Threat Monitoring Model

Our client for this engagement was a globally respected Australian brand with a very large and complex technology environment. As a result, they are a very attractive target for cyber criminals.


One of the most challenging elements of any Security Operations Centre is identifying and then prioritising the monitoring that matters. Which data point, or combination of data points will alert you to a real world threat.

Our role

elevenM were asked to develop a model which defined the telemetry and data sources that helped the client monitor real threats. The key objective being that the client’s cyber defence team were able to prioritise efforts and activities which delivered the greatest level of threat mitigation.

What we did

In order to create the model elevenM carried out the following activities:

  • Understood the assets the client are trying to protect
  • Understood the attack surface they managed
  • Defined the threat actors the client faced including their capabilities and motivations
  • Understood the Tactics, Techniques and Procedures (TTPs) of those actors
  • Reviewed the telemetry against the TTPs
  • Defined which alerting from the telemetry actively alerted against those TTPs
  • Assigned a value to telemetry based on its ability to monitor different threats