SOC maturity - setting standards for your SOC

Every organization that either builds a security operations center or subscribes to the services of a managed security services provider (MSSP) hopes that the SOC is able to prevent, detect and respond to cyber related attacks. However, there is huge amounts of variability in SOC services, and it is very common for organizations to build or leverage SOC services that are mismatched to the threats that they face.

We have been working with industry bodies such as CREST, with other leading SOC providers and with our clients to build a SOC maturity model for organizations to measure their SOC against. This model is also useful tool to drive improvement and maturity in the level of services that a SOC is able to deliver.

We have built our maturity model around 4 levels, ranging from level 1 which is best efforts, up to level 4 which is high capable. Key Elements of the Maturity Models are as follows:

Maturity Level 1 - Best Efforts	Understanding of Threat Landscape Blind to attackers and their methods Mind-Set: Not expecting it to happen to them Capabilities Best Efforts, no structured planning Basic Log sources – however no understanding of what logs or why No dedicated staff. Assumed to be ab add on function to staff’s other duties No defined Incident Response capability Risk Profile Focused on achieving compliance. Risk is measured in terms of non-compliance Likely to be compromised if targeted
Maturity Level 2 - Limited Maturity	Understanding of Threat Landscape Limited Understanding about common threat actors methods Mind Set: Preventative Capabilities Effective Log Management Assigned Individuals in a SOC Basic Incident Response Capability Risk Profile Compliance Requirements achieved Able to detect regular attacks on Internet facing equipment (North-South) Unable to identify sophisticated attacks
Maturity Level 3 - Moderate Maturity	Understanding of Threat Landscape Detect & Respond to external, insider and organized crime Endpoint & Network log sources including flow data and forensic level artifacts Some aspects of threat and vulnerability intelligence Log Sources covering the majority of the kill chain Risk Profile Detect and Respond to organized crime Vulnerable to highly sophisticated attacks
Maturity Level 4 - High Capable	Understanding of Threat Landscape Knowledge of the current and historic attacks Knowledge and understanding of basic threats all the way up to sophisticated attacks Mind Set: Expect to be targeted by sophisticated adversaries daily Capabilities Detect and Respond to sophisticated attacks Proactive Threat and Vulnerability intelligence Well-developed cyber range Log Sources covering all aspects of the kill chain Network traffic analysis Proactive Hunt teams Risk Profile Able to prevent, detect and respond to sophisticated attacks

Using the right building blocks to run your SOC

Many organizations aspire to run a security operations center that is at the highest level of maturity. However, this can only ever be possible if the correct building blocks have been deployed and the right kind of log, traffic, behavior and threat intelligence is being collected. For instance, a SOC provider that has the capability to operate at level 4, can only deliver level 4 services to clients if their clients estates have been configured to generate logs from all aspects of the kill chain. If the client only captures logs on core servers, and perimeter devices, the MSSP will only be able to deliver SOC services to that client that are at level 2 or level 3.

LRQA has an extensive suite of services designed to help organizations develop and enhance their security operations centers. We have in depth methodologies and development programs designed to help organizations detect and respond to sophisticated cyber threats. To find out more about how we can help measure the effectiveness of your current SOC solution, or support you enhance and develop your SOC to the next level, please get in touch.