PEOPLE
Alert Analyst
Subject Matter Expert/Hunter
SOC Manager
Incident Responder

PROCESS
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
Roadmap to Creating a World-Class Security Operations Center
TECHNOLOGY
These sources provide data for analysis in the SOC.

Visibility
Centrally collecting these data enables the SOC to see what's going on in the enterprise.

Analysis
Analysts detect and investigate a wide range of threats, enabling them to understand the potential impact on the organization.

Action
Based on the analysis, responders are able to respond effectively to security incidents and reduce the risk to the enterprise and the probability of future success of the attack technique.
Visit the SANS Analyst Reading Room, www.sans.org/reading-room/whitepapers/analyst,
and search for “Building a World-Class Security Operations Center: A Roadmap”
A security operations center (SOC) is a centralized enterprise security monitoring team organized around the goal of improving the organization's risk posture through the use of technology and processes for incident detection, isolation, analysis and mitigation. (SANS, 2015)
30% say no budget is allocated to incident detection, investigation and response. (SANS 2014 Incident Response Survey)

52% report little visibility into endpoint/system configurations and vulnerabilities as an obstacle to incident response efficiency. (SANS 2014 Incident Response Survey)

58% have a dedicated incident response team, but 61% still call on surge staff to handle critical incidents. (SANS 2014 Incident Response Survey)

27% find the inability to discern normal from suspicious traffic to be a key concern. (SANS 2014 Log Management Survey)

69% have fully or partially embraced the use of cyberthreat intelligence in monitoring and incident response. (SANS 2015 Cyberthreat Intelligence Survey)

False malware alerts can drain an organization's resources … with an average of $1.27 million spent annually in response to 'inaccurate and erroneous intelligence.' Organizations waste approximately 395 hours per week 'chasing erroneous alerts.' (SC Magazine, January 20, 2015)