This talk will discuss the task most critical to improving SOC capability: the development of appropriate scenarios of inspection, typically referred to as use cases. To be successful, a use case must blend technical knowledge of the deployed systems, knowledge of threat capability and common adversary behaviour, an understanding of the organization's information assets, and the data collection needed to observe the scenario.
As background for this use case discussion, the functional areas a SOC requires will be identified. Since use cases are produced by analysis, and effective analysis depends on people, the talk will also cover analysis itself and strategies for developing it on an ongoing basis.
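The abstract names four inputs a use case must blend but does not show one written down. The following is an added example, not material from the talk: a single hypothetical use case (password spraying against a VPN gateway) expressed as data carrying those four inputs, plus the detection logic that the data collection requirement exists to feed, run over constructed syslog-style authentication events. The asset name, log format, threshold and sample lines are all invented for illustration.

```python
"""Added example (not from the talk): one SOC use case written as code.

Everything here is constructed for illustration: the asset inventory,
the threat behaviour, the log format and the sample log lines.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class UseCase:
    """A use case ties together the four inputs the abstract names."""
    name: str
    deployed_system: str      # technical knowledge of what is deployed
    threat_behaviour: str     # what the adversary commonly does
    protected_assets: set     # the organization's information assets
    data_source: str          # what telemetry must be collected
    threshold: int = 5        # tuning knob: distinct users before alerting
    window_seconds: int = 60  # tuning knob: time window for the count


# Hypothetical use case: password spraying against a VPN gateway.
VPN_SPRAY = UseCase(
    name="VPN password spray",
    deployed_system="SSL VPN gateway exporting auth events via syslog",
    threat_behaviour="many distinct accounts, few attempts each, one source",
    protected_assets={"vpn-gw-1"},
    data_source="vpn_auth syslog",
    threshold=5,
    window_seconds=60,
)

# Constructed auth events: "<epoch> <host> <result> user=<u> src=<ip>"
SAMPLE_LOG = """\
1700000000 vpn-gw-1 FAIL user=alice src=203.0.113.9
1700000005 vpn-gw-1 FAIL user=bob src=203.0.113.9
1700000010 vpn-gw-1 FAIL user=carol src=203.0.113.9
1700000015 vpn-gw-1 FAIL user=dave src=203.0.113.9
1700000020 vpn-gw-1 FAIL user=erin src=203.0.113.9
1700000021 vpn-gw-1 OK user=frank src=203.0.113.9
1700000030 vpn-gw-1 FAIL user=alice src=198.51.100.7
1700000031 vpn-gw-1 FAIL user=alice src=198.51.100.7
1700000032 vpn-gw-1 FAIL user=alice src=198.51.100.7
1700000033 vpn-gw-1 FAIL user=alice src=198.51.100.7
1700000034 vpn-gw-1 FAIL user=alice src=198.51.100.7
1700000040 test-gw FAIL user=bob src=203.0.113.9
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, host, result, user_kv, src_kv = line.split()
    return {"ts": int(ts), "host": host, "result": result,
            "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]}


def evaluate(use_case, log_text):
    """Return one alert per source whose failures match the use case.

    Spray behaviour means many distinct users from one source inside the
    window. The same user failing repeatedly from one source is a different
    scenario (brute force / lockout) and is deliberately not matched here,
    and events against hosts outside the protected asset set are ignored.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    in_scope = [e for e in events
                if e["host"] in use_case.protected_assets and e["result"] == "FAIL"]
    by_src = defaultdict(list)
    for e in in_scope:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits window_seconds.
            while evs[end]["ts"] - evs[start]["ts"] > use_case.window_seconds:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= use_case.threshold:
                alerts.append({"use_case": use_case.name, "src": src,
                               "distinct_users": len(users)})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in evaluate(VPN_SPRAY, SAMPLE_LOG):
        print(alert)
```

Writing the use case this way makes each of the abstract's four inputs an explicit field that an analyst can review, and it makes the tuning knobs (threshold, window) visible rather than buried in a query; the sample shows why asset scope and behaviour matter, since the same source hitting a non-protected host and a single account failing five times both fall outside this scenario.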