The Most Overlooked Essential in Your SOC: The Collection Management Framework

The Collection Management Framework (CMF) is one of the most forgotten—but most critical—components of a Security Operations Center (SOC). While many teams focus on flashy tools and detection methods, they often overlook the foundational step of mapping out what data is collected, where it’s sourced, how long it’s stored, and which questions this data can answer. Without a solid CMF, you risk costly blind spots and an inefficient threat detection and incident response strategy.


Why a CMF Matters

  • Comprehensive visibility: you can't detect or defend against threats in systems you aren't monitoring. A CMF structures and prioritizes data collection so you know exactly where your coverage ends (and where the gaps begin).
  • Alignment with business needs: by tying collection requirements to business and risk priorities (crown-jewel assets, core compliance obligations), you keep the security program focused on what truly matters.
  • Faster investigations: analysts waste precious time hunting for logs and intelligence when data is disorganized or incomplete. A CMF acts as a blueprint that points them to the exact data sources needed for each requirement.
  • Continuous improvement: threat landscapes and business priorities evolve. A well-managed CMF is iterative, letting you add new data sources, retire outdated ones, and refine processes to keep pace with emerging threats.

A CMF can cover internal or external data sources. The two examples below are taken from Kraven Security's "How To Optimize Data Sources: Collection Management Framework" (reference 2).



Internal CMF Example


External CMF Example

The Five-Phase Lifecycle

Building and maintaining a CMF is best approached as a continuous lifecycle. Based on the Dragos whitepaper on Collection Management Frameworks (reference 1), here is how to tackle each phase:


1. Develop New Requirements

  • Interview business owners to understand risk drivers.
  • Run tabletop exercises to simulate real-world incidents and identify missing data.
  • Leverage existing documentation (risk registers, IR plans, asset inventories) to build initial requirements.
  • Use threat modeling to pinpoint threats most relevant to your industry and infrastructure.


2. Develop a Collection Plan

  • Match requirements to data sources. For instance, do you have the web server or proxy logs needed to detect Log4j (Log4Shell) exploitation attempts against your public-facing applications?
  • Consider structuring your CMF around frameworks like the Cyber Kill Chain or MITRE ATT&CK so that each data set is tied to the attacker TTPs it can reveal.
  • Keep a simple spreadsheet or knowledge base (e.g., Notion) so analysts can quickly look up where the relevant logs and intelligence live, and for how long.


3. Implement

  • Operationalize the plan by enabling the new logging configurations and centralizing the logs where analysts can query them.
  • Onboard new data sources where the plan found gaps (e.g., NetFlow for network visibility, or PowerShell script block logging for endpoint visibility into encoded or obfuscated commands).
  • Document each source (location, owner, retention, fields) so analysts can pivot between sources and triage incidents quickly.


4. Test

  • Quantity of coverage: how many of your critical assets actually have a data source collected from them?
  • Quality of coverage: for each requirement, are the logs complete, correctly configured, and retained long enough to answer the question during an investigation?
  • Adjust priorities based on the findings, whether that means investing in better logging, extending retention, or refining the collection scope.


5. Update the Collection Plan

  • New threats, technologies, or business processes will arise. Revisit requirements regularly.
  • Prune or expand the CMF as necessary. Split large CMFs into multiple, focused ones (e.g., one for IR, one for threat hunting).
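The collection plan, implementation record and test phase above all revolve around the same artifact: a table of requirements mapped to data sources, each with its location, retention and fields. The following is an added example (not code from the article, Dragos or Kraven Security) that models that table in Python and runs the two "Test" questions over it. All sources, asset groups, locations, retention values and analytic questions are constructed sample data; the MITRE ATT&CK technique IDs are real IDs used only to illustrate the mapping.

```python
"""
Minimal Collection Management Framework (CMF) model with coverage checks.

Added example: a CMF is modelled as a list of data sources and a list of
collection requirements. Two checks answer the "Test" phase questions:
  - quantity of coverage: critical asset groups no source is collected from
  - quality of coverage: requirements that are unmet, or only met by a source
    whose retention is shorter than the requirement needs
A third helper renders the analyst-facing "where do I look" sheet.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataSource:
    name: str
    location: str            # where an analyst queries it (index, path, console)
    retention_days: int
    assets: frozenset        # asset groups this source is actually collected from
    fields: frozenset        # event fields / types the source provides


@dataclass(frozen=True)
class Requirement:
    question: str            # the analytic question the SOC must be able to answer
    technique: str           # MITRE ATT&CK technique ID the question maps to
    needed_fields: frozenset
    min_retention_days: int  # how far back an investigation must be able to look
    assets: frozenset        # asset groups the question is asked about


def sources_for(req, sources, asset):
    """Sources collected from `asset` that carry every field the requirement needs."""
    return [s for s in sources if asset in s.assets and req.needed_fields <= s.fields]


def quantity_of_coverage(sources, critical_assets):
    """Critical asset groups with no data source collected from them at all."""
    covered = set()
    for s in sources:
        covered |= s.assets
    return sorted(set(critical_assets) - covered)


def quality_of_coverage(sources, requirements):
    """Map each requirement to 'met', 'short-retention' or 'unmet'.

    A requirement over several asset groups gets the worst status found
    across those groups, so a single uncovered group surfaces as a gap.
    """
    rank = {"met": 0, "short-retention": 1, "unmet": 2}
    result = {}
    for req in requirements:
        worst = "met"
        for asset in req.assets:
            candidates = sources_for(req, sources, asset)
            if not candidates:
                status = "unmet"
            elif max(s.retention_days for s in candidates) < req.min_retention_days:
                status = "short-retention"
            else:
                status = "met"
            if rank[status] > rank[worst]:
                worst = status
        result[req.question] = worst
    return result


def pivot_sheet(sources, requirements):
    """Analyst blueprint: question -> ATT&CK technique and the sources to query."""
    sheet = {}
    for req in requirements:
        locs = sorted({(s.name, s.location)
                       for a in req.assets for s in sources_for(req, sources, a)})
        sheet[req.question] = {"technique": req.technique, "sources": locs}
    return sheet


# Constructed sample CMF (not a real environment). Locations are illustrative.
SOURCES = [
    DataSource("web-proxy-logs", "siem:index=proxy", 90,
               frozenset({"web-tier"}), frozenset({"url", "user_agent", "client_ip"})),
    DataSource("windows-security", "siem:index=winevent", 30,
               frozenset({"workstations", "domain-controllers"}),
               frozenset({"event_id", "logon_type", "account"})),
    DataSource("powershell-scriptblock", "siem:index=winevent", 14,
               frozenset({"workstations"}), frozenset({"script_block_text", "host"})),
    DataSource("netflow", "flow-collector:/var/lib/nfdump", 180,
               frozenset({"web-tier", "workstations"}),
               frozenset({"src_ip", "dst_ip", "dst_port", "bytes"})),
]
CRITICAL_ASSETS = {"web-tier", "workstations", "domain-controllers", "ot-historian"}
REQUIREMENTS = [
    Requirement("Was a Log4j exploitation string delivered to the web tier?", "T1190",
                frozenset({"url", "user_agent"}), 90, frozenset({"web-tier"})),
    Requirement("Did an attacker run encoded PowerShell on a workstation?", "T1059.001",
                frozenset({"script_block_text"}), 30, frozenset({"workstations"})),
    Requirement("Was there a pass-the-hash logon to a domain controller?", "T1550.002",
                frozenset({"event_id", "logon_type", "account"}), 30,
                frozenset({"domain-controllers"})),
    Requirement("Did the OT historian beacon to an unknown external host?", "T1071",
                frozenset({"src_ip", "dst_ip", "dst_port"}), 60, frozenset({"ot-historian"})),
]

if __name__ == "__main__":
    print("Uncovered critical assets:", quantity_of_coverage(SOURCES, CRITICAL_ASSETS))
    for question, status in quality_of_coverage(SOURCES, REQUIREMENTS).items():
        print(f"[{status:15}] {question}")
    for question, entry in pivot_sheet(SOURCES, REQUIREMENTS).items():
        print(entry["technique"], "->", entry["sources"])
```

Run against the sample data, the quantity check reports the OT historian as uncovered, and the quality check flags the PowerShell requirement as short-retention (script block logs kept 14 days against a 30-day need) and the historian beaconing requirement as unmet, which is exactly the kind of finding phase 4 feeds back into phase 5. Swapping the sample lists for an export of your own spreadsheet or knowledge base is the only change needed to run it for real.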


A Collection Management Framework is the backbone of any modern SOC or threat intelligence function. It systematically reduces blind spots, accelerates response times, and clarifies how well you’re prepared against the latest (and future) threats.


If you’ve been operating without a CMF (or ignoring the one you built years ago), now is the time to dust it off, refine it, and harness its full potential. Think of it as turning on the lights in a dark alley—you’ll see exactly where your defenses stand, where you need to invest, and how to keep pace with ever-evolving risks.


Stay safe, stay vigilant, and never stop improving that collection strategy.


References:

  1. Dragos, Collection Management Frameworks: Beyond Asset Inventories for Preparing for and Responding to Cyber Threats: https://www.dragos.com/resources/whitepaper/collection-management-frameworks-beyond-asset-inventories-for-preparing-for-and-responding-to-cyber-threats/
  2. Kraven Security, Collection Management Framework Templates (+FREE Download): https://kravensecurity.com/collection-management-framework-template/

More articles by Omar Tarek Zayed