SOC Maturity Assessment 2017-09-25T10:32:21+00:00

SOC MATURITY ASSESSMENT

The experienced team at Nettitude have created a SOC Maturity Assessment process as an approach to quantifiably measure the effectiveness of a Security Operations Centre (SOC).

Our Red Teaming exercises and Threat Intelligence led tests will help your organisation to:

  • Understand what level of maturity your SOC is currently operating at.
  • Establish what level it should be aiming for.
  • Identify what your SOC’s development roadmap should look like.
  • Measure your SOC’s assurance levels and ability to detect cyber-attacks.
  • Respond to cyber-attacks in a timely manner to prevent the impact being realised.


SOC Maturity Framework

A SOC Maturity Framework is crucial to contextualise the type of SOC and objectives required by the organisation.

Nettitude has developed this model to meet a need within the industry. Other bodies have suggested models (namely Mitre, SANS and HP), and these are referenced below. However, they have the downside that they focus largely on the operational aspects of a SOC suited to enterprise entities.

  • SANS: Building, Maturing and Rocking a Security Operations Centre (reference)

  • HPE: Security Operations Maturity Model (SOMM) (reference)

Nettitude’s approach has been to blend the technical understanding of how attacks take place with a solid understanding of threat actors (their methods and actions). Ultimately, this is what a SOC should be capable of detecting and responding to. Without a fundamental understanding of what threat actors do, and how they do it, a defensive capability will be limited in its approach.

The building blocks will in many cases be present in most SOCs, but how they are implemented and used will determine the maturity level.

3-Stage Approach

Nettitude has developed a 3-stage approach to assess the capabilities of a SOC:

Stage One

Defining the SOC Maturity level required to detect the likely threat actors’ actions against the organisation.

Stage Two

Proposing the operational environment required to ensure the right log sources, alarms and detection capabilities are in place to detect those actions.

Stage Three

Simulated testing to gain assurance that the ability to detect and respond to the identified threat actor actions is real.

Use of Threat Modelling

Nettitude’s approach is built around the use of threat modelling to simulate the activities that are most likely to be used by threat actors targeting the organisation. These activities are presented in diagrammatic attack trees.

Once the attack trees are documented, it is possible to identify critical elements within their topology and establish detection and response measurement points there. For these to have maximum value, the detection points are aligned to the organisation’s infrastructure and application systems. In addition, they are designed to leverage the organisation’s existing investment in cyber security products and solutions.

After these detection points have been configured within the organisation’s environment, Nettitude will deliver an additional round of technical assurance assessments, through DARA (Detect and Response Assessment) penetration testing, to help provide visibility and confidence that the SOC is functioning effectively.

Following the successful completion of these technical detection and response assessments, the organisation will have a defined baseline of logging and alerting logic. This then provides the foundation for the organisation to develop future enhancements to its detection capability as new threats evolve and emerge.


Core Capabilities

The core parts of a SOC’s operation will be its capabilities. Some of these will be foundational (the ability to collect and analyse log data, trained staff, a process for incident management, etc.), and some will be enhancing (data trending, threat hunting activities, etc.).

Nettitude splits capabilities into Detection and Response. The data required to alert on a breach action may be a different set from that required to investigate or respond to where the attack started or how far the attacker has spread.

For both the detection and response functions there will be a core set of requirements that must be in place (fundamental capabilities) and additional value-add elements that can be built on top of them (enhancing capabilities).

Framework Overview

An overview of the SOC Maturity framework is presented in the diagram below. The following sections then provide further details about each of the 3 stages. The model breaks down each stage further, with over 60 areas covered.
