Security Operations Maturity Assessment (SOMA)

Has your organisation implemented perimeter and/or network detection technologies?

We have basic network devices and a firewall conducting some network-based traffic controls.

We have a perimeter NGFW that is providing some advanced features such as anti-malware scanning and URL filtering, alongside some spam and junk email filtering.

We have dedicated NGFWs in HA clusters, secure web & email gateway solutions performing advanced content filtering and some application-layer controls. The rules and policies implemented on these technologies are audited on an ad hoc basis.

We have dedicated NGFW, secure web, email gateway, privileged account management & application control solutions performing advanced content filtering and protective controls in accordance with ASD Essential 8 level 2+. The rules and policies implemented on these technologies are audited on an ad hoc basis, or more frequently as required.

Has your organisation implemented Next Generation Anti-Virus (NGAV) or Endpoint Detection & Response (EDR) technologies?

We do not have a dedicated endpoint protection solution.

We have anti-virus software installed on all of our workstations and servers.

We have deployed a NGAV solution that performs real-time scanning.

We have deployed an EDR solution that conducts real-time signature and behavioural detection alongside integrated threat intelligence and quarantine capabilities.

We have a multi-layered endpoint security strategy that incorporates EDR, insider threat management and application control solutions.

Has your organisation implemented a centralised logging solution/infrastructure?

No, we do not currently have this capability. Logs are stored locally where possible.

Yes, we have some basic centralised logging, such as a dedicated syslog server for critical network devices and on-premise infrastructure. Logging is not enabled on all Cloud Services, however, some do store logs locally.

Yes, we have a centralised logging solution that collects all critical and non-critical on-premise and cloud service events. Logs are stored for up to 90 days.

Yes, we have a centralised logging solution that collects all critical and non-critical on-premise and cloud service events. Logs are stored for 90+ days, and additional access and audit controls are implemented.

Has your organisation implemented logging for foundational log sources (Windows/DC)?

We have no centralised logging solutions.

Some local logging is conducted, however, there is no formal retention period or audit policy controls.

We have implemented a Windows Event Collector and are collecting and retaining some windows events, however, this is focussed on system events rather than security events.

We have implemented a Windows Event Collector and are collecting Microsoft’s recommended windows events. Windows Event Collection is reviewed as required.

We have implemented a Windows Event Collector and are collecting windows event logs that are specific to detection use cases. Windows Event Collector is tested and audited frequently.

We rely on our EDR/SIEM agents to collect Windows event logs from the endpoints.

Has your organisation implemented a Security Information and Event Management (SIEM) or another log correlation technologies such as a Syslog Server, User & Entity Behaviour Analytics (UEBA), or Network Behavioural & Anomaly Detection (NBAD)?

No, we do not have a SIEM solution or any centralised logging.

We do not have a SIEM solution, however, we do have a centralised syslog server where logs and events are stored for up to 90 days.

We have standalone SIEM/UEBA/NBAD solutions that are currently operational, however, we are only ingesting foundational/basic log sources. Alerts and investigations are responded to on an ad hoc basis.

We have an integrated SIEM/UEBA/NBAD solution that is ingesting multiple log sources and for the most part leveraging out of the box rules and use cases for alerting. Alerts and investigations are typically reviewed on a daily basis.

We have an integrated SIEM, UEBA & NBAD solutions that are mature and ingest log sources and events that relate to defined use cases and rules. We leverage out of the box rules and have also implemented custom use cases based on our organisation’s requirements. Alerts and investigations are typically reviewed on an hourly basis.

Security Operations Maturity Assessment (SOMA).

5 Step Assessment

Incident Management Policy & Governance

Do you have a published Incident Management Policy/Procedure?

Do you define Incident Management Roles & Responsibilities within your Policy Framework?

Do you conduct Incident Response (IR) testing?

Do you provide Security Awareness Training (SAT) and simulation exercises for your end users?

Technologies & Telemetry

Has your organisation implemented perimeter and/or network detection technologies?

Has your organisation implemented Next Generation Anti-Virus (NGAV) or Endpoint Detection & Response (EDR) technologies?

Has your organisation implemented a centralised logging solution/infrastructure?

Has your organisation implemented logging for foundational log sources (Windows/DC)?

Has your organisation implemented a Security Information and Event Management (SIEM) or another log correlation technologies such as a Syslog Server, User & Entity Behaviour Analytics (UEBA), or Network Behavioural & Anomaly Detection (NBAD)?

Automation & Response

Does your organisation have a published Incident Response (IR) plan?

Does your organisation have scenario-based playbooks?

Does your organisation utilise automation for business processes, IT operations or security?

What is your senior leadership’s expectations of Mean Time To Respond (MTTR) to a security incident?

Security Analytics & Forensics

How does your organisation keep on top of the latest Cyber Threat Intelligence (CTI) and security advisories?

Does your organisation have policy and technical controls in place for the forensic recovery and analysis of assets and images?

Does your organisation have an Incident Response (IR) retainer with a third-party supplier?

Does your organisation have any IT security governance committee and/or external regulator reporting requirements?

Get your results