I've been working to modernize our Cyber Security Operation Center (SOC) response time service level objectives (SLOs). Like many organizations, we've seen the "1 : 10 : 60" goal, which aims to have SOCs "detect" an event within 1 minute, "analyze" within 10 minutes, and "contain" within an hour. For a variety of reasons, we set less aggressive targets, aiming at 15/60/240 minutes for these objectives. Might other organizations be willing to share/discuss their actual SLOs and target objectives for SOC performance?

Executive Vice President, Chief Digital Officer & Head of Cybersecurity in IT Services, 2 years ago

For SOC services, looking at the criticality of operations, it is better to set very aggressive SLOs which are "1:5:30". This will help to contain actions against critical alerts and meet SOC performance objectives.

Chief Digital Officer in IT Services, 2 years ago

I have seen the “1:10:60” goal for improving SOC response times to be a popular target for many organizations. However, depending on your particular needs and resources, this target may not always be attainable. We have set less aggressive targets of 15/60/240 minutes for SOC performance, and these have worked for us in the past.
