rob van os, soc, soc-cmm, threat hunting
Share on facebook
Share on twitter
Share on linkedin

Rob Van Os talks to us about his journey in cyber, the SOC-CMM assessment methodology and the MaGMa framework. He also tells us what it is like to work in a SOC, what training cyber professionals should have and tips on career progression within a Security Operations Centre.

Current job title: Security Advisor
Previous career: Security Analyst / Security Engineer

Give us an introduction of who you are, what you do (current role) and for how long. Furthermore explain how you started your career in the industry.

 

I am Rob van Os, and my current role is security advisor for the CZ group. They are one of the largest health insurance companies in the Netherlands. I developed an interest in security whilst working as a systems administrator. To start off, my first job was as a security analyst and security engineer in a managed service provider. As a security engineer, I was mainly involved in technical and functional deployments of on-prem SIEM solutions. Following that I spent a few years as a security consultant to broaden my security knowledge. Eventually, I returned to security operations and worked for 7 years in the SOC of one of the largest banks in the Netherlands. At first, as a security specialist, later on as a team lead and finally as the Product Owner of the Security Operations Centre.

Talk to us about the SOC-CMM initiative and why you created this methodology. What issues does this methodology solve? How will the methodology evolve?

 

The SOC-CMM is the result of my Masters thesis, where I looked into how you could measure the capability maturity of a SOC. I did research, but found out that there was no freely obtainable model that could be used as an extensive assessment to cover your security operations. So I created it myself, and I launched the website after I obtained my degree. 

My idea was to create a freely available tool that would let a SOC evaluate themselves and determine their strengths and weaknesses. As a result, they could use that information to improve their security operations. The model itself has already evolved a lot since its first inceptions. All the basics are still the same, but the model was extended to include modern SOC services. Then the tool was greatly improved and alignment to NIST CSF was introduced. In addition, it features MITRE ATT&CK visibility, detection engineering, adversary emulation and automated defence testing etc. 

Visit the SOC-CMM website – www.soc-cmm.com

What are the best scenarios where you can use the SOC-CMM assessment methodology?

 

I’ve seen the SOC-CMM being used in a number of ways:

  • Self-assessment tool (that was the initial idea)
  • Audit tool for third-party assessment of your SOC
  • Guideline to implement new SOCs
  • Benchmarking tool to compare different SOCs within an organisation. You could even create a minimal standard to measure against.
  • A means to show return on investment (RoI). You do an initial measurement, create an improvement program, take the necessary steps. Then, do another assessment to show your progress is paying off.

Can you explain what the MaGMa framework is, and in what kind of scenarios it is used? Are there any similarities between MaGMa and SOC-CMM?

 

The MaGMa use case framework (read more about MaGMa) is a framework for managing use cases throughout their lifecycle. MaGMa has 3 basic pillars: Management, Growth, Metrics & Assessment. 

Management means the use cases must be actively managed in their life cycle. Then continuously updated to reflect changes in the attacker landscape, the IT landscape and new insights from related Security Operations Centre efforts. For example: incident response, red teaming, hunting, etc. 

Growth means that you need to take a conscious decision on how to evolve your complete set of use cases. Top-down is the ideal way to go about it: focus on the biggest risks (using threat intelligence and crown jewel analysis) and build from there. 

Metrics & Assessment means that you are continuously measuring your ruleset. What rules fire too often? Which ones have the highest false positive rate? What rules never fire and what rules haven’t been updated for a while? 

The MaGMa framework also provides a way of structuring your use cases and looking at them from different angles. For example, what use cases belong to a particular risk or threat? What use cases belong to a particular attack pattern? Structuring of this kind helps determine if your ruleset provides detection in depth across the infrastructure or perhaps clusters of detections in a smaller scope.

The SOC-CMM has a section on use case management (part of the process domain), so MaGMa could fit right in there.

What projects are you currently working on? Any new tools or frameworks? Are you able to give us a teaser?

 

Last year, we wanted to create a revision of the MaGMa framework, but it was stopped in its tracks due to the covid pandemic. I’ll probably pick it up later this year. I am also identifying demand for a licensed and supported version of the SOC-CMM methodology. It will help to keep the methodology up to date and relevant and optimally support its user base.

Are you a SOC-CMM user or considering adopting the SOC-CMM for your organisation? Please help me by filling in the license and support survey here: https://lnkd.in/gNfMEt4n 

Could you share with us some tips for our readers on how to get a role in a SOC? Do you see any benefits for professionals starting their careers in a Security Operations Centre? Is there something you would recommend?

 

To me, the most important thing to have is the right mindset. Changing your mindset is very difficult. Compared to that, security knowledge is much easier to learn. Certainly with the right mindset you can go a long way in the security industry. Personally i think this means being inquisitive and wanting to know exactly what’s going on. Similarly not stopping when you cannot get an immediate answer is key, as well as being able to see events from a security perspective. 

For example in the Netherlands, there are some traineeship programs where people with the right mindset (and not necessarily the right background) are put through a fast track of courses and certifications. This helps to gain a lot of knowledge in a short time and kick-start your career. Furthermore, I personally think that a broad understanding of IT (IT education) as well as IT management will help you throughout your career.

What training should they have to get the job?

 

SANS blue team trainings are great, I personally teach the SECO/Security Academy SOC Analyst courses. It prepares students to work as an analyst in a Security Operations Centre. In addition, keep in mind that any good analyst course provides a solid theoretic foundation as well as hands-on practical assignments. Depending on what type of job you want, other specific courses and certification provide a lot of added value. Going further, a CISSP certification will allow you to become a more complete security professional as it covers a broad set of topics.

Tips to progress your career in a SOC?

 

First of all, you need to be in control of your own career path. Understand what is required of you in your current role, and what you need to do to progress. Try and find out what you really want to do best. It also means doing things outside your comfort zone. The least it will do is expand your comfort zone. But it could also help you to find new directions in your career. To sum up – keep an open mind (which is the opposite of keeping your eyes on the prize). Most importantly stay in control of your own career.

What would be your advice to future professionals entering the industry?

 

In short, seek a place where there is freedom to grow, experiment and make mistakes (making mistakes is the fastest way to grow). There is certainly no better way to learn the job than just doing it.