ThetaPoint Security Operations

Security Reference Architecture – Introduction

The Primary Function of Security Operations Has Been Subverted

The Security Operations Center (SOC) provides two major enterprise services:

  1. Situation Awareness (SA) for enterprise systems in the Cyber Domain
  2. Incident Response (IR) for events that require intervention

For the last 20 years, innovation in the Security Information and Event Management (SIEM) product space has largely dictated the evolution of how these two services are supported. Over this time, the products have also shaped perspective on how to effectively perform these enterprise services. This influence on perspective has only increased as products have added more sophisticated features to meet more complex requirements.

The technology has come to dominate the thought space both within the enterprise and among practitioners as the market has matured. In some organizations, we have seen that the distinction has been lost between the SIEM and the enterprise services it enables. This also extends to the SIEM infrastructure itself – full commitment to a particular SIEM platform can restrict possible solutions to enterprise needs. These restrictions are often artifacts of vendor support, outsized infrastructure requirements, or (more depressingly) cost.

A map is not the territory it represents, but, if correct, it has a similar structure to the territory, which accounts for its usefulness. – Alfred Korzybski, Science and Sanity, p. 58

The SIEM is not the SOC

These artificial constraints are unacceptable for an organization whose mission is risk mitigation. Tectonic shifts in the threat space occur regularly (if not predictably). Each new high-impact vulnerability could require retooling infrastructure, analytics, and procedures to provide an effective countermeasure. This can even be considered an implicit third function for the enterprise SOC – an agile strategic response capability that can adapt to shifts in technology, attack techniques, and even the hard lessons learned in a compromise.

Furthermore, SIEM platforms will burrow deep into the systems they monitor and expand in scope over time, which can increase displacement costs. These include:

  1. Labor to scope, design, implement, and test replacement functionality on the new platform
  2. Capital expenditure for equivalent hardware and software
  3. Operational commitment to run a parallel system in transition
  4. Disruption risk for transitioned business services

Let me tell you about the law of holes: If you find yourself in a hole, stop digging – The Banker’s Magazine, 1964

Just thinking about a SIEM replacement often requires an examination of every enterprise system, no matter how large or small. The cognitive load alone can shut down any serious deliberation. If left unchecked, this architectural inertia can become a strategic vulnerability over time.

A New Path Forward – ThetaPoint’s Security Reference Architecture

ThetaPoint has time and again encountered these challenges in the Fortune 500 and the public sector, and we’ve developed an architectural remedy that we feel so strongly about that we’re giving it away. ThetaPoint has developed the ThetaPoint Security Reference Architecture, a battle-tested design for SOCs based on open standards and our SOC services expertise.

The ThetaPoint Security Reference Architecture provides prescriptive guidance for the People, Process, and Technology needed for you to build a modern SOC that can:

  • Provide safe transitions for retooling and technology migration
  • Maximize existing investments with more flexibility
  • Sustain present value while breaking vendor dependence

The ThetaPoint Security Reference Architecture provides guidance for staffing your SOC with qualified practitioners. First, we articulate the analytical and operational functions required to staff a future-proof SOC from talent pools available on the open market. We also provide the minimum qualifications you would need to select talent from available candidates. Finally, we provide guidance for skills development tracks in each position, along with measurable expectations for both achievement and performance.

The ThetaPoint Security Reference Architecture builds processes that create consistent analytical outcomes and provide repeatability as you adapt to new data, technologies, and threats. We establish clear Mission goals for strategic guidance, a policy framework that establishes authorities and governance, and modular workflows that are easily adapted to your requirements.

The ThetaPoint Security Reference Architecture establishes a highly performant and scalable Baseline Infrastructure that evolves at your own pace. The Baseline Infrastructure extracts commodity workload out of the SIEM and onto a utility infrastructure that can be reused for data distribution, filtering, aggregation, enrichment, custom analytics, and workflow automation. Once established, the Baseline Infrastructure lowers future migration cost and transition risk. This lets you execute on less disruptive transformations, either through addition, incremental displacement, or outright replacement of existing technology solutions.
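To make the Baseline Infrastructure idea concrete, here is an added illustration (not ThetaPoint's code) of a vendor-neutral pre-SIEM pipeline: raw events are filtered, enriched, and aggregated once, then fanned out to any number of sinks, so a second SIEM can be fed in parallel during a migration without touching the sources. The log lines, asset inventory, and sink names are constructed for the example.

```python
"""Vendor-neutral pre-SIEM pipeline: filter, enrich, aggregate, then fan out."""
import json
from collections import Counter

# Constructed sample input: raw JSON-lines firewall events (not real data).
RAW_LOG = """
{"ts": 1, "src": "10.0.0.5", "dst": "203.0.113.9", "port": 445, "action": "deny"}
{"ts": 2, "src": "10.0.0.5", "dst": "203.0.113.9", "port": 445, "action": "deny"}
{"ts": 3, "src": "10.0.0.7", "dst": "198.51.100.2", "port": 443, "action": "allow"}
{"ts": 4, "src": "10.0.0.5", "dst": "203.0.113.9", "port": 445, "action": "deny"}
{"ts": 5, "src": "10.0.0.9", "dst": "10.0.0.1", "port": 53, "action": "allow"}
"""

# Constructed (hypothetical) asset inventory used by the enrichment stage.
ASSETS = {"10.0.0.5": {"owner": "finance", "tier": "high"},
          "10.0.0.7": {"owner": "eng", "tier": "low"}}

def parse(raw):
    return [json.loads(line) for line in raw.strip().splitlines()]

def filter_stage(events):
    """Drop commodity noise (permitted traffic) before it reaches any SIEM."""
    return [e for e in events if e["action"] != "allow"]

def enrich_stage(events):
    """Attach asset context once, so no SIEM-specific lookup is needed downstream."""
    for e in events:
        e.update(ASSETS.get(e["src"], {"owner": "unknown", "tier": "unknown"}))
    return events

def aggregate_stage(events):
    """Collapse repeated denies per (src, dst, port) into one counted record."""
    key = lambda e: (e["src"], e["dst"], e["port"])
    counts = Counter(key(e) for e in events)
    first = {}
    for e in events:                      # keep the earliest event as the template
        first.setdefault(key(e), e)
    return [dict(first[k], count=n) for k, n in counts.items()]

def fan_out(records, sinks):
    """Deliver identical normalized records to every sink (e.g. two SIEMs in transition)."""
    return {name: sink(records) for name, sink in sinks.items()}

def run_pipeline(raw, sinks):
    return fan_out(aggregate_stage(enrich_stage(filter_stage(parse(raw)))), sinks)

# Stand-in sinks that just report how many records they received (hypothetical).
SINKS = {"siem_current": lambda r: len(r), "siem_candidate": lambda r: len(r)}

if __name__ == "__main__":
    print(run_pipeline(RAW_LOG, SINKS))   # {'siem_current': 1, 'siem_candidate': 1}
```

Swapping a sink here is a one-line change to `SINKS`; none of the filtering, enrichment, or aggregation logic moves with the SIEM.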

What’s Next

We have published the framework in high level detail on our Blog, and hope to engage you in a collaborative discussion of the challenges you are experiencing and the solutions we have developed. Please contact us to continue the dialog.

About ThetaPoint, Inc.

ThetaPoint is a leading provider of strategic consulting and managed security services. We help clients plan, build, and run successful SIEM and Log Management platforms, and we work with the leading technology providers to properly align capabilities to clients’ needs. Recognized for our unique technical experience and our ability to rapidly solve complex customer challenges, ThetaPoint partners with some of the largest and most demanding clients in the commercial and public sector. For more information, visit or follow us on Twitter or LinkedIn.
