MaGMa, a security incident management framework proposal

04 October,2021 - BY admin

MaGMa, a security incident management framework proposal

As the need for security incident management has grown, the responsibility has gone from partial dedications of IT managers or Sysadmins to the most evolved form of the SOC or Security Operation Center, dedicated departments, many times externalized, that handle all the related activities. In this situation, it has become necessary to organize the way the environment is handled. Although this is true for traditional cybersecurity management systems, in industrial environments as envisioned in the ODIN project, require a more structured approach that help define how cybersecurity should be treated.

This is where a security management framework makes its appearance as a way of organizing the security operations. One of these frameworks is the MaGMa[1] Use Case Framework, created collaboratively by several Dutch financial institutions.



The main element of the security management is the usecase, which MaGMa defines as “a security monitoring scenario that is aimed at the detection of manifestations of a cyber threat”. As we see, the emphasis on the monitoring scenario indicates that the focus will be in the detect phase of the NIST cybersecurity framework[2]. The usecases are subdivided in three levels, from the top Business layer, describing how it is connected to the organizational needs, Threat layer, describing how the usecase can be menaced and the low-level Implementation layer where the technical and operational aspects of the architecture are described. The threats are also divided in three levels of detail, from higher L1, L2 (both being part of the Threat/tactical layer) and the actual monitoring rules covered in the L3 level, based on the MITRE ATT&CK Matrix for Enterprise [3]. This structure is the way of linking a top-level business view to a low-level technical asset or operation.

The key at this point is to identify and create the correct use cases that help industry to operate with an adequate cybersecurity monitoring strategy.



In order to approach the real live of an environment, the framework implementation will have to go through a lifecycle process of four phases:

  • Onboarding, covering the planning and building of new usecases. It should implicate all stakeholders and document the usecase, planning and operationalizing it.
  • Operational, where all the elements are running as part of the day-to-day work.
  • Maintenance, evolving the platform, both by environmental or operational changes.
  • Offloading, to manage the decommission of a usecase.

All the processes should be measured by the appropriate metrics at different levels.

The creation of the MaGMa framework came from the initiative of a group of experienced organizations. To achieve the success in the management they identified some best practices that should be considered:

  • Challenge the customer. Help the specific department requesting the service to accurately define the risks and procedures.
  • Make sure incident response is known beforehand.
  • Obtain required mandate for incident response.
  • Use playbooks for security incident response.
  • Always evaluate incident response.
  • Provide sufficient context for security monitoring.
  • Use a grace period
  • Be vigilant about false positives
  • Go beyond detection and response where possible
  • Support risk management process
  • Have the framework audited or reviewed



Comments (0)

Get the latest news on ODIN right to your inbox!

Newsletter Permission: The ODIN project will use the information you provide in this form to be in touch with you and to provide updates and news. Please let us know if you would like to hear from us:
ODIN newsletter: You can change your mind at any time by contacting us at We will not distribute your email address to any party at any time.