SANS - building world class security operations center roadmap.pdf

Sans Building World Class Security Operations Center Roadmap

Resource covering SOC titled 'Sans Building World Class Security Operations Center Roadmap'.

This page contains AI-generated content. Errors or omissions may be present. Use human-level critical thinking.
  • Q: According to the roadmap, what is the very first step in building a SOC?
    A: Defining the SOC's Charter and Scope, including its authority and constituency.
  • Q: What is the 'Triad' model referenced for SOC maturity?
    A: People, Process, and Technology, with an emphasis that Technology should support the other two, not drive them.
  • Q: What specific 'Staffing Model' issue is highlighted as a common failure?
    A: Underestimating the headcount required for 24/7 coverage, leading to analyst burnout.
  • Q: How does the roadmap suggest handling 'Tier 1' analysis?
    A: By focusing on triage and validation to filter out false positives before escalating to deeper investigation.
  • Q: What is the recommended 'Technology Stack' hierarchy?
    A: Log Collection -> SIEM/Analytics -> Incident Response Platform -> Threat Intelligence Platform.
  • Q: What is the role of 'Playbooks' in the maturity roadmap?
    A: They are essential for ensuring consistent, repeatable responses to common alerts and for enabling future automation.
  • Q: How should a SOC measure 'Success' in the early stages?
    A: By focusing on 'Visibility' (coverage of assets) and 'Process Adherence' rather than just 'Mean Time to Detect'.
  • Q: What is the 'Continuous Improvement' loop?
    A: A post-incident review process that feeds lessons learned back into the detection logic and response procedures.
  • Q: What capability distinguishes a 'World Class' SOC from an average one?
    A: The ability to perform 'Threat Hunting' and 'Proactive Intelligence' rather than just reacting to alerts.
  • Q: What is the advice regarding 'Outsourcing' in the roadmap?
    A: Outsource commodity tasks (like 24/7 eyes-on-glass) but keep strategic capabilities (like incident response and threat intel) in-house.