Cybersecurity Research Frameworks

  • Muhammad Dilshad Awan

    Cybersecurity Marketing Associate @ Laburity | Pentest VAPT

    3,786 followers

    Security Operations Center (SOC)

    SOC: What is it?
    A Security Operations Center (SOC) is a centralized unit that handles security monitoring and threat detection, analysis, and response for an organization. It is a crucial part of the organization’s security infrastructure, and its role is to ensure that cybersecurity incidents are detected early and responded to effectively and in a timely manner.

    SOC Operations
    SOC operations focus on continuously identifying, investigating, and responding to potential security incidents. Key activities include:
    - Continuous Monitoring: Ongoing surveillance of all security systems to detect anomalous activity.
    - Incident Response: Prompt action to contain and remediate security breaches.
    - Alert Triage: Identifying and filtering false positives from genuine alerts.
    - Threat Intelligence: Collecting and sharing information on emerging threats.
    - Security Incident Management: Ensuring incidents are handled effectively and efficiently, with proper escalation procedures.

    SOC Workflow
    The workflow within a SOC typically follows these stages:
    - Alert Generation: The monitoring tools detect unusual activities or events and generate alerts.
    - Alert Triage: Analysts review and assess the severity of alerts.
    - Investigation: Analysts dig deeper into the alert to determine its legitimacy.
    - Incident Response: Once a genuine threat is identified, response measures such as isolation or blocking IPs are taken.
    - Remediation: Infected systems are cleaned or patched to prevent further damage.
    - Recovery: Systems are restored to normal functionality, and monitoring continues.
    - Post-Incident Analysis: Analysts investigate the root cause and document findings for future prevention.

    Types of SOC Models
    - In-House (Internal) SOC: Managed and operated within the organization. Offers better control and tailored security measures.
    - Outsourced SOC: A third-party vendor manages the SOC. Useful for cost savings and access to expert resources.
    - Hybrid SOC: Combines in-house SOC with outsourced resources for flexibility and scalability.

    SOC Maturity Models
    Maturity models assess the progression and capabilities of a SOC. The SOC Capability Maturity Model includes these stages:
    - Maturity Level 1: Basic monitoring with limited response capabilities. Correlation rules are created.
    - Maturity Level 2: Automated response actions are integrated to improve efficiency.
    - Maturity Level 3: Full service management integration, including patching, recovery, and post-incident processes.

    SOC Implementation
    Implementing a SOC involves:
    - Planning and Design: Understanding the organization's security needs and designing a framework.
    - Resource Allocation: Identifying technology, staff, and other resources needed.
    - Deployment: Installing and configuring security tools and processes.
    - Monitoring and Optimization: Ongoing tuning of detection capabilities and response processes.

  • Dr. Yusuf Hashmi

    Chief Cybersecurity Advisor | Trellix 2025 Global Top 100 Cyber Titans | ISMG Visionary CISO | OT/IT/5G Security Advocate | Speaker & Author

    18,858 followers

    “Mapping Cybersecurity Threats to Defenses: A Strategic Approach to Risk Mitigation”

    Most of the time we talk about reducing risk by implementing controls, but we don’t talk about whether the implemented controls will reduce the Probability or Impact of the Risk. The below matrix helps organizations build a robust, prioritized, and strategic cybersecurity posture while ensuring risks are managed comprehensively by implementing controls that reduce the probability while minimising the impact.

    Key Takeaways from the Matrix
    1. Multi-layered Security: Many controls address multiple attack types, emphasizing the importance of defense in depth.
    2. Balance Between Probability and Impact: Controls like patch management and EDR reduce both the likelihood of attacks (probability) and the harm they can cause (impact).
    3. Tailored Controls: Some attacks (e.g., DDoS) require specific solutions like DDoS protection, while broader threats (e.g., phishing) are countered by multiple layers like email security, IAM, and training.
    4. Holistic Approach: Combining technical measures (e.g., WAF) with process controls (e.g., training, third-party risk management) creates a comprehensive security posture.

    This matrix can be a powerful tool for understanding how individual security controls align with specific threats, helping organizations prioritize investments and optimize their cybersecurity strategy.

    Cyber Security News ® The Cyber Security Hub™

  • 🚀 My latest research "Cognitive Integration Process for Harmonising Emerging Risks" is now published in the Journal of AI, Robotics and Workplace Automation.

    95% of Australian businesses are SMEs operating on ~$500 cybersecurity budgets. Yet they're being asked to securely integrate AI, quantum computing, and blockchain into their operations. How do you make sound security decisions about emerging technologies when you lack both technical expertise and enterprise-level resources?

    This is fundamentally a systems engineering challenge that requires first principles thinking. When I presented this research at the Programmable Software Developers Conference in Melbourne in March, I asked the room: "Heard of an AI security incident?" No hands up. "Would you know what an AI security incident looked like?" No hands. This illustrates the gap between AI hype and foundational security understanding - the first principles are missing.

    That's why I developed CIPHER (Cognitive Integration Process for Harmonising Emerging Risks) - a cognitive mental model that applies systems thinking to technology integration in resource-constrained environments.
    🧠 Six cognitive stages: Contextualise, Identify, Prioritise, Harmonise, Evaluate, Refine
    🔧 Systems engineering foundation: Built on cognitive science, game theory, and dynamical systems theory
    🎯 Technology agnostic: Works across any emerging technology, any environment, any resource constraint

    CIPHER is a cybersecurity framework that gives smaller organisations the same strategic decision-making capabilities that large enterprises use, designed for their operational realities. It bridges the gap between cutting-edge security research and the practical constraints that define how most Australian businesses operate. The framework recognises that in resource-constrained environments, enterprise security models cannot be applied at scale. You need cognitive tools that help teams think systematically in complex integration challenges without requiring extensive technical depth or large security budgets.

    My research journey continues: I'm now deep into my UNSW Canberra Masters Research capstone, building on my 2023 work on LLMs in SME cybersecurity. The goal? Developing specialised security models and creating an agnostic, holistic measurement framework for LLMs in Australian SMEs - essentially taking the $500 problem from 2023 into the AI-driven reality of 2025.

    #CyberSecurity #SystemsEngineering #SME #Australia #AI #EmergingTech #ResourceConstrainedSecurity #CIPHER #FirstPrinciples

  • Juan Pablo Castro

    Director @ TrendAI | Cyber Risk & Cybersecurity Strategist, LATAM | Creator of Cybersecurity Compass & CROC | Public Speaker

    31,762 followers

    Most organizations still treat cyber risk as a static exercise—managed through spreadsheets, heatmaps, and periodic assessments. But cyber threats evolve in real time, and so must our approach.

    That’s why we created the Cyber Risk Operational Model (CROM)—a visual and strategic guide to move from reactive documentation to proactive, operational cyber risk management.

    In this article, we break down all six levels of cyber risk maturity—from Level 0 (Unaware) to Level 5 (Proactive)—and show how to evolve through key stages like CyberRiskOps adoption and CROC enablement.

    If you’re still managing cyber risk through disconnected assessments, it’s time to rethink the model.

    #CyberRisk #CyberSecurity #RiskManagement #ProactiveSecurity #CyberRiskOps #CROC #OperationalResilience #SecurityLeadership #ContinuousMonitoring #DigitalRisk #CyberMaturity #Infosec #SecurityStrategy #RiskBasedSecurity #CyberRiskFramework #CROM

  • Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.

    14,985 followers

    Recently, the Office of Inspector General (OIG) for a major federal agency found that the agency's security maturity had actually dropped from Level 4 (Managed & Measurable) to Level 2 (Defined), based on FISMA's Maturity Model. See https://lnkd.in/euvknXaC. This result should be unsurprising given that the report acknowledges that the agency's security staffing was cut significantly in 2025. Id. at 10.

    Nonetheless, the six areas with which the OIG raised concerns can provide organizations and agencies with useful guidance for maintaining and improving their programs:

    1. Define Cyber Roles Within Enterprise Risk Management (ERM): Organizations should clearly define cybersecurity roles and responsibilities within their ERM strategy. This ensures security decisions are aligned with broader agency risk priorities.
    2. Build and Maintain Cyber Risk Registers: Create centralized risk registers to aggregate, normalize, and prioritize cybersecurity risks across the enterprise. This helps leadership see the full threat landscape and respond strategically.
    3. Use Cybersecurity Profiles to Guide Strategy: Develop current and target cybersecurity profiles to assess where your organization stands and where it needs to go. These profiles should reflect mission objectives, threat landscape, and resource constraints.
    4. Reassess Risk Acceptance Decisions: Review any risk acceptance memorandums (RAMs) to ensure they were based on complete system analysis and aligned with appropriate standards. If gaps exist, conduct additional risk analysis or implement compensating controls.
    5. Quantify Risk in RAMs: Ensure RAMs include qualitative and quantitative assessments of cybersecurity risk. Vague or undocumented risk decisions can leave organizations exposed.
    6. Modernize Continuous Monitoring: Evaluate options to restore or enhance continuous monitoring activities. Staffing losses or outdated tools shouldn’t compromise your ability to detect and respond to threats in real time.

    Stay safe out there!

  • Tim Golden

    I’m on a mission to help MSPs turn compliance into a revenue-generating service…not a burden. If you’re a 3–25 person MSP struggling to package, price, or deliver GRC, you’re not alone. ComplianceScorecard.com

    19,375 followers

    Goal 2 -> Harden the Terrain, from the Cybersecurity and Infrastructure Security Agency

    ➡️ Control 2.1: Understand how attacks really occur — and how to stop them.
    This control focuses on gaining a deeper understanding of the methods and tactics used by cyber attackers. It involves studying real-world attack scenarios to learn not just the initial point of entry but also the various ways attackers exploit weaknesses in systems and networks to achieve their objectives. By understanding these patterns, #msps can develop more effective defense strategies and implement security measures that address the root causes of vulnerabilities.
    Action Item: ✅ MSPs need to stay updated on the latest attack methods and continually refine their defense strategies. This includes training staff on new and evolving threats, conducting regular security assessments, and applying the insights gained from analyzing real-world attacks to improve the security posture of their clients.
    Tool Category: ✅ Threat Intelligence Platforms, Penetration Testing tools
    Suggested tools: 🛠️ AlienVault USM, Securly, Shield Cyber, Microsoft Defender for Endpoint

    ➡️ Control 2.2: Drive implementation of measurably effective cybersecurity investments.
    Ensure investments in cybersecurity are effective and show clear results.
    Action Item: ✅ MSPs must focus on providing security solutions that demonstrate clear results. Measure the effectiveness of cybersecurity investments and update guidelines accordingly. This involves continuous assessment of the effectiveness of current security measures, identifying gaps, and making informed decisions about which technologies, processes, and practices to adopt or enhance. Jesse talks a lot about business outcomes.
    Tool Category: ✅ Risk Management tools, Compliance Software
    Suggested tools: 🛠️ Compliance Scorecard, MITRE ATT&CK

    ➡️ Control 2.3: Provide cybersecurity capabilities and services that fill gaps and help measure progress.
    Offer tools and services to improve security and measure progress.
    Action Item: ✅ MSPs may need to offer new services or tools that fill existing security gaps for their clients by providing cybersecurity and #compliance capabilities and services to fill gaps.
    Tool Category: ✅ Security Assessment tools, Cybersecurity Performance Tracking tools
    Suggested tools: 🛠️ Compliance Scorecard, UpGuard

    Goal 2 focuses on strengthening cybersecurity by understanding attack methods, ensuring effective investment in security measures, and providing capabilities that close security gaps and track progress.

  • Lars McCarter

    Cybersecurity Executive | CISO • Head of Security Assurance • Risk & Compliance Leader | Amazon/AWS | ex: CISA | White House | Military

    7,060 followers

    Attention leaders who are responsible for providing guidance/oversight/etc. to their cybersecurity/security programs...

    One of the best questions you can ask when arriving at a new organization, or when trying to determine your risk in a current org, is to do a simple maturity assessment of the overall enterprise cybersecurity program. It's not a complete answer, but it will help you make sure you know what additional questions to ask...

    The National Institute of Standards and Technology (NIST) has made this simple for us with the Cybersecurity Framework (CSF), particularly 2.0. No, I don't work for NIST, but I do like free, and this is free... for everyone. So yes, I push free as much as I also like ISO/SOC2/etc.

    Just open up this doc and take a look. All you need to do is assess all the functions, categories, and sub-categories with your best guess, based on input from the various elements of the security org, using CMMI scoring from 1 to 5. If you're fancy and have resources, you can contract it out to get a good independent third-party assessment.

    Find everything below a 3 and target getting to a 3 within a year. Assign an accountable executive at each level, with the CISO overall responsible at each function's level, then VP/next-level/etc. down for the categories and then for sub-categories. Formalize these areas of accountability across the company. Formally assign team members to each area as well and have them identify the tasks needed to mature. Drive tasks to completion... Rinse, wash, and repeat annually at a minimum.

    Will this compliance exercise replace security? Absolutely not, but it will help maintain visibility into all the areas where you need work (these are your risk areas!). I will always argue that you can't have effective security w/o some compliance and vice versa. If you encounter people who tell you this is a waste of time and you should just focus on security/technical controls/etc. and not check-the-box security, they don't know what they are talking about, no matter how senior they are. Figure out how to integrate them into the process and draw on their expertise, but keep driving this high-level alignment.

    You can gut-check the results against things like the Center for Internet Security Critical Security Controls (https://lnkd.in/ezzds_eM) (previously known as the Top 20). This is how you scope, assess, build, mature, and manage security programs by establishing effective governance to ensure continued improvement. Use roll-ups to brief risk to the C-suite along with key security risks through distilled metrics from vuln mgmt, sec ops, insider threat, and other areas of the program. Too easy...

    #cybersecurity #NIST #board #executiveleadership

  • Mahesh P Gopalakrishnan

    Principal Consultant – Cybersecurity Strategy | Cyber Author | CISSP | CCSP | CISM | CCISO | CRISC | AAISM | CEH | CAIIB | AI-Driven Security | Threat Management | Mentor | Leadership in Global Cyber Defense

    6,528 followers

    The Diamond Model of Intrusion Analysis

    The Diamond Model of Intrusion Analysis is a framework designed to enhance the understanding and analysis of cyber intrusions and threat adversaries. Developed by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, this model provides a structured approach to dissecting cyber-attacks by focusing on four key components, often referred to as the "corners" of the diamond: (1) Adversary, (2) Infrastructure, (3) Capability, and (4) Victim.
    ➡️ Adversary: Who is behind the attack?
    ➡️ Capability: What tools and techniques were used?
    ➡️ Infrastructure: What systems and networks were involved?
    ➡️ Victim: Who was targeted?

    The Diamond Model is widely used in cybersecurity for its ability to provide a holistic view of cyber incidents. It helps analysts identify the relationships between the adversary, their infrastructure, the capabilities they use, and their chosen victims. This structured analysis aids in attribution, understanding attack patterns, and developing effective mitigation strategies. The Diamond Model can be combined with MITRE ATT&CK or the Cyber Kill Chain to get a holistic view of a cyber incident. Practical applications include mapping attack campaigns, prioritizing threat intelligence, and improving security posture.

    Please comment your experience with the Diamond Model and how it can be better leveraged for robust Threat Management.

    References:
    1. The document - https://lnkd.in/guF9Vt96
    2. https://lnkd.in/gcYHimRv
    3. Image Courtesy: https://lnkd.in/gvBrwK6N

    #ThreatIntelligence #DiamondModel #IncidentResponse #cybersecurity #informationsecurity

  • Shawn P Riley

    Canonical Authority on Cybersecurity Science | Strategic Cybersecurity Scientist for Enterprises, MSSPs & Government | US Navy Cryptologic Veteran | 30+ Years in Cybersecurity | Lockheed Martin Senior Fellow (Top 0.1%)

    10,579 followers

    🚨 Structured Analytic Techniques (SATs) 🚨

    In cybersecurity science roles, dealing with complexity, ambiguity, and uncertainty is a daily challenge. That’s where Structured Analytic Techniques (SATs) come into play! SATs are systematic, evidence-based methods designed to enhance decision-making and problem-solving. They help cybersecurity professionals by:
    ✅ Exposing Assumptions
    ✅ Challenging Cognitive Biases
    ✅ Encouraging Creativity
    ✅ Improving Transparency

    From threat intelligence analysis to incident response and risk management, SATs empower cybersecurity professionals across all roles to handle the toughest challenges effectively.

    🔍 Why are SATs crucial in cybersecurity science?
    * They counter biases like confirmation bias and groupthink.
    * They provide structured approaches to model adversary behavior and explore alternative scenarios.
    * They foster collaboration by creating shared frameworks for complex problem-solving.

    SATs align perfectly with the 7 core themes of cybersecurity science, enhancing measurable security, agility, human factors, and more. For example:
    * Risk Analysts use SATs like Indicators of Change to assess rare, high-impact scenarios.
    * Forensic Investigators leverage ACH to ensure all possible explanations for evidence are rigorously tested.
    * SOC Analysts employ techniques like brainstorming and red-teaming to remain resilient under pressure.

    As cyber threats evolve, SATs will continue to be an essential part of our toolkit, enabling us to outthink adversaries, adapt to change, and protect our digital ecosystems with confidence.

    💡 Let’s embrace these techniques to strengthen our analytical rigor and make more defensible, informed decisions. Curious to dive deeper? Check out the article! 🚀
