Security Operations Centre (SOC) Report


This template provides one of many possible formats for the standard weekly and/or monthly report produced by the SOC. The report assesses the overall performance of the SOC against four criteria:

  1. Protection
  2. Detection
  3. Response
  4. Information Dissemination

Protection

The following KPIs and their associated metrics are considered vital when assessing the overall performance of the SOC.

  • Security Advisories: Lists the details around the advisories issued by the SOC per priority.
  • Training Support: Lists the training and awareness initiatives delivered during the reporting period. Total coverage is expressed as X workshops with Y listed participants spread across the organisation.
  • Security Advisories segregated by Category: The issued advisories are grouped into the seven (7) categories below, each further broken down by priority:
    • Environmental
    • Error
    • Physical
    • Misuse
    • Social
    • Hacking
    • Malware
  • Prioritized View of Incidents per Vendor: A count of incidents per third-party vendor, further broken down by incident priority level.
  • Top Five Prioritized Sources of Vulnerabilities by Vendor: Shows the five vendors whose products contributed the most vulnerabilities during the period, ordered by priority.
  • Endpoint Detection Metrics for Email Gateway: The count of email infrastructure-related detections reported by the endpoint solution. It is common to see a high number of malware detections at the gateway, with a progressively smaller number of malicious samples making it through to the recipient.
  • Application Vulnerabilities distributed by Type: Vulnerabilities uncovered through penetration testing, exploit news or vendor notification. The classification usually follows the OWASP Top 10, which represents a broad consensus about the most critical web and mobile application security flaws.

Detection

  • Top 10 Triggered SIEM Rules
  • Top 10 SIEM Rules with Highest False Positive Ratio
  • Criticality of Responses
  • Open Incidents per Month (new incidents)
  • Top 10 Targets: usually the systems accessible from the outside world, for example:
    • Web Applications
    • Wireless Network
    • Firewall
    • Intrusion Detection System (IDS)
    • Intrusion Prevention System (IPS)
    • Spear Phishing Campaigns
    • Cloud-based Payroll Server
    • Email Gateway
    • Internet Webservers
  • Average Number of Log Events per Second (EPS): A performance metric that demonstrates log throughput (events consumed per second) and the resulting load on event and incident correlation.
  • Endpoint Detection Metrics
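The Detection KPIs above can be derived directly from the SIEM's alert export. The following Python is an added example, not part of this template: it works over a constructed list of alert records (timestamp, rule name, analyst disposition) and assumes that each closed alert carries a disposition of either "true_positive" or "false_positive".

```python
from collections import Counter
from datetime import datetime

# Constructed sample of SIEM alerts for one reporting week (not real data).
# Each record: (timestamp, rule name, analyst disposition on closure).
ALERTS = [
    ("2024-03-04T08:00:00", "Brute force login", "true_positive"),
    ("2024-03-04T08:05:00", "Brute force login", "false_positive"),
    ("2024-03-04T09:10:00", "Brute force login", "false_positive"),
    ("2024-03-04T10:00:00", "Brute force login", "true_positive"),
    ("2024-03-05T11:00:00", "Malware detected at gateway", "true_positive"),
    ("2024-03-05T11:30:00", "Malware detected at gateway", "true_positive"),
    ("2024-03-06T12:00:00", "Port scan from internet", "false_positive"),
    ("2024-03-06T12:30:00", "Port scan from internet", "false_positive"),
    ("2024-03-06T13:00:00", "Port scan from internet", "false_positive"),
    ("2024-03-07T14:00:00", "Privileged account created", "true_positive"),
]


def top_triggered_rules(alerts, n=10):
    """'Top N Triggered SIEM Rules': rules ranked by number of alerts raised."""
    return Counter(rule for _, rule, _ in alerts).most_common(n)


def false_positive_ratio(alerts, n=10, min_alerts=1):
    """'Top N SIEM Rules with Highest False Positive Ratio'.

    Ratio = alerts closed as false positive / all alerts for that rule.
    min_alerts stops a rule with a single false-positive alert from topping
    the list; ties are broken alphabetically so the report is reproducible.
    """
    totals, fps = Counter(), Counter()
    for _, rule, disposition in alerts:
        totals[rule] += 1
        if disposition == "false_positive":
            fps[rule] += 1
    ratios = {r: fps[r] / totals[r] for r in totals if totals[r] >= min_alerts}
    return sorted(ratios.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def average_eps(event_count, period_start, period_end):
    """Average log events per second (EPS) over the reporting period."""
    start, end = datetime.fromisoformat(period_start), datetime.fromisoformat(period_end)
    seconds = (end - start).total_seconds()
    if seconds <= 0:
        raise ValueError("reporting period must be non-empty")
    return event_count / seconds


if __name__ == "__main__":
    print(top_triggered_rules(ALERTS, 3))
    print(false_positive_ratio(ALERTS, 3, min_alerts=2))
    # Constructed figure: 864 million events ingested over the week of 4-11 March.
    print(round(average_eps(864_000_000, "2024-03-04T00:00:00", "2024-03-11T00:00:00"), 1))
```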

Response

TBC

Information Sharing

This shows the efficacy of the SOC in terms of information sharing with the internal and external customers as appropriate.

  • Top 5 origins of inbound information requests, distributed by month.
  • Total Number and trend of Security Advisories issued.