
Lesson 30: Security Operations Center (SOC) — Building and Operating

Hands-On Cybersecurity Path — Lesson 10 of 10. A practical guide to designing, staffing, and running a SOC that meets Saudi regulatory expectations.

FyntraLink Team
Hands-On Cybersecurity · Lesson 10 of 10 · Level: Advanced · Reading time: 12 minutes

What You Will Learn in This Lesson

  • The core functions, tiers, and architecture of a modern Security Operations Center
  • How to choose between an in-house SOC, outsourced MSSP, or hybrid model for a Saudi financial institution
  • The technology stack — SIEM, SOAR, EDR, and threat intelligence — and how to integrate them
  • Staffing structures, shift models, and playbook design that keep a SOC running 24/7

What Exactly Does a SOC Do?

A Security Operations Center is the nerve center of an organization's cyber defense. Its job is deceptively simple: detect threats, investigate them, and respond before damage spreads. In practice, that means ingesting millions of log events per day, filtering out noise, correlating alerts into incidents, and executing response actions — all under time pressure. For Saudi financial institutions regulated by SAMA and NCA, operating a SOC is not optional; the SAMA Cyber Security Common Controls (CSCC) explicitly require continuous monitoring capabilities (Domain 3: Cybersecurity Operations and Technology).

Think of a SOC the way you would think about an emergency room. Patients (alerts) arrive constantly. Triage nurses (Tier 1 analysts) decide who needs immediate attention. Specialists (Tier 2 and Tier 3) handle complex cases. And hospital administrators (SOC management) ensure staffing, equipment, and processes are in place so the ER never shuts down. If the ER is poorly organized, patients die. If a SOC is poorly organized, breaches go undetected — sometimes for months.

SOC Models: In-House, MSSP, or Hybrid?

Before you purchase a single tool, you need to make an architectural decision. There are three common models, and the right choice depends on your organization's size, budget, and regulatory posture.

In-House SOC: You build and staff everything yourself. This gives you full control over data, processes, and response times. It is the preferred model for large banks and insurance companies in Saudi Arabia where SAMA expects direct oversight of security operations. The downside: it is expensive. A 24/7 SOC requires a minimum of 8–10 analysts across three shifts, plus a SOC manager and threat intelligence lead. Salaries for experienced SOC analysts in the Saudi market range significantly, and competition for talent is fierce.

Managed Security Services Provider (MSSP): You outsource detection and monitoring to a third party. This is cost-effective for smaller fintech companies or payment processors that cannot justify a full in-house team. However, SAMA's third-party risk management controls require you to maintain oversight and ensure the MSSP meets the same standards you would apply internally. You still own the risk.

Hybrid SOC: The most common model for mid-size Saudi financial institutions. You maintain a small internal team (typically Tier 2/3 analysts and a SOC manager) while outsourcing Tier 1 monitoring to an MSSP. This balances cost with control. Your internal team handles escalations, threat hunting, and regulatory reporting, while the MSSP provides 24/7 eyes on the screen.

Practical Example: A mid-size Saudi insurance company with 2,000 employees chose the hybrid model. They contracted an MSSP for Tier 1 alert triage (operating from a Riyadh-based facility to satisfy data residency requirements) and hired three internal analysts plus a SOC manager for incident response and threat hunting. During a SAMA review, the assessors specifically validated that the MSSP's SLAs included 15-minute acknowledgment for critical alerts and that all logs were stored within the Kingdom.

The Technology Stack

A SOC without the right tools is like a surgeon without instruments. Here is the core technology stack and how each component fits together.

SIEM (Security Information and Event Management): The foundation. Your SIEM ingests logs from firewalls, endpoints, servers, applications, cloud platforms, and identity systems. It normalizes them, applies correlation rules, and generates alerts. Common choices include Splunk, IBM QRadar, Microsoft Sentinel, and Elastic Security. For Saudi organizations, ensure your SIEM deployment supports data residency within the Kingdom — this is a SAMA and NCA requirement for financial and government data.

SOAR (Security Orchestration, Automation, and Response): SOAR platforms automate repetitive tasks. When your SIEM fires an alert for a known phishing pattern, the SOAR can automatically enrich the IOC (Indicator of Compromise), check it against threat intelligence feeds, block the sender domain at the email gateway, and create a ticket — all without human intervention. Tools like Palo Alto XSOAR, Splunk SOAR, and IBM Resilient are widely used.

EDR (Endpoint Detection and Response): While your SIEM watches the network, EDR watches individual endpoints — laptops, servers, and workstations. CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne provide behavioral detection that catches threats that signature-based antivirus misses.

Threat Intelligence Platform (TIP): Feeds your SIEM and SOAR with up-to-date IOCs, threat actor profiles, and campaign data. Saudi-specific feeds from Saudi CERT (CERT-SA) and sector-specific ISACs are essential additions to commercial feeds like Recorded Future or Mandiant Advantage.

# Example: A simplified SIEM correlation rule in pseudo-logic
# Detects potential brute-force attack against a banking application

RULE: brute_force_banking_app
  WHEN:
    source = "core_banking_app_auth_log"
    AND event_type = "login_failed"
    AND count(DISTINCT username) >= 5     # Multiple accounts targeted
    AND count(events) >= 20               # High volume of failures
    AND timewindow = 10 minutes
    AND source_ip NOT IN (whitelist_internal_ips)
  THEN:
    severity = HIGH
    action = CREATE_INCIDENT
    action = SOAR_ENRICH(source_ip)       # Auto-lookup IP reputation
    action = NOTIFY(soc_tier2_oncall)     # Page the on-call analyst
    action = BLOCK_IP(source_ip, duration=60min)  # Temporary block
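The pseudo-rule above can be implemented as a small sliding-window correlator. The following Python is an added example written for this lesson, not FyntraLink's code or any SIEM vendor's rule syntax; the log events, the whitelist addresses and the action names are constructed to mirror the pseudo-rule, and actions are returned as data for a SOAR to execute rather than performed here. It generalizes the rule slightly by firing once per source IP and suppressing repeats.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_FAILURES = 20
MIN_DISTINCT_USERS = 5
# Hypothetical internal whitelist, constructed for this example
WHITELIST_INTERNAL_IPS = frozenset({"10.0.0.5", "10.0.0.6"})


def _make_events():
    """Constructed auth log: one spraying IP, one whitelisted IP showing the
    same pattern, one single-account IP, plus events the rule must ignore."""
    t0 = datetime(2024, 3, 10, 2, 0, 0)
    events = []

    def failures(ip, usernames, n=25, step=12):
        for i in range(n):
            events.append({"ts": t0 + timedelta(seconds=step * i),
                           "source": "core_banking_app_auth_log",
                           "event_type": "login_failed",
                           "username": usernames[i % len(usernames)],
                           "source_ip": ip})

    failures("203.0.113.45", [f"user{k}" for k in range(6)])   # 6 accounts hit
    failures("10.0.0.5", [f"user{k}" for k in range(6)])       # whitelisted
    failures("198.51.100.7", ["alice"])                        # one account only
    # A success and a different log source: neither may count
    events.append({"ts": t0, "source": "core_banking_app_auth_log",
                   "event_type": "login_success", "username": "bob",
                   "source_ip": "203.0.113.45"})
    events.append({"ts": t0, "source": "vpn_auth_log",
                   "event_type": "login_failed", "username": "carol",
                   "source_ip": "203.0.113.45"})
    return events


SAMPLE_EVENTS = _make_events()


def detect_brute_force(events, window=WINDOW, min_failures=MIN_FAILURES,
                       min_distinct_users=MIN_DISTINCT_USERS,
                       whitelist=WHITELIST_INTERNAL_IPS):
    """Sliding-window correlation over failed logins, keyed by source IP.
    Fires one HIGH incident per IP once both thresholds are met inside
    `window`; returns a list of incident dicts with the actions to take."""
    recent = defaultdict(deque)   # source_ip -> deque of (ts, username)
    fired = set()
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] != "core_banking_app_auth_log":
            continue
        if ev["event_type"] != "login_failed":
            continue
        ip = ev["source_ip"]
        if ip in whitelist or ip in fired:
            continue
        q = recent[ip]
        q.append((ev["ts"], ev["username"]))
        # Drop failures that have fallen out of the 10-minute window
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct_users = {u for _, u in q}
        if len(q) >= min_failures and len(distinct_users) >= min_distinct_users:
            fired.add(ip)
            incidents.append({
                "rule": "brute_force_banking_app",
                "severity": "HIGH",
                "source_ip": ip,
                "failures": len(q),
                "distinct_users": len(distinct_users),
                "window_start": q[0][0].isoformat(),
                "window_end": ev["ts"].isoformat(),
                "actions": [
                    ("CREATE_INCIDENT", {}),
                    ("SOAR_ENRICH", {"ip": ip}),
                    ("NOTIFY", {"target": "soc_tier2_oncall"}),
                    ("BLOCK_IP", {"ip": ip, "duration_min": 60}),
                ],
            })
    return incidents


if __name__ == "__main__":
    for inc in detect_brute_force(SAMPLE_EVENTS):
        print(inc)
```

Note that the single-account case (198.51.100.7) never fires because the rule as written requires five distinct usernames; a classic one-account brute force needs its own rule with a per-username threshold. Running the same events without the whitelist shows why the whitelist clause matters: the internal scanner would otherwise be blocked for an hour.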

Staffing and Shift Models

Technology alone does not make a SOC effective — people do. A well-structured SOC uses a tiered analyst model.

Tier 1 — Alert Triage Analysts: They monitor the SIEM dashboard, review incoming alerts, perform initial triage, and escalate confirmed incidents. They follow documented playbooks and need strong foundational knowledge but not deep specialization. In a 24/7 model, you need a minimum of 4–5 Tier 1 analysts to cover three shifts plus weekends and leave.

Tier 2 — Incident Responders: They handle escalated incidents. They perform deeper investigation — packet capture analysis, memory forensics, lateral movement tracing. They are the ones who determine the scope and impact of an incident. You typically need 2–3 Tier 2 analysts.

Tier 3 — Threat Hunters and Specialists: They proactively search for threats that automated tools miss. They develop new detection rules, analyze adversary tactics (using the MITRE ATT&CK framework), and lead purple team exercises. Even one strong Tier 3 analyst significantly improves a SOC's detection capability.

SOC Manager: Oversees operations, manages staffing, reports to the CISO, and ensures compliance with SAMA and NCA reporting requirements. This person bridges the gap between technical operations and executive leadership.

A common shift model for Saudi organizations is the "follow-the-sun" hybrid: in-house coverage during Saudi business hours (Sunday–Thursday, 08:00–20:00 AST) with MSSP coverage for nights and weekends. This reduces staffing costs while maintaining 24/7 monitoring.

Playbooks: The SOC's Operating Manual

Every SOC needs documented playbooks — step-by-step procedures for handling specific incident types. Without playbooks, your response depends on which analyst happens to be on shift, which creates inconsistency and increases risk. Here are the essential playbooks every Saudi financial institution should have:

Phishing Response: Receive alert → Extract IOCs (sender, URL, attachment hash) → Check threat intelligence → Quarantine email across all mailboxes → Block sender domain → Notify affected users → Document in case management.

Ransomware Response: Isolate affected endpoints from network → Preserve forensic evidence → Identify ransomware variant → Assess blast radius → Activate incident response team → Notify SAMA within required timeframe → Begin recovery from clean backups → Conduct root cause analysis.

Unauthorized Access: Verify alert legitimacy → Identify compromised credentials → Force password reset → Revoke active sessions → Check for lateral movement → Review access logs for data exfiltration → Escalate per SAMA incident classification.

DDoS Attack: Confirm attack (vs. legitimate traffic spike) → Activate DDoS mitigation (cloud scrubbing or on-premise appliance) → Communicate with ISP → Monitor for secondary attacks (DDoS is often a smokescreen) → Report to SAMA if service disruption exceeds threshold.
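The SOAR automation described in the technology stack section and the Phishing Response playbook above describe the same chain: extract IOCs, check threat intelligence, then quarantine, block, notify and document. The Python below is an added example for this lesson, not code from FyntraLink or from any SOAR product; the alert, the recipients, the attachment bytes and the threat-intelligence feed are all constructed (the domain uses the reserved .test TLD), and the actions are recorded in a case object rather than sent to a real mail gateway.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed threat-intelligence feed with placeholder indicators (not real IoCs)
TI_FEED = {
    "domains": {"login-verify-example.test"},
    "urls": {"http://login-verify-example.test/secure/update"},
    "sha256": set(),
}
# The constructed attachment is registered as a known-bad sample
_ATTACHMENT = b"%PDF-1.4 constructed sample attachment"
TI_FEED["sha256"].add(hashlib.sha256(_ATTACHMENT).hexdigest())

# Constructed phishing alert as it might arrive from the email gateway
SAMPLE_ALERT = {
    "alert_id": "ALRT-0001",
    "recipients": ["a.salem@bank.example", "n.fahad@bank.example"],
    "raw_email": (
        "From: Security Team <noreply@login-verify-example.test>\n"
        "To: a.salem@bank.example\n"
        "Subject: Urgent: verify your account\n"
        "\n"
        "Please confirm at http://login-verify-example.test/secure/update\n"
        "or review the attached statement.\n"
    ),
    "attachments": [("statement.pdf", _ATTACHMENT)],
}

# Constructed alert with nothing in the feed: must go to an analyst, not auto-block
BENIGN_ALERT = {
    "alert_id": "ALRT-0002",
    "recipients": ["n.fahad@bank.example"],
    "raw_email": "From: hr@bank.example\nSubject: Leave policy\n\nSee intranet.\n",
    "attachments": [],
}


@dataclass
class PhishingCase:
    alert_id: str
    iocs: dict
    matched: list
    verdict: str
    actions: list = field(default_factory=list)


def extract_iocs(alert):
    """Step 1 of the playbook: sender, sender domain, URLs, attachment hashes."""
    raw = alert["raw_email"]
    m = (re.search(r"^From:.*?<([^>]+)>", raw, re.M)
         or re.search(r"^From:\s*(\S+)", raw, re.M))
    sender = m.group(1).strip().lower() if m else ""
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    urls = sorted(set(re.findall(r"https?://[^\s<>\"']+", raw)))
    hashes = {name: hashlib.sha256(data).hexdigest()
              for name, data in alert["attachments"]}
    return {"sender": sender, "sender_domain": domain,
            "urls": urls, "attachment_sha256": hashes}


def check_threat_intel(iocs, feed=TI_FEED):
    """Step 2: every IOC is checked against the feed; matches are returned as
    (type, value) pairs so the case record shows why the verdict was reached."""
    matched = []
    if iocs["sender_domain"] in feed["domains"]:
        matched.append(("domain", iocs["sender_domain"]))
    for url in iocs["urls"]:
        if url in feed["urls"]:
            matched.append(("url", url))
    for digest in iocs["attachment_sha256"].values():
        if digest in feed["sha256"]:
            matched.append(("sha256", digest))
    return matched


def run_phishing_playbook(alert, feed=TI_FEED):
    """Steps 3 to 7: automatic containment only when intelligence confirms the
    IOCs; otherwise the case is handed to Tier 1 for manual review."""
    iocs = extract_iocs(alert)
    matched = check_threat_intel(iocs, feed)
    case = PhishingCase(alert["alert_id"], iocs, matched, verdict="needs_analyst")
    if not matched:
        case.actions.append(("ESCALATE", {"queue": "tier1_manual_review"}))
        return case
    case.verdict = "confirmed_phishing"
    case.actions += [
        ("QUARANTINE_EMAIL", {"scope": "all_mailboxes", "sender": iocs["sender"]}),
        ("BLOCK_SENDER_DOMAIN", {"domain": iocs["sender_domain"]}),
        ("NOTIFY_USERS", {"recipients": list(alert["recipients"])}),
        ("DOCUMENT_CASE", {"iocs": iocs, "matched": matched}),
    ]
    return case


if __name__ == "__main__":
    for alert in (SAMPLE_ALERT, BENIGN_ALERT):
        case = run_phishing_playbook(alert)
        print(case.alert_id, case.verdict, [a for a, _ in case.actions])
```

The design point is the gate between steps 2 and 3: blocking a sender domain or purging mailboxes is a disruptive action, so the automation only takes it when the feed confirms at least one indicator, and everything else is routed to a human. The matched list is kept on the case so the analyst, and later a SAMA assessor reading the incident timeline, can see the evidence behind each automated action.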

Key Metrics: Measuring SOC Performance

You cannot improve what you do not measure. Track these metrics and report them monthly to your CISO and quarterly to the board:

MTTD (Mean Time to Detect): How long from when a threat enters your environment to when the SOC identifies it. Industry benchmark for mature SOCs: under 24 hours. Elite SOCs target under 1 hour for critical threats.

MTTR (Mean Time to Respond): How long from detection to containment. SAMA expects financial institutions to contain critical incidents within hours, not days. Your MTTR should be under 4 hours for P1 incidents.

Alert-to-Incident Ratio: What percentage of alerts become confirmed incidents? If your ratio is 1000:1, your detection rules are too noisy. If it is 5:1, you might be missing threats. A healthy ratio is typically between 20:1 and 50:1.

False Positive Rate: Track and continuously reduce. Every false positive wastes analyst time and contributes to alert fatigue — the number one cause of missed real threats.
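To make the four metrics above concrete, here is an added Python example (written for this lesson, not FyntraLink's reporting code) that computes MTTD, MTTR, the alert-to-incident ratio and the false positive rate from a month of constructed alert records, then grades them against the benchmarks stated in this section. The records, their timings and the dispositions are all invented; the "healthy" ratio band of 20:1 to 50:1 and the 4-hour P1 target are taken from the text.

```python
from datetime import datetime, timedelta
from statistics import mean


def _make_month():
    """Constructed month: 40 confirmed incidents, 840 false positives and
    320 benign alerts (1,200 in total)."""
    t0 = datetime(2024, 3, 1)
    alerts = []
    for i in range(40):
        entered = t0 + timedelta(hours=i)                       # threat enters
        # 30 incidents caught in 30 minutes, 10 took 20 hours to detect
        detected = entered + (timedelta(minutes=30) if i < 30 else timedelta(hours=20))
        priority = "P1" if i % 4 == 0 else "P2"
        contained = detected + (timedelta(hours=2) if priority == "P1"
                                else timedelta(hours=6))
        alerts.append({"id": f"A{i:04d}", "disposition": "incident",
                       "priority": priority, "entered": entered,
                       "detected": detected, "contained": contained})
    for i in range(840):
        alerts.append({"id": f"F{i:04d}", "disposition": "false_positive"})
    for i in range(320):
        alerts.append({"id": f"B{i:04d}", "disposition": "benign"})
    return alerts


SAMPLE_MONTH = _make_month()


def _hours(td):
    return td.total_seconds() / 3600


def soc_metrics(alerts):
    """MTTD and MTTR are averaged over confirmed incidents only; the ratio and
    the false positive rate are computed over every alert in the period."""
    incidents = [a for a in alerts if a["disposition"] == "incident"]
    if not incidents:
        raise ValueError("no confirmed incidents in the period")
    p1 = [a for a in incidents if a["priority"] == "P1"]
    return {
        "mttd_hours": mean(_hours(a["detected"] - a["entered"]) for a in incidents),
        "mttr_hours": mean(_hours(a["contained"] - a["detected"]) for a in incidents),
        "mttr_p1_hours": (mean(_hours(a["contained"] - a["detected"]) for a in p1)
                          if p1 else None),
        "alert_to_incident_ratio": len(alerts) / len(incidents),
        "false_positive_rate": sum(a["disposition"] == "false_positive"
                                   for a in alerts) / len(alerts),
        "alerts": len(alerts),
        "incidents": len(incidents),
    }


def assess(m):
    """Grade the metrics against the benchmarks given in the lesson."""
    ratio = m["alert_to_incident_ratio"]
    return {
        "mttd_status": ("elite" if m["mttd_hours"] < 1
                        else "mature" if m["mttd_hours"] < 24
                        else "below_benchmark"),
        "mttr_p1_within_4h": m["mttr_p1_hours"] is not None and m["mttr_p1_hours"] <= 4,
        "ratio_status": ("too_noisy" if ratio > 50
                         else "possibly_missing_threats" if ratio < 20
                         else "healthy"),
    }


if __name__ == "__main__":
    metrics = soc_metrics(SAMPLE_MONTH)
    print(metrics)
    print(assess(metrics))
```

The overall MTTD here hides the ten slow detections behind thirty fast ones, which is why the report to the CISO should break the figure down by priority or by detection source rather than quoting a single mean.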

Connection to the Saudi Regulatory Landscape

SAMA CSCC Domain 3 (Cybersecurity Operations and Technology) directly mandates continuous monitoring, incident detection, and response capabilities — all core SOC functions. NCA's ECC controls require government-linked entities to implement security event monitoring and log management. Both frameworks expect organizations to demonstrate not just that they have a SOC, but that it is operationally effective: documented playbooks, trained staff, measured KPIs, and evidence of continuous improvement. During SAMA audits, assessors will request SOC operational reports, incident timelines, and evidence that alerts are being triaged within SLA. If your SOC exists only on paper, it will not pass review.

Common Mistakes to Avoid

  • Buying tools before defining processes: Organizations often purchase an expensive SIEM before defining what they want to detect or how they will respond. Start with use cases and playbooks, then select technology that supports them. A well-tuned open-source SIEM outperforms an unconfigured enterprise one.
  • Ignoring alert fatigue: Flooding Tier 1 analysts with thousands of low-fidelity alerts destroys morale and causes them to miss real threats. Invest time in tuning detection rules, whitelisting known-good activity, and implementing alert scoring. Quality over quantity.
  • No data residency planning: Sending log data to a SIEM hosted outside Saudi Arabia can violate SAMA and NCA data localization requirements. Ensure your SIEM infrastructure — whether on-premise or cloud — keeps regulated data within the Kingdom, or have explicit regulatory approval for cross-border transfers.

Lesson Summary

  • A SOC is the operational heart of cyber defense — choose the right model (in-house, MSSP, or hybrid) based on your organization's size and regulatory obligations
  • The core technology stack (SIEM, SOAR, EDR, TIP) must be integrated and tuned, not just purchased — start with use cases and playbooks before buying tools
  • Staff your SOC with a tiered analyst model, measure performance with MTTD/MTTR/false positive rate, and report metrics regularly to leadership and regulators

What's Next

This lesson completes the Hands-On Cybersecurity path. In the next lesson, we begin a new path — Security Leadership — starting with: The Role of the CISO: Responsibilities and Challenges in Saudi Arabia. You will learn what it takes to lead cybersecurity at the executive level in a SAMA-regulated environment, from board communication to budget justification.


Ready to apply these concepts in your organization? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment.