Monday, July 22, 2013

Service-level agreement of a SOC

From Wikipedia: "A service-level agreement (SLA) is a part of a service contract where a service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time (of the service or performance)”.

Usually, when you speak about an SLA in a SOC, you mean the maximum time it may take to do something. To be clear, I will list the SLAs normally used in a SOC for each service usually provided. Some SLAs are normally shared with the customers; others are "internal" SLAs that you will normally not share with SOC customers.
I would be happy to listen to your SLAs, so feel free to comment!

Common SLAs
These SLAs apply to every service, but their values can vary from service to service.

· Maximum days to activate a new customer
· Maximum days to deactivate a customer (internal)
· Coverage (24x7, 5x8 Mon-Fri, etc.)
· Reporting (on request, automatic, etc.)

SDM (Security Device Management)

1) Change Management

· Max minutes to start working a request from the customer
· Max minutes to apply a change requested by a customer
· Max minutes to apply a rollback (this could be seen as a change)

2) Fault Management

· Max minutes between the hardware fault and the ticket being opened
· Max hours needed to replace hardware declared as damaged

DDoS Mitigation

· Max minutes between the start of the attack and the ticket being opened
· Max minutes between the ticket being opened and the customer contact (phone call, email, etc.)
· Max minutes between the customer's request to apply a mitigation rule and its activation

Note that in this service there is no way to have an SLA for the problem being solved, because there is no way you can be sure to stop an attack within a given period of time.

Log Management
This service could, in some way, be seen as device management (sometimes you have to manage the log collectors, other times the virtual machine or virtual appliance used to collect the data, etc.). Additional SLAs can be:

· Max minutes between the time you stopped receiving logs from a log source and the time you open a ticket
· Max minutes between the time you opened the ticket and the time you start working the ticket
· Max minutes between the time you started working the ticket and the time you solved the problem
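As an added example (not part of the original post), the following Python script measures the three log-management SLAs above against a ticket's timestamps, counting only the minutes that fall inside the contracted coverage window (24x7 or 5x8 Mon-Fri, from the Common SLAs). The SLA thresholds, the coverage hours and the ticket timestamps are constructed assumptions; the post itself gives no values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Coverage:
    """Service coverage: weekdays (0=Mon) and daily window [start_hour, end_hour)."""
    days: frozenset
    start_hour: int
    end_hour: int


H24 = Coverage(frozenset(range(7)), 0, 24)        # 24x7 coverage
MON_FRI_8 = Coverage(frozenset(range(5)), 9, 17)  # 5x8 Mon-Fri, 09:00-17:00 (assumed hours)


def covered_minutes(start, end, cov):
    """Minutes between start and end that fall inside the coverage window."""
    total = 0.0
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while day < end:
        if day.weekday() in cov.days:
            lo = max(start, day + timedelta(hours=cov.start_hour))
            hi = min(end, day + timedelta(hours=cov.end_hour))
            if hi > lo:
                total += (hi - lo).total_seconds() / 60
        day += timedelta(days=1)
    return int(total)


# (stage, start timestamp key, end timestamp key, assumed max minutes)
LOG_MGMT_STAGES = (
    ("detect_to_ticket", "logs_stopped", "ticket_opened", 30),
    ("ticket_to_work", "ticket_opened", "work_started", 15),
    ("work_to_solved", "work_started", "solved", 240),
)


def evaluate_ticket(ticket, cov):
    """Return {stage: (covered minutes, within SLA)} for one log-management ticket."""
    result = {}
    for stage, start_key, end_key, max_minutes in LOG_MGMT_STAGES:
        elapsed = covered_minutes(ticket[start_key], ticket[end_key], cov)
        result[stage] = (elapsed, elapsed <= max_minutes)
    return result


# Constructed sample ticket: a log source went silent late on a Friday afternoon.
SAMPLE_TICKET = {
    "logs_stopped": datetime(2013, 7, 19, 16, 40),
    "ticket_opened": datetime(2013, 7, 22, 9, 25),
    "work_started": datetime(2013, 7, 22, 9, 35),
    "solved": datetime(2013, 7, 22, 12, 35),
}

if __name__ == "__main__":
    for name, cov in (("24x7", H24), ("5x8 Mon-Fri", MON_FRI_8)):
        print(name, evaluate_ticket(SAMPLE_TICKET, cov))
```

With 5x8 coverage the same ticket breaches only the detection stage (45 covered minutes against a 30-minute maximum), whereas under 24x7 coverage the whole weekend counts and the breach is far larger.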

Security Assessment (Vulnerability Assessment, Penetration Test, etc.)
It is quite difficult to establish SLAs for these services, but some ideas could be:

· Max days between the customer signing the contract and the time the company is able to provide the service (sometimes the team is busy with other activities, has a tight schedule, etc.) (internal)
· Max days between the end of the activity and the delivery of the activity report

Thank you so much for reading this post and remember that comments are really appreciated.
