Demystifying the SOC, Part 4: The Old SOC Maturity Model based on Speeds and Feeds

The SOC as the evolution of the NOC

Tracking the Threat Detection, Investigation and Response Lifecycle as discrete phases

  • Preparation and Collection. In this phase, the organization makes sure that all the required content is available, e.g. log, event and content collection, detection rules, response playbooks.
  • Detection. In this phase, one or more of the detection engines trigger an alert.
  • Triage and assignment. In this phase, the alert is enriched and the determination is made — is this a false positive, or a true positive? If a true positive, who will work on this incident?
  • Initial response. In this phase, the initial response will take place so as to mitigate further damage from the incident, e.g. a host will be put in quarantine, a rogue process will be suspended, credentials or authorizations will be temporarily revoked for a user.
  • Incident diagnostic and investigation. In this phase, the organization will try to understand the full scope of what happened (e.g. the blast radius for the attack) and determine the intent for this incident — the what and the why.
  • Incident closure. Once the root cause is understood, the organization brings the environment back to a normal, known-good state, e.g. a malicious insider is permanently removed, or a server broken beyond repair is re-imaged.
  • Post Mortem & Root Cause Analysis and continuous improvement. In this phase, the organization draws bigger lessons from this episode with the goal of continuous improvement. For example: do we have a hole in our technology stack that we need to plug? Do we need to make configuration changes in our firewall which require change control? Do we have the right skillsets to address this situation? Are we running the proper processes for efficient InfoSec? These improvements are iterative in nature.

Older SOC maturity model based on Speeds and Feeds

The Result: Wrong Incentives That Are Burning People and Money

  • The best way to improve MTTD is to generate a bunch of alerts “just in case one of them is good”. But this will lead to many false positives.
  • The best way to improve MTTR is to close incidents as soon as possible. But this will lead to missing key information for the MTTA and the Post Mortem.
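The following Python is an added example, not code from the original post or from Exabeam: it records the lifecycle phases listed above as discrete, ordered timestamps per incident, derives MTTD, MTTA and MTTR from them, and adds the one audit that the "speeds and feeds" metrics themselves never give you, a list of true positives closed before any meaningful investigation time was spent. Phase names, the one-hour investigation threshold and the three sample incidents are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean

# Per-incident phases in the order the article lists them. "Preparation and
# collection" is organisation-wide rather than per incident, so it is not
# tracked here. Phase labels are constructed for this example.
PHASES = ("detection", "triage", "initial_response",
          "investigation", "closure", "post_mortem")


@dataclass
class Incident:
    incident_id: str
    first_activity: datetime          # earliest evidence of attacker activity (from investigation)
    true_positive: bool = True
    entered: dict = field(default_factory=dict)  # phase -> timestamp the phase was entered

    def advance(self, phase: str, at: datetime) -> None:
        """Enter `phase`; phases must be entered in lifecycle order and time never goes backwards."""
        if phase not in PHASES:
            raise ValueError(f"unknown phase {phase!r}")
        idx = PHASES.index(phase)
        if idx > 0 and PHASES[idx - 1] not in self.entered:
            raise ValueError(f"{self.incident_id}: {phase} entered before {PHASES[idx - 1]}")
        if self.entered and at < max(self.entered.values()):
            raise ValueError(f"{self.incident_id}: timestamp for {phase} goes backwards")
        self.entered[phase] = at

    def dismiss(self, at: datetime) -> None:
        """Triage decided this was a false positive: closure follows triage directly."""
        if "triage" not in self.entered:
            raise ValueError(f"{self.incident_id}: cannot dismiss before triage")
        self.true_positive = False
        self.entered["closure"] = at


def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def lifecycle_metrics(incidents: list) -> dict:
    """MTTD, MTTA and MTTR in hours over closed true positives, plus the false-positive rate."""
    tps = [i for i in incidents if i.true_positive and "closure" in i.entered]
    return {
        "mttd_hours": mean(hours(i.first_activity, i.entered["detection"]) for i in tps),
        "mtta_hours": mean(hours(i.entered["detection"], i.entered["triage"]) for i in tps),
        "mttr_hours": mean(hours(i.entered["detection"], i.entered["closure"]) for i in tps),
        "false_positive_rate": sum(not i.true_positive for i in incidents) / len(incidents),
    }


def fast_closures(incidents: list, min_investigation_hours: float) -> list:
    """True positives closed with less than the threshold spent in investigation.

    These are the incidents that flatter MTTR while starving the post mortem.
    """
    return [i.incident_id for i in incidents
            if i.true_positive and "closure" in i.entered
            and hours(i.entered["investigation"], i.entered["closure"]) < min_investigation_hours]


def build_sample() -> list:
    """Three constructed incidents: one worked properly, one rushed to closure, one false positive."""
    t0 = datetime(2024, 1, 1)
    h = lambda n: t0 + timedelta(hours=n)
    a = Incident("INC-1", first_activity=h(0))
    for phase, at in zip(PHASES, (h(2), h(2.5), h(3), h(4), h(10), h(24))):
        a.advance(phase, at)
    b = Incident("INC-2", first_activity=h(0))          # closed 15 minutes into investigation
    for phase, at in zip(PHASES[:5], (h(6), h(7), h(7.5), h(8), h(8.25))):
        b.advance(phase, at)
    c = Incident("INC-3", first_activity=h(1))          # "just in case" alert with no real activity
    c.advance("detection", h(1))
    c.advance("triage", h(1.2))
    c.dismiss(h(1.25))
    return [a, b, c]


def ordering_is_enforced() -> bool:
    """Returns True if the tracker refuses to close an incident that skipped investigation."""
    i = Incident("INC-X", first_activity=datetime(2024, 1, 1))
    i.advance("detection", datetime(2024, 1, 1, 1))
    try:
        i.advance("closure", datetime(2024, 1, 1, 2))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    sample = build_sample()
    print(lifecycle_metrics(sample))
    print("closed too fast:", fast_closures(sample, min_investigation_hours=1))
```

Run on the sample, the headline numbers look healthy (MTTR of about five hours) precisely because INC-2 was closed a quarter of an hour into its investigation; `fast_closures` surfaces it, and the tracker's ordering check stops closure from being recorded before investigation at all. A volume of dismissed alerts like INC-3 shows up only in the false-positive rate, which the MTTD figure alone never exposes.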

Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.