WIXLIB

requirements such as guaranteed recovery and nonrepudiation. This could be both real-time, as well as potentialthreats and vulnerabilities which need to be escalatedand corrective pro-active measures taken to mitigate.The latter will not necessarily be classified asincidents. This is as opposed to reactive behavior tomitigate virus outbreaks or attacks in progress whichis already an incident. Low capability services willhave no in-house research and external threat feedcapability, and a highly capable service will have aresearch contingent with automated, subscribed threatand vulnerability feeds from multiple externalproviders.Log AnalysisRefers to the capability of the SOC to analyse rawdata and present the result as usable, actionable andunderstandable information and metrics. A lowcapability service will be able to present only raw dataand logs from a limited amount and type of devices inlimited formats, and a high capability service will beable to provide metrics and dashboards from a widerange of formats and type of devices. Monitoring of Security Environments for SecurityEvents.According to the ITIL glossary and abbreviations of2011 [24], monitoring is “Repeated observation of aconfiguration item, IT service or process to detectevents and to ensure that the current status is known.”A Service with a low capability will provide basicmonitoring during office hours with no guaranteedresponse levels in place. A highly capable monitoringservice will provide guaranteed services on a 24x7follow the sun principle and can prove improvementin security posture. Threat IdentificationRefers to the capability of a SOC to identify threatsand vulnerabilities either in real time and as part of aresearch capability. A low capability service will havelimited threat identification capabilities, while ahighly capable service will have a research capability,as well as real time querying of integrated 3rd partythreat management systems. ReportingThis refers to the capability of providing securityrelated reports to clients. A Service with a lowcapability will provide out of the box reports inlimited format and platforms, whereas a highlycapable service provides on-demand, ad-hoc, analysedreports to clients in different formats and via differentplatforms.Diversity of devices integratedRefers to the type of devices and vendors which canbe integrated and managed from the SOC. It alsoincludes concepts such as available skillsets within theSOC. A Low capability service will be able tomonitor limited device types from limited vendors,and also have a limited capability to understand andinterpret the vulnerabilities against those device types.A Highly capable service will experience little or norestrictions on the type of devices and vendors tomonitor, and will have the expertise to understandvulnerabilities and threats seen against those devices.Reaction to threats.Secondary aspects are functions which are offered over andabove the primary SOC services. Secondary services include,but is not limited to: Malware analysis Vulnerability ScanningEvent Correlation and Workflow. Vulnerability AnalysisThis refers to the capability to correlate eventsbetween different device types and vendors, as well askick off workflows in response to correlation rulesbeing triggered. Correlation rules could be basic, toAI based automated rules. Services with a lowcapability supplies only basic, manual correlationrules with no workflow capability. A highly capableservice will provide complex, automated correlationrules integrated into enterprise wide workflowsystems. Device Management Identity Attestation and Recertification Penetration testing Type of Industry verticals monitored. Threats againsta Financial Institution’s network will differ from thoseagainst a Supervisory Control and Data Acquisition(SCADA) network. Integration with Physical Security controls.Incident ManagementThis refers to the ability to react to, and escalateincidents. A Service with a low capability willmanually create and react to incidents. Escalation isalso manual. A highly capable service will haveIncident Management and escalation automated, andtracked and managed by integration into enterprisewide incident management systems.The secondary aspects are not exhaustive and are expectedto change over time. Furthermore, secondary aspects couldalso be industry or geographic specific.These aspects will be further defined by their capabilities andmaturity.

III. MODEL FOR SOC MATURITY AND CAPABILITYBased on maturity models discussed previously, wepropose a 6 step maturity model, which we have aligned to themodels discussed previously.LevelNameAlignment0Non ExistentCoBIT 0, etc.1InitialCoBIT, SSE, ITIL:Initial CERT: Exists2Repeatable(CoBIT, ITIL, SSECMM andCERT/CSO)Defined Process(CERT/CSO) / WellDefined (SSECMM), DefinedProcess (CoBIT),Common Practice(CITI-ISEM)Reviewed andupdatedCERT/CSO),Quantitativelycontrolled (SSECMM), Managedand Measureable(CoBIT) andContinuousImprovement (CITIISEM)345more important than the number of capabilities [25].ContinuouslyOptimisedOptimised (CoBIT),ContinuouslyImproving (CITIISEM), ContinuouslyImproving (SSECMM)Table 2: Process MaturityThe cube in Figure 4 will assist in assigning a weight andlevel to SOCs. Due to the importance of Process Maturity, wepropose a slightly higher weighting for Maturity. Maturity ofprocesses is weighted higher than capability, since themaintenance, execution and repeatability of the capability isFigure 4: SOC Classification CubeThe Maturity, Aspects and Capability of SOCs can beexpressed as follows: 0.05Where SOC Score Sum of all applicable aspect scores,where each aspect is scored on Capability and Maturityexpressed as a score out of 100.α 0.4β 0.6This will provide a weighting which can be referencedagainst the provided map. SOC Managers and customersshould strive for a high maturity and high capability level.Based on the business requirements, it would also be possibleto weigh specific aspects higher than others.This will give consumers of SOC services a classificationscheme and reference framework to work from when choosinga partner or building and in-house solution.We have used the above approach, and applied it to rate aknown SOC provider in South Africa, which we are wellacquainted with. The breakdown of the individual aspects asshown in Figure 5, and the total score of the SOC is 46.4.While this particular SOC service has some strong services, themajority of the services are below par, and this is reflected inthe overall score. As discussed in Section IV, we intend toextend this rating formally across multiple providers in SouthAfrica , which would allow us to build a comprehensiveanalysis of the SOC services market in South Africa, includingthe strengths and weaknesses of various players together withthe overall industry norms.

REPORTINGLOG COLLECTIONLOG RETENTIONLOG ANALYSISMONITORINGCORRELATIONDEVICE TYPESINCIDENT MGMTREACTION TO THREATSTHREAT neh Madani et al, “Log Managementcomprehensive architecture in Security OperationCenter(SOC),” 2011 International Conference onComputational Aspects of Social Networks (CASoN),2011. [Online]. Available:http://ieeexplore.ieee.org/xpls/abs all.jsp?arnumber 6085959&tag 1.[2]Kevin Warda, “A Fundamental and Essential look intoManaged Security Services,” SANS (GSEC) PracticalAssignment Version 1.4c – Option 1 March 28, 2005,2005. [Online]. [3]Diana Kelley and Ron Moritz, “Best Practices forBuilding a Security Operations Center,” The (ISC)2Information Systems Security, 2006. al/Kelley.pdf.[4]C. Thompson, “Incident Response and Creating theCSIRT in Corporate America,” SANS Institute InfoSecReading Room, 2001. [Online]. Available:http://www.sans.org/reading ng-csirt-corporateamerica 642.[5]Renaud Bidou, “Security Operation Center Concepts& Implementation,” 2004. [Online]. epts-&implementation.[6]Diana Kelley and Ron Moritz, “Best Practices forBuilding a Security Operations Center,” InformationSecurity Journal: A Global Perspective, 2006.[Online]. .pdf.[7]S. P. M. Ibrahim Al-Mayahi, “ISO 27001 GapAnalysis - Case Study,” 2012. [Online]. apers/WorldComp2012/SAM9779.pdf.[8]Andrea Pederiva, “The COBIT Maturity Model in aVendor Evaluation Case,” Information SystemsControl. Journal, 2003. [Online]. pdf.[9]Mark Adler et al, “CobiT 4.1 Framework,” 2007.[Online]. Available: ts/CobiT 4.1.pdf.[10]Ian MacDonald, “ITIL Process AssessmentFramework,” 2010. [Online]. Available:Table 3: SA MSSP RatingFigure 5: Rating of SA MSSPIV. FUTURE WORKWe plan to verify the completeness of the model, throughengagement with both consumers and providers of SOCservices, and to thereafter classify existing providers in theSouth African environment to understand the currentstrengths, and weaknesses, as an additional verification for themodel.V.CONCLUSIONAfter having done extensive research and literature reviews,no literature or references could be found on an Industryaccepted framework or comprehensive classification schemefor SOCs.Using this proposed classification matrix, it is possible toassign a weighting to SOC capability and maturity levels. Thiscan assist SOC owners in determining their status, as well asidentify where growth and improvement is needed. Customerslooking at making use of SOC services can use this model todetermine the level of service they can expect, as well as toallow them to make an informed decision when signing up forSOC services.ACKNOWLEDGMENTWe would like to thank Schalk Peach and Karel Rode fortheir early review and feedback on the proposed model.REFERENCES

les/ITIL Process AssessmentFramework - MacDonald.pdf.[11][12]Wim Van Grembergen and Steven De Haes,“Measuring and Improving IT Governance Throughthe Balanced Scorecard,” Information Systems ControlJournal, 2005. [Online]. ving.pdf.Bill Curtis et al, “Software Capability Maturity Model(CMM).” [Online]. -maturitymodel.aspx.[21]Michael Protz et al, “A SAS Framework forNetwork Security Intelligence,” 2009. /sugi30/190-30.pdf.[22]Cisco Systems, “Cracking the Code for a SOCBlueprint Architecture, Requirements, Methods andProcesses and Deliverables,” Cisco Networkers, 2006.[Online]. Available: .pdf.[23]ISO / IEC, “ISO/IEC 27001:2005 Informationtechnology -- Security techniques -- Informationsecurity management systems -- Requirements,” 2005.[Online]. AnnexIX1302.pdf.[13]IT Governance, “Software Capability Maturity Model(CMM).” [Online]. -maturitymodel.aspx.[14]NIST, “Security Maturity Levels,” 2012. /prisma/security maturity levels.html.[24]Ashley Hanna, “ITIL glossary and abbreviations,”2011. [Online]. Available: ialog.aspx?lid 1180&.[15]Mike Phillips, “Using a Capability Maturity Model toDerive Security Requirements,” 2003. [Online].Available:http://www.sans.org/reading l-derive-securityrequirements 1005.[25][16]Steven Akridge and David A.Chapin, “How CanSecurity Be Measured?,” Information Systems Auditand Control Association., 2005. [Online]. px.K. Chung, “People and Processes More Important thanTechnology in Securing the Enterprise, According toGlobal Survey of 4,000 Information SecurityProfessionals,” 3rd Annual (ISC) 2-Sponsored GlobalInformation Security Workforce Study says AsiaPacific offers attractive employment incentives andopportunities for information security professionals,2006. [Online]. .aspx?id 2714.[17]M. Sajko, “Measuring and Evaluating theEffectiveness of Information S ecurity,” 2007.[Online]. ]Reply Communication Valley, “SECURITYOPERATION CENTER.” [Online]. Available:http://www.reply.eu/1937 img COMVR11 SOC eng[19]D. Del Vecchio, “The Security Services a SOC shouldprovide,” 2012. [Online]. 9/thesecurity-services-of-soc.html.[20]Cisco Systems, “How to Build Security OperationsCenter (SOC),” 2007. [Online]. Available: ion-

The ITIL Process Maturity Framework (PMF) also identifies five Process Maturity Levels [10], and as illustrated in Figure 1, ITIL focus more on the Operational aspects of the IT Key concepts, and this is reflected in the fact that their framework addresses Process Maturity. The five ITIL Process Maturity Framework maturity levels are: