KuppingerCole Report
Architecture Blueprint
By Paul Simmonds

Architecting your Security Operations Centre

A security operations centre (SOC) is a dedicated team, usually operating 24x365, to detect and respond to cybersecurity incidents within your organisation that potentially affect your people and systems. Architecting your SOC properly in terms of technology, processes, people and a close coupling with the organisation is critical if you are to achieve value from implementing a SOC within your organisation.

1 Summary

Architecting and implementing a Security Operations Centre (or SOC for short) for today’s threat environment is not easy. Modern businesses need the ...

2 Highlights

  • Architecting and implementing a SOC is not an easy task, with a SOC needing to be custom designed to be an integral part of the business.
  • Implemen ...

3 What is a SOC and why should you have one?

The need for a SOC can be unclear for many businesses, yet an imperative for others. However, the decision to build a SOC is an expensive commitment; ...

3.1 Why do you need a SOC?

Businesses are constantly being attacked, from random exploits that circulate on the Internet hoping to strike lucky, to the targeted attacks of organ ...

3.2 What is a SOC?

A SOC (security operations centre) is a dedicated team that monitors, assesses and proactively takes action on information security issues on an organ ...

3.3 Interfacing to other teams

A SOC will interface to a multitude of other teams and business processes.

  • The CISO & their security team (and may be a part of that team)
  • The s ...

4 Designing a SOC

Designing a SOC is not a stand-alone process, or one that can be outsourced (though expert guidance may be sought). It touches every part of the organ ...

4.1 The function of a modern SOC

The most effective SOC teams will secure and monitor the network’s perimeter, data, customers, and remote users so that the SOC can detect, analyse, ...

4.2 Starting the design process

The first step in the design process when building a SOC is threat modelling, and you should be able to answer the following questions:

  • What threats does my o ...

4.3 Feeding your SOC with data

Where will your information feeds come from? What inputs will you feed into your SOC?

Good data is the lifeblood of any SOC; data that is incompl ...

4.4 External data feeds

Monitoring your environment for anomalous activity assumes that you have seen it before and therefore know how to find this activity across your infra ...

4.5 Tools to detect and manage the threats

Within the SOC a number of tools to consume and analyse the data feeds will be required.

Technology to consume and store data sources

  • Network ac ...

5 Staffing a SOC

As in building any new team, the staff you select, together with the management hierarchy, will be key to developing a high performing SOC. Staffing a ...

5.1 The SOC Team - Roles and Responsibilities

A SOC and its security information and event management software (SIEM) is only useful if you have the people, processes and intelligence to maintain ...

5.2 Training

It’s really important that every analyst receives the same training experience and tools. This not only helps ensure consistency, but also a shared ...

5.3 Staffing an incident

Organisations can rarely fully meet the demands of a major incident using solely the SOC teams. It is important to plan for and understand how you wil ...

5.4 Finding the right skills

Good staff are a rare commodity and often need a range of other skills in addition to their technical ability; depending on your business you may need ...

5.5 Languages

When working globally, correct language recognition and usage can be critical. When resourcing a SOC or multiple SOCs, understanding which languages n ...

6 SOC Tools & Processes

The availability of specific tools and functions in a SOC can vary dramatically depending on the platforms and technologies used to power it. Discussi ...

6.1 Dashboards

A tool that offers dashboarding will provide visibility into teams and ticket activity everywhere. Dashboards are very effective at helping everyone s ...

6.2 Collaboration tools

Teams in different time zones or remote areas will rely on collaboration tools for quick discussions and handoffs. Tools like Slack, Google Hangouts o ...

6.3 Daily handoffs

Issues must be passed on to other shifts for continued attention when one shift ends and another begins, or handed off to other SOCs in a follow-the-s ...

6.4 Things to think about when selecting tools for your SOC

Start any tool selection by looking at what is already in use within your organisation. Look at its suitability for re-use into the SOC environment, a ...

7 Budgeting for a SOC

Building and resourcing a SOC is not cheap! Having just one staff member available 24x365 takes five people (3 x 8-hour shifts, then factor in holiday ...

7.1 Budgeting for a small or basic SOC

A small, simple SOC budget could consist of the following items:

Initial Costs

  • Building work to create/modify premises
  • Software initial purcha ...

7.2 Can I combine it with other organisation functions?

When planning a SOC you should look at the other teams and processes that your organisation uses, with the aim of combining facilities, simplifyi ...

7.3 Can I outsource the SOC?

For a smaller organisation, outsourcing a SOC may seem an attractive proposition, especially if there is minimal budget or little management appe ...

8 Maintaining and evolving your SOC

Implementing a SOC together with the staff, tools, wider technical and physical infrastructure will be challenging; however, ongoing maintenance and e ...

8.1 Management Metrics

Good metrics should be planned in from the start; a SOC is expensive to build and run, and so the ability to prove your worth to the organisation is k ...

8.2 Key performance indicators (KPIs)

KPIs can inform both the SOC staff and senior management of the SOC's effectiveness and improvement over time. SOC metrics typically include the fo ...

8.3 Board-level reporting

Remember that however pretty your “management” dashboard is, the board will not be interested in it! Board-level metrics must be specifically tail ...

8.4 Staying relevant

Security technology and threats move at an alarming pace! It is important to stay current with technology and be on top of emerging threats. This is a ...

8.5 Communicating laterally as well as vertically

SOCs are all affected by external resource constraints. Most organisations score poorly when it comes to keeping up with system patches, and even wors ...

8.6 Senior Leadership

Your SOC and its management need clear support and sponsorship from the board so it is empowered to act when an incident happens.

Local management m ...

9 Why SOCs fail (or fail to deliver ROI)

Implementing a SOC is a large financial and operational commitment; and with pressures on all business budgets the SOC, as a “below-the-line” cost ...

9.1 Understanding why SOCs fail or underperform

A SOC is a major investment in people, technology, time and money; therefore, it is important to understand some of the reasons why a SOC may not deli ...

9.2 Questions to ask yourself

No SOC has unlimited resources. In fact, most are understaffed and spend their time catching up with their workload. The noise-to-signal ratio is simp ...

10 Recommendations

Implementing a SOC is expensive and therefore should not be entered into without a great deal of thought and planning. Even a basic SOC has the potent ...

10.1 Summary Recommendations

Before you start, understand the potential threat (and associated cost) faced by the business that a SOC may potentially mitigate.
Pe ...

©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.