Cost breakdown to build a Security Operation Center

COBOL_DOS_ERA

Guys, those who are managing SOC/NOC and or have had experience building a SOC/NOC from cradle to grave could please let me know how much was your initial cost for setting up the SOC.  I would appreciate if anyone could provide me with a details cost break down of the SOC or could provide me with a sample response to any RFP describing the setting up a SOC with cost, labor, education, etc. Breakdown.

The company that I’m working for has never taken this kind of initiative but is looking to bid on a contract to build a combined NOC/SOC in the middle east, and fortunately/unfortunately they asked me to look into this and create a report based on my research about this prospect. Any advice is welcome, and thank you all for your advice.

paul78

Alienvault has some decent advice here - https://www.alienvault.com/resource-center/ebook/building-a-soc

COBOL_DOS_ERA

Thank you, Paul, I'm actually using Alienvault's ebook and few other as my guideline, and also thinking about using their USM application as a primary SOC tool. My biggest problem is not having a cost breakdown structure for year one or two. My initial research says that for the year one, I'm looking at 600K to 1Million onwards depending on the logistics.

paul78

You're welcome. Besides the tooling and facilities - you kinda also have to factor in how you plan to do investigations and if you also need eyes-on-glass depending on your environment. You could consider starting with an external SOC although I'm told by colleagues in industry that they have had to adjust their expectations on those kinds of services and its best to NOT rely on them for triage support.

Generally speaking - headcount is likely to be your biggest cost.

Blucodex

promethuschow said:

Thank you, Paul, I'm actually using Alienvault's ebook and few other as my guideline, and also thinking about using their USM application as a primary SOC tool. My biggest problem is not having a cost breakdown structure for year one or two. My initial research says that for the year one, I'm looking at 600K to 1Million onwards depending on the logistics.

This figure sounds extremely low to me.  Especially if you plan to use any commercial tooling.  Also very dependent on current security architecture is already in place.

Building a SIEM and staff... maybe not too bad.  Need to build out infrastructure?  Could easily be 10-100m+ depending on size.

COBOL_DOS_ERA

@Bluecodex thank you for your feedback. As you pointed out " Building a SIEM and staff... maybe not too bad.  Need to build out infrastructure?  Could easily be 10-100m+ depending on size."  See my dilemma with the cost. I'm more inclined with building the SIEM and the staff and hoping the budget is around $10 Mil or more.  Since this is the first of a kind for this country's said first initiatives of this kind.

JDMurray

The first thing you need to spec-out is the scope of what functions are covered in the SOC's budget. In a smaller organization, the SOC may be responsible for the planning and engineering of security appliances, such as SIEM, WAF, IDP, EPS, etc. In a large enterprise, the SOC would only monitor data from security appliances (i.e., syslog, Netflow, packet caps) and may not own or even control the SIEM instance(s) it uses.

What are the customer requirements? What is in your Statment of Work?

FluffyBunny

The company that I’m working for has never taken this kind of initiative but is looking to bid on a contract to build a combined NOC/SOC

I'd suggest you guys try to hire a few experienced people asap. 

I have worked on a similar project, in a similar situation and we found that we were greatly delayed by a lack of in-house experience. This was compounded by what you are currently illustrating: without experience, you have no clue how to budget the project. The same happened to us: consulting rates as well as hard/software purchases were much higher than expected and even the annual CTO was underestimated. 

For your specific situation, here's a few pointers.

• You're designing, building and operating a complex system. It consists of server hardware, server software, workstations and workstation software.
• This complex system needs to inter-operate with the client's other IT systems. You will need to determine the exact interactions required and how you should implement these. Think: IAM, RBAC, storage, but also data flows.
• This complex system is not something you "fire and forget". You don't manually build a few boxen, put them on a desk/cabinet and never touch them again. You will need to be able to REbuild them, to back them up, to restore them, to manage them, to patch them. Does the client already have systems that you can build upon? 
• The front-office part of the NOC/SOC will require a lot of TLC: tender loving care. You're building a working environment for people who will have a strenuous job! It's not simply a matter of putting Windows PCs with a browser on there! You have to either make use of the client's existing working environment (if you're lucky) or design and implement your own end-user environment.
• I've already mentioned this: data flows. Does the client already have security software, a SIEM, alerting, monitoring etc and are you only building the front-office? Or are you expected to implement all of that as well? Those are things that take a lot of effort to build The Right Way(tm) and it takes even more time to ensure you're actually getting data in there from the client's actual production environment.

Just a few thoughts

Good luck!

Blucodex

FluffyBunny said:

show previous quotes

The company that I’m working for has never taken this kind of initiative but is looking to bid on a contract to build a combined NOC/SOC

I'd suggest you guys try to hire a few experienced people asap. 

Cannot stress this enough!  Do not hire L1 Analysts to build your SOC.  Get experienced Analysts that can properly guide your data ingestion, alerting use-cases, playbooks, and IR procedures.  Once you actually have that in place you can start staffing Analysts with less experience to crunch tickets.

FluffyBunny

Blucodex said:

show previous quotes

Once you actually have that in place you can start staffing Analysts with less experience to crunch tickets.

OH GOSH I forgot to mention that! 

• This complex system will not run itself! Aside from the analysts in the front-office, you will also need to actually manage the whole system (servers, workstations, data feeds, all of it). This will impact your CTO, because you're keeping people employed who are not necessarily performing "visible" work for the customer. You need to budget for these people as well.

Arles

Your suggestions on leveraging existing infrastructure and ensuring proper data flow from the client's environment offer practical steps towards building a robust and efficient system.

10jwood

The biggest cost is going to be hiring people. You need to budget in the Ms. But it all depends on context.