This white paper explores how to assess and evolve the principal programmes of the security operations centre (SOC): threat monitoring, threat hunting, threat investigation and incident response. LogRhythm developed the Threat Lifecycle Management (TLM) framework to help organisations optimally align technology, people and process in support of these programmes. The TLM framework defines the critical security operations technological capabilities and workflow processes that are vital to achieving an efficient and effective SOC. LogRhythm’s Security Operations Maturity Model (SOMM) helps organisations measure the effectiveness of their security operations and mature their security operations capabilities. Built on the TLM framework, the SOMM provides a practical guide for organisations that wish to optimally reduce their mean time to detect (MTTD) and mean time to respond (MTTR), and thereby dramatically improve their resilience to cyberthreats.
Of course, TLM doesn’t describe every programme a SOC might encompass. For instance, a SOC might also be responsible for other programmes, such as an organisation’s vulnerability management programme or a security awareness programme. LogRhythm recognises the importance of these other programmes that run out of the SOC. However, when evaluating the fundamental maturity of security operations, LogRhythm believes that TLM and the programmes delivered through it serve as the foundation of the SOC and are where organisations should place the highest emphasis from a maturity modelling perspective.
Whether a SOC is a virtual team of three or a 24×7 operation, improvements in TLM will result in a faster MTTD and MTTR for cyberthreats. Reducing MTTD and MTTR should be a primary goal for every organisation that wants to materially reduce its cyber-incident risk.