Review the existing governance model, playbook, daily/weekly/monthly reporting, and dashboards.
Review SOPs, especially day-to-day tasks for L1 and L2 staff, and enhance them.
Review that all log sources are efficiently configured and optimized.
Document the frequency of process review and oversight.
Document the frequency with which data is pulled at regular intervals from the data sources and systems to generate a 360-degree view of all critical alarms and incidents/risks in the device and application ecosystem, based on log status and availability.
Identify the number of configured log sources that are properly sending logs and the log sources that are not sending logs.
Document the frequency and assessment of the effectiveness of use cases.
Meet with SOC Manager and team to:
Study and understand SIEM solution deployment in the environment.
Validate and assess the effectiveness of the deployed SIEM project and highlight gaps in the solution.
Review the current events of importance and existing use cases, and how they tie in with the in-scope critical assets and log sources.
Validate the integration of critical log sources with the SIEM and ensure real-time monitoring of those log sources.
Conduct health check activity which includes:
1- Disk and memory usage
2- Incoming log data quality
3- Current version running on QRadar (recommend if an upgrade is required)
4- Correlation rules validation and recommendation
5- System-generated reports review and recommendation
6- On-disk log retention period
7- Data backup validation
8- DR site availability
9- Warning and notification review and recommendation
10- EPS and Flows utilization
11- Highlight log sources that consume a large share of EPS
12- Real-time IP reputation check validation
13- QRadar auto-update validation and verification
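As an added illustration that is not part of the original scope document, the log-source checks above (items 10 and 11, together with the count of sending versus silent sources requested earlier) can be scripted over a log-source inventory. The inventory records, review time, licensed EPS and thresholds below are constructed for the example; in practice the records would come from the SIEM's log source management data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class LogSource:
    name: str
    enabled: bool            # whether the source is configured to be collected
    last_event: datetime     # time the SIEM last received an event from it
    avg_eps: float           # average events per second over the review window

def silent_sources(sources, now, max_silence=timedelta(hours=24)):
    """Enabled sources that have sent nothing within max_silence ("not sending logs")."""
    return sorted(s.name for s in sources
                  if s.enabled and now - s.last_event > max_silence)

def heavy_eps_consumers(sources, share_threshold=0.25):
    """Sources whose share of total EPS exceeds share_threshold, highest first (health-check item 11)."""
    total = sum(s.avg_eps for s in sources)
    if total == 0:
        return []
    heavy = [(s.name, round(s.avg_eps / total, 3))
             for s in sources if s.avg_eps / total > share_threshold]
    return sorted(heavy, key=lambda item: item[1], reverse=True)

def health_summary(sources, now, licensed_eps):
    """Figures for the report: configured vs. sending vs. silent sources and EPS licence utilisation."""
    silent = silent_sources(sources, now)
    enabled = [s for s in sources if s.enabled]
    total_eps = sum(s.avg_eps for s in sources)
    return {
        "configured": len(sources),
        "enabled": len(enabled),
        "sending": len(enabled) - len(silent),
        "silent": silent,
        "eps_utilisation": round(total_eps / licensed_eps, 3),
        "heavy_consumers": heavy_eps_consumers(sources),
    }

# Constructed sample inventory and review time; not taken from any real deployment.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    LogSource("fw-perimeter", True, NOW - timedelta(seconds=30), 1200.0),
    LogSource("dc-01", True, NOW - timedelta(minutes=2), 300.0),
    LogSource("proxy-web", True, NOW - timedelta(days=3), 0.0),     # configured but silent: a gap
    LogSource("legacy-app", False, NOW - timedelta(days=10), 0.0),  # disabled on purpose, not a gap
    LogSource("db-audit", True, NOW - timedelta(minutes=5), 50.0),
]

if __name__ == "__main__":
    for key, value in health_summary(SAMPLE, NOW, licensed_eps=2500).items():
        print(f"{key}: {value}")
```

The silence threshold should be set per source type, since a quiet database audit log and a perimeter firewall have very different expected event rates.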
Review SOC SOPs, processes, and procedures; highlight gaps in the processes and recommend improvements.
Review alert automation processes, highlight gaps and give recommendations to improve and further automate the process.
Analyze SOC gaps, determine ways to improve the current operation and monitoring processes, and create a road map based on the assessment that summarizes the efforts required to raise the current level to a highly mature SOC.
Assess log sources, including network and security devices, servers, applications and DBs, and ensure that relevant security logs are enabled on the devices and received in real time by the SIEM solution.
Validate the effectiveness of the use cases configured on the SIEM and recommend where improvement is required.
Review dashboards, reports and alerts and recommend improvements on the basis of industry standards and best practices.
Review patch, plugin and agent status and ensure all are functional and up to date.
Review the SOAR ticketing system used for ticket logging, reporting, escalation and follow-up.
Review and validate the threat intelligence platforms/services incorporated into the SIRP and validate their effectiveness.
Review SOC KRIs/KPIs and sub-KRIs/KPIs and recommend where improvement/modification is required.
Review the "Cyber Security Incident Response Plan" and how it ties in with the current SOC processes and use cases; highlight gaps in the processes and recommend solutions as per industry standards and best practice.
Review incident severity, incident categorization and the escalation ladder in the cyber security incident response plan, and recommend improvements to the existing procedure.
Explore optimization and automation of processes, and provide the solution and remediation plan identified in the Gap Assessment Report.
Explore changes to integration SOPs, procedures and guidelines.
Provide the following:
Level of maturity in SOC and SIEM operations
Improvement in the current SOC-SIEM process
Gap Assessment Report along with remediation plan