I think we can all agree that one of the primary responsibilities of a SOC is to efficiently bring the organization back to a known good state after being hit by an attack.

And yes, that includes detecting that an incident took place and responding to that incident. The proverbial “threat detection and response (TDR)”. But is that enough?

No!! Investigation is equally — if not more — important than detection and response. …


In a previous blog, I described why following the XDR newsfeed felt like watching a telenovela with always a more dramatic episode around the corner. This might be fun for the casual observer, but it is really hurting CISOs and security teams, and ultimately it is detrimental to organizations’ security posture. It is time to reboot the XDR telenovela.

Introducing the XDR Alliance!

XDR Alliance — why?

Why did Exabeam drive the creation of this alliance with key security technology providers Armis, Expel, ExtraHop, Google Cloud Security, Mimecast, Netskope, and SentinelOne? Simple, it’s because:

  • We cannot lose the battle to the adversaries, and we…


Confusing drama? Intrigue? Passion? Cliffhangers? Look no further than the XDR Telenovela and its never-ending stream of episodes.

New episodes — the plot thickens

If you are a technology buyer for the SOC I bet the XDR Telenovela is programming you could do without. Every day, there seems to be a new dramatic episode. Yet another definition for what XDR is, needs to be, should be, could be, and would like to be. And with them, new characters, and story lines for viewers to chew on.

If you are looking at an XDR solution, this is a tough spot to be in. …


Photo by Brett Jordan on Unsplash

A couple of months back, I wrote about traditional SIEMs not being adequate threat detection, investigation, and response (TDIR) tools for our new world, and how that forced the marketplace to adapt, creating a vacuum for two types of TDIR tools, namely 1) XDRs and 2) emerging SIEMs. After several posts on XDR tools (mainly open XDRs), and another post on the differences between SIEM and open XDR, today I’ll spend some time describing a few differences between several generations of SIEMs.

Not all SIEMs are created equal. SIEMs from 2005 have little to do with the SIEMs of today


“Automated SOCs” is a fun topic that is sure to get people’s juices flowing. I am referring to what some of us (several former analysts from Gartner and current analyst from Forrester) have recently been discussing. Examples include:

- Allie Mellen from Forrester wrote, “Stop trying to take humans out of security operations

- Anton Chuvakin, ex-analyst from Gartner wrote, “Stop trying to take humans out of security operations… except… wait… wait… wait…

- Augusto Barros, ex-analyst from Gartner wrote, “The robots are coming

- I wrote (drawing from my Gartner days and other experiences) a series of blogs on…


In our last blog post, we described the legacy SOC maturity model based on speeds and feeds tracking activity volume, mean time to detect (MTTD) and mean time to respond (MTTR). We demonstrated why SOCs that try to improve these metrics are not as effective or efficient as they could be. While these metrics are prevalent in the industry, and legacy maturity models are based on them, they have typically yielded approaches that try to be as complete as possible but are instead too complex and expensive, and lead to staff burnout.

Tracking the Threat Detection, Investigation and Response Lifecycle as a single continuum

Over time, it has become evident that the…


So far in this series on the security operations center (SOC), we’ve discussed why you need a SOC, why threat prevention alone is not good enough, and why you already have a SOC, whether you know it or not.

The next topic: Do you have the right approach as you think about your SOC? Is your SOC operating under the right maturity model? You may think that the older SOC maturity model and older metrics based on speeds and feeds are still fine, but the truth is that this model based on such metrics as MTTD and MTTR are plain…


Demystifying the SOC, Part 3: Whether You Know It or Not, You Have a SOC

In our previous posts, we discussed why every organization, including yours, needs a security operations center (SOC) and why prevention is not enough. Here we’ll discuss why, whether you know it or not, you already have a SOC. And if you look around and there is nobody else in the security team, then you — are — the SOC!!

SOCs are about keeping the organization in a known good state

As previously discussed, the SOC’s mission is to keep the organization’s infrastructure operating securely in a known clean state. Today it ’s assumed that it’s only…


In our previous post, we discussed why every organization, including yours, needs a Security Operations Center (SOC) to detect and address security breaches and maintain the infrastructure in a known good state. SOCs are part of a longstanding shift in cybersecurity from prevention to a blend of prevention and threat detection, investigation and response (TDIR), the latter of which is the mission of the SOC.

It wasn’t long ago that the industry was focused almost exclusively on prevention via firewalls and network proxies aiming to create the so-called “network perimeter.” Inside the perimeter was the “trusted zone” of the corporate…


This is the first in a series of a dozen or so blog posts entitled “Demystifying the SOC” covering several topics on security operations centers (SOCs). My goal is to help dispel many of the myths and answer many of the questions that I heard over thousands of conversations with clients while I was a technology analyst at Gartner covering SOCs.

When I was at Gartner covering Security Operations Centers (SOCs), I had hundreds of discussions with organizations looking reluctantly to build a SOC after a breach was declared, or to buy a security information and event management (SIEM) solution…

Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store