Centralized SOC Report

Wiki > Centralized SOC Report

1.1              Introduction

This document defines the format for the KPMG GSOC Report that is intended to be circulated to the KPMG Global CISO (Member Firm CISOs, NITSOs (decided by CISO) GSOC Manager.


Report Classification
Distribution Scope GSOC / Member Firm
Audience Global CISO / Member Firm CISOs / GSOC Manager / NITSO
Mode of Generation Manual
Distribution Channel SharePoint
Production Format Document-based (PDF)
Data Schedule Periodic
Data Source RSA Archer SecOps / Security Analytics / Helpdesk (Remedy)


This report looks at the overall performance of the KPMG GSOC based on three criteria:

  1. Advisory
  2. Detection
  3. Information Sharing

1.2              Advisory

The following KPIs and associated Metrics are considered to be vital while ascertaining the overall performance of the KPMG GSOC.


1.2.1          Security Advisories

This section lists the details around the advisories issued by the GSOC per priority.


<<Explanatory commentary goes here>>

1.2.2          Training Support

The KPMG GSOC supported the following training and awareness initiatives during this period. The total coverage spreads on X number of workshops with listed participation of Y number of participants spread within KPMG and the Member Firms space. Example topics covered may include:

  • <<Password Security>>
  • <<Phishing Awareness>>


<<Explanatory commentary goes here>>


1.2.3          Security Advisories segregated by Categories

The issued advisories are segregated as below based on top seven (7) categories further distinguished by their respective priorities:


<<Explanatory commentary goes here>>

1.2.4          Prioritized View of Incidents per Vendor

Following is an account of number of incidents per vendor further distinguished by the respective incident priority level:



<<Explanatory commentary goes here>>

1.2.5          Top Five Prioritized Sources of Vulnerabilities (Future)

The section below shows the top ten vulnerabilities by vendor:

<<Explanatory commentary goes here>>

1.2.6          Antivirus Detection Metrics for Email Gateway

Following is the account of email infrastructure related detection provided by the Antivirus solution. It is common to see a high number of malware detection at the Gateway level with gradual drop in the number of malicious software eventually making past to the endpoint.

The priority levels (High, Medium and Low) are derived from the corresponding incidents detected by the SIEM.


<<Explanatory commentary goes here>>

1.3              Detection

1.3.1          Top 10 Triggered SIEM Rules

<<Explanatory commentary goes here>>

1.3.2          Top 10 SIEM Rules with Highest False Positive Ratio

<<Explanatory commentary goes here>>

1.3.3          Criticality of Responses



<<Explanatory commentary goes here>>

1.3.4          Open Incidents per Month (new incidents)



<<Explanatory commentary goes here. This area can be used to highlight incidents of interest especially the ones which gained publicity within the organization. >>

1.3.5          Top 10 Targets

Following is the account of assets that are targeted the most within the KPMG space. The key consideration is the fact that these targets are accessible from the outside world:

<<Explanatory commentary goes here>>

1.4              Information Sharing

The following section is proposed to show the efficacy of the KPMG GSOC in terms of information sharing with rest of the stakeholders and other parts of the business.


1.4.1          Top 5 Origins of the Information Requests Distributed by Month

Please note the metrics below exhibit the number of responses that the GSOC provided per month. It must be noted that the GSOC receives a much larger number of queries however being a critical function within the KPMG space can only respond to Queries which are either attached a specific priority or are evaluated to be of material value by the GSOC.



<<Explanatory commentary goes here>>





1.5              Planned Metrics Collection – Future Planning

As the KPMG GSOC develops in maturity, there will be additional areas that will produce and also be able to share data that can be used for definition of further KPIs and associated metrics. This section records such areas which are lacking information but are a good candidate for future.

1.6              Protection

1.6.1          Application Security

Application Vulnerabilities determined by Type through Penetration Testing. The classification follows the OWASP Top 10 which represents a broad consensus about what the most critical web and mobile application security flaws are (see http://www.owasp.org).



<<Explanatory commentary goes here>>



1.7              Detection

1.7.1          Average Number of Log Events per Second (EPS)

Add details around the logs consumption per second, event and incident correlation.



<<Explanatory commentary goes here>>



1.7.2          Antivirus Detection

These following metrics are currently rolled up within the SIEM events based on the AV logs inputs into RSA Security Analytics. They are shown here as a future proposal only in case there is a need to verify the efficacy of the AV solution outside the realm of the Security and Information Event Management.


<<Explanatory commentary goes here>>