Useful certifications for SOC people

According to me, the most important certifications useful for a SOC analysts are the vendor specific.
But of course there are other certifications that could be useful in a SOC environment. This is a short list (prices, when available, included).

Technical certifications

This first group of certifications is more useful for analysts and technical people.

CEH (Certified Ethical Hacker). Course + Exam: 2895$.
CGIH (Certified GIAC Incident Handler). Course and certifications: Corso + Esame 3500$
OSCP (Offensive Security Certified Professional). Course + exam 4000$
ISECOM OPST (Open Source Security tester). I could not find any info regarding the price.
ISECOM OPSA (Open Source Security Analyst). I could not find any info regarding the price.

Less-technical (but still useful!) certifications

This second group of certifications is more useful for analyst coordinators or SOC managers.

CISM (Certified Information Security Manager) - Exam cost 500€. Course cost ~800€ (in Italy).
CISSP (Certified Information Systems Security Professional) - Exam cost: ~500€.
ISO27001 Lead Auditor Exam + course cost  ~1800€.
PMP (Project Manager Professional) Exam cost 340€ for PMI members (129$ needed to be PMI member) or 465€ for not PMI members. Course cost: 3K€.
ITIL v3 foundations. Exam cost: ~150€
CISA (Certified Information System Auditor) Exam Cost 500€. Course cost ~800€.

Start up project of a Security Operations Center for a MSSP

In the first post I will describe the typical startup project of a Security Operations Center (SOC) for a Managed Security Service Provider (MSSP).
Probably it could also be useful for a generic startup of a market oriented technical structure.
Please feel free to send me suggestions to integrate it.

Start up project of a Security Operations Center for a Managed Security Service Provider

Phase 1 - Predesign

• Certifications useful for the design

Some certifications could be very useful during the design phase. You will be able to save a lot of time and money and avoid the most common mistakes. Some examples: ITIL, ISO27001, PMP, etc

In general, you should never forget that "following a well known best practice" it's the best answer to the question "why are you doing it in this way?".

• Security services market analysis

You are market driven. You should never forget this. You have to implement services required by the market. You are not a scientist, you are not a researcher, you are working for the market. A good example of market analysis (easy to find on the web) are the GARTNER magic quadrants.

• Interview people involved into the market

To better understand the situation of Managed Security Services in your country you should try to interview as much people involved in the market as you can. Try to read specific LinkedIN groups, phone friends, talk to the well-known market players.

• Build up the design team

Build up the design team. The members should be from both inside and outside the organization. If you have the occasion, involve marketing people, pre-sales and NOC etc. Marketing and pre-sales will help you to push on sales while NOC people could help you to solve know issues and bureaucracy issues inside the organizations. The more (but not too much) people you involved in the design, the more they will push the project inside the organization and to the market.

• Visit other Security Operations Centers

If possible, try to visit other SOCs. Try to understand how they work (or they should work).

• Study competitors

Try to understand which services do they manage, which they do not manage, why, the lacks, deficiencies and possible improvement, the prices and the offering models.

• Budget

Understand how much resources you will have, what kind of technologies will you be able to implement (a SIEM for example is very expensive) and if you will be able to acquire the know-how.

• Timing

The organization will give you a goal in terms of timing. In the best case, you will be able to negotiate it. In the worst case, the goal will be fixed. Will you have enough time to startup the SOC and implement the services?


Phase 2 - Design

• Decide the services to implement

Decide the services to implement basing your decision on the market analysis, budget, timing, etc.

• Design services

Finally design how the services should work.

• Technologies choice

You will need to choose which technologies will you manage and sell.
A good methodology to choose could be: market analysis, create a short list of vendor, PoC (Proof of Concept), evaluation, choice.

• Define KPI/KPO

For the government of a SOC it’s very important to define the Key Performance Indicators and Key Performance Objectives.

• Facilities

From the facilities point of view, you will need a room with restricted access, computers & phone (with headset) for your analyst, a videowall (actually it’s not really useful but it’s what customer really want to see). Last but not least, the network of the SOC should be segregated by a firewall (and IPS) from the rest of the company network.

• Sharing people between services

Try to figure out what kind of saving you can implement sharing people between SOC services or with other structures (for example with NOC).

• Plan a marketing strategy

Contact the marketing department (one member of your design team should be from marketing) and plan a marketing strategy.


Phase 3 - Implementation

• Write down processes and procedures

Definitely involve the technical people (if possible, let them write it) in the writing of technical procedures (you will have to review it, of course), while let processes be written by people who is already aware of the organization’s internal processes and bureaucracy.

• Acquire the know-how

To acquire the know-how you can: hire people (consultants or employees) or take some courses/certifications.

• Implement the technologies

Implement the technologies you choose in the design phase.

• Create a security culture in sales people

Make sales people aware of the new services. Organize meetings, prepare easy to digest powerpoints.

• Implement a lab environment

You will need a test environment for the new configurations, new technologies, PoC, etc.

• Start the marketing strategy

Start the marketing strategy.

• Apply KPI/KPO

KPI and KPO should be applied to your everyday work.


Phase 4 - Improvement

• Evaluate useful SOC certifications

Some certifications are required by RFPs (Request For Proposal) for example the ISO27001 is often required.

• Evaluate useful SOC team certifications

Some will be required by RFP, others will be useful during troubleshooting.
A short list of useful certifications as an example: GIAC, CISM, Security+, vendor specific, CCNA, CISSP, ITIL, etc.

• Keep you and the your team updated about security news

Read everyday the most important sources of IT Security / hacking news like: dark reading, twitter, linkedin groups and status update, etc.

• Let the market be aware of you

Organize meetings, take part to conferences, use linkedin, twitter, a blog and any other instrument to let other people understand you are an important and aware player.

• Let the management be aware of you

Never forget you are part of a bigger organization. Your management should always be aware of what you are doing and about your results. Organize periodical presentations.

• Scouting of new security services required by the market

It’s very important to never stop speaking with customers, reading market analysis, etc to understand where the market is going and intercept the customers needs.

• Periodical upgrade of technologies

At least every year you should check if the technologies you are selling (UTM, proxy, IPS etc) and you are using (management, ticketing, etc) are the state of art. Otherwise you should.

• KPI/KPO monitoring

Key Performance Indicator and Key Performance Objectives will be the thermometer of your work. If you choose the right KPI/KPO they will help you to understand if you are working well or not, if you can do better or not. If you are working too much or you can work more.  

New work...and new blog!

As some of you could know, I have a new work.

Actually I am employed as manager for a MSSP and Telco and I'm busy building up and running a SOC (Security Operations Center).

This is my 3rd experience in a SOC startup and the reason of this blog is to try to write down some notes, to not forget the most important things and maybe help some of you.