Demystifying the SOC, Part 5: The New SOC Maturity Model based on Outcomes

Tracking the Threat Detection, Investigation and Response Lifecycle as a single continuum

Over time, it has become evident that the effectiveness and efficiency of a SOC should not be measured by the volume of activity at each phase in the Threat Detection, Investigation and Response (TDIR) workflow. This will lead to the SOC focusing on the wrong metrics and will promote a “garbage in — garbage out” syndrome at each of the internal phases. If the focus at each phase is quantity, not quality, accuracy problems will just be pushed to subsequent phases.

New SOC maturity model based on Outcomes

Rather than rating SOC maturity by functions mastered, SOC Maturity Model 2.0 focuses on outcomes, and on what use cases the SOC is able to deliver consistently and efficiently with minimal manual intervention. This approach unifies the SOC’s TDIR phases into one holistic, integrated workflow that can be performed at scale. The more mature SOCs are capable of consistently delivering outcomes across more sophisticated use cases, whereas less mature SOCs can only tackle simpler and easier use cases. In our next blog installment, we will dive into more details on what a use case entails, and what tools can do in order to help analysts with the delivery of these use cases.

Benefits of this outcome-based approach

The advantage of this outcome-based approach is that it focuses on the fundamental mission of a SOC, which is to bring the environment back to a known, good, secure operating state after being hit, or to prevent a security incident from developing into a breach while trying to learn the lessons of the attack and engage in a continuous improvement cycle. This approach provides a more relevant set of goals and progressions for the SOC which can focus resources on the most common threats first, then address use cases of growing sophistication and complexity.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Gorka Sadowski

Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.