Security operations self-assessment tool
Triage
Assess alerts, set priorities, and route incidents to your security operations center team members to resolve.
Investigation
Quickly determine if an alert indicates an actual attack or a false alarm.
Hunting
Increase focus on searching for adversaries that have evaded your primary and automated defenses.
Incident Management
Coordinate response by technical, operations, communications, legal, and governance functions.
How do you prioritize incidents and threat alerts?
(Select all that apply)
To what degree do you use automation for investigation and remediation for high-volume or repetitive incidents?
In how many scenarios are you using cloud-based tools to secure on-premises and multicloud resources?
Do you have a ticketing system in place to manage security incidents and measure time to acknowledge and time to remediate?
How do you manage alert fatigue?
(Select all that apply)
Recommendations
Based on your responses, you’re in the Optimized security operations stage.
Get more information on how to optimize your security operations center maturity.
Recommendations
Based on your responses, you’re in the Advanced security operations stage.
Get more information on how to move to the optimal stage of security operations center maturity.
Recommendations
Based on your responses, you’re in the Basic security operations stage.
Get more information on how to move to the advanced stage of security operations center maturity.
The following resources and recommendations may be helpful in this stage.
Threat alert prioritization
- Threat alert prioritization is critical to your success. A best practice is to score each alert by the historical true-positive rate of the source that generated it, so that noisy sources stop crowding out reliable ones in the triage queue. Explore key insights and best practices from security leaders for maturing your security operations.
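The scoring approach above, as an added example that is not code from the original page or from any Microsoft product. It assumes a hypothetical SIEM or ticketing export in which every closed alert carries its detection source and the analyst's final disposition; the closure history and the incoming queue below are constructed for the demonstration. The same feedback loop is what the hunt team feeds when it refines alerts to raise true-positive rates for the triage team (see Refining hunting processes further down).

```python
"""Prioritize a triage queue by the historical true-positive rate of each source.

Added example, not the page's or Microsoft's code. Assumes a hypothetical
export of closed alerts as (source, disposition) pairs; records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed closure history. In practice this is pulled from the ticketing
# system or SIEM once analysts have closed each alert with a disposition.
CLOSED_ALERTS = [
    ("edr_credential_dump", "true_positive"),
    ("edr_credential_dump", "true_positive"),
    ("edr_credential_dump", "false_positive"),
    ("email_phish_url", "true_positive"),
    ("email_phish_url", "false_positive"),
    ("email_phish_url", "false_positive"),
    ("email_phish_url", "false_positive"),
] + [("fw_port_scan", "false_positive")] * 9 + [("fw_port_scan", "true_positive")]

SEVERITY_WEIGHT = {"low": 1.0, "medium": 2.0, "high": 3.0, "critical": 4.0}


def source_true_positive_rates(closed, prior_tp=1, prior_total=2):
    """Per-source true-positive rate with Laplace smoothing.

    Smoothing keeps a source with little history near 0.5 rather than at 0 or 1,
    so one lucky or unlucky closure neither buries nor escalates it.
    """
    counts = defaultdict(lambda: [0, 0])  # source -> [true_positives, total]
    for source, disposition in closed:
        counts[source][1] += 1
        if disposition == "true_positive":
            counts[source][0] += 1
    return {s: (tp + prior_tp) / (total + prior_total) for s, (tp, total) in counts.items()}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    source: str
    severity: str  # low | medium | high | critical


def priority_score(alert, tp_rates, default_rate=0.5):
    """Score = severity weight x probability that the source is right.

    A 'critical' alert from a source that is wrong 90% of the time lands below
    a 'high' alert from a source that is usually right. Unknown sources get a
    neutral default_rate until they accrue history.
    """
    rate = tp_rates.get(alert.source, default_rate)
    return SEVERITY_WEIGHT[alert.severity] * rate


def prioritize(queue, closed=CLOSED_ALERTS):
    """Return the alert queue ordered highest priority first."""
    rates = source_true_positive_rates(closed)
    return sorted(queue, key=lambda a: priority_score(a, rates), reverse=True)


if __name__ == "__main__":
    # Constructed incoming queue: note the critical port-scan alert ranks third.
    queue = [
        Alert("A1", "fw_port_scan", "critical"),
        Alert("A2", "edr_credential_dump", "medium"),
        Alert("A3", "email_phish_url", "high"),
        Alert("A4", "new_source", "low"),
    ]
    rates = source_true_positive_rates(CLOSED_ALERTS)
    for alert in prioritize(queue):
        print(f"{alert.alert_id} {alert.source:22s} {alert.severity:8s} "
              f"score={priority_score(alert, rates):.2f}")
```

Re-run the rate computation whenever a batch of alerts is closed; the ordering shifts automatically as sources prove themselves or become noisy, which is the mechanism the recommendation describes.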
Automation
- Automation helps relieve you and your operations team from tedious tasks so you can focus on critical threats, increase productivity, and reduce burnout.
- Learn how to configure automation in Microsoft Defender for Endpoint
Leverage cloud-based tools
- Cloud-based tools give you visibility into your organization's threat landscape across clouds. Shifting to a cloud-based SIEM can mitigate the challenges presented by on-premises SIEM solutions.
Manage security incidents via ticketing
- A ticketing system helps your team work more efficiently and fight threats more successfully; it also records the timestamps you need to measure time to acknowledge and time to remediate.
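The two measurements named in the question above (time to acknowledge and time to remediate), as an added example that is not code from the original page or from any ticketing product. It assumes a hypothetical ticket export with ISO 8601 UTC timestamps and a per-severity acknowledgement SLA; the ticket records and SLA limits below are constructed for the demonstration.

```python
"""Compute time-to-acknowledge and time-to-remediate from ticket records.

Added example, not the page's or any vendor's code. Assumes a hypothetical
ticketing export with ISO 8601 'Z' timestamps; the records are constructed.
"""
from datetime import datetime, timezone
from statistics import mean, median

# Constructed ticket export. resolved_at is None while a ticket is still open.
TICKETS = [
    {"id": "INC-1001", "severity": "high", "created_at": "2024-03-01T09:00:00Z",
     "acknowledged_at": "2024-03-01T09:12:00Z", "resolved_at": "2024-03-01T13:00:00Z"},
    {"id": "INC-1002", "severity": "high", "created_at": "2024-03-01T10:00:00Z",
     "acknowledged_at": "2024-03-01T10:04:00Z", "resolved_at": "2024-03-01T11:00:00Z"},
    {"id": "INC-1003", "severity": "low", "created_at": "2024-03-02T08:00:00Z",
     "acknowledged_at": "2024-03-02T12:30:00Z", "resolved_at": None},
    {"id": "INC-1004", "severity": "low", "created_at": "2024-03-02T09:00:00Z",
     "acknowledged_at": "2024-03-02T09:30:00Z", "resolved_at": "2024-03-03T09:00:00Z"},
]


def _parse(ts):
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime; None stays None."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def minutes_between(start, end):
    return (end - start).total_seconds() / 60.0


def ticket_metrics(tickets):
    """Per-severity mean/median time to acknowledge and mean time to remediate, in minutes.

    Time to acknowledge counts every ticket that has been picked up; time to
    remediate counts only closed tickets, so open ones cannot drag the mean
    down. Open and closed counts are returned alongside so that a mean over a
    single ticket is not mistaken for a trend.
    """
    per_sev = {}
    for t in tickets:
        created = _parse(t["created_at"])
        ack = _parse(t["acknowledged_at"])
        resolved = _parse(t["resolved_at"])
        bucket = per_sev.setdefault(t["severity"], {"tta": [], "ttr": [], "open": 0})
        if ack is not None:
            bucket["tta"].append(minutes_between(created, ack))
        if resolved is None:
            bucket["open"] += 1
        else:
            bucket["ttr"].append(minutes_between(created, resolved))
    return {
        sev: {
            "mtta_min": mean(b["tta"]) if b["tta"] else None,
            "median_tta_min": median(b["tta"]) if b["tta"] else None,
            "mttr_min": mean(b["ttr"]) if b["ttr"] else None,
            "closed": len(b["ttr"]),
            "open": b["open"],
        }
        for sev, b in per_sev.items()
    }


def acknowledgement_breaches(tickets, ack_sla_minutes):
    """IDs of tickets whose time to acknowledge exceeded the per-severity SLA."""
    breached = []
    for t in tickets:
        limit = ack_sla_minutes.get(t["severity"])
        ack = _parse(t["acknowledged_at"])
        if limit is None or ack is None:
            continue  # no SLA for this severity, or not yet acknowledged
        if minutes_between(_parse(t["created_at"]), ack) > limit:
            breached.append(t["id"])
    return breached


if __name__ == "__main__":
    # Constructed SLA: high-severity tickets acknowledged within 15 minutes, low within 4 hours.
    for sev, m in ticket_metrics(TICKETS).items():
        print(sev, m)
    print("ack SLA breaches:", acknowledgement_breaches(TICKETS, {"high": 15, "low": 240}))
```

Report the median alongside the mean: a single ticket left open over a weekend inflates the mean MTTA for a whole quarter, and the open-ticket count shows how much of the remediation picture the MTTR figure actually covers.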
Managing alert fatigue
- Managing alert fatigue is critical to running smooth security operations. Without a prioritization system in place, your team may end up investigating false positives and letting serious threats through, and the constant noise leads to burnout. Azure Sentinel reduces alert fatigue with machine learning.
How many security tools do analysts use for incident investigation (for example, vendor products or portals, and custom tools or scripts)?
Do you use a SIEM or other tools to consolidate and correlate all data sources?
Are you using behavioral analytics in detection and investigation (for example, user and entity behavior analytics, or UEBA)?
Do you use detection and investigation tools focused on identity?
Do you use detection and investigation tools focused on endpoints?
Do you use detection and investigation tools focused on email and data?
Do you use detection and investigation tools focused on SaaS apps?
Do you use detection and investigation tools focused on cloud infrastructure, such as Virtual Machines, Internet of Things (IoT), and Operational Technology (OT)?
Do you use MITRE ATT&CK or other frameworks to track and analyze incidents?
Do investigation or hunt teams review cases in the triage queue to identify trends, root cause, and other insights?
Recommendations
Based on your responses, you’re in the Optimized security operations stage.
Key resources:
- Learn how a consolidated security stack can reduce your risks and costs.
- Learn more about security operations (SecOps) functions.
Get more information on how to optimize your security operations center maturity.
Recommendations
Based on your responses, you’re in the Advanced security operations stage.
Key resources:
- Learn how a consolidated security stack can reduce your risks and costs.
- Learn more about security operations (SecOps) functions.
Get more information on how to move to the optimal stage of security operations center maturity.
Recommendations
Based on your responses, you’re in the Basic security operations stage.
Key resources:
- Learn how a consolidated security stack can reduce your risks and costs.
- Learn more about security operations (SecOps) functions.
Get more information on how to move to the advanced stage of security operations center maturity.
The following resources and recommendations may be helpful in this stage.
Integrated security tooling
- Using intelligent, automated, and integrated security solutions across domains can help SecOps defenders connect seemingly disparate alerts and get ahead of attackers. Explore how a unified SIEM and XDR solution helps stop advanced attacks.
- Modernize the security operations center to better secure a remote workforce.
Use SIEM to consolidate data sources
- A SIEM, such as Azure Sentinel, provides a bird’s-eye view of your threat landscape by collecting and correlating threat data from across your environment, so you can act proactively rather than miss events that only one tool saw. What is Azure Sentinel?
- Learn more about Microsoft Cybersecurity Reference Architecture.
Microsoft security best practices for security operations
- Machine learning and behavior analytics are best practices that can help you rapidly identify anomalous events with high confidence.
Data access management
- It’s important to know who has access to your data and what type of access they have. An identity-based framework is a best practice for reducing risk while keeping people productive.
Endpoint management
- It’s a best practice to know who’s accessing data from beyond the traditional perimeter and whether those devices are healthy. Microsoft Defender for Endpoint can help you with this; see its step-by-step guidance.
- Learn how to deploy Microsoft Defender for Endpoint
Email and data detection
- Bad actors can enter your environment through compromised business email. A solution that detects and stops threats such as phishing reduces the security burden that would otherwise fall on end users.
SaaS app detection
- It’s important to secure cloud-based solutions that can access your sensitive data.
Cloud infrastructure detection
- As the perimeter expands to include IoT and storage, containers, and other components of your cloud infrastructure, it’s important to set monitoring and detection on these extensions of your environment.
Tracking and analyzing incidents
- MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Frameworks like MITRE ATT&CK help you develop specific threat models and methodologies so you can build defenses proactively.
Document and review
- To garner insights and be proactive with threats it’s important to document investigation cases.
Do you include proactive threat hunting as part of your security strategy?
Do you use automated hunting processes such as Jupyter notebooks?
Do you have processes and tools to help detect and manage insider threats?
Does your hunt team make time to refine alerts to increase true-positive rates for triage (tier 1) teams?
Recommendations
Based on your responses, you’re in the Optimized security operations stage.
Key resources:
- Learn more about insider risk management in Microsoft 365.
Get more information on how to optimize your security operations center maturity.
Recommendations
Based on your responses, you’re in the Advanced security operations stage.
Key resources:
- Learn more about insider risk management in Microsoft 365.
Get more information on how to move to the optimal stage of security operations center maturity.
Recommendations
Based on your responses, you’re in the Basic security operations stage.
Key resources:
- Learn more about insider risk management in Microsoft 365.
Get more information on how to move to the advanced stage of security operations center maturity.
The following resources and recommendations may be helpful in this stage.
Proactive threat hunting
- Identify threats before they cause damage. Determined adversaries can find ways around your automated detections, so it’s important to have a proactive strategy. Reduce the impact of insider risks by accelerating time to action.
- See how the Microsoft SOC approaches threat hunting
Automated hunting
- Automated hunting processes can increase productivity and reduce the volume of manual work each hunt requires.
Insider threats
- With employees, vendors, and contractors accessing the corporate network from myriad endpoints, it’s more critical than ever that risk practitioners be able to quickly identify risks happening within the organization and take remediation actions.
- Learn about insider threat monitoring
- Get started with insider risk management
Refining hunting processes
- Insights gathered from threat hunting teams can help refine and improve the accuracy of triage alert systems.
Does your team have a crisis management process for handling major security incidents?
Does this process include provisions to bring in vendor teams with deep incident response, threat intelligence, or technology platform expertise?
Does this process involve executive leadership including legal teams and regulatory bodies?
Does this process include communications and public relations teams?
Does your team conduct regular exercises to practice and refine this process?
Recommendations
Based on your responses, you’re in the Optimized security operations stage.
Key resources:
- Learn more about insider risk management in Microsoft 365.
Get more information on how to optimize your security operations center maturity.
Recommendations
Based on your responses, you’re in the Advanced security operations stage.
Key resources:
- Learn more about insider risk management in Microsoft 365.
Get more information on how to move to the optimal stage of security operations center maturity.
Recommendations
Based on your responses, you’re in the Basic security operations stage.
Key resources:
- Learn more about insider risk management in Microsoft 365.
Get more information on how to move to the advanced stage of security operations center maturity.
The following resources and recommendations may be helpful in this stage.
Incident response
- Minutes matter in crisis response. Even having a temporary process in place is important to ensure quick remediation and incident management.
- Get the Incident Response Reference Guide
- Learn how to prevent cybersecurity attacks from ransomware to extortion.
Incident remediation
- Agility and flexibility are important for remediation and incident management. Understanding where your team's skills and experience lie also helps you determine which vendor teams and technology you need.
Mitigating impacts
- Security is everyone's business in the organization. Insight from other business stakeholders can provide specific guidance for mitigating the impact of a breach.
- Watch the CISO Spotlight Series
- Learn more about cloud security
Communications and public relations
- Your process should include public relations and communications plans for a breach, so you’re ready to support customers and mitigate its impact. Learn how to run a highly effective security operation.
Practice makes perfect
- Practice ensures you can spot gaps and areas to improve before a breach occurs. Run test-case exercises to ensure you’re prepared for a breach.
Do you have vendor-provided or vendor-maintained automation that reduces investigation and remediation workload on analysts?
Can you orchestrate automated actions across different tools?
If you orchestrate automated actions across different tools, do you connect natively with all or most of your tools, or is it based on custom scripting?
Do you use community-provided automation?
Recommendations
Based on your responses, you’re in the Optimized security operations stage.
Key resources:
- Azure Sentinel - SOC Process Framework Workbook.
- Security Orchestration, Automation, and Response (SOAR) in Azure Sentinel.
- Guide to Seamless Secure Access: An Improved User Experience with Strengthened Security.
- Embrace Proactive Security with Zero Trust.
- Zero Trust Deployment Guide for Microsoft Azure Active Directory.
Get more information on how to optimize your security operations center maturity.
Recommendations
Based on your responses, you’re in the Advanced security operations stage.
Key resources:
- Azure Sentinel - SOC Process Framework Workbook.
- Security Orchestration, Automation, and Response (SOAR) in Azure Sentinel.
- Guide to Seamless Secure Access: An Improved User Experience with Strengthened Security.
- Embrace Proactive Security with Zero Trust.
- Zero Trust Deployment Guide for Microsoft Azure Active Directory.
Get more information on how to move to the optimal stage of security operations center maturity.
Recommendations
Based on your responses, you’re in the Basic security operations stage.
Key resources:
- Azure Sentinel - SOC Process Framework Workbook.
- Security Orchestration, Automation, and Response (SOAR) in Azure Sentinel.
- Guide to Seamless Secure Access: An Improved User Experience with Strengthened Security.
- Embrace Proactive Security with Zero Trust.
- Zero Trust Deployment Guide for Microsoft Azure Active Directory.
Get more information on how to move to the advanced stage of security operations center maturity.
The following resources and recommendations may be helpful in this stage.
Managing analyst workload
- Vendor automation support could help your team manage their workload. Consider protecting your digital estate with an integrated approach for increased SOC efficiency.
- Explore how security operations teams are adapting to a shifting threat landscape
Orchestrating automated actions
- Integrating automated actions across all your tools could enhance productivity and help increase the likelihood that you don’t miss any threats. See how a consolidated security stack could help reduce your risks and costs.
Connecting automated actions
- Connected and integrated tools and processes could help reduce gaps in your threat monitoring program and help you keep up with an ever-changing cybersecurity threat landscape.
Community-provided automation
- Consider using community-provided automation: detections and playbooks contributed by other defenders broaden the threat patterns you recognize and can save you the effort of building equivalent automation yourself.