A CTO’s Take on Building a SOC Framework: The Security Operations Maturity Model

When we set out to redefine what security information and event management (SIEM) needed to be, our mission was quite simple — help organizations better detect and defend themselves from threats flying under the radar. Since then, the industry has certainly come a long way on the technology side of the equation. We have harnessed big data, we are leveraging machine learning, and we are automating tedious tasks.

However, even with great strides in technology, organizations continue to be savagely compromised. A look at just a sample of the data breaches in 2018 tells a sobering story — billions in losses and costs!


Figure 1. Sample of 2018 data breaches

So with all the amazing strides in technology, why aren’t we doing better?

Well, unfortunately, the technological advancements that create opportunity have also caused chaos when it comes to securing ever-evolving IT and operational technology (OT) infrastructures. And of course, the threat landscape hasn’t gotten any tamer. But even so, why are attackers left to dwell undetected for months after initial compromise? Shouldn’t organizations be able to do better?

A 2018 Mandiant report indicates that threat actors were present on victims’ networks for a median of 101 days before being detected.

Yes, they can and must. But to get there, organizations must acknowledge that technology, without effective alignment of people and process, won’t realize the desired result. Simply put, there is no silver bullet to cybersecurity, nor will there be anytime soon. Organizations must invest the time and resources required to meaningfully reduce their mean time to detect (MTTD) and mean time to respond (MTTR) to cyberthreats.

To help organizations understand what is required, we developed our Threat Lifecycle Management (TLM) framework a few years ago.


Figure 2. The Threat Lifecycle Management framework

The intent of this SOC framework is to describe the technological capabilities and interrelated workflow processes security operations teams must realize to deliver the four foundational programs of the security operations center (SOC) — the effectiveness of which dictates enterprise MTTD/MTTR:


Figure 3. The foundation of an effective security operations center program

The good news is that more organizations than ever are invested in SOCs and their related programs. LogRhythm has helped organizations create and modernize their SOC frameworks over the past decade. We have unique experience and insight into what makes a SOC successful. Technology is paramount, and we certainly recommend organizations invest in a modern NextGen SIEM platform. But we know success will not be determined by technology and product alone. The reality is that adopting technology and realizing improved security operations capabilities takes time, and people are still the most important ingredient.

For most organizations, seeing a meaningful reduction (e.g., 2x–3x) in threat MTTD/MTTR at an enterprise-wide level can take years. To continue helping organizations best navigate this journey, we created the Security Operations Maturity Model (SOMM). Our model provides a logical progression of technology and process improvements that, when followed, will best empower people toward accelerated reductions in MTTD and MTTR. While this model draws on the combined experience of the authors, more importantly, it draws on a decade of organizational experience serving enterprise SOCs across the globe.

In the SOMM white paper, you will learn the following:

  • How attacks typically unfold, and the benefit of detecting/mitigating threats early
  • An overview of LogRhythm’s Threat Lifecycle Management (TLM) framework
  • An overview of key operational metrics organizations should measure and monitor
  • A five-level maturity model, with technological and operational capabilities described for each level, that build on each other to drive down MTTD/MTTR and related cyber-incident risk


Figure 4. Security operations maturity results in faster MTTD/MTTR and cyberthreat resilience

Whether or not you decide to partner with LogRhythm on your own journey, we hope our Security Operations Maturity Model will help you on your path to success.