
Best Practices for Security Operations Center

Abhishek Joshi - s3442187, Randeep Singh Chhabra - s3465543


School of Mathematical and Geospatial Science
RMIT University
Melbourne, Australia
28/05/2014

I. Abstract

A Security Operations Center (SOC) is an important facility for any organization that wants to
address security threats, vulnerability assessment and security management. Baselines exist that
address some of the security aspects, but a complete framework combining people, process and
technology is currently not up to a high standard (Jacobs, Arnab & Irwin 2013). A
well-functioning SOC can provide efficient and effective detection and management of threats
(Ernst & Young 2013). This paper therefore addresses the best practices for building a SOC by
outlining its mission and the people, processes and technology involved.

II. Introduction

With the rise in information security breaches and the growing sophistication of attacks on
ever-changing information systems, there is an increasing need for comprehensive analysis and
monitoring tools, processes and management of information security; all of these can be provided
by a Security Operations Center (SOC). A SOC is a center where enterprise information systems are
monitored, assessed, protected and managed. It combines people, processes and technologies to
provide situational awareness through the detection, containment and remediation of IT threats
(HP 2013). The SOC manages all incidents in an enterprise, including identifying and analyzing
possible cyber-attacks or intrusions, and carries out the appropriate communication, action and
reporting to reduce negative impacts on the business (Ernst & Young 2013).
Security threats are becoming increasingly complex and harder to detect, and can cause damage to
an organization that stretches across all business processes and aspects, including clients. For
an organization, merely having a firewall, anti-virus and an intrusion detection system (IDS) is
not enough (DEFCON n.d.), and therefore it needs to implement a SOC. A SOC not only looks at
preventing threats, but provides continuous prevention, protection and detection, and fast
response capabilities against threats, vulnerabilities and real-time incidents (Rothke 2012).
Moreover, most modern organizations have different policies under their Information Security
Strategy. These policies cover security, intrusion prevention, monitoring, incident response,
configuration management and disaster recovery, and to handle each of them there are several
technologies available to support informed decisions, such as firewall and router logs,
application-level logs, application security testing automation, access control management, etc.
These solutions remain a key control for battling today's known attacks.

Nevertheless, they become less effective over time as attackers find new and complex ways to
bypass controls (Ernst & Young 2013), and they fail to provide a single holistic approach to
overall security (Robert L Behm 2003). As a result, advanced persistent attacks go undetected
for months or even years before a breach gets noticed. The main problems are distributed silos,
a lack of skilled professionals, and the absence of tools to provide them with accurate
information and of processes to enable them to fulfil their responsibilities effectively
(Network Computing 2012).
Combating these complex threats and issues requires easy collaboration among security
personnel, a streamlined incident-handling process and management of the overall set of
security tools and technologies. Such a comprehensive system of tools, processes and people is
carried by the SOC, making it the backbone of an organization's Information Security Strategy
(Network Computing 2012).
To achieve an effectively operating SOC, the associated processes, people and technologies must
not only exist but also be mature (HP 2013). A well-operating SOC is the backbone of the most
efficient and effective detection and prevention of threats and vulnerabilities. It allows
information security processes to respond much faster, carry out more collaborative work and
share knowledge more effectively (Ernst & Young 2013).
This paper outlines the evolution of the SOC and addresses the different factors of best
practice for building a SOC.

III. Evolution of SOC

The emergence of complex cyber threats continues to wreak havoc on current security systems.
There has never been a higher demand for unified security systems, services and intelligence
than now. Even with abundant management support, organizations still face difficulties in
staffing skilled experts who can keep up with rapidly advancing technologies. Additionally, the
most challenging task is to implement the different procedures needed to manage and monitor
security operations from a single point that provides real-time protection against new and
multifaceted threats (Internet Security Systems 2006).
The SOC is the heart of such a unified, single-point security system that integrates security
tools, services and intelligence (Internet Security Systems 2006). Building such a SOC with
regard to emerging threats is very challenging, as there have been numerous advances and
developments in SOCs since the inception of the internet. In addition, the SOC has also been
affected by the company's own evolutionary changes. Despite these changes, the SOC has always
bridged gaps between different organizational units and has been on the front line of cyber
defense. The SOC has evolved to provide the best security that any organization can demand
(HP 2013).
HP ESP Security Intelligence and Operations Consulting Services, in their 2013 business white
paper, describe five generations of SOC:
- 1st Generation (1975-1995)
- 2nd Generation (1996-2001)
- 3rd Generation (2002-2006)
- 4th Generation (2007-2012)
- 5G/SOC (2013-?)

The first four generations of SOC dealt with threats such as nuisance programs, malware
outbreaks, cybercrime, cyberwar and hacktivism, which were controlled using technologies such as
intrusion detection and prevention (HP 2013). The current generation of SOC not only responds
to attacks in progress but understands the scope of the adversary and their motivations, and
provides risk-appropriate security intelligence and protective measures. This generation of SOC
is mostly influenced by big data analytics, intelligence-driven methodology, information sharing
and a human-adversary approach (HP 2013).
While HP refers to the latest generation simply as 5G/SOC, other experts refer to SOC
generations by different names. Forrester Research calls the current version SOC 1.0, while the
next generation is named SOC 2.0 (a better way to accomplish SOC tasks against evolving threats)
(Kindervag 2010). Nonetheless, every next-generation SOC focuses on three key aspects for its
success: People, Process and Technology (DTS-Solution n.d.; Kindervag 2010).

IV. Mission

Every organization needs to plan its steps prior to building a SOC. The focus should not only
be on people, process and technology but should also address the business problems and issues
that the SOC will solve. The overall success of a SOC depends on how its mission has been stated
(HP 2013). Furthermore, a unifying drive is needed to encourage team members, prioritize
responsibilities and respond effectively to growing business needs. The more effort goes into
identifying the mission, the more benefit the SOC will deliver in the long run (HP 2013).
For building a good and effective SOC, HP (2013) in their paper Security Operations suggests
that a mission statement should cover:
- the needs and requirements that the SOC will fulfill for the organization,
- the specific tasks that should be assigned to the SOC to provide effective security,
- the probable consumers of the information the SOC collects and analyzes, and their
expectations of the SOC,
- the security event data that should be provided to the SOC for monitoring.
Example mission statement:
"The SOC is responsible for monitoring, detecting, and isolating incidents and the management
of the organization's security products, network devices, end-user devices, and systems. This
function is performed seven days a week, 24 hours per day under Corporate IT. The SOC is the
primary location of the staff and the systems dedicated for this function servicing all the
business and IT stakeholders." (McAfee 2012)

V. Executive and board support

Executive and board commitment is one of the keys to a successful SOC. Its support for security
is vital to encourage information system owners and users, and to deliver the visibility the
team needs to confirm the support of the business units. It is the most important factor for an
effective SOC, as there are very few motivations to improve security other than an actual loss
of data or direct attacks on the systems (Lee 2001).
Likewise, without clear board support, implementing a SOC from the grass-roots level has minimal
chance of success, and the SOC might turn out to be ineffective without ever realizing its
value. For an effective SOC, it is essential that executive support establishes clear objectives
and a long-term strategy in order to drive organizational change in information security
(Ernst & Young 2013).
In order to secure executive support for establishing the best possible SOC, the following key
points must be discussed with management (Ernst & Young 2013):
- Define the existing problems and their impact on the security and business of the organization
  o the need for a SOC,
  o the SOC's goals and objectives,
  o existing issues that the SOC's implementation would resolve.
- Establish the vision
  o a mission statement with the desired expectations of outputs,
  o a stated short- and long-term vision,
  o alignment of vision and mission with business objectives and risk posture.
- Define the resources and investment required for a successful SOC, and its outcomes
  o unifying people, process and technology to produce successful output,
  o deciding on in-house requirements versus outsourcing,
  o the initial and operating costs involved in either initiating a new SOC or evolving an
    existing SOC.
- Show the value of implementing a SOC through increased productivity and efficient and
  effective security management.

VI. Investment

One of the significant challenges when building a SOC is that its implementation suffers from
inadequate resources, mainly investment (money) or expertise (Bowen, Chew & Hash 2007). Such
circumstances restrict the SOC team to working within limited means, which makes it difficult to
achieve the expected results. The scarcity of SOC expertise makes this condition worse, as
organizations need to spend more on attractive compensation to draw in such expertise (Ernst &
Young 2013).
Furthermore, SOC technologies are very expensive. Even if organizations opt for open source
tools to minimize costs, the cost of the expertise needed to customize them for the organization
would still be high, while vendor-provided solutions, despite being easier, are quite costly.
Hence finding the right balance between limited investment and the quality of the SOC is
essential (Ernst & Young 2013).
In addition, understanding the benefits of compliance objectives, such as information security
risk management objectives or achieving compliance with information security standards, can help
overcome such restrictions through efficient management of resources, making it possible to
achieve the holistic objective of the SOC with limited resources (Bowen, Chew & Hash 2007).

VII. Physical space


A successful SOC cannot be achieved without creating a distinct location for it. Organizations
should maintain their own secured physical space to promote unity, teamwork and knowledge
sharing within short response times (Ernst & Young 2013).
The initial objective should be to clearly document the space requirements as early as possible
in the design process and to obtain the space required (Aggleton 2013). As SOC analysts work in
a team (rarely in isolation), they tend to perform more effectively when in physical proximity
to each other. This proximity allows fast communication, which further helps to achieve better
security from the diverse, collective knowledge of the team (Ernst & Young 2013).
Hence, the SOC should be placed in a secured location that provides a quality working
environment for the entire team (Aggleton 2013).

VIII. Strategy
The SOC strategy should be aligned with the mission statement and should have three broad
priorities: a) understanding the overall risk posture and aligning to it, b) supporting business
goals, and c) meeting compliance obligations (Ernst & Young 2013).
Creating the SOC's governance and operating model helps the organization and the SOC team
achieve accountability, guide communication and manage timely interactions with the involved
functions such as IT, IR, HR, legal, compliance and others. Documenting service level
agreements, processes and the chain of authority helps minimize uncertainty and chaos during
emergency high-impact actions (e.g. a denial-of-service attack or a system shutdown) (Ernst &
Young 2013).
The strategy should also involve the creation of detailed standard operating procedures (SOPs)
specifying the technical processes, checklists, techniques and forms used by the teams. This
ensures that SOC operations reflect the priorities of the organization (Kent & Souppaya 2006).
Based on resources and objectives, an enterprise SOC operation can either be run entirely with
internal technology, processes and teams, or it can rely partly or completely on an external
provider. Factors like skill availability, cost, single or multiple global locations, and
requirements for cloud coverage and support also play a part in this decision (IBM 2013).

A clear SOC strategy also needs to include milestones and guidelines in relation to IT security
metrics, as they help the organization monitor the achievement of goals and objectives. Examples
of such metrics are check-up standards for security logs, configuration, backup and contingency,
policy and procedures, access control, etc. (Kahraman n.d.).

IX. People

As the functional and technology requirements of a SOC are so widely spread and complex, it
always requires cross-disciplinary teams working together. The team should have the skills,
and work together, to detect, dissect and disable threats. Some of the critical skills required
are a) forensic knowledge, b) proficiency in coding, c) managing threat intelligence, d) breach
management, e) penetration testing and f) data analysis (EMC 2013).
At times these skills can also be outsourced to bring in a fresh perspective or to get started
quickly until internal teams scale up (Ernst & Young 2013).
The key roles in a SOC team include Level 1 and Level 2 analysts, incident handler, content
developer, operations lead, SIEM engineer, network administrators, security device engineers,
data analysts, compliance specialist, etc. It is also very important to ensure the right
coverage by planning the right number of resources across multiple shifts (Anderson n.d.).

X. Processes

A structured process enables consistent operation and repeatable outcomes. It also plugs the
shortcomings of people and technology: for example, a new employee can learn faster using a
detailed process manual, and a detailed manual process can help overcome the limitations of
automation.
The first step in devising a SOC process should be the analysis and profiling of networks,
applications and systems, so that normal behavior is understood and anomalies can be identified
easily. Then a detailed set of event correlation rules and use cases needs to be created in
order to catch an event quickly and validate whether a particular incident has occurred (Kent &
Souppaya 2006). It is then necessary to have a detailed incident response procedure and a clear
operating guide for recovering forensic and incident response data (Lyne 2013).
A structured process has to be followed for incident prioritization. Incidents cannot be
addressed on a first-come, first-served basis; instead they should be prioritized based on the
functional, business and information impact of the incident and its recoverability (Kent &
Souppaya 2006). All of the above SOC processes can be broken into four broad categories, as
suggested by HP in their business white paper (2011):
a) Administrative processes
b) Technology processes
c) Operational processes
d) Analytical processes
(HP 2011)
For each process a respective procedure and workflow should be established: the process defines
who is responsible for carrying out specific tasks, the procedure explains how to accomplish the
task, and the workflow specifies the sequence. Process integration eliminates redundant and
repetitive steps, reduces the opportunities for error, and facilitates best-practice
implementation and closed-loop cooperation between the involved teams (EMC 2013).
The process maturity level of a SOC can be ascertained using frameworks such as Control
Objectives for Information and Related Technologies (COBIT) and the Information Technology
Infrastructure Library (ITIL), coupled with information security frameworks such as ISO/IEC
27001 (Jacobs, Arnab & Irwin 2013).

XI. Technology

The principle behind choosing SOC technology should be that technology works for people and for
the best processes, not vice versa. The solution should be able to convert operational data into
actionable information, which eventually improves the security posture of the organization (RSA
2008).
A SOC needs technology for generating, storing, transmitting and analyzing security log data
from applications, databases and the network. As different logs use different storage formats,
technology is also required to normalize and classify the logs, and then to perform log
correlation analysis to identify security incidents, anomalies, fraudulent activity, etc.
(Madani, Rezayi & Gharaee 2011).
Some of the technologies required in a next-generation SOC are:
a) Scalable analytics engine
b) Consolidated warehouse for security data, or a cross-indexed series of data stores
c) Centralized management dashboard
d) Pattern-based threat monitoring techniques
e) Ticketing system
f) Rich correlation of incident information
g) Full network packet capture
h) Data and identity classification and access management solution
i) Integrated compliance and governance management tools
j) Data analytics and forensic tools
(EMC 2013)

XII. Environment
The overarching purpose of a SOC is to secure and enable the business. To achieve that, SOC
personnel must understand the business and the value associated with specific decisions in order
to prioritize the most appropriate response. By correlating business-relevant information
against the available technical data, the SOC produces security intelligence that enables the
business to improve decision-making, risk management, compliance and business continuity (EY
2013).
For example, TELUS, a leading national telecommunications company in Canada, deployed a SOC
solution to ensure PCI compliance, significantly reducing the time spent satisfying auditors'
requests (EMC 2011).

XIII. Analytics and reporting


The SOC needs to give actionable, prioritized and risk-based insight from the sea of information
coming from all the devices being monitored. It needs to capture anomalies and status alerts, and
perform real-time correlation. The results should be made available in concise reports and
dashboards.
The analytical capability of a SOC is strengthened by the rise of big data technologies. It is
now possible to perform forensics and analysis of very long-term historical trends. Query
engines have become efficient enough to support behavior-based analysis through complex queries.
Streaming data analysis also adds considerable strength to traditional batch processing
techniques, allowing tools to identify sudden attacks more efficiently without historical
correlation (Taylor 2014).
Analytics involves building specific connectors to:
a) Normalize every alarm and alert into a common security schema
b) Filter out unwanted traffic
c) Set severity according to a common taxonomy
d) Perform multi-stage event correlation to analyze information from a variety of disparate
events (sometimes three or more different events) to determine if they are all related to the
same incident
e) Prioritize by identifying the business relevance of the target in question as it relates to
the organization's business imperatives
(HP 2011)
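The correlation and prioritization steps described in section X and in the connector list above, as an added example that is not code from the paper, from HP or from any vendor cited here: a small Python pipeline that normalizes three constructed log formats into one schema, drops accepted-traffic firewall noise, applies a multi-stage rule (repeated failed logins, then a successful login for the same user, then an account creation from the same source, all inside a time window) and sets the SOC priority from an assumed asset-criticality register. The hosts, users, addresses, thresholds and priority matrix are all invented for the demonstration.

```python
"""Added example, not code from the paper or any cited vendor: normalize mixed log
formats into one schema, filter noise, run a multi-stage correlation rule and assign
a SOC priority from asset criticality. All sample data and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

def ssh_line(host, user, src, sec, verb):
    """Build a constructed OpenSSH auth log line (sec = seconds past 09:00:00)."""
    return (f"2014-05-20T09:00:{sec:02d} {host} sshd[2201]: {verb} password for "
            f"{user} from {src} port {5520 + sec} ssh2")

# Constructed sample input: OpenSSH auth lines, one netfilter-style firewall line
# and a CSV export of a Windows 4720 (user account created) event.
SAMPLE_LOGS = (
    [ssh_line("pay-app-01", "admin", "203.0.113.5", s, "Failed") for s in range(1, 6)]
    + ["May 20 09:00:15 fw-edge kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=10.0.0.21 DPT=22",
       ssh_line("pay-app-01", "admin", "203.0.113.5", 20, "Accepted"),
       '2014-05-20 09:03:41,pay-app-01,4720,"A user account was created",'
       'target=svc_backup,subject=admin,src=203.0.113.5']
    + [ssh_line("wiki-01", "bob", "198.51.100.7", s, "Failed") for s in range(30, 35)]
    + [ssh_line("wiki-01", "bob", "198.51.100.7", 40, "Accepted")]
)

SSH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
WIN_RE = re.compile(r'^(\S+ \S+),([^,]+),4720,"[^"]*",target=([^,]+),subject=([^,]+),src=(\S+)$')
FW_RE = re.compile(r"^(\w{3} \d+ \d\d:\d\d:\d\d) (\S+) kernel: (ACCEPT|DROP) .*SRC=(\S+) DST=\S+ DPT=\d+")
SEVERITY = {"auth_failure": "low", "auth_success": "info", "account_created": "medium", "fw_accept": "info"}

def normalize(line):
    """Map one raw line onto the common schema; None if the format is unknown."""
    if m := SSH_RE.match(line):
        ts, host, verb, user, src = m.groups()
        ev = "auth_failure" if verb == "Failed" else "auth_success"
        return dict(ts=datetime.fromisoformat(ts), host=host, event=ev, user=user, src_ip=src, severity=SEVERITY[ev])
    if m := WIN_RE.match(line):
        ts, host, target, subject, src = m.groups()
        return dict(ts=datetime.fromisoformat(ts), host=host, event="account_created", user=subject,
                    target=target, src_ip=src, severity=SEVERITY["account_created"])
    if m := FW_RE.match(line):
        ts, host, action, src = m.groups()
        # syslog timestamps carry no year; the sample year is assumed here
        return dict(ts=datetime.strptime("2014 " + ts, "%Y %b %d %H:%M:%S"), host=host,
                    event="fw_accept", user=None, src_ip=src, severity=SEVERITY["fw_accept"])
    return None

def is_noise(event):
    """Filter stage: accepted-traffic firewall records are not worth correlating."""
    return event["event"] == "fw_accept"

def correlate(events, window=timedelta(minutes=15), threshold=5):
    """Multi-stage rule keyed on the source address: at least `threshold` failed logins
    for a user, then a success for that user on the same host, optionally followed by
    an account creation on that host, all within `window`."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src_ip"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        for succ in (e for e in evs if e["event"] == "auth_success"):
            prior = [f for f in evs if f["event"] == "auth_failure" and f["user"] == succ["user"]
                     and f["host"] == succ["host"] and succ["ts"] - window <= f["ts"] < succ["ts"]]
            if len(prior) < threshold:
                continue
            stages, evidence = ["brute_force", "auth_success"], prior + [succ]
            created = [c for c in evs if c["event"] == "account_created" and c["host"] == succ["host"]
                       and succ["ts"] <= c["ts"] <= succ["ts"] + window]
            if created:
                stages.append("account_created")
                evidence += created
            incidents.append(dict(src_ip=src, host=succ["host"], user=succ["user"], stages=stages,
                                  evidence=evidence, first_seen=evidence[0]["ts"], last_seen=evidence[-1]["ts"]))
    return incidents

# Constructed asset register and priority matrix (technical severity x business criticality).
ASSET_CRITICALITY = {"pay-app-01": "high", "wiki-01": "low"}
PRIORITY_MATRIX = {("high", "high"): "critical", ("high", "medium"): "high", ("high", "low"): "medium",
                   ("medium", "high"): "high", ("medium", "medium"): "medium", ("medium", "low"): "low"}
PRIORITY_ORDER = ["critical", "high", "medium", "low"]

def prioritize(incident, criticality=ASSET_CRITICALITY):
    """A completed three-stage chain is technically 'high', a shorter chain 'medium';
    the business relevance of the target then sets the SOC priority."""
    technical = "high" if len(incident["stages"]) >= 3 else "medium"
    business = criticality.get(incident["host"], "medium")  # unknown assets default to medium
    incident["priority"] = PRIORITY_MATRIX[(technical, business)]
    return incident["priority"]

def run(lines, criticality=ASSET_CRITICALITY):
    """Normalize -> filter -> correlate -> prioritize; incidents sorted by priority."""
    events = [e for e in map(normalize, lines) if e is not None and not is_noise(e)]
    incidents = correlate(events)
    for inc in incidents:
        prioritize(inc, criticality)
    return sorted(incidents, key=lambda i: PRIORITY_ORDER.index(i["priority"]))

if __name__ == "__main__":
    for inc in run(SAMPLE_LOGS):
        print(f"{inc['priority']:<8} {inc['host']:<10} {inc['src_ip']:<14} "
              f"{' -> '.join(inc['stages'])} ({len(inc['evidence'])} events)")
```

On the constructed input the payment host produces a critical incident (all three stages, high-criticality asset) while the same brute-force pattern against the wiki, with no account creation, is ranked low: the rule logic is identical, and the difference comes entirely from the prioritization step, which is the point of tying correlation output to the asset register rather than to raw event severity.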
The SOC can also use analytics to create insightful metrics and performance measures: for
example, metrics that facilitate internal operational improvements, or that management uses to
make informed decisions balancing the trade-offs between cost and risk. Consequently, a good
metrics and reporting structure can add value beyond security matters by also serving as a
compelling communication vehicle for financial and operational concerns (EY 2013).

XIV. Continuous improvement


Ensuring the safety of information assets is a moving target, and hence the next-generation SOC
should be continuously evolving. In the field of continuous improvement, a principle called Time
Based Security directly indicates the need to continuously improve defenses. It says that
effective security measures are those where protection lasts longer than the time to detect a
threat plus the time to remediate it, i.e. MTP > MTD + MTR, where MTP is Mean Time to Protect,
MTD is Mean Time to Detect and MTR is Mean Time to Repair (Swift 2011).
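As an added example (not from the paper or from Swift), the inequality above applied to a set of constructed incident records in Python. The records, the timestamps and the assumed protection time of eight hours are all invented; what the code shows beyond the formula is that the test on means can pass while an individual incident still fails it, and it is those incidents the improvement cycle should start from.

```python
"""Added example, not from the paper or Swift (2011): turn the Time Based Security
test P > D + R into a metric over incident records. All timestamps are constructed."""
from datetime import datetime
from statistics import mean

# Constructed incident records: when the attacker got in (from the forensic
# timeline), when the SOC detected the intrusion and when it was remediated.
INCIDENTS = [
    {"id": "INC-101", "compromised": "2014-05-02T10:00", "detected": "2014-05-02T10:40", "remediated": "2014-05-02T13:00"},
    {"id": "INC-102", "compromised": "2014-05-09T22:15", "detected": "2014-05-10T08:05", "remediated": "2014-05-10T11:30"},
    {"id": "INC-103", "compromised": "2014-05-16T03:00", "detected": "2014-05-16T03:20", "remediated": "2014-05-16T04:00"},
]

def hours_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def detect_and_repair_times(incident):
    """D = delay from compromise to detection, R = detection to remediation (hours)."""
    return (hours_between(incident["compromised"], incident["detected"]),
            hours_between(incident["detected"], incident["remediated"]))

def time_based_security(incidents, protection_hours):
    """Evaluate MTP > MTD + MTR over the set, and also list every incident for which
    P > D + R did not hold, because a passing mean can hide individual failures."""
    times = {inc["id"]: detect_and_repair_times(inc) for inc in incidents}
    mtd = mean(d for d, _ in times.values())
    mtr = mean(r for _, r in times.values())
    failing = [iid for iid, (d, r) in times.items() if d + r >= protection_hours]
    return {"mtd": mtd, "mtr": mtr, "mean_holds": protection_hours > mtd + mtr, "failing": failing}

if __name__ == "__main__":
    # Assumed protection time: how long the deployed control is expected to resist the attack.
    report = time_based_security(INCIDENTS, protection_hours=8)
    print(f"MTD={report['mtd']:.2f}h MTR={report['mtr']:.2f}h "
          f"MTP>MTD+MTR: {report['mean_holds']} failing: {report['failing']}")
```

With the constructed data the mean detection and repair times sum to 5.75 hours, so an eight-hour protection time passes on average, yet INC-102 (an overnight intrusion detected the next morning) needed 13.25 hours and would have succeeded; the per-incident list is what the continuous-improvement loop should act on.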
This clearly quantifies the need for rapid evolution of the SOC. Also, the existing approaches in
SOCs broadly focus on target hardening and anomaly/incident detection. These approaches do
nothing to reduce the attacker's perceived net benefit of a hack, nor to reduce the provocation
for an attack. Situational Crime Prevention (SCP) techniques are being devised which, when
combined with the traditional risk management process, can evolve new ways to counter security
attacks. SOC operations should keep an eye on such developments (Beebe & Rao 2010).
Advances in big data technology are also helping SOCs to have:
- Real-time reputation services which can simultaneously correlate information from multiple
entities such as IP addresses, URLs, user identities, email and file objects (MacDonald 2011).
- Accurate heuristics and models of malware activity based on broad visibility and using more
computing power to perform the analysis, eventually helping to identify new and unknown threats
rather than just blacklisting known threats (MacDonald 2011).

XV. Conclusion
The Security Operations Center is the foundation of an organization's security control and
management (Nickle 2011). Building a SOC with effective management can rapidly improve the
organization's ability to detect and prevent malicious events (HP 2013). It not only reduces the
time taken to respond to threats but also improves collaborative work and knowledge sharing. A
successful SOC is driven by management commitment, adequate budget, good governance, skilled
individuals, well-executed processes, properly implemented technology and the drive for
improvement (Rothke 2012; Ernst & Young 2013). The potential benefits of a SOC are massive, and
without these driving factors a SOC cannot realize its full potential (Nickle 2011).

Word Count: 3430 words

Percentage Allocation

Team Member        | Tasks Allocated and Completed                                                                          | Percentage
Abhishek Joshi     | Researched and decided the scope on Security Operations Center (SOC) for the report                    | 5%
Randeep S. Chhabra | Researched and decided the scope on Security Operations Center (SOC) for the report                    | 5%
Abhishek Joshi     | Researched and collected as much information as possible on the best practices of SOC                 | 5%
Randeep S. Chhabra | Researched and collected as much information as possible on the best practices of SOC                 | 5%
Abhishek Joshi     | Worked on drafting and editing sections from headings I to VII with reference to researched information  | 30%
Randeep S. Chhabra | Worked on drafting and editing sections from headings VIII to XIV with reference to researched information | 30%
Abhishek Joshi     | Worked on section XV (Conclusion)                                                                      | 5%
Randeep S. Chhabra | Worked on section XV (Conclusion)                                                                      | 5%
Abhishek Joshi     | Edited the references and finalized the document format                                                | 5%
Randeep S. Chhabra | Managed the minutes for the meetings                                                                   | 5%

Abhishek Joshi     | Total | 50%
Randeep S. Chhabra | Total | 50%

Signature

References
Aggleton, D, 2013, Best Practices for SOC Design, Tips for planning and deploying an in-house
Security Operations Center, SecurityInfoWatch.com, viewed 15 May 2014,
<http://www.securityinfowatch.com/article/10893524/best-practices-for-soc-design>.
Anderson, B, n.d., Building, Maturing & Rocking a Security Operations Center, Global Cyber
Security Threat & Vulnerability Management, Hewlett-Packard, SANS Archive, viewed May 11
2014,
<http://digital-forensics.sans.org/summit-archives/DFIR_Summit/Building-Maturing-andRocking-a-Security-Operations-Center-Brandie-Anderson.pdf>.
Beebe, Nicole L. and Rao, V. Srinivasan, 2010, Improving Organizational Information Security
Strategy via Meso-Level Application of Situational Crime Prevention to the Risk Management
Process, Communications of the Association for Information Systems: Vol. 26, Article 17,
viewed 14 May 2014,
<http://aisel.aisnet.org/cais/vol26/iss1/17/>.
Bowen, P, Chew, E & Hash, J, 2007, Information Security Guide for Government Executives,
National Institute of Standards and Technology, viewed 13 May 2014,
<http://csrc.nist.gov/publications/nistir/ir7359/CSD_ExecGuide-booklet.pdf>.
DEFCON, n.d., Building Security Operations Center For little or no money, viewed 3 May
2014,
<http://www.defcon.org/images/defcon-18/dc-18-presentations/Pyorre/DEFCON-18-PyorreBuilding-Security-Operations-Center.pdf>.
DTS-Solution, n.d., Protecting your Information Assets from next Generation of Threats, Next
Generation Security Operations Center, viewed 1 April 2014,
<http://www.dts-solution.com/wp-content/uploads/2012/02/Security-Operations-Center-v1.pdf>.
EMC, 2011, TELUS improves compliance and strengthens security with market-leading SIEM
platform, RSA, EMC Corporation, viewed 12 May 2014,
<http://australia.emc.com/collateral/customer-profiles/10373-telus-cp.pdf>.
EMC, 2013, Building an Intelligence-Driven Security Operations Center, RSA Technical Brief,
EMC Corporation, viewed 14 May 2014,
<http://www.emc.com/collateral/technical-documentation/h11533-intelligence-driven-securityops-center.pdf>.
Ernst & Young, 2013, Security Operations Centers against Cybercrime - Top 10 considerations
for success, Insights on governance, risk and compliance, Ernst & Young Publication, viewed 15
April 2014,
<http://www.ey.com/Publication/vwLUAssets/EY__Security_Operations_Centers_against_cybercrime/$FILE/EY-SOC-Oct-2013.pdf>.

HP, 2011, Building a Successful SOC, HP Enterprise Security Business White Paper, Enterprise
Security, HP, viewed 5 April 2014,
<http://h71028.www7.hp.com/enterprise/downloads/software/ESP-BWP014-052809-09.pdf>.
HP, 2013, 5G/SOC: SOC Generations White Paper 2013, HP ESP Security Intelligence and
Operations Consulting Services, viewed 1 April 2014,
<http://h20195.www2.hp.com/V2/GetPDF.aspx%2F4AA4-6539ENN.pdf>.
HP, 2013, Security Operations Building a Successful SOC, HP Enterprise Security Business
White Paper, HP, viewed 1 April 2014,
<http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA46169ENW&cc=us&lc=en>.
IBM, 2013, Strategy considerations for building a security operations center, IBM Global
Technology Services, viewed 12 May 2014,
<http://public.dhe.ibm.com/common/ssi/ecm/en/sew03033usen/SEW03033USEN.PDF>.
Internet Security Systems, 2006, The Evolution of Managed Security Services, ISS Virtual-SOC
Solution, Security the Way You Need It, viewed 13 May 2014,
<http://www.iss.net/documents/whitepapers/ISS_Virtual_SOC.pdf>.
Jacobs, P, Arnab, A & Irwin, B, 2013, Classification of Security Operation Centers, Department of
Computer Science, Rhodes University, South Africa, viewed 3 May 2014,
<http://icsa.cs.up.ac.za/issa/2013/Proceedings/Full/58/58_Paper.pdf>.
Kahraman, E, n.d., Evaluating IT security performance with quantifiable metrics, Stockholm
University, viewed 13 May 2014,
<http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.102.4000&rep=rep1&type=pdf>.
Kent, K & Souppaya, M, 2006, Guide to Computer Security
Log Management, National Institute of Standards and Technology, viewed 12 May 2014,
<http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf>.
Kindervag, J, 2010, SOC 2.0: Three key steps toward the next-generation security operations
center, TechTarget.com, viewed 13 May 2014,
<http://searchsecurity.techtarget.com/tip/SOC-20-Three-key-steps-toward-the-next-generationsecurity-operations-center>.
Lee, R. D., 2001, Developing Effective Information Systems Security Policy, SANS Institute,
viewed 13 May 2014
<http://www.sans.org/reading-room/whitepapers/policyissues/developing-effective-informationsystems-security-policies-491>.
Lyne, J, 2013, 8 tips for a security incident handling plan, naked security, viewed 9 May 2014,
<http://nakedsecurity.sophos.com/2013/04/20/tips-incident-handlingplan/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29>.
Madani, A, Rezayi, S & Gharaee, H, 2011, Log management comprehensive architecture in
Security Operation Center (SOC), Computational Aspects of Social Networks (CASoN), viewed
11 May 2014,
<http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6085959>.
McAfee, 2012, Creating and Maintaining a SOC, The details behind successful Security
Operations Centers, white paper, McAfee An Intel Company, viewed 14 May 2014,
<http://www.mcafee.com/au/resources/white-papers/foundstone/wp-creating-maintainingsoc.pdf>.
MacDonald, N, 2011, Information Security is Becoming a Big Data Problem, The Gartner Blog
Network, viewed 16 May 2014,
<http://blogs.gartner.com/neil_macdonald/2011/04/12/information-security-is-becoming-bigdata-problem/>.
Network Computing, 2012, Do you need a Security Operations Center?, Wireless Infrastructure,
Network Computing, viewed 12 May 2014,
<http://www.networkcomputing.com/networking/do-you-need-a-security-operations-center/d/did/1102411>.
Nickle, M, 2011, Best practices for building a Security Operations Center - untangling the mess
created by multiple security solutions, CA Technology Services, viewed 18 May 2014,
<http://www.slideshare.net/nickle4245/soc-presentation-10590459>.
Rothke B, 2012, Building a Security Operations Center, Wyndham Worldwide Corp., RSA
Conference 2012, viewed 3 May 2014,
<http://www.rsaconference.com/writable/presentations/file_upload/tech-203.pdf>.
RSA, 2008, Creating an Effective Security Operations Function White Paper, RSA The
Security Division of EMC, viewed 10 May 2014,
<http://www.comprosec.ch/fileadmin/document_archive/Library/RSA_enVision/WPE_Creating_an_Effective_Security_Operations_Function___9558_SOC_WP_0808-lowres_cps_dis.pdf>.
Swift, D, 2011, A Process for Continuous Improvement Using Log Analysis, SANS Institute,
viewed May 17 2014,
<http://www.sans.org/reading-room/whitepapers/awareness/process-continuous-improvementlog-analysis-33824>.
Taylor, B, 2014, How Big Data is changing the security analytics landscape, TechRepublic,
viewed May 13 2014,
<http://www.techrepublic.com/blog/big-data-analytics/how-big-data-is-changing-the-securityanalytics-landscape/#.>.

Minutes of the Meetings


Minutes of 1st Meeting
Date: 30th March 2014
Time: 8:30 pm
Members Present:
1. Abhishek Joshi
2. Randeep Singh Chhabra
Members Absent: None
Discussion:
- Possible topics provided in the guideline for project.
- Considered Security Operations Center as a probable topic.
Decision:
- To carry out more research on different topics before considering the final topic.
- Also test the feasibility of Security Operations Center as a probable topic.
Meeting adjourned at 8:50 pm.

Minutes of 2nd Meeting


Date: 1st April 2014
Time: 8:15 pm
Members Present:
1. Abhishek Joshi
2. Randeep Singh Chhabra
Members Absent: None
Discussion:
- Put forward different arguments and ideas to support the topic to be chosen.
- After finalizing Security Operations Center as a topic, discussed and finalized the outline of
the topic for submission.
Decision:
- Finalized Best Practices of Security Operations Center as the final topic for our study.
- Discussed and written the outline of the topic for submission.
- Division of tasks to further research on the topic for final discussion paper.
Meeting adjourned at 9:20 pm.

Minutes of 3rd Meeting


Date: 10th April 2014
Time: 1:10 pm
Members Present:
1. Abhishek Joshi
2. Randeep Singh Chhabra
Members Absent: None
Discussion:
- Discussed on information gathered as per the previous research carried out.
- Discussed the scope of the project to sort out the relevant information.
- Planned on proceeding to finalize the introduction of the report.
Decision:
- To finalize, structure the introduction and probable headings of the report at next meeting.
Meeting adjourned at 1:35 pm.
Minutes of 4th Meeting
Date: 15th April 2014
Time: 3:10 pm
Members Present:
1. Abhishek Joshi
2. Randeep Singh Chhabra
Members Absent: None
Discussion and Decision:
- Structured, finalized and formatted the introduction.
- Listed out probable components of the discussion report.
Meeting adjourned at 4:00 pm.

Minutes of 5th Meeting


Date: 23rd April 2014
Time: 8:30 pm
Members Present:
1. Abhishek Joshi
2. Randeep Singh Chhabra
Members Absent: None
Discussion:
- With regards to comments received on the introduction, discussed on how to improve.
- Finalized the listed out headings for the report.
Decision:
- Divided tasks amongst us to create a draft for the report.
- Allocated the whole report in 50 % each.
- Two weeks as a deadline to submit each draft.
Meeting adjourned at 8:45 pm.
Minutes of 6th Meeting
Date: 7th May 2014
Time: 8:30 pm
Members Present:
1. Abhishek Joshi
2. Randeep Singh Chhabra
Members Absent: None
Discussion:
- Reviewed each other's draft of their parts for errors and accuracy.
- Need of more references to back our study
- Too lengthy draft, both of us discussed how it would be feasible to cut the length without
losing the essence of the study.
Decision:
- Re-write the drafts to shorten the length and limit it under 3500 words
- Find more references to back our study for effective presentation
- Meeting next week after class.
Meeting adjourned at 9:00 pm.

Minutes of 7th Meeting


Date: 14th May 2014
Time: 8:30 pm
Members Present:
1. Abhishek Joshi
2. Randeep Singh Chhabra
Members Absent: None
Discussion:
- Reviewed the draft again along with the references.
- Still some improvements required for overall content.
- Discussed on how to send our message from presentation.
- Planned on the topics and the contents of the presentation.
Decision:
- To finalize the report by next week.
- And finalize the contents of the presentation by next week.
Meeting Adjourned at 9.05 pm
Minutes of 8th Meeting
Date: 21st May 2014
Time: 8:30 pm
Members Present:
1. Abhishek Joshi
2. Randeep Singh Chhabra
Members Absent: None
Discussion and Decision:
- Discussed some essence still missing after proofreading and decided to try to improve it
again.
- Structure and formatting of the report finalized.
- Discussed on possible presentation tools we can use for effective presentation.
- By Friday 23rd May 2014 finalize the report and the presentation.
Meeting adjourned at 8:55 pm

Minutes of 9th Meeting


Date: 26th May 2014
Time: 8:45 pm
Members Present:
1. Abhishek Joshi
2. Randeep Singh Chhabra
Members Absent: None
Discussion and Decision:
- Finalized, formatted and edited the report.
- Checked references and devised percentage allocation as per the tasks divided and carried
out.
- Reviewed the images to be used in presentation.
- Evaluated the contents for presentation in terms of time restriction.
Meeting adjourned at 10:00 pm
