Monday, October 28, 2013

Technologies used in a SOC with costs and 2013 Gartner magic quadrants

A blog reader asked me what kind of technologies you need to provide managed security services, so here I am. To help you with the choice and the analysis, I will link for every technology (when available) the Gartner Magic Quadrant. Of course the quadrant is just there to help your analysis, as it is only Gartner's point of view. Also, the "costs" are absolutely not precise; they are just there to give you a clue of how much you will need to invest.

Security Device Management

To provide an SDM service you basically need 2 technologies:

  • Monitoring, to monitor hardware or software faults and performance (for example CPU and memory usage, storage capacity, etc). There are many tools to do it, some free and some not. An example that works well is Cacti.
  • Management console, to manage the technologies. Usually every vendor has its own management console. So, to manage Fortigate appliances for example, you need the Fortinet management console, for Stonesoft the SMC (Stonesoft Management Console), etc.
There are no Magic Quadrants for monitoring and management consoles, but there are Magic Quadrants for UTM and Enterprise Network Firewalls. These quadrants will help you choose which technologies you want to offer to your customers, because you can't manage EVERY technology: each one needs specific knowledge and certifications, and having few technologies helps you industrialize the processes and procedures.

Gartner's 2013 Magic Quadrant Report for Unified Threat Management (UTM)

Gartner's 2013 Magic Quadrant Report for Enterprise Network Firewalls

Costs of the technologies:

  • Monitoring: from 0 up to 100k€, depending on whether it is free or commercial and how many nodes you want to monitor.
  • Management: from 0 to 100k€ for every vendor. Some vendors offer it for free, some others want a license fee.

Log Management & Correlation

To provide this service you need a log collection technology; some of these technologies support correlation between events too.

2013 Magic Quadrant for SIEM (Security Information and Event Management)


  • Log Management: from 0 up to 100k€, depending on how many eps (events per second) you need to receive and store.
  • Log Management & Correlation: SIEMs are very expensive; for 30.000 eps you will need something like between 200k€ and 500k€.

Security Assessment

  • Vulnerability Assessment: for this service you will need a vulnerability assessment tool; there are many with very similar functions. Some have fewer false positives, some have more, but usually they are very similar (some vendors will kill me if they read this! hehe). In general, I think it's really better to focus on "easy to understand" reports than on the ability to find 1-2 more vulnerabilities.
  • Penetration Test: for this you will need an exploitation framework, needed for penetration tests, web application assessments, etc (there are free ones like Metasploit and commercial ones like Core Impact).

Gartner 2013 "Marketscope for Vulnerability Assessment tools"


  • Vulnerability assessment: between 100 and 200k€.
  • Exploitation framework: from 0 to 100k€.
  • Other tools used in PT: from 0 to 20/30k€.

Early Warning

There is not really a technology to provide this service; you should build one yourself. When you start with a few customers you can easily do it "by hand"; when you reach 10/15 customers things become more difficult and you will need to build a custom technology.

DDoS Mitigation

To provide a DDoS mitigation service you will need a traffic cleaning platform, aka "washing machine". As far as I know there are just two main vendors: Radware and Arbor.


  • Between 100 and 200k€ for every traffic cleaning platform able to clean 5-10GB/s of traffic.

I hope you enjoyed this post and that it has been useful for your work. If you have any question or you want to suggest a new blog post, please write me by email or in the comments.
Thanks for reading this.

Monday, July 22, 2013

Service-level agreement of a SOC

From Wikipedia: "A service-level agreement (SLA) is a part of a service contract where a service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time (of the service or performance)".

Usually, when you speak about SLAs in a SOC, you mean how long (at most) it will take to do something. To be clear, I will list the normal SLAs used in a SOC for every service usually provided. Some SLAs are normally provided to the customers; others are "internal" SLAs that you will normally not share with SOC customers.
I would be happy to listen to your SLAs, so feel free to comment!

Common SLAs
These SLAs apply to every service but can vary from service to service.

  • Maximum days to activate a new customer
  • Maximum days to deactivate a customer (internal)
  • Coverage (h24, 5x8 Mon-Fri, etc)
  • Reporting (on request, automatic, etc)

SDM (Security Device Management)

1) Change Management

  • Max minutes to start working a request from the customer
  • Max minutes to apply a change requested by a customer
  • Max minutes to apply a rollback (could be seen as a change)

2) Fault Management
  • Max minutes passed between the hardware fault and the ticket being opened
  • Max hours needed to replace hardware declared as damaged

DDoS Mitigation

  • Max minutes passed between the start of the attack and the ticket being opened
  • Max minutes passed between the ticket being opened and the customer contact (phone call, email, etc)
  • Max minutes passed between the customer's request to apply a mitigation rule and its activation

Note that in this service there is no possibility of having an SLA for the problem being solved, because there is no way you can be sure to stop an attack within a certain period of time.

Log Management
This service could in some way be seen as device management (sometimes you have to manage the log collectors, other times the virtual machine or virtual appliance used to collect the data, etc), so additional SLAs can be:

  • Max minutes passed between the time you stopped receiving logs from a log source and the time you open a ticket
  • Max minutes passed between the time you opened the ticket and the time you start working the ticket
  • Max minutes passed between the time you started working the ticket and the time you solved the problem
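As an added example (not code from the original post), here is a small Python script that does the two things the log management SLAs above require: detect a log source that has gone silent, and measure each consecutive interval of the resulting ticket timeline against a maximum in minutes. The source names, timestamps and SLA values are constructed for the example; the interval checker takes any ordered list of milestones, so it also fits the DDoS and change management SLAs listed on this page.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real SOC records): last event seen per log source,
# and the "current" time used for the silence check.
LAST_EVENT = {
    "fw-customer-a": datetime(2013, 7, 22, 9, 58),
    "proxy-customer-a": datetime(2013, 7, 22, 8, 10),
    "ids-customer-b": datetime(2013, 7, 22, 9, 59),
}
NOW = datetime(2013, 7, 22, 10, 0)

# Constructed ticket timeline for the silent source, in the order the SLA
# bullets above measure it: logs stopped -> ticket opened -> work started -> solved.
TIMELINE = [
    ("logs_stopped", datetime(2013, 7, 22, 8, 10)),
    ("ticket_opened", datetime(2013, 7, 22, 8, 35)),
    ("work_started", datetime(2013, 7, 22, 8, 55)),
    ("solved", datetime(2013, 7, 22, 9, 40)),
]

# Hypothetical SLA values in minutes, keyed by the milestone that ends each interval.
SLA_MINUTES = {"ticket_opened": 30, "work_started": 15, "solved": 60}


def silent_sources(last_event, now, threshold=timedelta(minutes=20)):
    """Return {source: minutes_silent} for every source with no event inside the threshold."""
    return {
        src: int((now - ts).total_seconds() // 60)
        for src, ts in last_event.items()
        if now - ts > threshold
    }


def sla_check(timeline, sla):
    """Measure each consecutive interval of the timeline in minutes and flag SLA breaches.

    Works for any ordered milestone list (e.g. DDoS: attack start -> ticket -> contact)."""
    report = {}
    for (_, start), (name, end) in zip(timeline, timeline[1:]):
        if end < start:
            raise ValueError(f"milestone {name} precedes the previous one")
        minutes = (end - start).total_seconds() / 60
        report[name] = {"minutes": int(minutes), "breached": minutes > sla[name]}
    return report


if __name__ == "__main__":
    print("silent sources:", silent_sources(LAST_EVENT, NOW))
    print("SLA report:", sla_check(TIMELINE, SLA_MINUTES))
```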

Security Assessment (Vulnerability Assessment, Penetration Test, etc)
It's quite difficult to establish SLAs for these services, but some ideas could be:

  • Max days passed between the customer signing the contract and the time the company is able to provide the service (sometimes the group is busy with other activities, has a tight schedule, etc) (internal)
  • Max days passed between the end of the activity and the delivery of the activity report

Thank you so much for reading this post and remember that comments are really appreciated.

Saturday, January 12, 2013

How to pick the best MSSP for your SMB

A very nice article has been published by Dark Reading about "how to pick the best MSSP for your SMB". The article is by Ericka Chickowski, and you can read it here.

Obviously, if you are starting up a SOC for an MSSP, you should check what you can do to improve your chances of being chosen by SMBs.

Enjoy the article!