhile ago, we have updated our “how to SOC” paper for 2018. His post even includes our main guidance visual (!), made that much more awesome by our new co-author, Anna. The paper is still titled “How to Plan, Design, Operate and Evolve a SOC.”

In any case, I wanted to provide some of my favorite quotes from the paper, and of course entice you [well, those of you who are Gartner GTP subscribers, that is] to read it.

Some of my fave quotes (there are a lot more in the paper):

• “For the scope of this document, SOC refers to the group of people and processes delivering security operations functions under a single organizational structure. In essence, the SOC is a team, not a facility.”
• “Outsourcing some SOC capabilities is nearly universal. Many hybrid SOC models have emerged that mix and match services with internally delivered SOC functions.” <- this is what we called informally “every SOC is a hybrid SOC” today.
• “Gartner clients with successful SOCs put the premium on people rather than process and technology. People and process overshadow technology as predictors for SOC success or failure.”
• “Building a SOC can take many months, if not years. In fact, achieving high maturity and effectiveness levels will unquestionably take years. SOC build-out is a marathon, not a sprint, and you must be prepared to have the patience to execute iteratively and consistently over these kinds of time frames.”
• “Note that loss of such [executive] support after several years of SOC operation has led to “SOC decay” and decrease in capability maturity, detection effectiveness and, in some widely publicly reported cases, damaging data breaches.”
• “Building a SOC is a big commitment of resources, effort and focus — both initial and ongoing. It is the ongoing part that determines whether you’ll still have a SOC in three years!”
• “One of the challenges that plague organizations that purchased many security tools [for SOC] is making the set of tools into a coherent whole. Having to check diverse tools in a disjointed manner saps analyst efficiency and allows threats to slip in and survive in the environment undetected.”

Enjoy the paper! [Gartner GTP access required]. If you read it, please provide feedback at https://surveys.gartner.com/s/gtppaperfeedback

Blog posts related to SOC research:

• SOAR-native SOC, Can This Work?
• Hybrid SOC Scenarios
• Can You Do a SIEM-less SOC?
• Next Research: SOC, SIEM, and Again Overall Detection and Response
• SOC Webinar Questions Answered

Posts related to paper publication:

• The “How To Build a SOC” Paper Update is OUT! (by Augusto)
• New Paper Published: “How to Start Your Threat Detection and Response Practice”
• Our Threat Testing and BAS Papers Are Out!
• Our Security Orchestration and Automation (SOAR) Paper Publishes
• Our Updated MSSP and MDR Guidance Publishes
• Security Monitoring Use Cases, the UPDATE! (our updated security use cases paper publishes)
• Our 2017 SIEM Research Papers Publish
• All My Research Published in 2017

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: https://blogs.gartner.com/anton-chuvakin/2018/09/17/our-2018-update-to-how-to-plan-design-operate-and-evolve-a-soc-publishes/