This week we are talking to Rob van Os.

Current job title: Cyber Security Consultant & SOC Manager
Previous career: Security Operations Center Analyst

Give us an introduction of who you are, what you do (current role), for how long and how you started your career in the industry.

My name is Rob van Os, and my current role is security advisor for the CZ group, one of the largest health insurance companies in the Netherlands. I developed an interest in security whilst working as a systems administrator. My first job in the industry was as a security analyst and security engineer at a managed service provider. As a security engineer, I was mainly involved in technical and functional deployments of on-prem SIEM solutions. After this, I spent a few years as a security consultant to broaden my security knowledge. Eventually, I returned to security operations and worked for 7 years in the SOC of one of the largest banks in the Netherlands: at first as a security specialist, later on as a team lead, and finally as the Product Owner of the SOC.

Talk to us about the SOC-CMM initiative and why you created this methodology, what issues does this methodology solve? How will the methodology evolve?

The SOC-CMM is the result of my Master's thesis, where I looked into how you could measure the capability maturity of a SOC. I did some research, but found out that there was no freely obtainable model that could be used as an extensive assessment to cover your security operations. This is why I created it myself and launched the website after I obtained my degree.

The idea was to create a freely available tool that would let a SOC evaluate themselves, determine their strengths and weaknesses, and use that information to improve their security operations. The model itself has already evolved a lot since its first inception. The basics are still the same, but the model was extended to include modern SOC services, the tool was greatly improved, alignment to NIST CSF was introduced, etc. The next step is the introduction of EDR to the technology stack to align it with the SOC visibility triad (augmented with SOAR). I also want to include detection engineering in the process area, as well as visibility and data source management.

What are the best scenarios where you can use the SOC-CMM assessment methodology?

I’ve seen the SOC-CMM being used in a number of ways:

  • A self-assessment tool (that was the initial idea)
  • An audit tool for third-party assessment of your SOC
  • A guideline to implement new SOCs
  • A benchmarking tool to compare different SOCs within an organisation. You could even create a minimal standard to measure against.
  • A means to show return on investment (RoI). You do an initial measurement, create an improvement program, take the necessary steps. Then, do another assessment to show your progress is paying off.

Can you explain what the Magma framework is, and in what kind of scenarios it is used? Are there any similarities between Magma and SOC-CMM?

The MaGMa use case framework is a framework for managing use cases throughout their lifecycle. MaGMa has 3 basic pillars: Management, Growth, Metrics & Assessment. Management means the use cases must be actively managed in their life cycle, continuously updated to reflect changes in the attacker landscape, the IT landscape and new insights from related SOC efforts (such as incident response, red teaming, hunting, etc.). Growth means that you need to take a conscious decision on how to evolve your complete set of use cases. This should be done top-down: focus on the biggest risks (using threat intelligence and crown jewel analysis) and build from there. Metrics & Assessment means that you are continuously measuring your ruleset. What rules fire too often? Which ones have the highest false positive rate? What rules never fire? What rules haven’t been updated for a while? 

MaGMa also provides a way of structuring your use cases and looking at them from different angles. What use cases belong to a particular risk or threat? What use cases belong to a particular attack pattern? This kind of structuring helps determine if your ruleset provides detection in depth across the infrastructure or perhaps clusters of detections in a smaller scope.

The SOC-CMM has a section on use case management (part of the process domain), so MaGMa could fit right in there.
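The four assessment questions in the Metrics & Assessment pillar (fires too often, high false-positive rate, never fires, not updated for a while) and the structuring of use cases by risk and by attack pattern can be answered mechanically from a use-case inventory and an alert history. The script below is an added example and is not code from MaGMa or from the interviewee: the inventory, the alert records, the field names (`rule_id`, `risk`, `technique`, `last_updated`, the `tp`/`fp` verdicts), the assessment date and the thresholds are all constructed assumptions for illustration.

```python
"""Ruleset metrics for a use-case inventory, in the spirit of MaGMa's
Metrics & Assessment pillar. Added example, not MaGMa's own tooling:
inventory, alert history, field names and thresholds are constructed."""
from collections import Counter, defaultdict
from datetime import date

# Constructed use-case inventory: one record per detection rule. "risk" and
# "technique" are the two angles used here to structure the use cases
# (threat/risk and attack pattern); the tag values are assumed.
USE_CASES = [
    {"rule_id": "UC-001", "risk": "account takeover", "technique": "T1110",
     "last_updated": date(2021, 3, 1)},
    {"rule_id": "UC-002", "risk": "lateral movement", "technique": "T1021.002",
     "last_updated": date(2020, 1, 15)},
    {"rule_id": "UC-003", "risk": "credential theft", "technique": "T1003.001",
     "last_updated": date(2021, 5, 20)},
    {"rule_id": "UC-004", "risk": "lateral movement", "technique": "T1053.005",
     "last_updated": date(2019, 11, 2)},
]

# Constructed alert history: (rule_id, analyst verdict), verdict "tp" or "fp".
ALERTS = (
    [("UC-001", "fp")] * 48 + [("UC-001", "tp")] * 2  # noisy: 96% false positives
    + [("UC-002", "tp")] * 3 + [("UC-002", "fp")] * 1  # healthy
    + [("UC-003", "fp")] * 5                           # fires, never a true positive
    # UC-004 is in the inventory but has never produced an alert
)

ASSESSMENT_DATE = date(2021, 6, 1)  # assumed date of the assessment


def rule_metrics(use_cases, alerts):
    """Per rule: number of fires and false-positive rate (None if it never fired)."""
    fires = Counter(rule for rule, _ in alerts)
    false_pos = Counter(rule for rule, verdict in alerts if verdict == "fp")
    metrics = {}
    for uc in use_cases:
        rid = uc["rule_id"]
        n = fires[rid]
        metrics[rid] = {"fires": n, "fp_rate": false_pos[rid] / n if n else None}
    return metrics


def assess_ruleset(use_cases, alerts, today, max_fires=30, max_fp_rate=0.8,
                   max_age_days=365):
    """Answer the four assessment questions with (assumed) thresholds:
    too noisy, high FP rate, never fires, not updated for a while."""
    metrics = rule_metrics(use_cases, alerts)
    findings = defaultdict(list)
    for uc in use_cases:
        rid = uc["rule_id"]
        stats = metrics[rid]
        if stats["fires"] == 0:
            findings["never_fired"].append(rid)
        if stats["fires"] > max_fires:
            findings["too_noisy"].append(rid)
        if stats["fp_rate"] is not None and stats["fp_rate"] > max_fp_rate:
            findings["high_fp_rate"].append(rid)
        if (today - uc["last_updated"]).days > max_age_days:
            findings["stale"].append(rid)
    return dict(findings)


def group_by(use_cases, field):
    """View the ruleset from one angle ("risk" or "technique"): which rules
    belong to each value of that field."""
    groups = defaultdict(list)
    for uc in use_cases:
        groups[uc[field]].append(uc["rule_id"])
    return dict(groups)


def thin_coverage(use_cases, field):
    """Values of `field` covered by a single rule: no detection in depth there."""
    return sorted(k for k, rules in group_by(use_cases, field).items()
                  if len(rules) == 1)


if __name__ == "__main__":
    for name, rules in assess_ruleset(USE_CASES, ALERTS, ASSESSMENT_DATE).items():
        print(f"{name:13s}: {', '.join(rules)}")
    print("by risk:", group_by(USE_CASES, "risk"))
    print("single-rule risks:", thin_coverage(USE_CASES, "risk"))
    print("single-rule techniques:", thin_coverage(USE_CASES, "technique"))
```

On the constructed data, UC-001 is flagged as too noisy and high-FP, UC-003 as high-FP (it has never produced a true positive), UC-004 as never firing, and UC-002 and UC-004 as stale; grouping by risk shows that "account takeover" and "credential theft" each rest on a single rule. The thresholds are the part a SOC has to calibrate for itself; what matters is that they are applied to the whole ruleset on a schedule rather than to rules that happen to annoy an analyst.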

What projects are you currently working on? Any new tools or frameworks? Are you able to give us a teaser?

I’m currently working on a new version of the SOC-CMM, but progress has been slow. So unfortunately, no teaser at this moment. Last year, we wanted to create a revision of the MaGMa framework, but it was stopped in its tracks due to the COVID pandemic. I’ll probably pick it up later this year or at the beginning of next year.

Can you provide some tips for our readers on how to get a role in a SOC? Do you see any benefits for professionals starting their careers in a SOC? Is there something you would recommend?

To me, the most important thing to have is the right mindset. Changing your mindset is very difficult. Compared to that, security knowledge is much easier to learn. With the right mindset (which to me is being inquisitive, wanting to know what’s going on exactly, not stopping when you cannot get an immediate answer, being able to see events from a security perspective), you can go a long way in the security industry. In the Netherlands, there are some traineeship programs where people with the right mindset (and not necessarily the right background) are put through a fast track of courses and certifications. This helps to gain a lot of knowledge in a short time and kick-start your career. I personally think that a broad understanding of IT (IT education) and also IT management will help you throughout your career.

What training should they have to get the job?

SANS blue team trainings are great. I personally teach the SECO/Security Academy SOC Analyst courses, which prepare students to work as an analyst in a SOC. Keep in mind that any good analyst course provides a solid theoretical foundation as well as hands-on practical assignments. Depending on what type of job you want, other specific courses and certifications provide a lot of added value. Also, a CISSP certification will allow you to become a more complete security professional, as it covers a broad set of topics.

Tips to progress your career in a SOC?

Be in control of your own career path. This means understanding what is required of you in your current role, and what you need to do to progress. Try to find out what you really want to do best. This also means doing things outside your comfort zone. The least it will do is expand your comfort zone, but it could also help you to find new directions in your career. So, in short: keep an open mind (which is the opposite of keeping your eyes on the prize), and stay in control of your own career.

What would be your advice to future professionals entering the industry?

Seek a place where there is freedom to grow, experiment and make mistakes (making mistakes is the fastest way to grow). There is no better way to learn the job than just doing it.