• Jeffrey Crump

Security Operations Center - Use Case Maturity Model/Cube (SOC-UCMM)

Updated: Mar 27

Tags: #SOCUCMM #MaturityModel #SIEM #UseCase #SecurityOperationsCenter #SOC #ManagedSecurity #MSSP #Content #Library #Catalog #IncidentResponse #IR

UPDATE: March 26, 2021: The SOC-UCMM license has changed to a Creative Commons Attribution-NonCommercial 4.0 International License.

Download the SOC-UCMM.

In 2014, during my time at Datashield, the RSA white-labeled Managed Security Services Provider (MSSP) - now ADT Cybersecurity - it was clear in working closely with more than 40 clients that they essentially fell into two categories: compliance-driven or maturity-driven.

Compliance-driven clients basically wanted to be able to check a box that their event logs were being managed. Yes, security was important but it more or less took backseat to ensuring they were complying with regulatory requirements. Monthly status calls were quick and easy with discussions concentrated on availability and any client-specific monitoring content (also referred to as use cases) that was being developed/deployed.

Maturity-driven clients were much more emotionally invested in the security operations center outsourcing relationship. For them, establishing a more robust security posture and having a clear roadmap to becoming more security mature was at the forefront. Despite having a vary large catalog of monitoring content/rules there really wasn't a roadmap and there most certainly wasn't any way to articulate the relationship(s) between monitoring content or the prerequisites for an evolution of maturity.

So, although we were not under duty to do so and we weren't employed to create one, a colleague of mine, Praveen Money, and I set off on building the initial framework for what we called a Monitored Security Service Use Case Maturity Cube (renamed Security Operations Center - Use Case Maturity Model/Cube (SOC-UCMM). Once the wireframe of the cube was developed I set off working with the security operations center (SOC) team to add some real content into the initial framework.

After we established a minimal viable product (MVP) we began to work with a select few clients on using the Security Operations Center - Use Case Maturity Model/Cube (SOC-UCMM). It was extremely well received since it was not only easy to understand but that it outlined the relationship and requirements in a manner any client could understand.

Just to reiterate, this is not about the maturity of the SOC / MSSP. This about the monitoring content (e.g. the rules/use cases developed and implemented within a security information and event management (SIEM)).

The goal of the Security Operations Center - Use Case Maturity Model/Cube (SOC-UCMM) is to provide a prescriptive framework for incremental improvement for information security monitoring.

The cube is comprised of Maturity Levels, Domains and Use Cases. Use case complexity increases along with the maturity level. Predecessor and/or prerequisite relationships are common amongst the use cases.

Security Operations Center - Use Case Maturity Model/Cube (SOC-UCMM)

Maturity Levels


Use Case Structure

A few more examples:

Code: M1O2

Title: Maturity Level 1 | Organizational Domain | Use Case 2

Name: Network architecture is documented.

Description: Through the process of documenting the network

architecture an organization demonstrates an awareness required for

higher maturity use cases.

Source: Logs & Packets

Predecessor(s): None

Code Mapping: M1HALL M1NALL

Code: M1O5

Title: Maturity Level 1 | Organizational Domain | Use Case 5

Name: Normal/expected network traffic volume is understood.

Description: An organization must understand the source of its network

Traffic in order to establish a normal/expected threshold, which will be

used to establish correlated alerts.

Source: Logs & Packets

Predecessor(s): None

Code Mapping: M1HALL M1NALL

Code: M1O6

Title: Maturity Level 1 | Organizational Domain | Use Case 6

Name: Changes are authorized and verified.

Description: An organization must have a documented process in place

to review, verify and confirm that changes made to monitored devices

are approved and implemented as expected.

Source: Logs & Packets

Predecessor(s): M1O2

Code Mapping: M1HALL M1NALL

Code: M2O3

Title: Maturity Level 2 | Organizational Domain | Use Case 3

Name: Normal/expected port usage is documented.

Description: The traffic associated with specific ports must be documented

in order to mitigate risk associated with unauthorized use or potentially

malicious activity flagged in subsequent correlated alerts.

Source: Logs & Packets

Predecessor(s): M102, M105

Code Mapping: M1HALL M1NALL

The cube has other faces that would contain additional intelligence as shown below.

With the additional faces in mind I have expanded the original framework to include the following:


Code | Title:



Domain: Host, Network, Account, Integration, Organizational

Predecessor Code(s):

Sibling Code(s):

Child Code(s):



Standards Mapping (e.g. ISO 27001, NIST 800-53, etc.):


Notification: Alert | Report


Attack Vector: Virus, email attachment, web page, etc.

Attack Corridor: External | Internal | Direct | Indirect (square, x place in table)


Kill Chain State: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Action on Objectives


Incident Response Playbook Code(s):


Domain Weight:

Model Weight:

Obviously no one is going to go around creating a bunch of cube images to represent each use case so the practical manner in which to implement the maturity model/cube is through an Excel spreadsheet or a database. The work I have thus far is Excel-based.

I'd love to find a few committed souls willing to engage and continue the work on this. There's still a lot of work to do to validate the framework and the faces as well as go through a (growing) library of use cases and work them through the framework. Please contact me if you or your company are interested in being a part of this.

Important License Information

Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests I endorse you or your use.

NonCommercial — You may not use the material for commercial purposes.

No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.