SOCTOM Design Tool

Author: Rob van Os
Version: 1.0
Date: 13.12.2022

Read the SOC Target Operating Model whitepaper for additional guidance on the SOCTOM tool and process.

Security Operations Center Current Operating Model (SOCCOM)

SOCCOM date: YYYY/MM/DD

Columns: SOC-CMM domain | SOC-CMM aspect | Capability | Maturity | SOCCOM element | Current state

Capability and Maturity are scored per SOC-CMM aspect and are N/A in the blank template until filled from a SOC-CMM assessment; Current state is filled in per SOCCOM element. Elements are listed below grouped by SOC-CMM domain and aspect.

Business
    Business drivers
        Current understanding of business drivers
        Current application of business drivers
    Customers
        Current number of customers (MSSP)
        Current diversity of stakeholders (internal SOC)
        Current understanding of customers
        Current customer intimacy state
    Charter
        Current charter state & contents
    Governance
        Current governance elements
        Current governance structure
        Current cost management strategy
        Current SOC assessment strategy
    Privacy & policy
        Current privacy & security policies
        Current policy compliance level

People
    Employees
        Current FTE count (internal, external)
        Current recruitment & retainment strategy
    Roles & hierarchy
        Current role model
        Current hierarchy (including tiers)
        Current role documentation level
    People management
        Current people management strategy
        Current team management strategy
    Knowledge management
        Current insight into KSAs and SPOKs
        Current active management of KSA gaps
        Current knowledge sharing strategy
    Training & education
        Current training plan
        Current certification plan
        Current alignment to roles & career progression

Process
    SOC Management
        Current SOC management elements
        Current SOC structure and type
        Current SOC continuous improvement strategy
        Current threat modelling approach
        Current quality assurance strategy
    SOC Architecture
        Current technology architecture
        Current technology principles
        Current service architecture
        Current process architecture
    Operations & facilities
        Current facilities (physical & virtual)
        Current operating hours
        Current level of service standardization
        Current operational shift setup
        Current level of ITSM process integration
        Current exercise strategy
    Reporting & communication
        Current reporting level
        Current metric types
        Current communication strategy
    Use case management
        Current Use Case Management strategy
        Current application strategy of MITRE ATT&CK©
        Current use case measurement strategy
        Current CTI integration level
    Detection engineering & validation
        Current visibility level
        Current development & release process
        Current testing & validation strategy

Technology
    SIEM tooling
        Current SIEM architecture
        Current SIEM management & support level
        Current SIEM documentation level
        Current SIEM basic capability deployment
        Current SIEM integration level
        Current SIEM analytics & detection application
        Current SIEM data ingestion & parsing
    NDR tooling
        Current NDR architecture
        Current NDR management & support level
        Current NDR documentation level
        Current NDR basic capability deployment
        Current NDR integration level
        Current NDR analytics & detection capability
        Current NDR response capability
    EDR tooling
        Current EDR architecture
        Current EDR management & support level
        Current EDR documentation level
        Current EDR basic capability deployment
        Current EDR integration level
        Current EDR analytics & detection capability
        Current EDR response capability
    SOAR tooling
        Current SOAR architecture
        Current SOAR management & support level
        Current SOAR documentation level
        Current SOAR basic capability deployment
        Current SOAR integration level
        Current SOAR automation capability
        Current SOAR data ingestion

Services
    Security monitoring (SEM)
        Current SEM service levels
        Current SEM service delivery
        Current SEM documentation level
        Current SEM quality assurance
        Current SEM monitoring capability
        Current SEM detection capabilities
        Current SEM tuning capability
    Security incident management (SIM)
        Current SIM service levels
        Current SIM service delivery
        Current SIM documentation level
        Current SIM quality assurance
        Current SIM preparation capability
        Current SIM detection & analysis capability
        Current SIM containment, eradication & recovery capability
        Current SIM post-incident capability
    Security Analysis & Forensics (SAF)
        Current SAF service levels
        Current SAF service delivery
        Current SAF documentation level
        Current SAF quality assurance
        Current SAF evidence / data collection capability
        Current SAF analysis capability
        Current SAF procedural capability
    Threat intelligence (CTI)
        Current CTI service levels
        Current CTI service delivery
        Current CTI documentation level
        Current CTI quality assurance
        Current CTI collection capability
        Current CTI processing & analysis capability
        Current CTI dissemination capability
        Current CTI infrastructure management capability
    Threat hunting (TH)
        Current TH service levels
        Current TH service delivery
        Current TH documentation level
        Current TH quality assurance
        Current TH data collection capability
        Current TH pyramid of pain capability
        Current TH hypothesis generation capability
    Vulnerability management (VuM)
        Current VuM service levels
        Current VuM service delivery
        Current VuM documentation level
        Current VuM quality assurance
        Current VuM scanning capability
        Current VuM analysis capability
        Current VuM reporting capability
    Log management (LM)
        Current LM service levels
        Current LM service delivery
        Current LM documentation level
        Current LM quality assurance
        Current LM data collection capability
        Current LM data storage & retention capability
        Current LM data searching capability

Copyright (C) 2022 - SOC-CMM

The SOCTOM design tool is part of the SOC-CMM.

The SOC-CMM is free software, released under the CC BY-SA license: https://creativecommons.org/licenses/by-sa/4.0/

You are free to:

Share — copy and redistribute the material in any medium or format
Adapt — remix, transform, and build upon the material for any purpose, even commercially.

Under the following terms:

Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.

No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

This license is acceptable for Free Cultural Works. The licensor cannot revoke these freedoms as long as you follow the license terms.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Usage: the left side of the template (the SOCCOM table) can be used to define and score the current SOC state. Use maturity and capability scores from a recent SOC-CMM assessment to accurately define the current state. Elements that are not relevant can be removed, or replaced with other, more relevant, elements.

The right side of the template (the SOCTOM table) can subsequently be used to define the target state of the SOC, in terms of target maturity and capability as well as a more granular target state for the SOCTOM elements.

Security Operations Center Target Operating Model (SOCTOM)

SOCTOM target date: YYYY/MM/DD

Columns: SOC-CMM domain | SOC-CMM aspect | SOCTOM element | Target state | Capability | Maturity

Target state is filled in per SOCTOM element; target Capability and Maturity are set per SOC-CMM aspect and are N/A in the blank template. Elements are listed below grouped by SOC-CMM domain and aspect.

Business
    Business drivers
        Target understanding of business drivers
        Target application of business drivers
    Customers
        Target number of customers (MSSP)
        Target diversity of stakeholders (internal SOC)
        Target understanding of customers
        Target customer intimacy state
    Charter
        Target charter state & contents
    Governance
        Target governance elements
        Target governance structure
        Target cost management strategy
        Target SOC assessment strategy
    Privacy & policy
        Target privacy & security policy
        Target policy compliance level

People
    Employees
        Target FTE count (internal, external)
        Target recruitment & retainment strategy
    Roles & hierarchy
        Target role model
        Target hierarchy (including tiers)
        Target role documentation level
    People management
        Target people management strategy
        Target team management strategy
    Knowledge management
        Target insight into KSAs and SPOKs
        Target active management of KSA gaps
        Target knowledge sharing strategy
    Training & education
        Target training plan
        Target certification plan
        Target alignment to roles & career progression

Process
    SOC Management
        Target management elements
        Target SOC structure and type
        Target SOC continuous improvement strategy
        Target threat modelling approach
        Target quality assurance strategy
    SOC Architecture
        Target technology architecture
        Target technology principles
        Target service architecture
        Target process architecture
    Operations & facilities
        Target facilities (physical & virtual)
        Target operating hours
        Target level of service standardization
        Target operational shift setup
        Target level of ITSM process integration
        Target exercise strategy
    Reporting & communication
        Target reporting level
        Target metric types
        Target communication strategy
    Use case management
        Target Use Case Life-Cycle Management process
        Target application of MITRE ATT&CK©
        Target use case measurement strategy
        Target application of CTI
    Detection engineering & validation
        Target visibility level
        Target development & release process
        Target testing & validation strategy

Technology
    SIEM tooling
        Target SIEM architecture
        Target SIEM management & support level
        Target SIEM documentation level
        Target SIEM basic capability deployment
        Target SIEM integration level
        Target SIEM analytics & detection application
        Target SIEM data ingestion & parsing
    NDR tooling
        Target NDR architecture
        Target NDR management & support level
        Target NDR documentation level
        Target NDR basic capability deployment
        Target NDR integration level
        Target NDR analytics & detection capability
        Target NDR response capability
    EDR tooling
        Target EDR architecture
        Target EDR management & support level
        Target EDR documentation level
        Target EDR basic capability deployment
        Target EDR integration level
        Target EDR analytics & detection capability
        Target EDR response capability
    SOAR tooling
        Target SOAR architecture
        Target SOAR management & support level
        Target SOAR documentation level
        Target SOAR basic capability deployment
        Target SOAR integration level
        Target SOAR automation capability
        Target SOAR data ingestion

Services
    Security monitoring (SEM)
        Target SEM service levels
        Target SEM service delivery
        Target SEM documentation level
        Target SEM quality assurance
        Target SEM monitoring capability
        Target SEM detection capabilities
        Target SEM tuning capability
    Security incident management (SIM)
        Target SIM service levels
        Target SIM service delivery
        Target SIM documentation level
        Target SIM quality assurance
        Target SIM preparation capability
        Target SIM detection & analysis capability
        Target SIM containment, eradication & recovery capability
        Target SIM post-incident capability
    Security Analysis & Forensics (SAF)
        Target SAF service levels
        Target SAF service delivery
        Target SAF documentation level
        Target SAF quality assurance
        Target SAF evidence / data collection capability
        Target SAF analysis capability
        Target SAF procedural capability
    Threat intelligence (CTI)
        Target CTI service levels
        Target CTI service delivery
        Target CTI documentation level
        Target CTI quality assurance
        Target CTI collection capability
        Target CTI processing & analysis capability
        Target CTI dissemination capability
        Target CTI infrastructure management capability
    Threat hunting (TH)
        Target TH service levels
        Target TH service delivery
        Target TH documentation level
        Target TH quality assurance
        Target TH data collection capability
        Target TH pyramid of pain capability
        Target TH hypothesis generation capability
    Vulnerability management (VuM)
        Target VuM service levels
        Target VuM service delivery
        Target VuM documentation level
        Target VuM quality assurance
        Target VuM scanning capability
        Target VuM analysis capability
        Target VuM reporting capability
    Log management (LM)
        Target LM service levels
        Target LM service delivery
        Target LM documentation level
        Target LM quality assurance
        Target LM data collection capability
        Target LM data storage & retention capability
        Target LM data searching capability
