Friday, August 24, 2012

Start up project of a Security Operations Center for a MSSP

In the first post I will describe the typical startup project of a Security Operations Center (SOC) for a Managed Security Service Provider (MSSP).
Probably it could also be useful for a generic startup of a market oriented technical structure.
Please feel free to send me suggestions to integrate it.

Start up project of a Security Operations Center for a Managed Security Service Provider

Phase 1 - Predesign

  • Certifications useful for the design
Some certifications could be very useful during the design phase. You will be able to save a lot of time and money and avoid the most common mistakes. Some examples: ITIL, ISO27001, PMP, etc
In general, you should never forget that "following a well known best practice" it's the best answer to the question "why are you doing it in this way?".

  • Security services market analysis
You are market driven. You should never forget this. You have to implement services required by the market. You are not a scientist, you are not a researcher, you are working for the market. A good example of market analysis (easy to find on the web) are the GARTNER magic quadrants.

  • Interview people involved into the market
To better understand the situation of Managed Security Services in your country you should try to interview as much people involved in the market as you can. Try to read specific LinkedIN groups, phone friends, talk to the well-known market players.

  • Build up the design team
Build up the design team. The members should be from both inside and outside the organization. If you have the occasion, involve marketing people, pre-sales and NOC etc. Marketing and pre-sales will help you to push on sales while NOC people could help you to solve know issues and bureaucracy issues inside the organizations. The more (but not too much) people you involved in the design, the more they will push the project inside the organization and to the market.

  • Visit other Security Operations Centers
If possible, try to visit other SOCs. Try to understand how they work (or they should work).

  • Study competitors
Try to understand which services do they manage, which they do not manage, why, the lacks, deficiencies and possible improvement, the prices and the offering models.

  • Budget
Understand how much resources you will have, what kind of technologies will you be able to implement (a SIEM for example is very expensive) and if you will be able to acquire the know-how.

  • Timing
The organization will give you a goal in terms of timing. In the best case, you will be able to negotiate it. In the worst case, the goal will be fixed. Will you have enough time to startup the SOC and implement the services?

Phase 2 - Design

  • Decide the services to implement
Decide the services to implement basing your decision on the market analysis, budget, timing, etc.

  • Design services
Finally design how the services should work.

  • Technologies choice
You will need to choose which technologies will you manage and sell.
A good methodology to choose could be: market analysis, create a short list of vendor, PoC (Proof of Concept), evaluation, choice.

  • Define KPI/KPO
For the government of a SOC it’s very important to define the Key Performance Indicators and Key Performance Objectives.

  • Facilities
From the facilities point of view, you will need a room with restricted access, computers & phone (with headset) for your analyst, a videowall (actually it’s not really useful but it’s what customer really want to see). Last but not least, the network of the SOC should be segregated by a firewall (and IPS) from the rest of the company network.

  • Sharing people between services
Try to figure out what kind of saving you can implement sharing people between SOC services or with other structures (for example with NOC).

  • Plan a marketing strategy
Contact the marketing department (one member of your design team should be from marketing) and plan a marketing strategy.

Phase 3 - Implementation

  • Write down processes and procedures
Definitely involve the technical people (if possible, let them write it) in the writing of technical procedures (you will have to review it, of course), while let processes be written by people who is already aware of the organization’s internal processes and bureaucracy.

  • Acquire the know-how
To acquire the know-how you can: hire people (consultants or employees) or take some courses/certifications.

  • Implement the technologies
Implement the technologies you choose in the design phase.

  • Create a security culture in sales people
Make sales people aware of the new services. Organize meetings, prepare easy to digest powerpoints.

  • Implement a lab environment
You will need a test environment for the new configurations, new technologies, PoC, etc.

  • Start the marketing strategy
Start the marketing strategy.

  • Apply KPI/KPO
KPI and KPO should be applied to your everyday work.

Phase 4 - Improvement

  • Evaluate useful SOC certifications
Some certifications are required by RFPs (Request For Proposal) for example the ISO27001 is often required.

  • Evaluate useful SOC team certifications
Some will be required by RFP, others will be useful during troubleshooting.
A short list of useful certifications as an example: GIAC, CISM, Security+, vendor specific, CCNA, CISSP, ITIL, etc.

  • Keep you and the your team updated about security news
Read everyday the most important sources of IT Security / hacking news like: dark reading, twitter, linkedin groups and status update, etc.

  • Let the market be aware of you
Organize meetings, take part to conferences, use linkedin, twitter, a blog and any other instrument to let other people understand you are an important and aware player.

  • Let the management be aware of you
Never forget you are part of a bigger organization. Your management should always be aware of what you are doing and about your results. Organize periodical presentations.

  • Scouting of new security services required by the market
It’s very important to never stop speaking with customers, reading market analysis, etc to understand where the market is going and intercept the customers needs.

  • Periodical upgrade of technologies
At least every year you should check if the technologies you are selling (UTM, proxy, IPS etc) and you are using (management, ticketing, etc) are the state of art. Otherwise you should.

  • KPI/KPO monitoring
Key Performance Indicator and Key Performance Objectives will be the thermometer of your work. If you choose the right KPI/KPO they will help you to understand if you are working well or not, if you can do better or not. If you are working too much or you can work more.  


  1. Nice and interesting post,I appreciate your hard work,keep uploading more, Thank you for sharing valuable information.
    dissertation writing service

  2. A firewall system is designed to prevent unauthorized access to or from a private network. You can implement a firewall in either hardware or software form, or a combination of both. Firewalls prevent unauthorized Internet users from accessing private networks connected to the internet, especially intranets. A firewall can help secure a network from both internal and external dangers. Firewall Security Services in Australia can help secure a network from potential attackers such as hackers.

  3. Nice article. thanks for share this post. i like your blog post. we also provide Soc Solutions Services. for more information visit on our website.