This guidance framework on how to build a security operations center (SOC) is laid out for security and risk management technical professionals to follow step by step. It moves through five phases: plan, design, implement, operationalize and report. Each phase builds on the previous one and spells out the dependencies that must be met before the project can be completed.

Key findings

  • An SOC will lose its ability to perform over time unless it has a built-in growth plan that keeps its people, process and technology aligned with the ever-changing threat landscape.
  • A modern SOC must include detection capabilities that, instead of relying solely on alerts from reporting technologies, apply advanced analytics across a wide range of telemetry to detect attacks.
  • Using service providers with mature security operations and tool integration can be a fast path to a better performing SOC with mature capabilities.
  • It isn’t possible to build an SOC solely on automation, and those who try are disappointed.