SOC-CMM v2 - input requested

[robvanos]

I’ve recently written an article called A modern monitoring and response model. I would like to take some of the insights from that article and embed them into the SOC-CMM. More concretely, I’m considering the following changes to the SOC-CMM:

• Integrating enhancements from the SOC-CMM for CERT.
  
• Extending the use case management aspect to include visibility and emphasize validation of security monitoring rules
  
• Adding EDR to the technology domain
  
• Rewriting ‘analytics’ to ‘network traffic analytics’ and consolidating the IDPS technology. Together with the previous bullet, this means the technology domain is built up from the SOC visibility triad coined by Anton Chuvakin, augmented with SOAR as a major driver for SOC efficiency.
  
• Adding purple teaming / red teaming to the services domain
  
• Simplifying security incident response, as the SOC-CMM for CERT provides a more detailed assessment.
  

I’ve become somewhat hesitant to extend the SOC-CMM much further, as it will make assessments even bigger and more time-consuming. Basically, it is big enough as it is. This is why I’m also considering removing the ‘log management’ service from the services domain, and include some of the log management aspects into the security monitoring service.


Please leave your suggestions, comments and thoughts as a reply to this post. I am planning to start the work in August, so you have until then to post your ideas.