Monday, October 28, 2013

Technologies used in a SOC with costs and 2013 Gartner magic quadrants

A blog reader asked me what kind of technologies you need to provide managed security services, so here I am. To help you with the choice and analysis, I will link the Gartner quadrant for every technology (when available). Of course, the quadrant is only an aid to your analysis, since it is just Gartner's point of view. Also, the "costs" are absolutely not precise; they are only meant to give you an idea of what you will need to invest.

Security Device Management

To provide an SDM service you basically need two technologies:

  • Monitoring, to detect hardware or software faults and track performance (e.g. CPU and memory usage, storage capacity, etc.). There are many tools for this, some free and some not. A good example is Cacti.
  • Management console, to manage the technologies. Usually every vendor has its own management console. So, to manage FortiGate appliances, for example, you need the Fortinet management console; for Stonesoft, the SMC (Stonesoft Management Console); etc.

There are no magic quadrants for monitoring and management consoles, but there are magic quadrants for UTM and Enterprise Network Firewalls. These quadrants will help you choose which technologies to offer your customers, because you can't manage EVERY technology: each one requires specific knowledge and certifications, and supporting only a few technologies helps you industrialize your processes and procedures.

Gartner's 2013 Magic Quadrant Report for Unified Threat Management (UTM)

Gartner's 2013 Magic Quadrant Report for Enterprise Network Firewalls

Costs of the technologies:

  • Monitoring: from 0 up to 100k€, depending on whether the tool is free or commercial and on how many nodes you want to monitor.
  • Management: from 0 to 100k€ for every vendor. Some vendors offer it for free, others charge a license fee.

Log Management & Correlation

To provide this service you need a log collection technology; some of these technologies also support correlation between events.

2013 Magic Quadrant for SIEM (Security Information and Event Management)


  • Log Management, from 0 up to 100k€, depending on how many eps (events per second) you need to receive and need to store.
  • Log Management & Correlation: SIEMs are very expensive; for 30.000 eps you will need somewhere between 200k€ and 500k€.

Security Assessment

  • Vulnerability Assessment: for this service you will need a vulnerability assessment tool. There are many with very similar functions. Some have fewer false positives, some have more, but usually they are very similar (some vendors will kill me if they read this! hehe). In general, I think it's really better to focus on "easy to understand" reports than on the ability to find 1-2 more vulnerabilities.
  • Penetration Test: for this you will need an exploitation framework, used for penetration tests, web application assessments, etc. (there are free ones like Metasploit and commercial ones like Core Impact).

Gartner 2013 "Marketscope for Vulnerability Assessment tools"


  • Vulnerability assessment, between 100 and 200k€.
  • Exploitation framework, from 0 to 100k€
  • Other tools used in PT, from 0 to 20/30k€

Early Warning

There is not really a technology to provide this service; you have to build one yourself. When you start with a few customers, you can easily do it "by hand"; when you reach 10/15 customers, things become more difficult and you will need to build a custom technology.

DDoS Mitigation

To provide a DDoS mitigation service you will need a traffic cleaning platform, aka a "washing machine". As far as I know, there are just two main vendors: Radware and Arbor.


  • Between 100 and 200k€ for every traffic cleaning platform, able to clean 5-10GB/s of traffic

I hope you enjoyed this post and that it has been useful for your work. If you have any questions or want to suggest a new blog post, please write to me by email or in the comments.
Thanks for reading this.