Welcome to the SOC-CMM site. The SOC-CMM is a capability maturity model and self-assessment tool for Security Operations Centers (SOCs). The model is based on solid research into the characteristics of SOCs and verified with actual SOCs. This research has focused on the creation of a model, but also on the creation of a self-assessment tool that can be used to determine strengths and weaknesses of the SOC based on capability and maturity scoring.
Navigate using the tabs to learn more about the SOC-CMM. Also, you can proceed directly to the downloads section to download the self-assessment tool and start to measure and improve your Security Operations Center. Use the contact page in case of questions or comments about the SOC-CMM.
The SOC-CMM model was created by evaluating scientific and non-scientific literature to determine characteristics and features of SOCs, such as specific technologies or processes. These characteristics and features were then aggregated into respective domains. Then, a survey was held among SOCs to determine the existence of identified theoretical elements in practical situations. The outcome of that survey, combined with the initial literature review and augmented with a literature review on maturity models, was used to create the SOC-CMM model. The model is shown below.
The model consists of 5 domains and 21 aspects. The domains 'Business', 'People' and 'Process' are evaluated for maturity only (blue colour), the domains 'Technology' and 'Services' are evaluated for both maturity and capability (purple colour).
Maturity is defined as an "evolutionary plateau for organizational process improvement" and provides a means for an organisation to assess an organisational element and to "characterize its performance" (source: CMMI for Services).
The SOC-CMM uses several maturity stages that are loosely based on the CMMI. These stages are characterised as follows:
- Non-existent. At this level, the aspect is extremely ad-hoc or incomplete. Thus, quality or even delivery is not assured.
- Initial. The aspect is delivered in an ad-hoc fashion.
- Managed. The aspect is documented and delivered consistently.
- Defined. The aspect is managed using ad-hoc feedback on the quality and timeliness of deliverables.
- Quantitatively Managed. The aspect is systematically being measured for quality, quantity and timeliness of deliverables.
- Optimizing. The aspect is continuously being optimized and improved upon.
In contrast to the CMMI, the SOC-CMM is a continuous maturity model. Thus, the maturity stages do not have the prerequisite that all elements must be executed at a specified level before that level is formally reached. Instead, improvement is continuous and can be done on all aspects simultaneously and independently. The optimal maturity level for your SOC depends on the effort required to move towards a higher maturity level, the effort required to maintain that maturity level and the importance of moving towards that maturity level for the aspect under evaluation.
The SOC-CMM uses a continuous approach to measuring capability across the technology and services domains. These 2 domains were selected because they express capabilities as features of implementation. These can be technical features, such as the existence of certain tooling options or other features such as service artefacts or even facilities. Each capability can be scored individually using a 5-point grading system to granularly determine the exact capability level for the aspect under evaluation.
Just like with maturity scoring, capability scoring is continuous. However, where the SOC-CMM supports 6 maturity levels (including non-existent), only 4 capability levels exist. These levels are:
Capabilities can be expressed at any maturity level. Thus, capabilities do not depend on maturity levels and can be improved independently.
The methodology used to create the SOC-CMM is a scientific research approach called Design Science Research. This type of research has a focus on bridging the gap between theory and practice and works well for areas that have not been extensively (scientifically) studied and clearly defined, as is the case for SOC capability and maturity. The Design Science Research approach focuses on design and validation of design through iterative testing. For a short introduction on the methodology, see the Wikipedia page on Design Science Research.
The goal of Design Research is the creation of an artefact, which is a more or less tangible result of the research effort. In this case, two artefacts were created: the SOC-CMM model, which is an abstract representation of SOCs, and the self-assessment tool based on that model to evaluate capability maturity in a SOC.
This self-assessment tool (the SOC-CMM) is available in the downloads section of this page; the thesis describing the research approach in detail can be downloaded from the LTU publication portal.
For the creation of the SOC-CMM, scientific and non-scientific literature was used to identify elements in the SOC. This information was then validated using a survey with actual SOCs. Some of the publicly available resources that were used in the research are listed below for further reading and inspiration:
- Aceituno, V., Open Information Security Management Maturity Model (O-ISM3), The Open Group, 2011
- Anderson, B., Building, Maturing & Rocking a Security Operations Center, HP, 2012
- Bromberger, S., Maraschino, C., Security Logging in the Utility Sector: Roadmap to Improved Maturity, Bromberger, 2012
- Hewlett Packard Enterprise, Measure your Security Operations Center capability, HPE, 2012
- CREST, The CREST Cyber Security Incident Response Maturity Assessment Tool, CREST, 2014
- Department of Energy, Cybersecurity Capability Maturity Model, Version 1.1, DoE, 2014
- DTS Solution, Next Generation Security Operations Center, DTS Solution, 2014
- Enisa, Analysis of ICS-SCADA Cyber Security Maturity Levels in Critical Sectors, Enisa, 2015
- Enisa, CSIRT capabilities, how to assess maturity? Guidelines for national and governmental CSIRTs, Enisa, 2015
- EY, Security Operations Centers - Helping you get ahead of cybercrime, EY, 2014
- Forrester, E., Doyle, K., Considering the Case for Security Content in CMMI for Services, CMMI Institute, 2010
- Forzieri, A., Building a Cyber Defence Centre, Symantec, 2012
- Hewlett Packard Enterprise, State of Security Operations, 2016 report of capabilities and maturity of cyber defense organisations, HP, 2016
- HP Enterprise Security Business, Building a Successful Security Operations Center, HP, 2013
- HP ESP Security Intelligence and Operations Consulting Services, 5G/SOC: SOC Generations, HP, 2013
- Ibrahim, L. et al., Safety and Security Extensions for Integrated Capability Maturity Models, US Federal Aviation Administration, 2004
- Information Security Training and Rating Program, Information Security Assurance Capability Maturity Model (ISA-CMM), Version 3.2, ISATRP, 2012
- Intel Security, Creating and Maintaining a Security Operations Center, Intel Security, 2013
- ISACA, Ernst & Young, Responding to Targeted Cyberattacks, ISACA, 2013
- Kark, K., Dines, R., Security Organization 2.0: Building a Robust Security Organization, Forrester Research, 2010
- Kowtha, S. et al., An Analytical Model For Characterizing Operations Centers, unpublished, 2014
- National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, 2014
- National Cyber Security Center, CSIRT Maturity Kit, A step-by-step guide towards enhancing CSIRT maturity, GCCS2015, 2015
- Ozbay, E., IBM Security Services, IBM, 2015
- Rasche, G., Guidelines for Planning an Integrated Security Operations Center, EPRI, 2013
- Reply Communication Valley, Security Operations Center, Reply Communication Valley, 2011
- RSA, Building an Intelligence-Driven Security Operations Center, RSA Technology Brief, 2014
- RSA, The Critical Incident Response Maturity Journey, RSA, 2016
- Software Engineering Institute, CMMI for Services, Version 1.3. Improving processes for providing better services, SEI, 2010
- Stamp, P., Building A World-Class Security Operations Function, Forrester Research, 2008
- Stikvoort, D., SIM3: Security Incident Management Maturity Model, S-CURE; PRESECURE, 2010
- The Open Group, The Open Group Service Integration Maturity Model (OSIMM), Version 2, The Open Group, 2011
- Torres, A., Building a World-Class Security Operations Center: A Roadmap, SANS Institute, 2015
- Veerappa Srinivas, B., Security Operations Centre (SOC) In A Utility Organisation, SANS Institute, 2014
- Zimmerman, C., Ten Strategies of a World-Class Cybersecurity Operations Center, Mitre, 2014