The costs of founding a Security Operations Centre come mainly from the following three factors:
- Procuring and furnishing a physical location
- Hiring staff
- Tools and hosting costs
Procuring and Furnishing A Physical Location
Some organisations may choose not to have a physical location for their SOC, particularly if they are primarily remote. The SIEM, ITSM, MISP and other core components can be made accessible from anywhere, after all. Or they may choose to commence deployment remotely, and then procure a facility when possible. Some deciding factors include:
- If the number of SOC staff will be small, they could share the space of the IT department.
- Consider who will be responsible for responding to different kinds of incidents, usually either the SOC itself or the IT department. For instance, an account compromise can be resolved remotely, but if a computer is infected with bootkit malware, someone will need to find the machine in person and re-image it.
- A physical location will always foster better team relationships, knowledge sharing and collaboration between analysts.
- Consider, also, whether the sensitivity of the data that the analysts will be dealing with warrants separation.
Once/if a physical location is selected, aside from the standard office requirements (desks, chairs, laptops), below are some additional design considerations:
- Open desk plans are superior to cubicles for communication.
- A monitor wall is beneficial for displaying any dashboards with important data, such as the health of data sources and open incidents (see Workplace Ninja’s guide for setting up a monitor wall).
- Physical access control systems, such as RFID card-based door locks and biometrics, are usually implemented to restrict access to select employees with authorisation to view the data in the room.
- While you don’t have to lock your analysts away in a dungeon, unglazed windows are a vulnerability. If you can see other buildings or people from your window, an ultra-zoom camera can see what’s on your screen.
Hiring Staff
The various factors affecting the scope of responsibilities and functions discussed on the last page will determine how many people you will need to hire. In addition to the SOC manager (who is assumed to be the one taking the lead in this deployment process), it is recommended to start with at least one analyst for a 9-to-5 operation. Then, once the logs are flowing, some detections are configured and alerts are initially tuned, the SOC can run in ‘evaluation mode’ and decide how many analysts it needs. I will go into more depth on hiring and SOC organisation structure later, but below is an overview of typical roles within a SOC.
| Role | Responsibilities | Salary (AUD) |
|---|---|---|
| Level 1 Analyst | Triaging alerts, investigating basic incidents (e.g. phishing). | 60-80k |
| Level 2 Analyst | Investigating more complex incidents. | 80-110k |
| Level 3 Analyst | Complex threat hunting and digital forensics. | 90-130k |
| SOC Engineer | Detection engineering, developing playbooks, designing the SOC. | 90-140k |
| SOC Manager | Overall SOC strategy and management. Consulting with executives. | 150k+ |
For valuable hiring guidance, see also the NICE Framework (the Workforce Framework for Cybersecurity), which provides definitions of tasks, knowledge and skills that are required to fulfill various cyber security roles, and also prescribes training/certification recommendations.
Tools and Hosting Costs
Now comes the stage where you need to list out the infrastructure components of your SOC.
| Component | Description | Selection | CapEx (AUD) | OpEx (AUD) |
|---|---|---|---|---|
| SIEM (Security Incident & Event Manager) | The heart of the SOC, into which all logs are fed to be analysed for anomalies and threats, and which generates alerts. | Azure Sentinel | 0 | See Log Analytics workspace ingest cost plans; default pay-as-you-go is $5.16 per GB per month. |
| ITSM (IT service management) | Also known as the IT ticketing system. Alerts generated in the SIEM will be fed into here for easier tracking and collaboration with the IT department. | SnipeIT (it’s free, okay) | 0 | 0 |
| SOAR (Security Orchestration, Automation and Response) | Platform used to coordinate automated response to alerts generated by the SIEM. Improves response times and reduces labour. | Azure Logic Apps, Defender XDR | 0 | Licence costs for the various Defender products, plus Logic App compute costs (difficult to calculate, but usually only a few dollars per month). |
| Archive Storage | Cold log storage for data retention purposes. May be required for compliance, and may be used for older incidents. | Amazon S3 Storage | 0 | See S3 pricing; the Standard-Infrequent Access tier is $0.0138 per GB per month. |
| Detection-as-Code Platform | Used for the controlled development, deployment and management of detection rules, workbooks, playbooks and other content. | GitHub | 0 | 0 |
| MISP (Managed Information Sharing Platform) | Used to collect, filter and process threat intel data in a controlled manner before ingesting it into the SIEM. | MISP Threat Sharing | 0 | Self-hosting costs |
| Data control platform | Used to collect, filter, enrich and normalise log data before it reaches the SIEM, reducing ingest cost and improving query performance. | Cribl Stream | 0 | 1 TB throughput per day free, then see pricing. |
To use the above chart to create a total costing estimate, we need to know what our log throughput will be (gigabytes per day). Thankfully, as mentioned above, our intermediary data platform Cribl allows 1 TB of free throughput per day, and will tell us exactly how many gigabytes our log sources are producing. Continued on the next page.
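As an added illustration of how the figures in the table combine once Cribl has reported a throughput number, the following estimator is my own example code and not part of the original post or any of the products it names. It uses only the unit prices quoted in the table, and makes three assumptions the page does not state: a 30-day billing month, that the SIEM is billed on the reduced volume leaving Cribl, and that the archive holds the raw volume for a fixed retention period, so its stored size reaches a steady state. It also refuses throughput above the 1 TB/day free tier, because the page gives no price beyond it.

```python
"""Rough monthly OpEx estimator for the SOC hosting table (added example).

Assumptions not stated on the page: a 30-day billing month, the SIEM bills on
the reduced volume that leaves Cribl, and the archive holds the raw volume for
a fixed number of months (steady-state stored size = monthly raw volume x months).
"""

# Unit prices quoted in the table above (AUD)
SENTINEL_PAYG_PER_GB = 5.16      # Azure Sentinel pay-as-you-go ingest
S3_IA_PER_GB_MONTH = 0.0138      # S3 Standard-Infrequent Access storage
CRIBL_FREE_GB_PER_DAY = 1024     # Cribl Stream free tier: 1 TB throughput per day
DAYS_PER_MONTH = 30              # assumption: billing month length


def estimate_monthly_opex(raw_gb_per_day, archive_retention_months, reduction_ratio=0.0):
    """Return a cost breakdown (AUD per month) for a given raw log throughput.

    raw_gb_per_day           -- what the log sources produce, as Cribl reports it
    archive_retention_months -- how long raw logs are kept in cold storage
    reduction_ratio          -- fraction of volume Cribl drops before the SIEM (0 <= r < 1)
    """
    if raw_gb_per_day < 0:
        raise ValueError("throughput cannot be negative")
    if not 0.0 <= reduction_ratio < 1.0:
        raise ValueError("reduction_ratio must be in [0, 1)")
    if raw_gb_per_day > CRIBL_FREE_GB_PER_DAY:
        # The page only quotes the free tier; above it Cribl's own pricing applies.
        raise ValueError("throughput exceeds the Cribl free tier; consult Cribl pricing")

    raw_gb_per_month = raw_gb_per_day * DAYS_PER_MONTH
    siem_gb_per_month = raw_gb_per_month * (1.0 - reduction_ratio)

    siem_cost = siem_gb_per_month * SENTINEL_PAYG_PER_GB
    archived_gb = raw_gb_per_month * archive_retention_months  # steady-state cold volume
    archive_cost = archived_gb * S3_IA_PER_GB_MONTH

    return {
        "siem_gb_per_month": round(siem_gb_per_month, 2),
        "siem_cost": round(siem_cost, 2),
        "archived_gb": round(archived_gb, 2),
        "archive_cost": round(archive_cost, 2),
        "total": round(siem_cost + archive_cost, 2),
    }


def retention_sensitivity(raw_gb_per_day, months_options, reduction_ratio=0.0):
    """Total monthly cost for each retention horizon, showing how archive cost scales."""
    return {m: estimate_monthly_opex(raw_gb_per_day, m, reduction_ratio)["total"]
            for m in months_options}


if __name__ == "__main__":
    # Constructed sample: 50 GB/day raw, 30% dropped by Cribl, 12 months kept in S3-IA
    for key, value in estimate_monthly_opex(50, 12, 0.3).items():
        print(f"{key:>18}: {value}")
    print(retention_sensitivity(50, [3, 6, 12, 24], 0.3))
```

The breakdown makes the cost structure of the table visible: at the quoted prices, SIEM ingest dominates and scales with daily volume, whereas the S3-IA archive is cheap per gigabyte but its stored volume grows linearly with the retention period you choose, which is why the reduction ratio achieved in Cribl matters far more for the monthly bill than the retention horizon does.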