Security Operations Maturity Model
A Practical Guide to Assessing and Improving the Maturity of Your Security Operations

Contents
Introduction
Conclusion
About LogRhythm
By continuously monitoring and measuring mean time to detect (MTTD) and mean time to respond (MTTR), the primary metrics that indicate the maturity of a security operations program, you move materially closer to your goal of reducing your organization's cyber-incident risk.
[Figure: MTTD & MTTR plotted against security operations maturity level. The vertical axis runs from months down through weeks, days and hours to minutes; the horizontal axis runs from Level 0 to Level 4, with MTTD and MTTR shrinking as maturity rises. Level 0, Initial: benchmark and set goals. Level 1, Minimally Compliant: gain visibility, achieve compliance and reporting. Level 2, Securely Compliant: combine people, process, and technology for effective security. Level 3, Vigilant: full visibility and defense. Level 4, Resilient: defense against even the most extreme threats.]
Level 0: Initial

Organizational characteristics:
• Indicators of threat and compromise exist, but they are not visible, and threat hunting is not occurring to surface them

Security posture:
• Unaware of advanced persistent threats (APTs)
• Potentially stolen IP (if of interest to nation-states or cybercriminals)

Level 1: Minimally Compliant

Capabilities (technology and process):
• Monitoring and response processes may or may not exist

Security posture:
• Unaware of APTs

Level 2: Securely Compliant

Capabilities (technology and process):
• Targeted log data and security event centralization
• Targeted server and endpoint forensics
• Targeted environmental risk characterization
• Reactive and manual vulnerability intelligence workflow
• Reactive and manual threat intelligence workflow
• Basic machine analytics for correlation and alarm prioritization
• Basic monitoring and response processes established

Organizational characteristics:
• Moving beyond minimal, "check box" compliance, seeking efficiencies and improved assurance
• Have recognized the organization is effectively unaware of most threats; striving toward a material improvement that works to detect and respond to potential high-impact threats, focused on the areas of highest risk
• Have established formal processes and assigned responsibilities for monitoring and high-risk alarms
• Have established a basic, yet formal, process for incident response

Security posture:
• Extremely resilient and highly effective compliance posture
• Good visibility to insider threats, with some blind spots
• Good visibility to external threats, with some blind spots
• Mostly unaware of APTs, but more likely to detect indicators and evidence of APTs
• More resilient to cybercriminals, except those leveraging APT-type attacks or targeting blind spots
• Highly vulnerable to nation-states

Level 3: Vigilant

Capabilities (technology and process):
• Holistic log data and security event centralization
• Holistic server and endpoint forensics
• Targeted network forensics
• IOC-based threat intelligence integrated into analytics and workflow
• Holistic vulnerability integration with basic correlation and workflow integration
• Advanced machine analytics for IOC- and TTP-based scenario analytics for known threat detection
• Targeted machine analytics for anomaly detection (e.g., via behavioral analytics)
• Formal and mature monitoring and response process with standard playbooks for the most common threats
• Functional physical or virtual SOC
• Case management for threat investigation workflow and incident response processes
• Targeted automation of investigation and mitigation workflow
• Basic MTTD/MTTR operational metrics

Organizational characteristics:
• Have recognized the organization is unaware of many high-impact threats
• Have invested in the organizational processes and headcount to significantly improve the ability to detect and respond to all classes of threats
• Have invested in and established a formal security operations and incident response center (SOC) that is running effectively with trained staff
• Are effectively monitoring alarms and have progressed into proactive threat hunting
• Are leveraging automation to improve the efficiency and speed of threat investigation

Security posture:
• Extremely resilient and highly effective compliance posture
• Great visibility into, and quickly responding to, insider threats
• Great visibility into, and quickly responding to, external threats
• Good visibility to APTs, but have blind spots
• Very resilient to cybercriminals, except those leveraging APT-type attacks that target blind spots
• Still vulnerable to nation-states, but much more likely to detect early and respond quickly

Level 4: Resilient

Capabilities (technology and process):
• Holistic log data and security event centralization
• Holistic server and endpoint forensics
• Holistic network forensics
• Industry-specific IOC- and TTP-based threat intelligence integrated into analytics and workflows
• Holistic vulnerability intelligence with advanced correlation and automation workflow integration
• Advanced IOC- and TTP-based scenario machine analytics for known threat detection
• Advanced machine analytics for holistic anomaly detection (e.g., via multi-vector AI/ML-based behavioral analytics)
• Established, documented, and mature response processes with standard playbooks for advanced threats (e.g., APTs)
• Established, functional 24/7 physical or virtual SOC
• Cross-organizational case management collaboration and automation
• Extensive automation of investigation and mitigation workflow
• Fully autonomous automation, from qualification to mitigation, for common threats
• Advanced MTTD/MTTR operational metrics and historical trending

Organizational characteristics:
• Are a high-value target for nation-states, cyber terrorists, and organized crime
• Are continuously being attacked across all potential vectors: physical, logical, social
• A disruption of service or breach is intolerable and represents organizational failure at the highest level
• Take a proactive stance toward threat management and security in general
• Invest in best-in-class people, technology, and processes
• Have 24/7 alarm monitoring with organizational and operational redundancies in place
• Have extensive proactive capabilities for threat prediction and threat hunting
• Have automated threat qualification, investigation, and response processes wherever possible

Security posture:
• Extremely resilient and highly efficient compliance posture
• Seeing and quickly responding to all classes of threats
• Seeing evidence of APTs early in the Cyberattack Lifecycle and able to strategically manage their activities
• Extremely resilient to all classes of cybercriminals
• Can withstand and defend against the most extreme nation-state-level adversary
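The model's primary metrics, MTTD and MTTR, appear as basic operational metrics at Level 3 and gain historical trending at Level 4. The following Python is an added example, not LogRhythm's code and not part of the original paper, of how a SOC can compute both from closed incident records and place the means on the months/weeks/days/hours/minutes bands of the figure above. It assumes two endpoint definitions the paper does not spell out (time to detect runs from the earliest attacker evidence to the moment an alarm is qualified as an incident; time to respond runs from that moment to completed mitigation), assumes the band edges, and uses a constructed set of incidents rather than real case data.

```python
"""Compute MTTD/MTTR from closed incident records and place the means on the
maturity model's time bands (minutes / hours / days / weeks / months).

Added example. The endpoint definitions, the band edges and the sample
incidents are assumptions, not taken from the paper.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Iterable


@dataclass(frozen=True)
class Incident:
    case_id: str
    first_evidence: datetime  # earliest attacker activity found in the evidence
    detected: datetime        # alarm qualified as a real incident by the SOC
    mitigated: datetime       # containment/mitigation completed

    def __post_init__(self) -> None:
        # A record whose timestamps run backwards would silently shrink the
        # means, so reject it instead of averaging it in.
        if not (self.first_evidence <= self.detected <= self.mitigated):
            raise ValueError(f"{self.case_id}: timestamps are not in order")


# Assumed endpoints: detect = first evidence -> detection,
#                    respond = detection -> mitigation.
def time_to_detect(inc: Incident) -> timedelta:
    return inc.detected - inc.first_evidence


def time_to_respond(inc: Incident) -> timedelta:
    return inc.mitigated - inc.detected


def _mean_delta(deltas: Iterable[timedelta]) -> timedelta:
    seconds = [d.total_seconds() for d in deltas]
    if not seconds:
        raise ValueError("no incidents in period; a mean of nothing is not zero")
    return timedelta(seconds=mean(seconds))


def mttd(incidents: Iterable[Incident]) -> timedelta:
    return _mean_delta(time_to_detect(i) for i in incidents)


def mttr(incidents: Iterable[Incident]) -> timedelta:
    return _mean_delta(time_to_respond(i) for i in incidents)


# Band edges are an assumption: the figure labels the axis but gives no thresholds.
BANDS = (
    ("minutes", timedelta(hours=1)),
    ("hours", timedelta(days=1)),
    ("days", timedelta(weeks=1)),
    ("weeks", timedelta(days=30)),
    ("months", None),  # open-ended top band
)


def band(delta: timedelta) -> str:
    """Name of the chart band a mean falls in (upper edges are exclusive)."""
    for name, upper in BANDS:
        if upper is None or delta < upper:
            return name
    raise AssertionError("unreachable: the last band is open-ended")


def monthly_trend(incidents: Iterable[Incident]) -> dict[str, dict[str, object]]:
    """Per-month MTTD/MTTR keyed by month of detection, for historical trending."""
    by_month: dict[str, list[Incident]] = {}
    for inc in incidents:
        by_month.setdefault(inc.detected.strftime("%Y-%m"), []).append(inc)
    return {
        month: {
            "incidents": len(group),
            "mttd": mttd(group), "mttd_band": band(mttd(group)),
            "mttr": mttr(group), "mttr_band": band(mttr(group)),
        }
        for month, group in sorted(by_month.items())
    }


# Constructed sample incidents (not real case data).
SAMPLE = [
    Incident("INC-1", datetime(2024, 1, 2, 8), datetime(2024, 1, 4, 8), datetime(2024, 1, 4, 14)),
    Incident("INC-2", datetime(2024, 1, 10, 0), datetime(2024, 1, 10, 12), datetime(2024, 1, 10, 13)),
    Incident("INC-3", datetime(2024, 2, 1, 9), datetime(2024, 2, 1, 9, 30), datetime(2024, 2, 1, 11, 30)),
    Incident("INC-4", datetime(2024, 2, 15, 6), datetime(2024, 2, 15, 18), datetime(2024, 2, 16, 6)),
]

if __name__ == "__main__":
    print(f"MTTD {mttd(SAMPLE)} ({band(mttd(SAMPLE))}), "
          f"MTTR {mttr(SAMPLE)} ({band(mttr(SAMPLE))})")
    for month, stats in monthly_trend(SAMPLE).items():
        print(month, stats)
```

Two design points matter in practice. The means are computed over incidents closed in the period, so a month with no qualified incidents raises rather than reporting a misleading zero, and a record with out-of-order timestamps is rejected at construction because one such record can pull a whole month's MTTD into a better band than the SOC has earned. Using the detection month as the grouping key keeps the trend comparable with the alarm volume the SOC handled in that month.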
Expert tip:
Determine your organization’s current level of security operations maturity. Complete
the self-assessment and learn how to build a use case for a stronger investment.