  SOC Assessment report deliverable for a customer
Posted by: amilanc - 11-20-2020, 03:27 PM - Forum: SOC-CMM community forum - Replies (1)

I am conducting a SOC assessment for a customer and the SOC-CMM is a great help in asking the right questions. Do you have any report/deliverable templates that I can use to craft a report?


Posted by: Trustconsulting - 11-12-2020, 10:31 AM - Forum: SOC-CMM community forum - Replies (1)

Dear Community,

Good Day,

Could anyone share useful resources, templates and considerations for SOC RFPs and SOC building?




  ICS/OT - SOC-CMM Development
Posted by: Trustconsulting - 11-12-2020, 10:27 AM - Forum: SOC-CMM development - No Replies

Dear Community,

I hope all is well and you are staying safe and healthy.

I want to know if there is interest in collaborating to develop a SOC-CMM tool adapted to OT/ICS security operations centers.

Please let us know your feedback.



  SOC-CMM v2 - input requested
Posted by: robvanos - 06-24-2020, 02:56 PM - Forum: SOC-CMM development - Replies (6)

I’ve recently written an article called A modern monitoring and response model. I would like to take some of the insights from that article and embed them into the SOC-CMM. More concretely, I’m considering the following changes to the SOC-CMM:

  • Integrating enhancements from the SOC-CMM for CERT.
  • Extending the use case management aspect to include visibility and emphasize validation of security monitoring rules.
  • Adding EDR to the technology domain.
  • Rewriting ‘analytics’ to ‘network traffic analytics’ and consolidating the IDPS technology. Together with the previous bullet, this means the technology domain is built up from the SOC visibility triad coined by Anton Chuvakin, augmented with SOAR as a major driver for SOC efficiency.
  • Adding purple teaming / red teaming to the services domain.
  • Simplifying security incident response, as the SOC-CMM for CERT provides a more detailed assessment.

I’ve become somewhat hesitant to extend the SOC-CMM much further, as it will make assessments even bigger and more time-consuming. Basically, it is big enough as it is. This is why I’m also considering removing the ‘log management’ service from the services domain and including some of the log management aspects in the security monitoring service.

Please leave your suggestions, comments and thoughts as a reply to this post. I am planning to start the work in August, so you have until then to post your ideas.


  What is practical difference between KPIs and Quality indicators?
Posted by: sigitas.rokas - 03-30-2020, 10:21 AM - Forum: SOC-CMM community forum - Replies (3)

Hi all,

Could somebody provide insights on what the practical difference between KPIs and quality indicators is?
With some examples and references to the methodological background, if possible.

For me these terms are similar from a practical perspective. For example, TTR (Time To React) is a KPI (which shows how well I am performing) as well as a quality indicator for the Security Incident Management service (showing how well I am delivering the service against agreed parameters, where quality means the degree of compliance with the applicable requirements).


Posted by: Trustconsulting - 01-20-2020, 10:36 AM - Forum: SOC-CMM community forum - Replies (4)

Hi Rob & Community,

I want to perform a SOC assessment using the SOC-CMM.

Can you provide more details about business drivers? As far as I know, the SOC is a combination of people, process and technology.


Hemza | SOC Analyst


  SOC-CMM for CERT (beta version)
Posted by: robvanos - 09-06-2019, 08:06 AM - Forum: SOC-CMM development - Replies (3)

I'm happy to announce the release of the SOC-CMM for CERT, a version of the SOC-CMM specific for incident response teams. Earlier this year, I did a presentation at FIRST.ORG TC on the SOC-CMM. FIRST has expressed interest in the SOC-CMM, especially if it could be made more specific for CERT teams. I have been working on a version of the SOC-CMM that aims at measuring capability maturity in CERT teams. I've used the original SOC-CMM (version 2.1) as a starting point, and combined it with information from various other sources such as NIST SP800-61r2, the CREST incident response handbook, the SIM3 model and the GMU CSIRT social maturity handbook. The result is an assessment tool that allows for in-depth analysis of your CERT team. Some of the improvements made will eventually be integrated into the SOC-CMM.

Some of the major differences between the regular SOC-CMM and this version are:

- General: All questions rephrased to focus on CERT
- Business: 'privacy' updated to more generic 'laws and regulations'
- Process: use cases changed to scenarios
- People: different set of roles, added team and multi-team management
- Technology: added incident tracking system, removed SIEM, IDPS and big data analytics
- Service: removed all services, except for security incident management. Added many capabilities to the list and grouped these capabilities in logical groups

Suggestions for improvement can be made as replies to this post or via any other way. I will make it an official release towards the end of the year after I've processed your comments and suggestions. I'm looking forward to hearing your opinion.

Attached Files
.xlsx   soc-cmm for CERT.xlsx (Size: 1,012.03 KB / Downloads: 1593)

  Security Monitoring - Use Case Frameworks
Posted by: robvanos - 06-05-2019, 01:52 PM - Forum: SOC-CMM community forum - Replies (1)

Security monitoring use cases are the beating heart of any security monitoring system. Even when a system is equipped with ‘out-of-the-box’ detection capabilities, there are still use cases running under the hood. This is true for SIEM systems with default content packs as well as intrusion detection systems and more advanced network traffic analysis systems.

The only exception here would be systems that apply unsupervised machine learning. This is because there is no true use case, only statistics and thresholds that are applied to differentiate ‘normal’ from ‘abnormal’ behavior. The lack of a use case in these systems is, in my opinion, exactly the reason why such detection capabilities often provide little added value.

Back to use cases. An important question to ask is: what exactly is a use case? In a security monitoring context, I believe that a use case is “a security monitoring scenario that is aimed at the manifestation of a cyber threat”. This is the definition that we created as a working group of the Dutch FI-ISAC when we created the MaGMa use case framework. I know that this is highly simplified (there are many elements to consider), but I think it captures the essence of use cases. To break down a use case into usable parts, it is worth looking at use cases from different levels:

  • A high level that explains the use case in terms of risk. Use this level to talk to stakeholders and business.
  • An intermediate level that explains how the high-level risk could be exploited by cyber criminals. Use this level to integrate with threat intelligence TTPs.
  • A low level that shows how detection of that exploitation is implemented in detection technology.

These levels correspond to the MaGMa L1, L2 and L3 levels respectively. The MaGMa use case framework can be used to structure use cases, document them and, most importantly, measure their performance through 3 metrics.

Using the MaGMa framework has brought us 4 important benefits:
  1. It has provided us with insight into which areas of security monitoring require improvement: low level use cases with low scores.
  2. It has provided us with insight into gaps in security monitoring: intermediate level use cases that have no or insufficient coverage in the
  3. It has provided us with guidance for replacing security components in the network. These security components are tied to use cases. The framework has helped us identify which use cases are affected and their current shortcomings.
  4. It has helped us show how detection use cases reduce high-level risks.

Does anyone have any experiences with a security monitoring use case framework? Which one do you use, what are its core features and how has it helped you to evolve your security monitoring service?

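The three-level structure described in the post above, as an added example that is not part of the original post or of the MaGMa framework itself: a small Python model of L1 risks, L2 scenarios and L3 detections, with checks that surface the gaps and weak spots the post lists as benefits 1, 2 and 4. The per-detection `score` and the sample hierarchy are constructed for illustration; MaGMa's actual 3 metrics are not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class L3Detection:
    name: str    # how the detection is implemented in tooling (SIEM rule, NTA signature, EDR rule)
    score: int   # constructed 0-100 effectiveness score (assumption, not a MaGMa metric)


@dataclass
class L2Scenario:
    name: str                                   # how the risk could be exploited (TTP level)
    detections: list = field(default_factory=list)


@dataclass
class L1Risk:
    name: str                                   # risk wording used with stakeholders and business
    scenarios: list = field(default_factory=list)


def uncovered_scenarios(risks, min_score=0):
    """Benefit 2: L2 scenarios with no L3 detection scoring above min_score (a monitoring gap)."""
    return [s.name for r in risks for s in r.scenarios
            if not any(d.score > min_score for d in s.detections)]


def weak_detections(risks, threshold):
    """Benefit 1: L3 detections scoring below the threshold (improvement candidates)."""
    return [d.name for r in risks for s in r.scenarios for d in s.detections
            if d.score < threshold]


def risk_coverage(risks):
    """Benefit 4: per L1 risk, the fraction of its L2 scenarios that have at least one L3 detection."""
    return {r.name: (sum(1 for s in r.scenarios if s.detections) / len(r.scenarios)
                     if r.scenarios else 0.0) for r in risks}


# Constructed sample hierarchy (illustrative only, not real MaGMa content)
SAMPLE = [
    L1Risk("Theft of customer data", [
        L2Scenario("Credential phishing", [L3Detection("SIEM: mail-gateway URL rewrite hits", 80)]),
        L2Scenario("Database dump exfiltration", [L3Detection("NTA: large outbound transfer", 35)]),
        L2Scenario("Privilege escalation on DB host", []),
    ]),
    L1Risk("Service disruption", [
        L2Scenario("Ransomware deployment", [L3Detection("EDR: mass file rename", 90)]),
    ]),
]

if __name__ == "__main__":
    print("gaps:", uncovered_scenarios(SAMPLE))
    print("weak:", weak_detections(SAMPLE, threshold=50))
    print("coverage:", risk_coverage(SAMPLE))
```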

  SOC Certification Body
Posted by: darren.bnm - 05-16-2019, 06:43 AM - Forum: SOC-CMM community forum - Replies (2)

Hi Rob, 
Do you know of any SOC Certification Body?
For example, a Head of Cybersecurity wants to prove that their SOC is an advanced SOC with all the top-notch technologies, processes, and people.
Is there any well-known third party that can certify this?

Best regards,


  NIST 800-62r2 Not Available Yet
Posted by: darren.bnm - 04-16-2019, 08:17 AM - Forum: SOC-CMM bugs and issues - Replies (1)

Hi Rob,

Did you mean NIST 800-61r2?

Because there is no 800-62r2 available yet.

