SANS: Roadmap to Creating a World-Class Security Operations Center - Infographic

Posted on 17-Aug-2015


TRANSCRIPT

PEOPLE

Alert Analyst

Subject Matter Expert/Hunter

SOC Manager

Incident Responder

PROCESS (incident handling steps)

Preparation

Identification

Containment

Eradication

Recovery

Lessons Learned

Roadmap to Creating a World-Class Security Operations Center

TECHNOLOGY

These sources provide data for analysis in the SOC.

Visibility

Centrally collecting these data enables the SOC to see what's going on in the enterprise.

Analysis

Analysts detect and investigate a wide range of threats, enabling them to understand the potential impact on the organization.

Action

Based on the analysis, responders are able to respond effectively to security incidents and reduce the risk to the enterprise and the probability of future success of the attack technique.
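The Visibility, Analysis and Action stages above are the whole pipeline in miniature: collect telemetry from several sources into one normalized stream, run detection logic over it, and hand the responder something concrete to do. The script below is an added illustration of that flow and is not part of the SANS infographic or its whitepaper. The log formats, host names, IP addresses, the five-failures-in-two-minutes threshold and the recommended actions are all assumptions; the log lines are constructed for the example.

```python
"""Minimal SOC pipeline: Visibility -> Analysis -> Action.

Added example, not SANS material. Log formats, hosts, IPs, thresholds and
the recommended actions are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry from two assumed sources: a perimeter
# firewall and a Linux host's sshd. Same source IP appears in both.
FIREWALL_LOGS = [
    "2015-08-17T10:00:01Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2015-08-17T10:00:02Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2015-08-17T10:05:00Z fw01 ALLOW src=198.51.100.9 dst=10.0.0.5 dport=22",
]
AUTH_LOGS = [
    "2015-08-17T10:00:01Z srv05 sshd: Failed password for alice from 203.0.113.7",
    "2015-08-17T10:00:02Z srv05 sshd: Failed password for alice from 203.0.113.7",
    "2015-08-17T10:00:03Z srv05 sshd: Failed password for alice from 203.0.113.7",
    "2015-08-17T10:00:04Z srv05 sshd: Failed password for alice from 203.0.113.7",
    "2015-08-17T10:00:05Z srv05 sshd: Failed password for alice from 203.0.113.7",
    "2015-08-17T10:00:09Z srv05 sshd: Accepted password for alice from 203.0.113.7",
    "2015-08-17T10:05:00Z srv05 sshd: Accepted publickey for bob from 198.51.100.9",
]

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) \w+ for (\S+) from (\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def collect(firewall_lines, auth_lines):
    """Visibility: normalize heterogeneous sources into one time-ordered event list."""
    events = []
    for line in firewall_lines:
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst, dport = m.groups()
            events.append({"ts": datetime.strptime(ts, TS_FMT), "source": "firewall",
                           "host": host, "type": "fw_" + action.lower(),
                           "src_ip": src, "dst_ip": dst, "dport": int(dport)})
    for line in auth_lines:
        m = AUTH_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append({"ts": datetime.strptime(ts, TS_FMT), "source": "auth",
                           "host": host,
                           "type": "auth_fail" if outcome == "Failed" else "auth_success",
                           "user": user, "src_ip": src})
    events.sort(key=lambda e: e["ts"])
    return events


def analyze(events, fail_threshold=5, window=timedelta(minutes=2)):
    """Analysis: flag a burst of failed logins followed by a success from the
    same source IP and user (a password-guessing attempt that worked), and
    corroborate it against the firewall's view of the same source."""
    failures = defaultdict(list)
    findings = []
    for e in events:
        key = (e["src_ip"], e.get("user"))
        if e["type"] == "auth_fail":
            failures[key].append(e["ts"])
        elif e["type"] == "auth_success":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                seen_at_perimeter = any(x["type"] == "fw_allow" and x["src_ip"] == e["src_ip"]
                                        for x in events)
                findings.append({"ts": e["ts"], "src_ip": e["src_ip"], "user": e["user"],
                                 "host": e["host"], "failures": len(recent),
                                 "seen_at_perimeter": seen_at_perimeter})
    return findings


def recommend_actions(findings):
    """Action: turn each finding into concrete containment steps for the responder."""
    actions = []
    for f in findings:
        if f["seen_at_perimeter"]:
            actions.append("block %s at perimeter firewall" % f["src_ip"])
        actions.append("disable account %s on %s pending investigation" % (f["user"], f["host"]))
    return actions


if __name__ == "__main__":
    evts = collect(FIREWALL_LOGS, AUTH_LOGS)
    for finding in analyze(evts):
        print("FINDING:", finding)
    for action in recommend_actions(analyze(evts)):
        print("ACTION:", action)
```

Bob's key-based login from a different address produces no finding because no failures precede it, which is the "discern normal from suspicious" distinction a SOC lives on; in a real deployment the threshold and window would be tuned against the organization's own baseline rather than fixed as here.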

Sponsored by

Visit the SANS Analyst Reading Room, www.sans.org/reading-room/whitepapers/analyst, and search for "Building a World-Class Security Operations Center: A Roadmap".

A security operations center (SOC) is a centralized enterprise security monitoring team organized around the goal of improving the organization's risk posture through the use of technology and processes for incident detection, isolation, analysis and mitigation. (SANS, 2015)

30% say no budget is allocated to incident detection, investigation and response. (SANS 2014 Incident Response Survey)

52% report little visibility into endpoint/system configurations and vulnerabilities as an obstacle to incident response efficiency. (SANS 2014 Incident Response Survey)

58% have a dedicated incident response team, but 61% still call on surge staff to handle critical incidents. (SANS 2014 Incident Response Survey)

27% find the inability to discern normal from suspicious traffic to be a key concern. (SANS 2014 Log Management Survey)

69% have fully or partially embraced the use of cyberthreat intelligence in monitoring and incident response. (SANS 2015 Cyberthreat Intelligence Survey)

False malware alerts can drain an organization's resources … with an average of $1.27 million spent annually in response to 'inaccurate and erroneous intelligence.' Organizations waste approximately 395 hours per week 'chasing erroneous alerts.' (SC Magazine, January 20, 2015)
