SOC Value Chain & Delivery Models

I was recently working with a firm to develop their Security Operations Centre (SOC) from a good but limited capability to a mature enterprise capability. While working through the maturity assessment, formalising their requirements and developing a roadmap we needed to consider a variety of delivery model characteristics. To draw out some of the key characteristics we needed to consider the organisation itself but also the state of SOC components.

To dig into this we developed a Wardley map mapping the value chain and evolution of SOC components. Wardley maps look complicated but are effectively a tool for discussion in front of a white board to identify dependencies and the maturity of components and services. (Click on the diagram for a full size version).

SOC Wardley Map


The services in this particular map were defined as:

Service Name Service Description
The Vulnerability Management service will identify and scan devices and systems connected to the network for security vulnerabilities and will report on these to stakeholders on a regular schedule and on-demand.
The Threat Intelligence service will identify, characterize and track cyber adversaries, will generate actionable intelligence from external feeds and internal data sources as well as engage with external peers to collaborate and share information.
Automated Control
The Automated Control Monitoring service will use the SOC Monitoring Data to track the effectiveness and performance of security controls both for stakeholders that operate those controls and for audit purposes.
The Attack Monitoring service will provide level 1 and level 2 analysis of SOC monitoring data to triage security events, identify security attacks and verify security incidents.
Analysis &
The Analysis & Hunting service will provide level 3 analysis of verified security incidents to categorize and prioritize them. Known security incidents will be remediated and higher impact or Unknown security incidents will be escalated to the Incident Management service. When not conducting analysis and remediation support the Analysis & Hunting service will develop Attack Monitoring use case descriptions and conduct pro-active threat hunting.
The Incident Management service will provide investigation and remediation coordination to high impact, known security incidents (that have been handled previously and documented) and unknown security incidents (that have not been previously handled or documented).
Forensics The Forensics service will provide forensic imaging, analysis and evidential storage to the SOC and other investigative teams.
The Reverse Engineering service will provide malware analysis to support Threat Intelligence, Analysis & Hunting, and Incident Management.

Hopefully the technical components are pretty self explanatory. I’d be interested to hear if people disagree with where we ended up, please let me know in the comments. I shared this with Simon Wardley himself and he did which was cool and useful:

On the map itself, the evolution axis is derived from examining ubiquity (how common something is) vs certainty (how well understood something is) – see Hence I’d argue that many of the components are more evolved than shown on the map, however it’s fair to say that people often custom build that which should already be late product or even commodity.

The point is that for the organisation where we used this it was a useful tool when discussing what could be outsourced because they are well-defined and can be quantitatively managed and what couldn’t currently be outsourced because they are subject to change and development. This allowed us to develop the following map for a potential hybrid delivery model. (Click on the diagram for a full size version).

Hybrid SOC Delivery Model

In this case the organisation was so large that there is a very very short list of MSSPs that could scale to meet their requirements so it is likely they will build and operate internally for now but keep a watching brief on the MSSP market as the providers  scale their operations over time.

I hope this is a helpful starting point for others considering delivery models for a SOC and with a tip of a hat to Simon Wardley who has developed and made available a very useful approach.