Received November 24, 2020, accepted December 13, 2020, date of publication December 17, 2020,
date of current version December 31, 2020.
Digital Object Identifier 10.1109/ACCESS.2020.3045514
Security Operations Center: A Systematic Study and Open Challenges
Chair of Information Systems, University of Regensburg, 93053 Regensburg, Germany
Corresponding author: Manfred Vielberth (
ABSTRACT Since the introduction of Security Operations Centers (SOCs) around 15 years ago, their importance has grown significantly, especially over the last five years. This is mainly due to the paramount necessity to prevent major cyber incidents and the resulting adoption of centralized security operations in businesses. Despite their popularity, existing academic work on the topic lacks a generally accepted view and focuses mainly on fragments rather than looking at it holistically. These shortcomings impede further innovation. In this paper, a comprehensive literature survey is conducted to collate different views. The discovered literature is then used to determine the current state-of-the-art of SOCs and derive primary building blocks. Current challenges within a SOC are identified and summarized. A notable shortcoming of academic research is its focus on the human and technological aspects of a SOC while neglecting the connection of these two areas by specific processes (especially by non-technical processes). However, this area is essential for leveraging the full potential of a SOC in the future.
INDEX TERMS Security management, security operations center, security operations, SOC.
According to a recent report, the average number of security breaches reported by organizations has risen by 11% from 130 in 2017 to 145 incidents in 2018 [1]. Over the last five years, this number has risen by a total of 65%. However, this report only covers detected and reported incidents, and the number of unreported incidents is probably much higher. The total annual cost of any type of cyber-attack is also growing at a steady pace [1]. Unfortunately, many attacks go undetected for a surprisingly long time. The mean time to detect an incident was 196 days in 2018, and it took another 69 days on average to contain the breach [1]. This detection time demonstrates how ineffective companies are at detecting and mitigating cyber-attacks. The reasons for this inefficiency include but are not limited to companies (1) not having an overview of their devices, systems, applications, and networks, (2) not knowing which assets to protect, (3) not knowing which tools to use and how to integrate them with the existing infrastructure, or (4) being overwhelmed by the speed of technology and the ever-evolving threat landscape.
The associate editor coordinating the review of this manuscript and approving it for publication was Wei Huang.
Security Operations Centers (SOCs) can provide an overarching solution for detecting and mitigating an attack if implemented correctly. They incorporate a mixture of people, processes, technologies, and governance and compliance, to effectively identify, detect, and mitigate threats, ideally before any damage occurs. However, there are a few research gaps and challenges associated with SOCs. The biggest issue is the lack of a precise definition of a SOC and its components. For some researchers, a SOC is solely an entity responsible for monitoring the network. For others, it is an organizational unit encompassing all security operations, like incident management and threat intelligence. This lack of consensus hinders companies from deploying efficient SOCs and researchers from further adding to the innovation of SOCs. Therefore, this work’s main contribution is to close this research gap by establishing a ground truth for a state-of-the-art SOC. We conduct a structured literature review to identify and subsume the current state-of-the-art.
The remainder of this paper is structured as follows. We identify related work in Section II. We describe the methodology applied to carry out this literature survey throughout Section III. Section IV is the first part of the main contribution of this work. Therein we summarize relevant work for the definition of a SOC and other more general aspects. The second main contribution is formulated in Section V, which distills the building blocks of a SOC from literature. To highlight a roadmap for future research, we identify a series of open challenges within Section VI. We conclude our work in Section VII summarizing the
This work is licensed under a Creative Commons Attribution 4.0 License.
TABLE 1. Review protocol.
A fundamental problem within a significant part of SOC literature is that it is very fragmented and widespread. Only a limited body of work has attempted to define holistic, architectural SOC frameworks so far [2]–[6]. Although researchers agree on most of the necessary capabilities, there is no clear consensus of what constitutes a SOC. Furthermore, most academic work focuses on particular characteristics of a SOC without paying much attention to the overall picture.
We identified some work partially relevant to our approach which is trying to get a more hands-on understanding of SOCs. The authors of the respective publications use semi-structured interviews [2], [7]–[11], on-site visits [2], [12], case studies [13], or ethnographic fieldwork [14]–[17]. These publications derive their definition of SOCs following a bottom-up approach leading to a limited understanding of SOCs. Interviews and on-site visits provide insight into a small fraction of specific SOC elements but do not allow conclusions upon a general state-of-the-art. We see a lack of general overview and identification of the status-quo in the field of SOC research. There is a need for a commonly agreed-upon terminology to advance the field further. We take the first step to fulfill this need.
Our work aims to identify, evaluate, and synthesize relevant academic literature in the field of SOCs. Despite the real, practical significance of the topic, there is a lack of academic research, especially regarding a commonly agreed, holistic definition of SOCs. This issue makes it hard for researchers and organizations to identify relevant literature, and as a result, impedes future research and innovations in this field. We aim to provide a guided tour through existing literature and establish a common ground truth. To conduct the review, we follow the three stages proposed by Tranfield et al. [18] based on well-established guidelines [19]–[21]. The review protocol in Table 1 specifies research questions, information sources, search criteria, and relevant keywords. After the first collection of papers, we apply predefined criteria for inclusion or exclusion of papers to decrease the amount of papers and increase the quality of the literature considered for further review.
Table 1 lists the keywords used to identify relevant literature. Only publications that had the exact search term in title, abstract, or keywords are considered. Searching for "Security" AND "Operations" AND "Center" results in an immense number of papers, from which only a very small fraction is relevant to this study. Therefore, only the full term is applied to identify relevant literature. The common abbreviation "SOC" is not used to search for papers because it also abbreviates System on a Chip (SoC) and, as a result, also produces a high number of false positives. The defined keywords are used to search in the databases defined in Table 1. We chose these databases because of their reputation within information systems, computer science, and cybersecurity. Finally, Dimensions is included in the list of searched databases as it provides a holistic view over a wide variety of papers reflected by the number of search results.
In total, 321 academic publications are identified using the keywords depicted in Table 2. From this set, we remove all duplicates, leaving 208 papers to analyze. Those papers are extracted, and the selection (inclusion/exclusion) criteria are applied. All available remaining papers are downloaded and their abstracts are read to decide upon their relevancy for the study, leaving a total of 158 papers.⁸ Figure 1 illustrates the publication dates of the remaining 158 papers after applying the exclusion criteria. The first paper included in the literature review was published in 2003. The number of publications about SOCs has been skyrocketing since 2015, and we expect it to keep rising within the next years. Therefore, we see a strong necessity to establish a common baseline for SOC research.
⁸ For transparency reasons, the full list of 321 academic publications and the filtering steps are made available via
TABLE 2. Search results per database.
FIGURE 1. Relevant publications per year (until June 31st, 2020) identified in the structured review.
The identified literature can be categorized into two main categories: General Aspects and Building Blocks. The first one summarizes the state-of-the-art regarding SOC definitions, operating models, and architectures. The second main category, Building Blocks, deals with the aspects which, based on literature, comprise a SOC. Although we analyze scientific work to understand academia’s current view, the topic of SOCs is highly driven by the industry as well. However, within the industry, the term Security Operations Center is used very ambiguously. Therefore, we only include a limited number of influential gray literature in this survey when appropriate. This literature is identified in the references used in scientific papers.
Besides the term "Security Operations Center", there is a wide variety of other, closely related terms used in the literature, e.g. Grid Security Operation Center (GSOC), Virtual Security Operation Center (VSOC), and many more. From here on, we will use the term SOC to abbreviate "Security Operations Center".
This section introduces the first part of our main contribution. We subdivide this part of our work into the delimitation & definition of SOCs, their architecture, and operating models. Identified literature for these subtopics is summarized in Table 3.
A SOC is an organizational unit operating at the heart of all security operations. It is usually not seen as a single entity or system but rather as a complex structure to manage and enhance an organization’s overall security posture. Its function is to detect, analyze, and respond to cybersecurity threats and incidents employing people, processes, and technology [2], [22]–[25], [69]. Those activities can be formalized into seven dimensions or functional areas of a SOC [5], [26]. While widely accepted as utterly crucial for a company’s security, SOCs are still considered a passive and reactive defense mechanism [27]–[29].
TABLE 3. Identified literature for the topic General Aspects.
Research often describes operations within a SOC following the People, Processes, and Technologies (PPT) framework [3], [30]–[33]. This framework is used for various information technology topics like knowledge management [70] or customer relationship management [34]. Also, among SOC vendors, this framework is popular to summarize and structure their product. Although the Governance and Compliance aspect is often subordinated to processes, we consider it to be a category of its own due to the high importance within SOCs. It offers the framework in which people operate and according to which the processes and technologies are built. Therefore, we extend the original PPT framework resulting in the People, Processes, Technology, Governance and Compliance (PPTGC) framework displayed in Figure 2.
FIGURE 2. The People, processes and technology, governance & compliance (PPTGC) framework based on [70].
When implemented along with the PPTGC framework, a SOC can improve a company’s security posture [36]. However, there is no clear terminology established describing a SOC. The following paragraphs delimit SOC from various other terms:
Computer Security Incident Response Team: This term is often used interchangeably with SOC although it mainly focuses on the response part once an attack has happened. A CSIRT is an organizational unit responsible for coordinating and supporting the response to a computer security incident [71]. A CSIRT is classified either as an independent team or part of a SOC [37].
Network Operations Center: A Network Operations Center (NOC) oversees identifying, investigating, prioritizing, escalating, and resolving problems [17], [38]. However, in NOCs, the addressed problems are different as the NOC focuses on incidents impacting the performance and availability of an organization’s network [36], [72]. As incidents can occur on all systems, not just networks, it is beneficial for organizations when the NOC and SOC teams work together.
Security Intelligence Center: The term Security Intelligence Center (SIC) was first used in 2017 to describe the successor of SOCs. It aims to provide a more holistic, integrated view than a SOC and can fully visualize and manage security intelligence in one place [24]. Therefore, several technologies (e.g. Information Security (IS) knowledge management, big data processing) are combined [39].
Security Information and Event Management: SIEM is an integral part of many SOCs to cover a large part of the technological requirements. It is responsible for collecting security-relevant data in a centralized manner. Thereby, it provides security analytics capabilities by correlating log events. Further functionalities enable enrichment with context data, normalizing heterogeneous data, reporting, and alerting [73]. To allow the exchange of threat information, SIEM provides a connection to cyber threat intelligence exchange platforms, and it involves human security analysts by offering visual security analytics capabilities. It includes log management capabilities by long time storage of event
While analyzing literature for this section, we saw the lack of a commonly agreed-upon definition for a SOC. Definitions vary widely, making it quite hard to get a grasp of what a SOC is. Additionally, a SOC takes on different responsibilities depending on the technology landscape and maturity of the organization. To ensure a clear definition of the term SOC in our work, we define our understanding of a SOC stemming from and summarizing the analyzed literature in the following paragraph:
The Security Operations Center (SOC) represents an organizational aspect of an enterprise’s security strategy. It combines processes, technologies, and people to manage and enhance an organization’s overall security posture. This goal can usually not be accomplished by a single entity or system but rather by a complex structure. It creates situational awareness, mitigates the exposed risks, and helps to fulfill regulatory requirements. Additionally, a SOC provides governance and compliance as a framework in which people operate and to which processes and technologies are tailored.
This section gives an overview of architectural design approaches for SOCs, which we identified within relevant SOC literature. The first part (Section IV-B1) summarizes three different general architectural approaches applied to SOC designs throughout the literature. The second part of this section (Section IV-B2) goes into more detail about specific architectures proposed throughout the years and describes the most influential ones.
SOCs can either be structured as centralized, distributed, or decentralized entities on a high and abstract level. In the case of SOCs, a centralized architecture describes the approach where all the data is sent from different locations or subsidiaries to one central SOC for further processing [4], [34].
A distributed SOC, on the other hand, resembles one single system operating across several subsidiaries [6], [40]. It appears for users as if they are dealing with one entity. The distributed system enables all entities to retrieve, process, combine and provide security information and services to other entities [41], [42]. It allows for spreading the workload and data evenly.
The third overall architectural design for SOCs is a decentralized system, a combination of the two system designs mentioned above [39]. A decentralized SOC comprises a few SOCs with possibly limited capabilities reporting to one or more central SOCs. A shift from having one central SOC to a more decentralized architecture is observed when comparing earlier research with more recent publications. The main reason for this seems to be to avoid a single point of failure.
A SOC is an organizational unit encompassing different functionalities and not just one single system. One of the first architecture models for SOCs is the SOCBox proposed by Bidou et al. [4], [34] and evaluated by Ganame et al. [43]. SOCBox defines a SOC as composed of five main modules: event generators, event collectors, message databases, analysis engines, and reaction management software.
Although the SOCBox architecture is still relevant regarding its main components, it has certain limitations as it was proposed almost 15 years ago, and technology has advanced considerably. SOCBox primarily focuses on data collection and incident management but fails to include digital forensics and reactive capabilities to prevent attacks. Moreover, the proposed architecture describes a centralized system with numerous single points of failure. Due to the complexity of modern IT landscapes and technological developments, distributed architectures are often deemed to be more appropriate [6], [41]. Therefore, the SOCBox architecture has undergone several iterations and was improved throughout the years. Its direct successor is the Distributed SOC (DSOC) proposed by the same group of authors [6].
The DSOC architecture lays the basis for the distributed Grid SOC (GSOC) architecture for critical infrastructures, which again is developed by the research teams starting the work on the original SOCBox [40]–[42]. These three architectures highlight the shift from centralized to distributed SOC setup over time. The original SOCBox architecture [4] was also used by Miloslavskaya [39] to design a modern SOC for big data processing.
Radu [3] states that a SOC architecture consists of a generation layer, an acquisition layer, a data manipulation layer, and an output or presentation layer. This more abstract approach to defining a SOC’s technological architecture using only very few building blocks can be found in several works [30], [44]–[46]. These publications conclude that a SOC consists of similar architectural blocks: a block that summarizes the data sources, followed by a block designed to collect the data from the sources and hand it to a third block responsible for analyzing the data. The last block describes the presentation of the data analysis results. None of these blocks makes any assumptions, whether done manually or
We also identified further proposals of SOC architectures within the relevant literature, focusing on SOCs for specific use cases. Settani et al. [47] describe the implementation of a SOC architecture for critical infrastructure providers. Tafazzoli and Grakani propose an architecture for processing events in an OpenStack environment to detect attacks in the cloud on a very superficial level [48]. There is a wide variety of other, very specific, and domain-tailored SOC architectures [49]–[61], [74].
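The four-layer model above (data sources, collection, analysis, presentation) and the SIEM functions listed earlier (centralized collection, normalization of heterogeneous data, enrichment with context data, correlation, alerting) can be made concrete with a small end-to-end pipeline. The following Python script is an added example, not code from the paper or from any of the surveyed architectures; the sshd and JSON log lines, the asset inventory, and the threshold and time window are constructed for illustration.

```python
"""Minimal SIEM-style pipeline: generation -> acquisition/normalization -> analysis -> presentation."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Generation layer: constructed sample events from two heterogeneous sources.
SSHD_LINES = [  # syslog-style sshd lines (constructed)
    "2020-12-01T10:00:01Z db01 sshd[1201]: Failed password for root from 203.0.113.9 port 50122 ssh2",
    "2020-12-01T10:00:02Z db01 CRON[99]: pam_unix(cron:session): session opened for user root",
    "2020-12-01T10:00:04Z db01 sshd[1201]: Failed password for root from 203.0.113.9 port 50124 ssh2",
    "2020-12-01T10:00:07Z db01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 50126 ssh2",
    "2020-12-01T10:00:12Z db01 sshd[1201]: Failed password for root from 203.0.113.9 port 50128 ssh2",
    "2020-12-01T10:00:15Z db01 sshd[1201]: Accepted password for root from 203.0.113.9 port 50130 ssh2",
    "2020-12-01T10:05:00Z web01 sshd[88]: Accepted publickey for deploy from 10.0.0.20 port 40000 ssh2",
]
PORTAL_LINES = [  # JSON application log (constructed)
    '{"time": "2020-12-01T10:01:00Z", "host": "web01", "event": "login_failed", "user": "alice", "client_ip": "198.51.100.7"}',
    '{"time": "2020-12-01T10:01:10Z", "host": "web01", "event": "login_failed", "user": "alice", "client_ip": "198.51.100.7"}',
    '{"time": "2020-12-01T10:01:30Z", "host": "web01", "event": "login_ok", "user": "alice", "client_ip": "198.51.100.7"}',
]
# Context data for enrichment (hypothetical asset inventory).
ASSETS = {"db01": {"criticality": "high"}, "web01": {"criticality": "medium"}}
SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
                     r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Acquisition layer: normalize heterogeneous records into one event schema.
def normalize_sshd(line):
    m = SSHD_RE.match(line)
    if not m:  # unknown format: dropped here (a real SIEM would still retain the raw log)
        return None
    return {"ts": parse_ts(m["ts"]), "src_ip": m["src"], "dst_host": m["host"], "user": m["user"],
            "action": "auth_failure" if m["outcome"] == "Failed" else "auth_success", "source": "sshd"}

def normalize_portal(line):
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    actions = {"login_failed": "auth_failure", "login_ok": "auth_success"}
    if rec.get("event") not in actions:
        return None
    return {"ts": parse_ts(rec["time"]), "src_ip": rec["client_ip"], "dst_host": rec["host"],
            "user": rec["user"], "action": actions[rec["event"]], "source": "portal"}

def acquire(sshd_lines, portal_lines):
    events = [normalize_sshd(l) for l in sshd_lines] + [normalize_portal(l) for l in portal_lines]
    return sorted((e for e in events if e), key=lambda e: e["ts"])

def enrich(event, assets):
    event["asset_criticality"] = assets.get(event["dst_host"], {}).get("criticality", "unknown")
    return event

# Analysis layer: correlate failed and successful logins per (source IP, target host) pair.
def correlate(events, threshold=3, window=timedelta(minutes=5)):
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src_ip"], ev["dst_host"])].append(ev)
    alerts = []
    for (src, host), evs in by_pair.items():
        failures = [e for e in evs if e["action"] == "auth_failure"]
        if len(failures) < threshold:
            continue
        last = failures[-1]  # events arrive sorted by time, so this is the latest failure
        burst = [f for f in failures if last["ts"] - f["ts"] <= window]
        if len(burst) < threshold:
            continue
        followed = [e for e in evs if e["action"] == "auth_success"
                    and last["ts"] <= e["ts"] <= last["ts"] + window]
        alerts.append({"rule": "brute_force_then_success" if followed else "brute_force_attempt",
                       "src_ip": src, "dst_host": host, "failures": len(burst),
                       "users": sorted({f["user"] for f in burst}),
                       "asset_criticality": last.get("asset_criticality", "unknown"),
                       "first_seen": burst[0]["ts"].isoformat(),
                       "last_seen": (followed[-1] if followed else last)["ts"].isoformat()})
    return alerts

# Presentation layer: priority for tier-1 triage plus a one-line summary per alert.
def priority(alert):
    high = alert["asset_criticality"] == "high"
    if alert["rule"] == "brute_force_then_success":
        return "P1" if high else "P2"
    return "P2" if high else "P3"

def present(alerts):
    return ["[{}] {} src={} host={} ({}) failures={} users={}".format(
        priority(a), a["rule"], a["src_ip"], a["dst_host"], a["asset_criticality"],
        a["failures"], ",".join(a["users"])) for a in alerts]

def run_pipeline(sshd_lines, portal_lines, assets):
    events = [enrich(e, assets) for e in acquire(sshd_lines, portal_lines)]
    alerts = correlate(events)
    return alerts, present(alerts)

if __name__ == "__main__":
    for line in run_pipeline(SSHD_LINES, PORTAL_LINES, ASSETS)[1]:
        print(line)
```

With the constructed input, only the db01 pair crosses the threshold and is followed by a success, so one P1 alert is produced; the two portal failures stay below the threshold and generate nothing.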
There are numerous ways of operating a SOC. Broadly speaking, a SOC can be operated internally or externally [7], [25], [62], [63]. However, various other and more specific classifications exist. Schinagl et al. [2] propose clustering the different operating models based on the SOC’s organizational placement and its functionality, such as an integral, a technology-driven, a partly outsourced, and a specialized SOC. A different approach to classify SOC operating models is taken by Zimmerman et al. [75] and adapted by Radu et al. [3]. They use a combination of size, authority, and the organizational model and propose to divide SOCs into five different operating models: virtual SOC, small SOC, large SOC, tiered SOC, and national SOC. Another clustering of SOC operating models applies four main categories: dedicated, virtual, outsourced, and hybrid SOC [76]. Independently of the operating model of a SOC, it has to be secured itself. A failing SOC leaves the whole rest of a company vulnerable as attacks might spread undetected. Therefore, special attention must be paid to the security of a SOC [65], [66].
Each operating model has certain advantages and disadvantages, and it is essential to come to a decision upfront. Changing the SOC structure after setting it up will require a considerable amount of time and resources [64], [77], [78]. However, the choice between SOC operating models is not a trivial task, and the implications of this choice should be thoroughly considered. The literature identifies various factors which influence this choice:
Company strategy: The overall business and IT strategy should be consulted to determine which operating model fits best [76]. A SOC strategy should be defined before selecting the respective operating model [75].
Industry sector: The industry sector in which a company mainly operates largely influences the scope of the SOC required [7], [76].
Size: The size of a company also has an impact on the decision, since a small company might not be able to set up and run a SOC on their own [67], [68] or might not even require a rigorously defined SOC [3], [25].
Cost: The costs of internally implementing and maintaining a SOC must be compared with the costs of outsourcing security operations [64]. Initially, deploying an in-house SOC might be more expensive [78], but such an option might turn out to be more cost-effective in the long term. Costs of finding, hiring, and training SOC staff constitute a significant factor, especially since they might increase due to growing skill-shortage and increasing market demand [3].
Time: It takes a considerable amount of time to set up a SOC. Therefore, alignment with organizational plans and timelines is necessary. Additionally, the time to set up a SOC should be compared to the time needed for outsourcing it.
Regulations: Depending on the industry sector, different regulations must be considered. Some might enforce the implementation of an operational SOC [25], others might forbid the outsourcing of SOC operations altogether, or at least to specific providers who do not comply with the respective regulations [64].
Privacy: Privacy also falls under regulation and must be respected whenever dealing with personal data [3].
Availability: Availability requirements should be considered [68]. Most of the time, the goal is to have a SOC operational 24/7, 365 days a year [46], [78].
Management support: Management support is of crucial importance when setting up a dedicated SOC. If management is not committed and benefits of a SOC are not communicated to upper management, the team might not get the resources needed [33].
Integration: The capabilities of an internal SOC need to be integrated with other IT departments [7], [63], whereas, in an external SOC, the provider needs to be integrated to get all the data needed.
Data loss concerns: The SOC is most often a central place where a substantial amount of sensitive data is processed. Internal SOCs need to be highly secured, while for external SOC a trusted provider must be selected, who can ensure that the data is secured against intellectual property theft as well as accidental loss [64], [78].
Expertise: It takes time and money to build up expertise. The required skills for operating a SOC are not very easy to find [63], [64]. Recruitment and retention (see also Section V-A2) of personnel is a crucial factor for internal SOCs. However, the necessary skills are already present for external SOC providers. Especially in the context of SOCs, having an insight into different companies might give SOC providers a knowledge advantage [67], [68]. However, companies should be aware that outsourcing reduces in-house knowledge [3].
TABLE 4. Identified literature for the topic People.
With this list of important factors influencing a specific SOC’s operating model decision, we conclude the General Aspects of SOCs identified in academic literature.
The second part of our main contribution now focuses on the main building blocks of a SOC. We structure this part of the work following the previously described PPTGC framework. The framework translates into defining processes to optimize operations, implementing the right technology to make work more efficient, and hiring the right people with the right skills to run the processes. Therefore, the framework allows us to define a SOC and its components cohesively. We also include a dedicated section to the aspect of governance and compliance within the SOC.
Following the PPTGC framework, we first look at the people involved in a SOC. Literature allows us to derive the various roles and responsibilities involved in running a SOC. Another important aspect discussed in related literature is the recruitment of personnel and various retention methods. Third, the importance of training and awareness programs is outlined, and fourth, collaboration and communications procedures within a SOC are identified. The relevant literature for each of these subtopics can be found in Table 4.
Just like in every other organizational unit, there are several different roles and responsibilities within a SOC. Depending on scope and size, different teams are needed in different numbers. Typical core roles in a SOC are different tiers of analysts as well as dedicated managers. Based on the identified work, we derive three roles with respective responsibilities [8], [54], [66], [75], [80], [81], [100], [101]:
Tier 1 (Triage Specialist): Tier 1 analysts are mainly responsible for collecting raw data as well as reviewing alarms and alerts. They need to confirm, determine, or adjust the criticality of alerts and enrich them with relevant data. For every alert, the triage specialist has to identify whether it is justified or a false positive. An additional responsibility at this level is the identification of other high-risk events and potential incidents. All these need to be prioritized according to their criticality. If occurring problems cannot be solved at this level, they are escalated to tier 2 analysts. Furthermore, triage specialists are often managing and configuring the monitoring tools.
Tier 2 (Incident Responder): At tier 2 level, analysts review the more critical security incidents escalated by triage specialists and do a more in-depth assessment using threat intelligence (Indicators of Compromise, updated rules, etc.). They need to understand the scope of an attack and be aware of the affected systems. The raw attack telemetry data collected at tier 1 is transformed into actionable threat intelligence at this second tier. Incident responders are responsible for designing and implementing strategies to contain and recover from an incident. If a tier 2 analyst faces major issues with identifying or mitigating an attack, additional tier 2 analysts are consulted, or the incident is escalated to tier 3.
Tier 3 (Threat Hunter): Tier 3 analysts are the most experienced workforce in a SOC. They handle major incidents escalated to them from the incident responders. They also perform or at least supervise vulnerability assessments and penetration tests to identify possible attack vectors. Their most important responsibility is to proactively identify possible threats, security gaps, and vulnerabilities that might be unknown. As they gain reasonable knowledge about a possible threat to the systems, they also should recommend ways to optimize the deployed security monitoring tools. Also, any critical security alerts, threat intelligence, and other security data provided by tier 1 and tier 2 analysts need to be reviewed at this tier.
SOC Manager: SOC managers supervise the security operations team. They provide technical guidance if needed, but most importantly, they are in charge of adequately managing the team. This includes hiring, training, and evaluating team members, creating processes, assessing incident reports, and developing as well as implementing necessary crisis communication plans. They also oversee the financial aspects of a SOC, support security audits, and report to the Chief Information Security Officer (CISO) or a respective top-level management position.
Each of these core roles is required to have a specific skill set. We summarize the identified skill sets very briefly within Figure 3. The core roles can be found in SOCs independent of their size. However, in a smaller SOC, each role’s responsibilities are broader, and they are narrowed down to be more specific when the SOC grows. For example, in a small SOC with only a few analysts, everyone needs to be knowledgeable on several skills because a few employees need to cover all the arising tasks. In a bigger SOC, roles can be more specific as, for example, some analysts might be focused on network monitoring while others are experts for Windows or Linux specifics. This comes with many advantages, such as a better and faster response to threats or better separation of
FIGURE 3. Necessary skills among SOC roles [54], [66], [75], [100], [101].
Besides the four already described essential roles, we iden-
tified additional roles that are at least to some extent involved
in the daily business of a SOC [14], [46], [75], [79]. Because
of the wide variety of identified roles, it is important to
attempt to structure them. We have derived a list of different
roles and possible interconnections between them. Figure 4
depicts those based on Olt [79]. These additional roles need
to lead, work together, or cooperate with the previously
described core SOC roles, which are also included in the
figure. However, in a running SOC there may be substantial
overlap between these additional roles and the core roles.
This is why we decided to group the roles into five main
groups indicated through different colors in Figure 4. These
groups can be adapted or expanded with additional roles when
Management roles: In the context of a SOC, we identify
three critical managerial roles. First, the Chief Information
Security Officer (CISO), who defines the strategy, goals,
and objectives of an organization's overall security operations.
Second, the SOC Manager, who leads the SOC itself and
was already described above. Third, inside the SOC, the
literature names one additional high-level management
role, the Incident Response Coordinator, who
coordinates all activities related to incident response.
Technical roles: There is a wide variety of additional
security specialists who need to collaborate with the
SOC analysts to allow for efficient and effective SOC
operations. Malware Analysts help with responding to
sophisticated threats by performing malware reverse
engineering and creating crucial results for incident
response activities. To be aware of possibly ongoing
attacks, Threat Hunters actively look for threats inside
the organization, for example, by reviewing logs or out-
side of the organization by analyzing available TI data.
This TI data is also explicitly analyzed by Threat Intelli-
gence Analysts or researchers. They analyze threat intel-
ligence from various sources and produce input for the
SOC team. If parts of an attack have succeeded, Forensic
specialists conduct detailed investigations into them.
They collect and analyze forensic evidence in a legally
sound manner. Red Teams and Blue Teams actively try
to attack or respectively defend the organization’s sys-
tems to identify vulnerabilities, and both test as well
as increase the effectiveness and resilience of security
mechanisms. Finally, Vulnerability Assessment Experts
perform research to identify new, previously unknown
vulnerabilities and manage known vulnerabilities with
respect to business risk. These experts create detailed
technical reports of their findings and support SOC
analysts or incident response teams with specific vulnerability
findings. Another vital role of this group is
the Security Engineer (SE). The SE develops, integrates,
and maintains SOC tools. Security Engineers also define
requirements for new tools. They ensure the appropriate
access to tools and systems. Additional tasks are the
configuration and installation of firewalls and intrusion
detection/prevention systems. Furthermore, they assist
in writing and updating detection rules for Security
Information and Event Management (SIEM) systems.
Consulting roles: The two most important roles of
this group are the Security Architect (SA) and the
Security Consultant. The SA plans, researches, and
designs a robust security infrastructure within a com-
pany. SAs conduct regular system and vulnerability
tests and implement or supervise the implementation of
enhancements. They are also in charge of establishing
recovery procedures. Security consultants often research
security standards, security best practices, and security
systems. They can provide an industry overview for an
organization and compare current SOC capabilities with
competitors. They can help to plan, research, and design
robust security architectures.
External personnel: External personnel can be involved
in any SOC operation; how many of the roles and groups
above are staffed by external personnel depends on the
architecture and operating model of the SOC.
FIGURE 4. Interaction of different roles within a SOC [79].
Besides technical skills, soft skills are becoming more and
more important. Desired skills include communication skills,
continuous learning abilities, analytical mindset, ability to
perform under stress, commitment, teamwork, curiosity, and
practical organizational skills [75]. The significance of rel-
evant soft skills grows with the level of responsibility an
individual has within a SOC. Besides hard and soft skills,
there are a number of useful certifications for SOC employees,
depending on their level, which are summarized by
DeCusatis et al. [80].
The people working in a SOC are the last line of defense
and responsible for detecting and successfully mitigating
attacks. Thus, having skilled human resources in an adequate
quantity is imperative for the success of a SOC [32]. However,
finding and retaining the right staff is not an easy task. The
International Information System Security Certification Con-
sortium ((ISC)2) puts the current cybersecurity workforce gap
at roughly four million people on a worldwide scale, and it
is still growing [102]. Therefore, recruiting new, skilled staff
for SOCs is getting increasingly difficult. There is little to no
literature about how to specifically recruit SOC staff. Most of
the relevant papers focus on retaining SOC staff and closing
the skills gaps with automation.
Working in a SOC is very demanding and can be extremely
stressful. Anthropological studies found that SOC analysts
are often not satisfied with their job [15], [16]. They are
overloaded with mundane, tedious tasks, and the currently
deployed tools are not sophisticated enough to automate
these tasks [82]–[84]. SOC analysts’ primary responsibil-
ity, especially at tier 1, is to follow Standard Operating
Procedures (SOPs), also called playbooks. This negatively
impacts their creativity, growth, skills, and empowerment.
Literature reveals a vicious cycle, which ultimately causes
analyst burnout in a noticeable number of cases [15], [16].
Therefore, companies should take action to increase the job
satisfaction of their SOC staff. Several methods to counteract
staff burnout and increase job satisfaction can be determined:
Increase Automation: Increasing automation helps decrease
the number of mundane and boring tasks [83], [84].
This can be achieved with more efficient and helpful
tools deployed within the SOC. Analysts should be
consulted before buying and implementing tools, and
they should be engaged in the development of new tools.
New possibilities for automation can be discovered by
analysts themselves if they have time to reflect on their
daily work [16], [85]. Technology should amplify the
human capacity to be creative and apply critical thinking
to solve problems. Examples are studies analyzing data
triage tasks and trying to optimize the process [86]–[89].
Increase Operational Efficiency: Automating specific
tasks can also help to increase operational efficiency.
Additional improvements can be made by streamlining
processes, ensuring that analysts have access to the
data they need, and providing team communication and
collaboration possibilities. Examples are the (ideally
optimal) prioritization of alerts, so that analysts can focus on
the most critical ones [90], or the adaptive reallocation
of analysts based on current needs [91].
Invest in Human Capital: Security professionals working
in a SOC need to possess the right skills to perform their
job correctly, as described above. Investing in their skills
will not only contribute to their personal well-being
but also benefit the company itself [92]. Skills can be
enhanced by in-house or outsourced training, conference
participation, observation of more senior staff, or even
learning-by-doing. The more skills employees master,
the more likely they are to be empowered. This empow-
erment enables employees to do their job efficiently
and increases their morale [16]. Gaining skills and feeling
empowered, in turn, have a positive effect on the
creativity of analysts. Ultimately, employees grow and
increase their intellectual capacity, are empowered, and are
more likely to be creative. Where this positive causal chain
among the personal development factors holds, SOC staff will
be gratified [16], [93]. Unfortunately, it is not always
possible to exactly meet employees’ expectations. Tech-
nological limitations require personnel to sometimes
do tedious tasks, and budget restraints might hinder
staff from going on training. Other incentives, like a
competitive salary, monetary bonus, team-building or
after-work activities, flexible and competitive working
hours, respect, and recognition, can also play a role in
keeping up the SOC staff’s morale.
Well-trained employees are more productive because they
understand their responsibilities and tasks. Training strength-
ens their skills and addresses potential knowledge gaps. The
quality and consistency of the work also increases [93].
Furthermore, training benefits an organization itself because
employees are less likely to make mistakes. A study conducted
by Accenture and the Ponemon Institute revealed that
employee training can decrease the total cost of a cyber
breach by about 270,000 USD [1].
For junior staff members, training is a means to equip them
with the technical and soft skills required to perform well in
their job. Training for juniors has a broader scope and aims
to provide them with an overview of various security-related
topics. For example, for a SOC tier 1 analyst, training could
be given in real-time analysis, incident analysis and response,
scanning and assessment, alert correlation, and many more.
For more senior staff, training should be more tailored to their
specific role in the SOC as employees working in a SOC are
very likely specialized in specific tasks.
In general, training should consist of a mix of formal train-
ing, internal training, vendor-specific training, and on-the-
job learning. Formal training is a form of structured training
with predefined goals and objectives. Internal training is often
taught by other team members and of a more informal nature.
Thus, there is a less strict plan and internal training is more
Vendor-specific training is used to familiarize SOC staff
with deployed software (e.g. a specific SIEM system). On-
the-job learning or shadowing more experienced team mem-
bers is another form of acquiring the necessary skills [14].
As this type of learning is very unstructured, it involves
a steep learning curve. However, it might be overwhelming
for new SOC employees to deal with the flood of incoming
alerts without more formal training [94]. To support them,
Zhong et al. [88], for example, developed a system that
traces and models the data triage actions of senior analysts
and presents those actions to analysts working in a similar
context. All different training approaches have several advantages as well as
disadvantages. There is only very little scientific work on
SOC-specific training methods. Further research is necessary
to show how different training methods can be applied in the
context of SOCs and measure their effectiveness. An interest-
ing approach to improve on-the-job learning and training is
pursued by Applebaum et al. [95] by developing playbooks
that provide analysts with an overview of tasks and actions
based on the experience of other analysts. Also, knowledge
graphs representing the domain knowledge and experience
of SOC analysts enable better learning and training for
others [89], [95]. A relatively exotic use case is considered
by Sanchez et al. [96]. They present particular challenges
for a SOC within the space domain and emphasize employee
training’s unique challenges.
Especially in high-pressure environments like a SOC, collab-
oration amongst the various team members is essential [17],
[47]. A few academic resources focus on collaboration
in SOCs. Hàmornik and Krasznay [8] emphasize the
need for further research about computer-supported collab-
orative work (CSCW) to see how computer systems can
support collaborative activities. The AOH-Map developed by
Zhong et al. [97] is a collaborative analysis report system
capturing and displaying the analytical reasoning process of
analysts. Afterward, analysts can look at the captured process,
review past decisions, share their results with others, and
divide their tasks effectively. Additionally, work between
analysts needs to be divided equally depending on their
skills [98]. Crémilleux et al. [11] propose a collaboration
process to create a feedback loop between tier 1 and tier 2
SOC analysts.
An upcoming trend is the operational use of visualization
platforms with collaboration features; the 3D CyberCOP
platform [12], [99], for example, distinguishes explicit collaboration
through the platform from implicit collaboration through oral
communication, and logs every user's actions. It is imperative
for the SOC team's success to have constant interaction
and communication with other business units, for example,
the help desk, network administrators, or even the legal team.
This requires ensuring the other departments that the SOC
staff is not there to watch their every move but to help [23].
This section features academic work focusing on the pro-
cesses related to a SOC. We aim for a high-level perspective,
as there are different, very specific processes happening in
operations. Since the goal of a SOC is to respond to or prepare
for incidents, one way to structure the underlying processes is
through the Incident Response Lifecycle [103], [114], [119],
[120] or similar frameworks such as presented in ISO/IEC
27035:2016 [123]. According to the NIST Computer Security
Incident Handling Guide [124], the Incident Response
Lifecycle comprises the four steps "preparation", "detection
and analysis", "containment, eradication and recovery" and
"post-incident activity", which also form the structure of the
following chapter.
TABLE 5. Identified literature for the topic Processes.
At this point, we would like to emphasize that, in our view,
the literature only allows an incomplete picture regarding
processes. For example, technical processes are treated very
intensively, whereas most surrounding processes are dealt
with only sporadically. These aspects are to be regarded
as research gaps; the following chapter therefore presents
them only partially and leaves the detailed discussion of the
gaps to chapter VI. This is especially true for "post-incident
activity", since no SOC-specific scientific publication deals
with this topic. Therefore, it will not be considered in the
following descriptions.
The analyzed literature mainly focuses on data collection
within the topic of preparation; however, it does not give
a uniform picture of which steps the data collection process
is composed of. Nevertheless, as illustrated in Figure 5, the
steps normalization with time synchronization [22], [55],
[104]–[107], filtering [22], [55], [105], [106], [108], reduction
[22], [109], aggregation [22], [55], [106], [109], [113]
and prioritization [22], [55], [67], [103] or risk evaluation
[110] were mentioned most frequently. The order of process
steps is not uniform in the literature, as it can vary depending
on the application used. However, it is mostly described
in the presented sequence. The identified process steps are
explained in more detail to provide a general understanding:
Normalization: It is vital to translate the heterogeneous data
formats into a uniform representation to conduct fur-
ther processing. It is also essential to change all time
data to one standard time zone and format [22], [77].
Synchronization helps avoid confusion in the timeline
of the security events and reduces the likelihood that
erroneous conclusions are made on inconsistently mea-
sured network activity. In literature, normalization is
often referred to as log parsing or pre-processing.
Filtering: Since systems typically generate enormous
amounts of data, it is essential to filter for data elements
that are likely to contain important information from a
security perspective [125].
Reduction: Reduction resembles filtering, but instead of
discarding whole records, individual, unimportant data
fields are removed to reduce the amount of data.
Aggregation: Similar events are combined into one single
data element. For example, three log entries, each indicating
a login attempt to a host, could be aggregated into one
single record stating the type and number of login
attempts [125].
FIGURE 5. The data collection process.
Prioritization: Each log record should be classified according
to its importance to facilitate further processing. For example,
prioritizing incoming data helps to decide how to react to
events or how long the logs should be stored.
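The five steps just listed, implemented end to end as an added example (this is not code from the surveyed paper or from any of the cited tools). It assumes two hypothetical sources, a syslog-style sshd log reporting local time (UTC+1) and a JSON web-proxy log in UTC; the sample lines, host names, user names and addresses are constructed, and the retention periods are an assumed policy rather than values from the text.

```python
"""Log-collection pipeline: normalization with time synchronization, filtering,
reduction, aggregation and prioritization. Added example, not code from the
surveyed paper or any cited tool; all inputs below are constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: a syslog-style sshd source reporting local time
# (UTC+1) and a JSON web-proxy source reporting UTC. Hosts, users and
# addresses are hypothetical (documentation/TEST-NET ranges).
RAW_LOGS = [
    ("sshd", "2020-12-01T10:15:02+01:00 host1 sshd[221]: Failed password for root from 203.0.113.5 port 4412 ssh2"),
    ("sshd", "2020-12-01T10:15:04+01:00 host1 sshd[221]: Failed password for root from 203.0.113.5 port 4413 ssh2"),
    ("sshd", "2020-12-01T10:15:07+01:00 host1 sshd[221]: Failed password for root from 203.0.113.5 port 4414 ssh2"),
    ("sshd", "2020-12-01T10:16:00+01:00 host1 sshd[230]: Accepted publickey for deploy from 198.51.100.7 port 5000 ssh2"),
    ("proxy", '{"ts": "2020-12-01T09:15:30Z", "src": "10.0.0.12", "url": "http://intranet.example/", "status": 200, "ua": "Mozilla/5.0", "bytes": 1200}'),
    ("proxy", '{"ts": "2020-12-01T09:15:31Z", "src": "10.0.0.12", "url": "http://203.0.113.5/update.exe", "status": 200, "ua": "curl/7.64", "bytes": 48000}'),
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def normalize(source, line):
    """Step 1: map each source format onto one schema and one time zone (UTC).
    Returns None for lines the parser does not understand."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            return None
        local_ts = datetime.fromisoformat(m["ts"])      # offset-aware local time
        return {"ts": local_ts.astimezone(timezone.utc), "host": m["host"], "source": "sshd",
                "event": "auth_failure" if m["outcome"] == "Failed" else "auth_success",
                "user": m["user"], "src": m["src"], "url": None,
                "pid": int(m["pid"]), "port": int(m["port"])}
    if source == "proxy":
        rec = json.loads(line)
        # fromisoformat accepts a trailing 'Z' only from Python 3.11 on
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        return {"ts": ts, "host": rec["src"], "source": "proxy", "event": "http_request",
                "user": None, "src": rec["src"], "url": rec["url"],
                "ua": rec["ua"], "bytes": rec["bytes"], "status": rec["status"]}
    return None


def is_security_relevant(ev):
    """Step 2 (filtering): keep only records likely to matter from a security view."""
    if ev["event"] in ("auth_failure", "auth_success"):
        return True
    if ev["event"] == "http_request":
        # Executable downloads and non-browser user agents are worth a look.
        return ev["url"].lower().endswith(".exe") or not ev["ua"].startswith("Mozilla")
    return False


KEEP_FIELDS = ("ts", "host", "source", "event", "user", "src", "url")


def reduce_fields(ev):
    """Step 3 (reduction): drop fields not needed downstream (pid, port, bytes, ...)."""
    return {k: ev.get(k) for k in KEEP_FIELDS}


def aggregate(events):
    """Step 4: collapse repeated, otherwise identical events into one record that
    carries a count and the first/last timestamp."""
    groups = defaultdict(list)
    for ev in events:
        key = (ev["source"], ev["event"], ev["host"], ev["user"], ev["src"], ev["url"])
        groups[key].append(ev["ts"])
    return [{"source": s, "event": e, "host": h, "user": u, "src": src, "url": url,
             "count": len(stamps), "first_seen": min(stamps), "last_seen": max(stamps)}
            for (s, e, h, u, src, url), stamps in groups.items()]


PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}
RETENTION_DAYS = {"high": 365, "medium": 180, "low": 90}   # assumed policy, not from the text


def prioritize(agg):
    """Step 5: classify by importance; the class also drives the retention period."""
    if agg["event"] == "auth_failure" and agg["count"] >= 3:
        prio = "high"        # repeated failures from one source: brute-force indicator
    elif agg["event"] == "http_request":
        prio = "medium"
    else:
        prio = "low"
    return dict(agg, priority=prio, retention_days=RETENTION_DAYS[prio])


def run_pipeline(raw_logs):
    """normalize -> filter -> reduce -> aggregate -> prioritize, highest priority first."""
    normalized = [ev for ev in (normalize(s, l) for s, l in raw_logs) if ev is not None]
    relevant = [reduce_fields(ev) for ev in normalized if is_security_relevant(ev)]
    ranked = [prioritize(a) for a in aggregate(relevant)]
    return sorted(ranked, key=lambda a: (PRIORITY_ORDER[a["priority"]], a["first_seen"]))


if __name__ == "__main__":
    for rec in run_pipeline(RAW_LOGS):
        print(rec["priority"], rec["event"], rec["count"], rec["first_seen"].isoformat(), rec["src"])
```

Two points the example makes concrete: time synchronization happens once, at normalization, so the three failed logins and the proxy download order correctly relative to each other despite the sources' different offsets; and the order of steps matters, because filtering runs on the full normalized record (it needs the user agent) before reduction discards that field.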
Considering literature about data collection specifically
for SOCs, there are only two notable papers: [111]
and [22]. This is probably because most SOCs deploy a
software solution responsible for collecting, processing, ana-
lyzing, and displaying events and alerts [112] and thus
data collection is addressed in a more technical context.
Bridges et al. [111] conduct interviews with 13 professionals
from five different SOCs to discover the current state-of-the-
art and future directions for host-based data collection. They
evaluate what and how host data is collected, which tools are
used, and whether dynamic collection (dynamically decide
how much and which data is collected depending on factors
such as security posture) is used. Their major takeaway is that
analysts desire a wider, less manual collection of data, but
only with the right toolset to understand and work with the
data. Madani et al. [22] propose a logging architecture for
SOCs. Their architecture contains log generators, a collection
server, a storage server, and a log database. The authors list
SIEM vendors incorporating log management in their SIEM
solution and outline their weaknesses. Normalization, filter-
ing, reduction, rotation, time synchronization, aggregation,
and integrity check are the most important functionalities.
Madani et al. [22] underline the importance of log collection
and management. However, since the paper was published
in 2011, there have been no SOC specific advances in the
The sheer amount of data collected in previous steps can be
overwhelming, even for seasoned security practitioners and
researchers. Turning this data into useful information is done
through data analysis and is essentially a means to make
sense of what is collected. Regarding automatic analysis and
detection, the identified literature mainly focuses on specific
analysis and detection methods and technologies. However,
only a few papers look at the subject area from an abstract,
process-driven perspective. The following process steps were
identified by merging available processes [73], [114] and
by sequencing individually named steps within the stated
literature. This results in a process which is comprised of the
steps Detection [83], [114], Analysis [4], [115], [116], and
Alert Prioritization/Triage [67].
Detection: Incidents are detected with the help of
humans or by automatic procedures. Thereby, it must
be decided if the collected data indicates a security inci-
dent [114]. A more technical description of the identified
detection approaches can be found in Section V-C2.
Analysis: Regarding the techniques used for analy-
sis, one can distinguish between source and target
correlation, structural analysis, functional analysis, and
behavior analysis [4]. Thereby, the authors describe the
purpose of correlation as to enable the analysis of com-
plex sequences by producing simple, synthesized, and
accurate events.
Alert Prioritization/Triage: Alert prioritization, also
known as triage, can be seen as a link to containment,
eradication, and recovery. It serves two primary pur-
poses. First, to ensure that the most severe incidents are
treated with priority, and second, to ensure that incidents
are distributed for further processing according to avail-
able resources [67].
The activities in containment, eradication, and recovery are
described by Bhatt et al. [104] on a high level. This step
aims to decide whether an incident is a harmless event
(e.g., during penetration testing) or a harmful event. In the
case of a harmful incident, it is passed on to the appropriate
stakeholders to take further steps. In this context, Security
Orchestration, Automation, and Response (SOAR) is of great
importance and can be identified as a very active research
area of the last two years [83], [118], [122]. According to
Islam et al. [122] the key purpose of SOAR is the automation
of processes through orchestration. The functionalities of
SOAR are mainly categorized into integration, orchestration
and automation. Security orchestration is a prerequisite of
security automation, which is the process of automatic detec-
tion [117]. Therefore, SOAR integrates available information
about security incidents (Cyber Threat Intelligence) [121] to
automatically take appropriate measures to limit the damage
as quickly as possible. Islam et al. [122] conducted a detailed
survey on this topic.
A straightforward framework to tackle incidents is the
Observe, Orient, Decide, Act (OODA) loop, which is a
well-known analytical framework for decision-making devel-
oped by John Boyd [126]. It can be applied to incident
management in the context of a SOC, as demonstrated in
research [80], [97] (or similar to the Plan, Do, Check, Act
loop [120]). In SOC literature [103], [114], incident management
is mentioned mostly in relation to the incident handling
lifecycle. Thus, the Alert and Incident Management process
presented in Figure 6 comprises the process steps identified
by two primary standards for information security incident
management [123], [124].
FIGURE 6. The SOC incident analysis, detection and management process.
A more detailed description of these process steps concern-
ing SOC cannot be found in the analyzed literature, which
is why the standards mentioned above must be referred to if
necessary. The reason for this could be that employees know
which tasks they have to carry out, but this has not been
specified explicitly, which can cause problems, e.g., when
staff changes. Therefore, Cho et al. [119] conducted a study
where they show how it is possible to capture SOC staff’s tacit
knowledge on how they perform their tasks as processes.
This section discusses the technologies combined in a SOC.
It covers the process steps from Section V-B from a technical
point of view, whereby Containment, Eradication, and Recov-
ery is not considered, as we did not find any literature deal-
ing with SOC-specific technology covering this process step
(see Table 6).
We first take a look at data collection technologies which
support the preparation process mentioned in Section V-B1.
Every organization should determine which devices should
be monitored, what data needs to be collected, and in which
format it should be stored. Moreover, depending on the data,
the retention period of the data needs to be set. We then
shed light on the applied methodologies and approaches
to analyse data, detect threats and present the results,
which can be mapped to the process detection & analysis
(Section V-B2). As the interface between people and
machines, the presentation of data and analysis results is of
particular interest in a SOC context.
Various data collection techniques exist and can generally
be classified into four categories: push/pull, distributed/cen-
tralized, real-time/historical and partial/full collection. Data
can either be pulled by the data collector or pushed onto the
data collector from the data source itself [77]. Furthermore,
it can be collected in a centralized log collector (e.g. [171]) or
in a distributed topology (e.g. [172]) over different sub-nodes.
Thereby, data can either be captured fully or partially.
TABLE 6. Identified literature for the topic Technology.
Within the identified literature, data collection mainly
relates to identifying data sources that capture relevant
security-related information. While new data sources are con-
tinuously being created, the most common sources, its classi-
fication [127], [173], [174], and corresponding examples are:
Security software: SIEM systems [80], intrusion detec-
tion/prevention systems [37], [103], [107], [128], [162],
[173], [174], firewalls [37], [104], [127], [128], [174],
anti-virus software [37], [111], [127], vulnerability
scanners [173], identity and access management [104]
Network assets: Switches [104], [173], routers [104],
[128], [173], servers [104], [127], [173], hosts [104],
[173], proxies [174]
Virtualization environments: Hypervisor, virtual
machine introspection, cloud environments [80]
Operational technology: Sensors, actuators, PLCs
Other Software: Open-Source Big Data Analytics [80],
databases [173], identity and access management [173],
mailserver [174], operating systems [111], [174]
Physical security assets: Security cameras, access
External (Threat) Intelligence: Geolocation and DNS
lookup [80], open source intelligence (OSINT) [47],
[129], intelligence from threat sharing platforms or other
organizations [130]–[132]
People: Employees (Human-as-a-Security-Sensor
[175]), external users.
Each of these data sources can deliver a vast amount of
information, of which not all is relevant. Capturing every-
thing may help in spotting malicious activity, but it can also
negatively impact system performance. Conversely, if fewer
data sources are used to collect data, an attack might go unde-
tected. Thus, finding the right balance between capturing too
much and capturing too little data is essential when designing
a SOC’s technological capabilities. However, as a rule of
thumb, it is generally better to capture data from as many
sources as possible (under performance constraints) and then
rely on well established data normalization, correlation, and
analysis mechanisms.
Depending on the data source, the data type collected
may vary as illustrated in Figure 7. All collected data can
be broadly classified into either log data or intelligence.
Logs document the current state of the system and usually
record all the changes occurring within the system. Logs
are generally divided into operating system/application logs
FIGURE 7. Data sources and the type of data they produce.
and security software logs [125]. Network logs, as proposed by
Zhiguo et al. [176], can be added as a third category, since they
have unique features and cannot be placed cleanly into either of
these categories. Operating systems and applications often provide data
in the form of logs. These logs give the user information on
system events such as the shutdown or start-up of a service,
audit records, client requests and server responses, account
information, usage information, etc. Security logs instead
display suspicious activities, results of virus scans, etc. [125].
Intelligence provides additional context for threat analysis.
Attack detection is performed either automatically or manu-
ally. Manual detection is the detection of an incident through
an internal or external person. Thereby, the detection can be
performed by security experts such as analysts within the
SOC or by security novices. The different roles and tasks of
security experts are further discussed in Section V-A.
An example of manual detection through security novices
would be if an employee receives a phishing mail and then
reports it, so the security team can take appropriate measures.
The concept of integrating employees into the detection pro-
cess was introduced as ‘‘human-as-a-security-sensor’’ [175],
[177] and means that employees are enabled to detect and
report security incidents. Therefore, awareness training plays
a crucial role as further discussed in Section V-A3. All in
all, manual detection is necessary, because not all attacks can
be detected through technology, especially when it comes to
advanced attacks. However, automated detection cannot be
neglected, because the sheer amount of data would overwhelm
human analysts. The topics of manual detection related to
presentation are discussed in Section V-C3.
TABLE 7. Classification of literature with respect to applied detection methodologies and approaches.
Regarding automatic analysis and detection, the
identified literature mainly focuses on specific analysis and
detection methods and technologies. To show the state-of-
the-art analytical methods, those mentioned in the litera-
ture are classified in Table 7. Therefore, a well-accepted
classification scheme of Liao et al. [178] was used. It dis-
tinguishes between detection methodologies and detection
Anomaly-based or behavior-based methodologies use the
system's normal behavior as a foundation and try to detect
deviations from it. Signature-based, also called knowledge-based,
methodologies use accumulated knowledge of attacks and are
very useful for detecting known attacks or the exploitation of
known system vulnerabilities; therefore, it is important to
update the knowledge base regularly. Specification-based
methodologies detect incidents based on predefined profiles or
protocols. Hybrid methodologies use a mixture of the three
described detection methodologies.
Concerning detection approaches, statistics-based detection
is one of the oldest methods used for intrusion detection;
it uses statistical properties and tests such as mean,
median or variance to detect deviations between normal
and observed behavior. Threshold metrics, hidden Markov
models and multivariate models are examples of statistics-based
detection approaches. Pattern-based and rule-based
approaches use predefined patterns, learned patterns or rules
for detection; an example of a rule-based approach is support
vector machines. Heuristic-based approaches are inspired by
biological concepts, for example artificial neural networks.
State-based approaches try to infer the behavior of attacks
within the network, for example by utilizing finite state
machines.
Table 7 shows that all used detection methodologies are
either anomaly- or signature-based. None of the analyzed
papers leverages the potential of specification-based incident
detection. In contrast, every class of detection approach can
be assigned at least one approach described in the literature,
with a recognizable focus on statistics- and rule-based
approaches. To enhance detection independent of the utilized
approach, Karaçay et al. [133] propose a principle that allows
intrusion detection even when end-to-end encryption is
used, and Smith [157] suggests that user behaviour analytics
(UBA) should be used more intensively, since misused
credentials are a great threat.
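To make the methodology classification concrete, the following added example (not code from the surveyed literature or from any cited tool) implements one minimal detector of each kind over constructed inputs: an anomaly-based detector that learns mean and standard deviation from a baseline of per-minute byte counts and flags outliers (a statistics-based approach), a signature-based detector with a small hand-written knowledge base of URL patterns and a bad-address list (rule-based), and, since the survey found no SOC paper using it, a specification-based detector that walks a session through a hypothetical protocol's finite state machine and reports any message the specification does not permit in the current state (state-based). All traffic figures, URLs, addresses and the protocol itself are constructed for the example.

```python
"""Three detection methodologies, one minimal detector each, over constructed
inputs. Added example; not code from the surveyed literature."""
import re
import statistics
from urllib.parse import unquote

# --- Anomaly-based: deviation from learned normal behaviour -------------------
# Constructed per-minute outbound byte counts for one host: a training baseline
# assumed to be attack-free, and an observed window containing one large burst.
BASELINE_BYTES = [1200, 1350, 980, 1100, 1250, 1180, 1020, 1300, 1150, 1210]
OBSERVED_BYTES = [1190, 1240, 48000, 1210]


def anomaly_detect(baseline, observed, k=3.0):
    """Statistics-based approach: flag observations more than k standard
    deviations away from the baseline mean. Returns the outliers' indices."""
    mu = statistics.mean(baseline)
    sigma = statistics.stdev(baseline)
    return [i for i, x in enumerate(observed) if abs(x - mu) > k * sigma]


# --- Signature-based: accumulated knowledge of known attacks ------------------
SIGNATURES = {                       # hand-written knowledge base (constructed)
    "sqli_union": re.compile(r"(?i)union\s+select"),
    "path_traversal": re.compile(r"\.\./"),
}
KNOWN_BAD_IPS = {"203.0.113.5"}      # e.g. from a threat-intelligence feed (constructed)

REQUESTS = [                         # constructed web-proxy records
    {"src": "10.0.0.12", "url": "/index.html"},
    {"src": "10.0.0.12", "url": "/search?q=1%27%20UNION%20SELECT%20password%20FROM%20users"},
    {"src": "203.0.113.5", "url": "/static/logo.png"},
    {"src": "10.0.0.33", "url": "/files?name=..%2F..%2Fetc%2Fpasswd"},
]


def signature_detect(requests):
    """Rule/pattern-based approach: match each request against the knowledge
    base. URLs are percent-decoded first; without that step both encoded
    payloads above would slip past the patterns."""
    hits = []
    for i, req in enumerate(requests):
        url = unquote(req["url"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(url):
                hits.append((i, name))
        if req["src"] in KNOWN_BAD_IPS:
            hits.append((i, "known_bad_ip"))
    return hits


# --- Specification-based: deviation from a predefined protocol ---------------
# Hypothetical application protocol: a client must say HELLO, then AUTH, before
# it may send DATA; BYE closes the session. Nothing is allowed after CLOSED.
PROTOCOL_SPEC = {
    "START":   {"HELLO": "GREETED"},
    "GREETED": {"AUTH": "AUTHED", "BYE": "CLOSED"},
    "AUTHED":  {"DATA": "AUTHED", "BYE": "CLOSED"},
    "CLOSED":  {},
}

SESSIONS = {                         # constructed message sequences
    "benign": ["HELLO", "AUTH", "DATA", "DATA", "BYE"],
    "auth_bypass": ["HELLO", "DATA", "BYE"],
}


def specification_detect(session, spec=PROTOCOL_SPEC):
    """State-based approach: walk the session through the protocol's finite
    state machine and report every message the specification does not permit
    in the current state as (index, state, message)."""
    state, violations = "START", []
    for i, msg in enumerate(session):
        nxt = spec[state].get(msg)
        if nxt is None:
            violations.append((i, state, msg))   # stay in state, keep checking
            continue
        state = nxt
    return violations


def run_all():
    """Hybrid deployment: run the three detectors side by side."""
    return {
        "anomaly": anomaly_detect(BASELINE_BYTES, OBSERVED_BYTES),
        "signature": signature_detect(REQUESTS),
        "specification": {name: specification_detect(s) for name, s in SESSIONS.items()},
    }


if __name__ == "__main__":
    for kind, result in run_all().items():
        print(kind, result)
```

Each methodology fails in a characteristic way that the code makes visible: the anomaly detector is only as good as its baseline (a baseline that already contained the 48000-byte burst would raise the threshold and hide it), the signature detector matches nothing until the request is URL-decoded and knows only what is in its knowledge base, and the specification detector reports only deviations from the protocol it was given, so an attack that stays within the specification is invisible to it. Hybrid deployments combine them for exactly this reason.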
TABLE 8. Identified literature for the topic Governance & Compliance.
From a technological view, most identified publications
focus on specific visualization tackling problems related to
SOCs. They are briefly outlined in the following. DeCusatis
et al. [80] describe an attack visualization based on force diagrams
and hive plots. Settani et al. [158] show how a
map- and dashboard-based visualization of incidents and
a mobile visualization enable on-site personnel to make
qualified decisions. Besides, Erola et al. [159] present an
approach that combines machine learning and information
from business processes with visual analytics to guide SOC
employees through the decision-making process. Similarly,
Sopan et al. [9] aim at visually supporting SOC analysts by
automating decision-making using a machine learning model.
However, they also present the model visually to enable
the machine learning model’s decisions to be understood.
The Situ platform [13] has the goal to visualize the con-
text of an incident for leveraging the experience of security
experts. In contrast to the approaches described above, the
CyberCOP [12], [99], [160] platform relies on three-
dimensional visualization. The VISNU project [112], [161],
[162] takes a similar approach, which improves the collabora-
tion of multiple SOCs in different organizations by displaying
network data in three dimensions. Thereby, they aim at the
collaboration of multiple analysts in one environment by
providing different views on the same incident. The concept
of mind maps is leveraged by the AOH-Map [97] software,
which visualizes all the identified traces of an attack to
exchange it with collaborating analysts. Hassell et al. [163]
combine network simulation with its visualization for opti-
mizing its resilience against threats. Payer et al. [164] rely on
Virtual Reality (VR) to analyze threats, allowing new types
of interactions. To enhance tactical situational awareness
within a SOC Mullins et al. [170] describe three suitable
Starting in 2018, increasing interest in sonification and its potential for SOCs can be identified [165], as it was implemented within the SIEM system of a SOC [166]. This showed that humans can detect attacks by listening to network traffic [127], [167] in specific contexts [168].
A fairly new approach to SOC is data presentation using storytelling, presented by Afzaliseresht et al. [169]. This involves translating the analysis results into a narrative story containing more or less detail depending on the users’ level of knowledge. In a SOC setting within a research institution, this approach is advantageous in terms of cognitive
The following section discusses the governance and compliance aspect of a SOC (see Table 8). IT governance is responsible for ensuring the effective and efficient use of IT systems by providing a strategic direction, developing standards, policies and procedures, and implementing them. Compliance ensures that companies adhere to external rules, for example standards and regulations, and internal rules, for example policies and procedures. Additionally, compliance is essentially the feedback loop of security governance, because it shows how governance rules are applied in practice. The following section will look at three aspects of governance and compliance: how security audits are performed, current metrics in a SOC, and standards and guidelines related to SOCs. It should be noted that metrics play a major role in maturity assessment, so the two sections partly overlap.
Today, many organizations are struggling to decide whether they need a SOC, which kind of SOC they need, and what components their SOC should have. There are no renowned holistic SOC standards or industry-specific guidelines to help companies with their decisions [3]. However, a SOC can help to ensure that certain compliance regulations are met [30], [179], and many of the standards focus on one domain or task within a SOC. We provide a list of these standards in Table 9. Another noteworthy standard is provided by the European Telecommunications Standards Institute (ETSI) [187], providing guidelines for building and operating a secured SOC. It mainly focuses on requirements to be met by the service provider operating a SOC for the telecommunication industry. Some private organizations have started to provide companies with best practices and recommendations, for example by conducting a survey [188]. There is only very little work on establishing best practices for a SOC [36], [60].
A SOC can help companies in conducting internal and external IT (security) audits. In an IT audit, the IT infrastructure, policies, and procedures are examined and evaluated. Independent and unbiased parties usually perform external audits. An example would be a typical year-end audit in the banking sector, which assesses the compliance of its IT capabilities against relevant standards. Depending on the type and scope of the audit, different IT capabilities are assessed. Because a SOC collects valuable log data from almost all
TABLE 9. Standards related to SOC domains or tasks.
systems, and hosts some relevant capabilities itself, it is an invaluable source of data for IT auditors. Advanced SIEM tools aggregate security information from across the company and generate reports for compliance audits. This information can be used to prove compliance with laws and regulations. Additionally, the SOC team can help determine the IT risks for the company.
Of course, the SOC itself should have controls in place, which should be audited regularly. An example of an internal SOC audit and its findings is given by NASA [189]. Due to the lack of widely accepted standards and guidelines, external assessments are not offered by independent parties. However, there is literature proposing methods to assess the current maturity of the SOC capabilities as well as the overall effectiveness of the SOC [63]. Common maturity models are compared and summarized into five capability maturity stages: non-existent, initial, repeatable, defined process, reviewed and updated, and continuously optimized [63]. In practice, a similar maturity assessment approach is presented in an industry guideline from IBM [190]. Schinagl et al. [2] assess the effectiveness of a SOC by identifying the degree to which identified building blocks have been implemented. These approaches enable SOC owners to uniformly assess the maturity of their capabilities and to spot the areas which still need to be improved. It also allows various companies to compare their SOC operations and benchmark against each other, if the data is made available, enabling collaboration between SOCs. To locate collaboration areas of SOCs, a questionnaire-based approach is proposed by Kowtha et al. [5]. The authors describe a model for characterizing SOCs by the seven dimensions of scope, activities, organizational dynamics, facilities, process management and external interactions.
Metrics are quantifiable measures used to track and assess the status of a process or system. Metrics are mainly used to support strategic decisions, to assure quality, or to gain tactical oversight [191]. A considerable body of literature exists in the field of security metrics [192], [193], and many of those metrics can be directly applied to a SOC. However, there is very little scientific literature on how those security metrics can be used in a SOC, let alone metrics specifically covering SOCs. Ganame and Bourgeois [180] propose metrics to assess the security level of different sites in a multi-site network in real time. Their goal is to see whether threats are occurring in a network or not. Aiming to improve the resiliency of networks, Hassell et al. [163] test their simulation software using resiliency metrics. They criticize the lack of standardized metrics to evaluate resiliency techniques. Ganesan et al. [181], [194] propose an optimization model to dynamically schedule analysts and dynamically assign them to sensors to decrease the total time for alert investigation and increase the Level of Operational Effectiveness (LOE). Some literature, however, comes from SOC vendors [188], [195].
Typical metrics used in a SOC include:
General SOC metrics:
– Coverage [188]: A SOC can only monitor a limited amount of assets due to resource constraints, which raises the question of how many of them are covered. Examples: Number of monitored assets, coverage (number of monitored assets vs. number of assets)
– Performance metrics: Measurement of the performance is crucial for managing and improving a SOC. Historical performance metrics enable comparability between work shifts or longer time periods [68]. Agyepong et al. [85] conducted an extensive survey about performance metrics for SOCs and proposed a consecutive framework [186]. Examples: False positive rate [30], [68], average analysis time [68], readiness level [81], [181], Mean Time to Detect [185]
– People metrics: To improve the performance of security analysts inside a SOC, it is necessary to measure human activities and workflows [68]. Examples: Security analyst performance [68], number of incidents closed in one shift [188], workload [195]
Technical metrics:
– Threat metrics: A threat is the potential damage posed by vulnerabilities. Thus, these metrics are closely related and, in most cases, based on
vulnerability and threat metrics. Examples: Security level [180], threat actor attribution [188]
– Vulnerability metrics: In general, vulnerabilities can be exploited by attackers or can cause a security incident. Thus, it is particularly important for SOCs to be aware of possible weak spots. Examples: Vulnerability exposure [182], time to vulnerability remediation [182], vulnerability severity [182], incidents due to known vs. unknown vulnerabilities [188]
– Risk metrics: Risks are in most cases assessed in real time, which is also summarized under the term situational awareness [46]. The evaluation of risks is especially important when it comes to choosing appropriate security measures. Examples: Risk posture [23], [46], [183], [184], [188], risk per system [81], [180], key risks [195]
– Alert metrics: Alerts are in most cases generated automatically by technologies such as SIEM systems or intrusion detection systems, based on the analysis of sensor data [181]. Each alert should go through an alert analysis process [194] in order to decide upon possible measures. Examples: Time per alert investigation [181], alert generation rate [181], number of alerts that remain un-analyzed [81], criticality of an alert [180]
– Incident metrics: An incident is an occurrence that causes harm to an organization, and a SOC aims at averting incidents or reducing the caused harm. As incidents are a very central element of SOCs, appropriate metrics are essential. Examples: Incident priority [23], number of incidents [68], [183], [188], number of successful attacks [163], recovery time [181], costs per incident [188], mitigation success [195]
– Resiliency metrics: Cyber resilience is crucial, if an environment is compromised, in order to continue operations with as little damage as possible [163]. Examples: Time spent per attack [163], defensive efficiency [163], attack noise [163], number or time of disruptions [163], [188].
Governance and Compliance metrics:
– Compliance metrics: Since compliance with all regulatory guidelines and standards is hardly possible, it is useful to define compliance goals and accordingly appropriate metrics. Additionally, it can be of value to provide measures for compliance audits. Examples: Number of policy violations [30], [57], percentage of systems with tested security controls
– Maturity metrics: Usually refers to the level of maturity as described in Section V-D2
The classification is not always strict and lines are blurry.
For example, some people metrics might be classified as
governance and compliance metrics.
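As an added illustration (not code from the paper or the surveyed works), the following computes several of the metrics listed above, namely coverage, false positive rate, average analysis time, un-analyzed alerts, Mean Time to Detect and incidents closed per shift, from constructed alert and incident records; the record layout and all sample values are assumptions.

```python
# Added example (not from the paper): computing a few of the SOC metrics
# listed above from constructed alert and incident records. The record
# layout and all sample values below are assumptions, not data from the
# surveyed literature.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Alert:
    alert_id: str
    raised_at: datetime
    opened_at: Optional[datetime]   # when an analyst started triage (None = still queued)
    closed_at: Optional[datetime]   # when the analyst reached a verdict
    verdict: Optional[str]          # "true_positive", "false_positive" or None


@dataclass
class Incident:
    incident_id: str
    started_at: datetime            # earliest evidence of the malicious activity
    detected_at: datetime           # when the SOC raised the incident
    closed_at: Optional[datetime]   # None while the incident is still open
    shift: str                      # work shift that handled it, e.g. "day" / "night"


def coverage(monitored: set, inventory: set) -> float:
    """Coverage: monitored assets vs. number of assets in the inventory."""
    if not inventory:
        return 0.0
    # Only assets that are actually in the inventory count; a monitored asset
    # unknown to asset management is an inventory problem, not coverage.
    return len(monitored & inventory) / len(inventory)


def false_positive_rate(alerts) -> float:
    """Share of analyzed alerts that were closed as false positives."""
    analyzed = [a for a in alerts if a.verdict is not None]
    if not analyzed:
        return 0.0
    return sum(a.verdict == "false_positive" for a in analyzed) / len(analyzed)


def average_analysis_time(alerts) -> timedelta:
    """Mean time from opening an alert to closing it with a verdict."""
    durations = [a.closed_at - a.opened_at
                 for a in alerts if a.opened_at and a.closed_at]
    if not durations:
        return timedelta(0)
    return sum(durations, timedelta(0)) / len(durations)


def unanalyzed_alerts(alerts) -> int:
    """Alerts that still have no verdict (the queue the next shift inherits)."""
    return sum(a.verdict is None for a in alerts)


def mean_time_to_detect(incidents) -> timedelta:
    """MTTD: mean gap between the start of malicious activity and detection."""
    gaps = [i.detected_at - i.started_at for i in incidents]
    if not gaps:
        return timedelta(0)
    return sum(gaps, timedelta(0)) / len(gaps)


def incidents_closed_per_shift(incidents) -> dict:
    """Number of closed incidents attributed to each work shift."""
    counts: dict = {}
    for inc in incidents:
        if inc.closed_at is not None:
            counts[inc.shift] = counts.get(inc.shift, 0) + 1
    return counts


def soc_metrics(alerts, incidents, monitored, inventory) -> dict:
    """Bundle the individual metrics into one report dictionary."""
    return {
        "coverage": coverage(monitored, inventory),
        "false_positive_rate": false_positive_rate(alerts),
        "average_analysis_time": average_analysis_time(alerts),
        "unanalyzed_alerts": unanalyzed_alerts(alerts),
        "mean_time_to_detect": mean_time_to_detect(incidents),
        "incidents_closed_per_shift": incidents_closed_per_shift(incidents),
    }


# Constructed sample data for a hypothetical SOC (one morning of work).
T = datetime(2020, 11, 24, 8, 0)
SAMPLE_ALERTS = [
    Alert("A1", T, T + timedelta(minutes=5), T + timedelta(minutes=7), "false_positive"),
    Alert("A2", T, T + timedelta(minutes=10), T + timedelta(minutes=40), "true_positive"),
    Alert("A3", T, T + timedelta(minutes=60), T + timedelta(minutes=64), "false_positive"),
    Alert("A4", T, None, None, None),                       # still in the queue
    Alert("A5", T, T + timedelta(minutes=90), T + timedelta(minutes=150), "true_positive"),
]
SAMPLE_INCIDENTS = [
    Incident("I1", datetime(2020, 11, 20), datetime(2020, 11, 22), datetime(2020, 11, 23), "day"),
    Incident("I2", datetime(2020, 11, 23, 12), datetime(2020, 11, 23, 20), datetime(2020, 11, 24, 2), "night"),
    Incident("I3", datetime(2020, 11, 24, 6), datetime(2020, 11, 24, 8), None, "day"),
]
MONITORED = {"srv-1", "srv-2", "ws-3", "lab-9"}               # lab-9 is not in the inventory
INVENTORY = {"srv-1", "srv-2", "ws-3", "ws-4", "printer-5"}

if __name__ == "__main__":
    for name, value in soc_metrics(SAMPLE_ALERTS, SAMPLE_INCIDENTS, MONITORED, INVENTORY).items():
        print(f"{name}: {value}")
```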
To overcome the many problems with current security metrics, a few things should be considered. It is important to clearly define what the objectives of the metrics are and how their success/failure can be measured. Some SOC vendors use the S.M.A.R.T. management objectives framework developed by Doran [196] as a guide to develop metrics [195], [197].
Throughout Sections IV and V, we focused on our first research question in terms of the state-of-the-art of a SOC. We already mentioned a series of challenges that impede the development and improvement of SOCs. Within the following paragraphs, we now briefly describe these challenges in response to our second research question regarding the challenges needing to be solved to advance the field of SOC research. Every SOC naturally faces different challenges depending on its operating model, architecture, scope, or size. However, we derive several challenges applicable to most SOCs. Although many of the challenges are somewhat related, we try to describe them as independently as possible and along with the PPTGC framework, which we followed throughout this work. Figure 8 gives an overview of these challenges and highlights some relevant dependencies between them.
As mentioned earlier, there is a vast number of alerts coming into the SOC every second. Even though tools are trying to display only true positive alerts, the number of false positives is still very high. Every incoming alert needs to be manually investigated by an analyst, most of the time at tier 1 level. The analysts need to open the alert and determine whether it is a false positive or not. Sometimes it takes seconds to come to a decision, sometimes minutes or even hours. Performing this task over and over again is very repetitive and monotonous, as several works have shown previously [8], [11], [16], [32]. Additionally, this task is very demanding on a security analyst’s capability of information processing and analytical reasoning due to the vast amount of data [94]. Although doing a very monotonous task, the analysts are working under high pressure and have high responsibility. Any incorrect decision can lead to unpredictable consequences for the company if an incident unfolds. This issue, combined with the time pressure faced in a SOC and the lack of creativity needed to solve the tasks, causes analyst boredom, which finally could lead to burnout [8], [16]. Additionally, the non-challenging nature of tasks and the fact that most analysts need to follow predefined procedures all the time limit their ability to react to new and innovative threats in the future [11]. An exciting direction for retaining SOC analysts’ motivation might be the inclusion of gamification aspects into the SOC operations. When the tasks become too mundane and frustrating for the SOC employees, it is tough to retain skilled staff [30], [32]. This amplifies the next challenge in the context of people within SOCs.
A very severe challenge companies will continue to face is
the lack of skilled security staff [3], [8], [80]. In addition
FIGURE 8. Challenges for SOC research.
to that, the nature of the work as highlighted in the previous chapter leads to a high turnover rate of personnel. This means companies have to spend many resources on training new staff, unless they are willing to spend their resources on retaining the staff. We identified some options in the literature to retain staff, like training or after-work activities (Section V-A2). However, the lack of job-related security training is still apparent [6], [32]. Practical experience is required to perform data triage, but it is considered hard to get the practical training and experience in the first place [98]. Tier 1 analysts are not always empowered to perform more challenging tasks to improve their knowledge and experience. A lack of feedback from senior analysts intensifies the challenge and can cause frustration [11]. Some technological solutions are trying to overcome the problem by capturing past activities and decisions from experienced staff so that more junior staff can profit and learn from this data. However, capturing the tacit knowledge involved in the decision-making is a challenging task [98]. Despite this fact, some approaches, especially from the Human-Computer Interface (HCI) and respective communities, have been trying to capture the reasoning behind analytical decisions for quite some time [198]. These aspects can help to improve SOCs’ working conditions.
Collaboration between analysts is still rare, and analysts usually work on a problem independently [12]. This challenge might either stem from the time pressure the staff is facing or the lack of appropriate collaboration platforms. The same applies to communication, which is mostly carried out directly between analysts. This type of communication is necessary but also time-consuming and inefficient [97]. Once again, the absence of an appropriate communication platform for SOC-specific requirements reduces the staff’s interactions overall. Only with the appropriate means to collaborate and communicate can SOC analysts from any tier learn from each other and, therefore, improve their efficiency and
Identifying threats and incidents gets increasingly harder as IT infrastructures grow and expand from cyberspace into the physical world, for example through the use of cyber-physical systems [83]. Current automated threat detection tools work pretty well for detecting well-known attacks, as they operate based on signatures and attack patterns [13], [159]. Therefore, unknown situations remain undetected, as no rule is defined for them yet. To detect unknown attacks, it is inevitable to include the domain knowledge of security experts and even non-security experts. Security experts are valuable as they have a deep understanding of security routines and requirements and have already taken countermeasures. However, non-security experts (e.g. engineers) become more and more indispensable as they have the knowledge which is often necessary to decide whether an alert or the reported behavior is malicious or benign, especially in the context of cyber-physical systems.
Additionally, it is necessary to communicate knowledge of automated analyses like machine learning models to the SOC staff to understand and comprehend what their analysis algorithms learned. Tying human experts and machines closer together and providing them with processes and technologies to transfer knowledge in either direction is a crucial challenge for SOCs. Only when we succeed in leveraging both domain knowledge from humans and explicit knowledge from machines will we face the next generation of cyber
The review showed that there is only very little literature on the processes within a SOC. As these processes are the core of understanding SOCs and deploying them effectively, the lack of precisely defined processes hinders academia from entirely comprehending what organizations are doing within a SOC. Thus, room for small improvements, let alone innovations, is very hard to identify on an abstract level. This might be the reason for the imbalanced results regarding processes and technology. As there is no abstract, high-level understanding of a SOC’s processes, many researchers focus on trying to improve technologies that might be useful with no clear understanding of which specific process or task of a SOC needs improvement. Also, having a clear understanding of a SOC’s processes, tasks, and interfaces requires the integration with other business processes. This blind spot needs to be closed by academia to understand the processes running in SOCs. Only then will it be possible to advance the current proliferation that is imminent in SOCs in a sustainable manner. Especially ‘‘post-incident activity’’ is barely mentioned in SOC literature, although it is of great importance as it mainly deals with learning and iterative improvement.
Several security standards, regulations, and frameworks [123], [124] define general security-related processes that give rise to the assumption that these can be related at least partially to SOCs. These can therefore serve as a basis for a SOC-specific process landscape. However, our analysis has not identified any academic literature dealing with how these processes can be related to SOCs. Further research should aim to identify the aspects that apply to SOCs, adapt those to SOCs, and extend them by SOC specifics. This could lead simply to a more comprehensive definition and understanding of the
We see three major challenges for SOCs resulting from the increased complexity of the IT and OT environment in a company: First, the infrastructure is becoming more complicated and intertwined, making it difficult to maintain situational awareness and a cohesive overview. Managers and analysts have poor visibility into the network because they cannot keep track of all the devices in the network [7]. Second, the data captured from the infrastructure is as heterogeneous as its sources [22], [32], [94], making it hard to process, analyze, understand, and link. It also impedes the discovery of whether an event is part of a bigger attack [11]. Third, having more data sources increases the overall number of events and, in many cases, the number of false-positive alerts. It is often mentioned that there is too much (useless) data in general [22], and too many (false positive) alerts [9], [25], [32], [159], [164]. Analysts are overloaded with a high volume of such alerts and face a typical ‘‘needle in a haystack’’ problem when trying to filter the noise [12], [159]. There is not much discussion about the negative impact of false positives on SOCs, although there are controversial opinions like Kokulu et al. [7].
In many SOCs, the previous problem is approached by implementing and deploying various SOC tools, for example a SIEM system. However, deploying a variety of tools does not solve the overall problem, at least not immediately. Tools need to be configured and maintained, which is a time- and resource-consuming process [159]. If tools are not maintained properly, they increase the amount of data and false positives to be dealt with by the analysts. Different tools are necessary because most of them only offer a solution to a specific problem. Therefore, a variety of tools is needed to cover all capabilities within a SOC. Integrating them so that they can run smoothly together poses a further challenge [4], [23]. For example, tools typically only cover the standard IT technologies and have no visibility into operational technology. Some tools also suffer from poor usability and regular malfunctioning [7]. This makes the job for analysts much more complicated than it should be and has a negative effect on the detection rate of a SOC. Lastly, tools might be chosen for compliance or budget reasons, not because they are helpful or practical [15].
Having the right visualization capabilities is another challenge. Generally, there is too much data to be able to visualize it properly [173]. Visualizations need to be simple and easily accessible, as well as precise and informative [12]. However, there is no perfect solution, and a trade-off between these two requirements is necessary. Selecting the right visualization technique is difficult and very dependent on the context and the tasks that should be solved with the visualization.
Nonetheless, appropriate visualizations are crucial for an efficient and effective SOC team. Additionally, visualizations can greatly support the transfer of knowledge between humans and machines. They can serve as an intermediary allowing analysts to understand machine learning models and improve automated analyses by implicit human input and domain knowledge [199].
There is also an insufficient level of automation of SOC
components [7]. Many of the tasks carried out in a SOC, e.g.
threat hunting, scanning alerts, or responding to incidents,
still require a significant portion of manual work in a context
where human resources are scarce. The insufficient level
of automation is caused by the fact that analysts’ tasks are
hard to automate. However, automation is needed to reduce
the manual and repetitive tasks many SOC analysts have
to perform today. There is already a considerable body of
literature focusing on the applicability of machine learning
techniques to automate the detection of attacks. Unfortunately, many techniques prove to only be successful under certain conditions or for specific types of attacks. These techniques and their comprehensiveness and effectiveness in detecting attacks need to be compared. More user studies should be conducted to evaluate their usability. Additionally, machine learning approaches produce a high number of false positives. Determining whether an alert is real requires further investigation by the analysts based on tacit knowledge.
Even though measuring a SOC’s performance and effectiveness is one of the most important governance tasks, many of the currently established metrics are considered inefficient [7], [171]. Additionally, if the metrics are too focused on performance, analysts might be incentivized to work for general statistics [16], [200], as described in Section V-D3. This fuels the need for uniform metrics proving the value of a SOC to management.
Some SOC capabilities, like incident management, are already very advanced. Consequently, many standards and industry best practices can be implemented for these specific capabilities. They can then be audited to see whether they adhere to the standard. Other capabilities are less advanced and have no universal standard. Unfortunately, there is no holistic SOC standard or framework, making it hard to audit a cohesive and complex SOC. The lack of best practices also means that there is no actual decision support for organizations. Decision-makers struggle to choose the right operating model, the right scope, the right capabilities, and even the right tools to support the capabilities. Best practices, either from academia or industry, are needed to enable companies to set up SOCs fitted to their needs. Currently, many guidelines on SOCs are written by security vendors [77], [190]. Despite their valuable contributions to the development of SOCs, they are biased to a certain extent, which further highlights the need for independent standards and impartial industry guidelines. Researchers alone cannot solve this problem. They need to collaborate with regulators, standardization entities, and industry experts.
Existing privacy standards and regulations leave many questions regarding collecting and analyzing data unanswered. A company needs to determine whether it captures sensitive information, whether it could avoid doing so, and how it can anonymize or at least pseudonymize the data without losing its value. However, there is not much work providing guidelines to decide whether data contains sensitive information or not, and even less work giving practical advice on the anonymization of data while still detecting incidents using the anonymized data. Another challenge on the rise is to define the right policies and procedures.
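As an added example (not from the paper), the following shows one way to pseudonymize identifying fields in SOC log data without losing their value for detection: a keyed, deterministic pseudonym keeps events about the same account correlatable, so a failed-login detection rule gives the same result on the pseudonymized data, while re-identification requires the key held by the data owner. The log format, the sample events, the key and the threshold are constructed assumptions.

```python
# Added example (not from the paper): keyed pseudonymization of identifying
# fields in SOC log data that still lets a detection rule find the incident.
# The log format, the sample events, the HMAC key and the threshold are all
# constructed assumptions for this illustration.
import hashlib
import hmac
from collections import defaultdict

# Constructed authentication events: (timestamp, user, source_ip, outcome).
RAW_EVENTS = [
    ("2020-11-24T08:00:01", "alice", "10.0.0.5", "FAIL"),
    ("2020-11-24T08:00:04", "alice", "10.0.0.5", "FAIL"),
    ("2020-11-24T08:00:09", "alice", "10.0.0.5", "FAIL"),
    ("2020-11-24T08:01:00", "bob",   "10.0.0.7", "OK"),
    ("2020-11-24T08:02:30", "carol", "10.0.0.9", "FAIL"),
    ("2020-11-24T08:03:00", "carol", "10.0.0.9", "OK"),
    ("2020-11-24T08:05:00", "alice", "10.0.0.5", "OK"),
]

# Hypothetical key held by the data owner, not by the SOC analysts.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"


def pseudonymize(value: str, key: bytes, field: str) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated).

    The same (key, field, value) always yields the same token, so events about
    one account still correlate; without the key the token cannot be reversed
    or matched against a list of likely usernames. Mixing in the field name
    keeps a username and an IP address from ever sharing a token.
    """
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{field}-{mac[:16]}"


def pseudonymize_events(events, key: bytes):
    """Replace user and source IP in every event; timestamps and outcomes stay."""
    return [(ts, pseudonymize(user, key, "user"), pseudonymize(ip, key, "ip"), out)
            for ts, user, ip, out in events]


def reidentification_table(events, key: bytes) -> dict:
    """Token -> clear value map, kept by the data owner for authorized follow-up."""
    table = {}
    for _, user, ip, _ in events:
        table[pseudonymize(user, key, "user")] = user
        table[pseudonymize(ip, key, "ip")] = ip
    return table


def failed_login_bursts(events, threshold: int = 3) -> set:
    """Detection rule: accounts with `threshold` or more consecutive failures.

    Works identically on raw and pseudonymized events because it only needs
    the user field to be consistent, not readable.
    """
    consecutive = defaultdict(int)
    flagged = set()
    for _, user, _, outcome in events:
        if outcome == "FAIL":
            consecutive[user] += 1
            if consecutive[user] >= threshold:
                flagged.add(user)
        else:
            consecutive[user] = 0
    return flagged


def detect_on_pseudonymized(events, key: bytes, threshold: int = 3) -> set:
    """What the SOC sees: flagged tokens, never the clear usernames."""
    return failed_login_bursts(pseudonymize_events(events, key), threshold)


def resolve_for_incident(tokens: set, events, key: bytes) -> set:
    """Data-owner step: map flagged tokens back to accounts for incident handling."""
    table = reidentification_table(events, key)
    return {table[t] for t in tokens}


if __name__ == "__main__":
    flagged = detect_on_pseudonymized(RAW_EVENTS, PSEUDONYM_KEY)
    print("SOC view:", flagged)
    print("resolved by data owner:", resolve_for_incident(flagged, RAW_EVENTS, PSEUDONYM_KEY))
```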
The main objective of this work is to identify and compile the current state-of-the-art of SOCs. To thoroughly achieve this goal, we needed to explore the frontiers of academic literature on the topic. This work’s central part consists of a comprehensive literature review on SOCs from a pure research viewpoint. Its objective is to take a close look at SOCs in general but also include their components. The survey is conducted systematically to avoid the exclusion of any relevant information. We planned the review, meaning that the used search terms included various keywords and terms relevant to SOCs. This work includes as many aspects of SOCs as possible. Using the PPTGC framework, various components of a SOC are generally classified into either people, processes, technology, or governance and compliance. We describe these SOC components as currently defined in the literature.
We use the relevant literature and the defined state-of-the-art to identify major challenges that hinder further development and innovation for SOCs. The challenges can also serve as a guideline for future research aiming to improve SOCs. Regarding the people working in a SOC, we see a major challenge in recruiting and retaining staff. Training and awareness play an essential role in addressing this challenge while also helping to increase the company’s overall security posture. When looking at the various processes in a SOC, it is imperative to integrate them with other processes across the whole organization. Analyzing processes regarding SOCs, we can also see that academia and practice lack a thorough and comprehensive definition of the specific processes included in a SOC and their interactions. Without a proper definition of processes, it might not be possible to advance the current state-of-the-art. Technologies promise relief from many repetitive tasks in a SOC; however, most of them are not advanced enough to deliver on the expectations and hype they have created. To maximize the potential of deployed technological solutions, they need to be aligned with and integrated with the rest of an organization’s technological infrastructure. Lastly, an immaturity of SOC governance and compliance aspects has been identified. Compared to people or technological components of a SOC, comprehensive standards and industry-specific guidelines are lacking. This kind of immaturity generally impedes security audits and overall SOC assessments. The lack of standards also prevents various SOC components from advancing since a common baseline of the status quo has not yet been agreed upon. As we have mainly analyzed academic literature, to provide a more comprehensive picture we aim to include a more practical view by considering information such as case studies in future
Concluding, SOCs surely help companies to be prepared for cyber-attacks. However, they need to be planned thoroughly, implemented, and integrated very carefully, assessed
regularly, and improved continually to unveil their full potential. If done correctly, they improve companies’ ability to prevent hacks, financial losses, and personal data breaches.
[1] The Cost of Cybercrime, Accenture and Ponemon Institute, New York, NY, USA, 2018.
[2] S. Schinagl, K. Schoon, and R. Paans, ‘‘A framework for designing a security operations centre (SOC),’’ in Proc. 48th Hawaii Int. Conf. Syst. Sci., Kauai, HI, USA, Jan. 2015, pp. 2253–2262.
[3] S. Radu, ‘‘Comparative analysis of security operations centre architectures; Proposals and architectural considerations for frameworks and operating models,’’ in Innovative Security Solutions for Information Technology and Communications (Lecture Notes in Computer Science), vol. 10006. Cham, Switzerland: Springer, 2016, pp. 248–260.
[4] R. Bidou, J. Bourgeois, and F. Spies, ‘‘Towards a global security architecture for intrusion detection and reaction management,’’ in Information Security Applications (Lecture Notes in Computer Science), vol. 2908. Berlin, Germany: Springer, 2004, pp. 111–123.
[5] S. Kowtha, L. A. Nolan, and R. A. Daley, ‘‘Cyber security operations center characterization model and analysis,’’ in Proc. IEEE Conf. Technol. Homeland Secur. (HST), Waltham, MA, USA, Nov. 2012, pp. 470–475.
[6] A. Karim Ganame, J. Bourgeois, R. Bidou, and F. Spies, ‘‘A global security architecture for intrusion detection on computer networks,’’ Comput. Secur., vol. 27, nos. 1–2, pp. 30–47, Mar. 2008.
[7] F. B. Kokulu, A. Soneji, T. Bao, Y. Shoshitaishvili, Z. Zhao, A. Doupé, and G.-J. Ahn, ‘‘Matched and mismatched SOCs,’’ in Proc. ACM SIGSAC Conf. Comput. Commun. Secur., New York, NY, USA, Nov. 2019, pp. 1955–1970.
[8] B. Hámornik and C. Krasznay, ‘‘A team-level perspective of human factors in cyber security: Security operations centers,’’ in Advances in Human Factors in Cybersecurity, vol. 593, D. Nicholson, Ed. Cham, Switzerland: Springer, 2018, pp. 224–236.
[9] A. Sopan, M. Berninger, M. Mulakaluri, and R. Katakam, ‘‘Building a machine learning model for the SOC, by the input from the SOC, and analyzing it for the SOC,’’ in Proc. IEEE Symp. Visualizat. Cyber Secur. (VizSec), Berlin, Germany, Oct. 2018, pp. 1–8.
[10] V. Rooney and S. Foley, ‘‘What you can change and what you can’t: Human experience in computer network defenses,’’ in Secure IT Systems (Lecture Notes in Computer Science), vol. 11252, N. Gruschka, Ed. Cham, Switzerland: Springer, 2018, pp. 219–235.
[11] D. Crémilleux, C. Bidan, F. Majorczyk, and N. Prigent, ‘‘Enhancing collaboration between security analysts in security operations centers,’’ in Risks and Security of Internet and Systems, vol. 11391. Cham, Switzerland: Springer, 2019, pp. 136–142.
[12] A. Kabil, T. Duval, N. Cuppens, G. Le Comte, Y. Halgand, and C. Ponchel, ‘‘3D cybercop: A collaborative platform for cybersecurity data analysis and training,’’ in Cooperative Design, Visualization, and Engineering (Lecture Notes in Computer Science), vol. 11151, Y. Luo, Ed. Cham, Switzerland: Springer, 2018, pp. 176–183.
[13] J. R. Goodall, E. D. Ragan, C. A. Steed, J. W. Reed, G. D. Richardson, K. M. T. Huffer, R. A. Bridges, and J. A. Laska, ‘‘Situ: Identifying and explaining suspicious behavior in networks,’’ IEEE Trans. Vis. Comput. Graphics, vol. 25, no. 1, pp. 204–214, Jan. 2019.
[14] S. C. Sundaramurthy, J. Case, T. Truong, L. Zomlot, and M. Hoffmann, ‘‘A tale of three security operation centers,’’ in Proc. ACM Workshop Secur. Inf. Workers, New York, NY, USA, 2014, pp. 43–50.
[15] S. C. Sundaramurthy, M. Wesch, X. Ou, J. McHugh, S. R. Rajagopalan, and A. G. Bardas, ‘‘Humans are dynamic–our tools should be too,’’ IEEE Internet Comput., vol. 21, no. 3, pp. 40–46, May 2017.
[16] S. Sundaramurthy, ‘‘An anthropological study of security operations centers to improve operational efficiency,’’ Ph.D. dissertation, Dept. Comput. Sci. Eng., Univ. South Florida, Tampa, FL, USA, 2017.
[17] J. M. Brown, S. Greenspan, and R. Biddle, ‘‘Incidentresponse teams in IT
operations centers: The T-TOCs model of team functionality,’’ Cognition,
Technol. Work, vol. 18, no. 4, pp. 695–716, Nov. 2016.
[18] D. Tranfield, D. Denyer, and P. Smart, ‘‘Towards a methodology for
developing evidence-informed management knowledge by means of sys-
tematic review,’Brit. J. Manage., vol. 14, no. 3, pp. 207–222, Sep. 2003.
[19] J. Webster and R. T. Watson, ‘‘Analyzing the past to prepare for the future:
Writing a literature review,’MIS Quart., vol. 26, no. 2, pp. 13–23, 2002.
[20] Y. Levy and T. J. Ellis, ‘‘A systems approach to conduct an effective
literature review in support of information systems research,’’ Inf. Sci.,
Int. J. Emerg. Transdiscipline, vol. 9, pp. 181–212, Dec. 2006.
[21] C. Okoli, ‘‘A guide to conducting a standalone systematic literature
review,’Commun. Assoc. Inf. Syst., vol. 37, pp. 879–910, May 2015.
[22] A. Madani, S. Rezayi, and H. Gharaee, ‘‘Log management comprehensive
architecture in security operation center (SOC),’’ in Proc. Int. Conf.
Comput. Aspects Social Netw. (CASoN), Salamanca, Spain, Oct. 2011,
pp. 284–289.
[23] M. Mutemwa, J. Mtsweni, and L. Zimba, ‘‘Integrating a security oper-
ations centre with an Organization’s existing procedures, policies and
information technology systems,’’ in Proc. Int. Conf. Intell. Innov. Com-
put. Appl. (ICONIC), Plaine Magnien, Mauritius, Dec. 2018, pp. 1–6.
[24] N. Miloslavskaya, ‘‘Analysis of SIEM systems and their usage in security
operations and security intelligence centers,’’ in Biologically Inspired
Cognitive Architectures (BICA) for Young Scientists, vol. 636. Cham,
Switzerland: Springer, 2018, pp. 282–288.
[25] N. Miloslavskaya, A. Tolstoy, and S. Zapechnikov, ‘‘Taxonomy for unse-
cure big data processing in security operations centers,’’ in Proc. IEEE 4th
Int. Conf. Future Internet Things Cloud Workshops (FiCloudW), Vienna,
Austria, Aug. 2016, pp. 154–159.
[26] C.-H. Han, S.-T. Park, and S.-J. Lee, ‘‘The enhanced security control
model for critical infrastructures with the blocking prioritization process
to cyber threats in power system,’’ Int. J. Crit. Infrastruct. Protection,
vol. 26, Sep. 2019, Art. no. 100312.
[27] J. Kaplan, T. Bailey, C. Rezek, D. O’Halloran, and A. Marcus, ‘‘Engage
attackers with active defense,’’ in Beyond Cybersecurity. Hoboken, NJ,
USA: Wiley, 2015, pp. 123–139.
[28] G. Wang, Z. Yan, and J. Chen, ‘‘A method for software trusted update on
network security equipment,’IOP Conf. Ser., Mater. Sci. Eng., vol. 569,
Jul. 2019, Art. no. 052086.
[29] A. Shah, K. A. Farris, R. Ganesan, and S. Jajodia, ‘‘Vulnerabil-
ity selection for remediation: An empirical analysis,’J. Defense
Model. Simul., Appl., Methodol., Technol., vol. 21, no. 4, Sep. 2019,
Art. no. 154851291987412.
[30] C. Onwubiko, ‘‘Cyber security operations centre: Security monitor-
ing for protecting business and supporting cyber defense strategy,’’ in
Proc. Int. Conf. Cyber Situational Awareness, Data Analytics Assessment
(CyberSA), London, U.K., Jun. 2015, pp. 1–10.
[31] C. Onwubiko and K. Ouazzane, ‘‘Cyber onboarding is Broken,’’ in
Proc. Int. Conf. Cyber Secur. Protection Digit. Services, Oxford, U.K.,
Jun. 2019, pp. 1–13.
[32] S. Mansfield-Devine, ‘‘Creating security operations centres that work,’
Netw. Secur., vol. 2016, no. 5, pp. 15–18, May 2016.
[33] M. Majid and K. Ariffi, ‘‘Success factors for cyber security operation
center (SOC) establishment,’’ in Proc. 1st Int. Conf. Informat., Eng., Sci.
Technol., Bandung, IN, USA, May 2019, pp. 1–11.
[34] J. Bourgeois, A. Ganame, I. Kotenko, and A. Ulanov, ‘‘Software envi-
ronment for simulation and evaluation of a security operation center,’’ in
Information Fusion and Geographic Information Systems (Lecture Notes
in Geoinformation and Cartography). Berlin, Germany: Springer, 2007,
pp. 111–127.
[35] A. Bialas, M. Michalak, and B. Flisiuk, ‘‘Anomaly detection in network
traffic security assurance,’’ in Engineering in Dependability of Computer
Systems and Networks, vol. 987. Cham, Switzerland: Springer, 2020,
pp. 46–56.
[36] D. Kelley and R. Moritz, ‘‘Best practices for building a security operations
center,’’ Inf. Syst. Secur., vol. 14, no. 6, pp. 27–32, Jan. 2006.
[37] L. Aijaz, B. Aslam, and U. Khalid, ‘‘Security operations center—A need
for an academic environment,’’ in Proc. World Symp. Comput. Netw. Inf.
Secur. (WSCNIS), Hammamet, Tunisia, Sep. 2015, pp. 1–7.
[38] O. Podzins and A. Romanovs, ‘‘Why siem is irreplaceable in a secure it
environment?’’ in Proc. Open Conf. Electr., Electron. Inf. Sci., Vilnius,
Lithuania, May 2019, pp. 1–5.
[39] N. Miloslavskaya, ‘‘Security intelligence centers for big data process-
ing,’’ in Proc. 5th Int. Conf. Future Internet Things Cloud Workshops
(FiCloudW), Prague, Czech Republic, Aug. 2017, pp. 7–13.
[40] J. Bourgeois and R. Syed, ‘‘Managing security of grid architecture with a
grid security operation center,’’in Proc. Int. Conf. Secur.Cryptogr., Milan,
Italy, 2009, pp. 403–408.
[41] R. H. Syed, J. Pazardzievska, and J. Bourgeois, ‘‘Fast attack detection
using correlation and summarizing of security alerts in grid computing
networks,’J. Supercomput., vol. 62, no. 2, pp. 804–827, Nov. 2012.
VOLUME 8, 2020 227775
M. Vielberth et al.: Security Operations Center: A Systematic Study and Open Challenges
[42] R. H. Syed, M. Syrame, and J. Bourgeois, ‘‘Protecting grids from cross-
domain attacks using security alert sharing mechanisms,’Future Gener.
Comput. Syst., vol. 29, no. 2, pp. 536–547, Feb. 2013.
[43] A. Ganame, J. Bourgeois, R. Bidou, and F. Spies, ‘‘Evaluation of the
intrusion detection capabilities and performance of a security operation
center,’’ in Proc. Int. Conf. Secur. Cryptogr., 2006, pp. 48–55.
[44] X. Hu and C. Xie, ‘‘Security operation center design based on D-S
evidence theory,’’ in Proc. Int. Conf. Mechatronics Autom., Luoyang,
China, Jun. 2006, pp. 2302–2306.
[45] S. Yuan and C. Zou, ‘‘The security operations center based on correlation
analysis,’’ in Proc. IEEE 3rd Int. Conf. Commun. Softw. Netw., Xi’an,
China, May 2011, pp. 334–337.
[46] E. G. Amoroso, ‘‘Cyber attacks: Awareness,’Netw. Secur., vol. 2011,
no. 1, pp. 10–16, Jan. 2011.
[47] G. Settanni, F. Skopik, Y. Shovgenya, R. Fiedler, M. Carolan, D. Conroy,
K. Boettinger, M. Gall, G. Brost, C. Ponchel, M. Haustein, H. Kaufmann,
K. Theuerkauf, and P. Olli, ‘‘A collaborative cyber incident management
system for European interconnected critical infrastructures,’J. Inf. Secur.
Appl., vol. 34, pp. 166–182, Jun. 2017.
[48] T. Tafazzoli and H. Gharaee Garakani, ‘‘Security operation center imple-
mentation on OpenStack,’’ in Proc. 8th Int. Symp. Telecommun. (IST),
Tehran, Iran, Sep. 2016, pp. 766–770.
[49] J.-S. Li, C.-J. Hsieh, and H.-Y. Lin, ‘‘A hierarchical mobile-agent-
based security operation center,’’ Int. J. Commun. Syst., vol. 26, no. 12,
pp. 1503–1519, Dec. 2013.
[50] J.-S. Li and C.-J. Hsieh, ‘‘Implementation of the distributed hierarchical
security operation center using mobile agent group,’’ in Proc. Int. Symp.
Comput., Commun., Control Autom. (3CA), Tainan, Taiwan, May 2010,
pp. 79–82.
[51] G. Chamiekara, M. Cooray, L. Wickramasinghe, Y. Koshila,
K. Abeywardhana, and A. Senarathna, ‘‘Autosoc: A low budget
flexible security operations platform for enterprises and organizations,’’
in Proc. Nat. Inf. Technol. Conf. (NITC), Colombo, Sri Lanka, 2017,
pp. 100–105.
[52] E. Falk, S. Repcek, B. Fiz, S. Hommes, R. State, and R. Sasnauskas,
‘‘VSOC–A virtual security operating center,’’ in Proc. IEEE Global
Commun. Conf., Singapore, Dec. 2017, pp. 1–8.
[53] U. Glasser, P. Jackson, A. Araghi, and H. Shahir, ‘‘Intelligent deci-
sion support for marine safety and security operations,’’ in Proc. IEEE
Int. Conf. Intell. Secur. Inform., Vancouver, BC, Canada, May 2010,
pp. 101–107.
[54] B. AlSabbagh and S. Kowalski, ‘‘A framework and prototype for a
socio-technical security information and event management system (ST-
SIEM),’’ in Proc. Eur. Intell. Secur. Informat. Conf. (EISIC), Uppsala,
Sweden, Aug. 2016, pp. 192–195.
[55] F. Sailhan and J. Bourgeois, ‘‘Log-based distributed intrusion detection
for hybrid networks,’’ in Proc. 4th Annu. workshop Cyber Secur. infor-
maiton Intell. Res., New York, NY, USA, 2008, pp. 1–6.
[56] P. Bienias, G. Kolaczek, and A. Warzynski, ‘‘Architecture of anomaly
detection module for the security operations center,’’ in Proc. IEEE 28th
Int. Conf. Enabling Technologies: Infrastruct. Collaborative Enterprises
(WETICE), Naples, Italy, Jun. 2019, pp. 126–131.
[57] A. Chowdhary, D. Huang, G.-J. Ahn, M. Kang, A. Kim, and
A. Velazquez, ‘‘SDNSOC: Object oriented SDN framework,’’ in
Proc. ACM Int. Workshop Secur. Softw. Defined Netw. Netw. Function
Virtualization, New York, NY, USA, 2019, pp. 7–12.
[58] D. Crooks and L. Valsan, ‘‘Wlcg security operations centre working
group,’Proc. Sci., vol. 1, no. 1, pp. 1–25, 2017.
[59] D. Crooks, L. Vâlsan, K. Mohammad, S. McKee, P. Clark,
A. Boutcher, A. Padée, M. Wójcik, H. Giemza, and B. Kreukniet,
‘‘Operational security, threat intelligence & distributed computing: The
wlcg security operations center working group,’EPJ Web Conferences,
vol. 214, p. 15, May 2019.
[60] D. Crooks and L. Válsan, ‘‘Buildinga minimum viable security operations
centre for the modern grid environment,’’ in Proc. Int. Symp. Grids
Clouds, Trieste, Italy, Nov. 2019, p. 10.
[61] P. Danquah, ‘‘Security operations center: A framework for automated
triage, containment and escalation,’J. Inf. Secur., vol. 11, no. 4,
pp. 225–240, 2020.
[62] D. Forte, ‘‘An inside look at security operation centres,’’ Netw. Secur.,
vol. 2003, no. 5, pp. 11–12, 2003.
[63] P. Jacobs, A. Arnab, and B. Irwin, ‘‘Classification of security operation
centers,’’ in Proc. Inf. Secur. South Afr., Johannesburg, South Africa,
Aug. 2013, pp. 1–7.
[64] D. Forte, ‘‘State of the art security management,’’ Comput. Fraud Secur.,
vol. 2009, no. 10, pp. 17–18, Oct. 2009.
[65] N. Miloslavskaya, ‘‘Security operations centers for information security
incident management,’’ in Proc. IEEE 4th Int. Conf. Future Internet
Things Cloud (FiCloud), Vienna, Austria, Aug. 2016, pp. 131–136.
[66] F. David Janos and N. Huu Phuoc Dai, ‘‘Security concerns towards
security operations centers,’’ in Proc. IEEE 12th Int. Symp. Appl.
Comput. Intell. Informat. (SACI), Timisoara, Romania, May 2018,
pp. 000273–000278.
[67] A. Shah, R. Ganesan, and S. Jajodia, ‘‘A methodology for ensuring fair
allocation of CSOC effort for alert investigation,’’ Int. J. Inf. Secur.,
vol. 18, no. 2, pp. 199–218, Apr. 2019.
[68] M. Khalili, M. Zhang, D. Borbor, L. Wang, N. Scarabeo, and
M.-A. Zamor, ‘‘Monitoring and improving managed security services
inside a security operation center,’’ ICST Trans. Secur. Saf., vol. 5, no. 18,
Apr. 2019, Art. no. 157413.
[69] C. Crowley and J. Pescatore, ‘‘Sans 2018 security operations center
survey,’’ SANS Inst., Swansea, U.K., Tech. Rep., 2018.
[70] G. D. Bhatt, ‘‘Knowledge management in organizations: Examining the
interaction between technologies, techniques, and people,’J. Knowl.
Manage., vol. 5, no. 1, pp. 68–75, Mar. 2001.
[71] R. Ruefle, ‘‘Defining computer security incident response teams,’
Carnegie Mellon Univ., Pittsburgh, PA, USA, Tech. Rep., 2007.
[72] D. Robb, ‘‘How to manage a security operations center,’’eSecurity Planet,
Nashville, TN, USA, Tech. Rep., 2019.
[73] M. Vielberth and G. Pernul, ‘‘A security information and event man-
agement pattern,’’ in Proc. 12th Latin Amer. Conf. Pattern Lang. Prog.
(SLPLoP). 2018, pp. 1–5.
[74] F. Alruwaili and T. Gulliver, ‘‘Socaas: Security operations center as
a service for cloud computing environments,’’ Int. J. Cloud Comput.
Services Sci., vol. 3, no. 2, pp. 87–96, 2014.
[75] C. Zimmerman, ‘‘Ten strategies of a world-class cybersecurity operations
center,’’ MITRE Corp., Bedford, MA, USA, Tech. Rep., 2014.
[76] H. Security, ‘‘Choosing a soc service model: The key considerations,’’
Huntsman Secur., London, U.K., Tech. Rep., 2018.
[77] J. Muniz, G. McIntyre, and N. AlFardan, Security operations center:
Building, operating, and maintaining your SOC. Indianapolis, IN, USA:
Cisco Press, 2015.
[78] Outsourced Soc Vs. Internal Soc: How to Choose, Linkbynet, Montreal,
QC, Canada, 2018.
[79] C. Olt, ‘‘Establishing security operation centers for connected cars,’’
ATZelectronics worldwide, vol. 14, no. 5, pp. 40–43, May 2019.
[80] C. DeCusatis, R. Cannistra, A. Labouseur, and M. Johnson, ‘‘Design
and implementation of a research and education cybersecurity operations
center,’’ in Cybersecurity and Secure Information Systems (Advanced
Sciences and Technologies for Security Applications), vol. 33. Cham,
Switzerland: Springer, 2019, pp. 287–310.
[81] R. Ganesan, A. Shah, S. Jajodia, and H. Cam, ‘‘Optimizingalert data man-
agement processes at a cyber security operations center,’’ in Adversarial
and Uncertain Reasoning for Adaptive Cyber Defense (Lecture Notes
in Computer Science), vol. 11830. Cham, Switzerland: Springer, 2019,
pp. 206–231.
[82] C. Zhong, J. Yen, P. Liu, and R. F. Erbacher, ‘‘Learning from Experts’
experience: Toward automated cyber security data triage,’’ IEEE Syst.
J., vol. 13, no. 1, pp. 603–614, Mar. 2019.
[83] C. Islam, M. Babar, and S. Nepal, ‘‘Automated interpretation and
integration of security tools using semantic knowledge,’’ in Advanced
Information Systems Engineering (Lecture Notes in Computer Science),
vol. 11483. Cham, Switzerland: Springer, 2019, pp. 513–528.
[84] Y. Kanemoto, K. Aoki, M. Iwamura, J. Miyoshi, D. Kotani, H. Takakura,
and Y. Okabe, ‘‘Detecting successful attacks from IDS alerts based
on emulation of remote shellcodes,’’ in Proc. IEEE 43rd Annu. Com-
put. Softw. Appl. Conf. (COMPSAC), Milwaukee, WA, USA, Jul. 2019,
pp. 471–476.
[85] E. Agyepong, Y. Cherdantseva, P. Reinecke, and P. Burnap, ‘‘Challenges
and performance metrics for security operations center analysts: A sys-
tematic review,’J. Cyber Secur. Technol., vol. 76, no. 3, pp. 1–28, 2019.
[86] C. Zhong, J. Yen, P. Liu, R. Erbacher, C. Garneau, and B. Chen, ‘‘Study-
ing analysts’ data triage operations in cyber defense situational analy-
sis,’’ in Theory Models for Cyber Situation Awareness (Lecture Notes
in Computer Science), vol. 10030. Cham, Switzerland: Springer, 2017,
pp. 128–169.
227776 VOLUME 8, 2020
M. Vielberth et al.: Security Operations Center: A Systematic Study and Open Challenges
[87] C. Zhong, J. Yen, P. Liu, and R. F.Erbacher, ‘‘Automate cybersecurity data
triage by leveraging human Analysts’ cognitive process,’’ in Proc. IEEE
IEEE 2nd Int. Conf. Big Data Secur. Cloud, Apr. 2016, pp. 357–363.
[88] C. Zhong, T. Lin, P. Liu, J. Yen, and K. Chen, ‘‘A cyber security data triage
operation retrieval system,’’ Comput. Secur.,vol. 76, pp. 12–31, Jul. 2018.
[89] A. Pingle, A. Piplai, S. Mittal, A. Joshi, J. Holt, and R. Zak, ‘‘Relext:
Relation extraction using deep learning approaches for cybersecurity
knowledge graph improvement,’’ in Proc. IEEE/ACM Int. Conf. Adv. Soc.
Netw. Anal. Mining, 2019, pp. 879–886
[90] A. Shah, R. Ganesan, S. Jajodia, and H. Cam, ‘‘Adaptive reallocation of
cybersecurity analysts to sensors for balancing risk between sensors,’
Service Oriented Comput. Appl., vol. 12, no. 2, pp. 123–135, Jun. 2018.
[91] A. Shah, R. Ganesan, S. Jajodia, and H. Cam, ‘‘A two-step approach to
optimal selection of alerts for investigation in a CSOC,’’ IEEE Trans. Inf.
Forensics Security, vol. 14, no. 7, pp. 1857–1870, Jul. 2019.
[92] S. Sundaramurthy, A. Bardas, J. Case, X. Ou, M. Wesch, J. McHugh,
and R. Rajagopalan, ‘‘A human capital model for mitigating security
analyst burnout,’’ in Proc. 11th Symp. Usable Privacy Secur., Ontario,
ON, Canada, 2015 pp. 347–359.
[93] T. Sander and J. Hailpern, ‘‘UX aspects of threat information sharing
platforms,’’ in Proc. 2nd ACM Workshop Inf. Sharing Collaborative
Secur., New York, NY, USA, 2015, pp. 51–59.
[94] T. Lin, C. Zhong, J. Yen, and P. Liu, ‘‘Retrieval of relevant historical
data triage operations in security operation centers,’’ in From Database to
Cyber Security (Lecture Notes in Computer Science), vol. 11170. Cham,
Switzerland: Springer, 2018, pp. 227–243.
[95] A. Applebaum, S. Johnson, M. Limiero, and M. Smith, ‘‘Playbook ori-
ented cyber response,’’ in Proc. Nat. Cyber Summit (NCS), Huntsville,
Alabama, Jun. 2018, pp. 8–15.
[96] S. Sanchez, R. Mazzolin, I. Kechaoglou, D. Wiemer, W. Mees, and
J. Muylaert, ‘‘Cybersecurity space operation center: Countering cyber
threats in the space domain,’’ in Handbook Space Security, K.-U. Schrogl,
Ed. Cham, Switzerland: Springer, 2020, pp. 921–939.
[97] C. Zhong, A. Alnusair, B. Sayger, A. Troxell, and J. Yao, ‘‘AOH-map:
A mind mapping system for supporting collaborative cyber security anal-
ysis,’’ in Proc. IEEE Conf. Cognit. Comput. Aspects Situation Manage.
(CogSIMA), Las Vegas, NV, USA, Apr. 2019, pp. 74–80.
[98] A. Shah, R. Ganesan, S. Jajodia, and H. Cam, ‘‘Optimal assignment
of sensors to analysts in a cybersecurity operations center,’’ IEEE Syst.
J., vol. 13, no. 1, pp. 1060–1071, Mar. 2019.
[99] A. Kabil, T. Duval, N. Cuppens, G. Le Comte, Y. Halgand, and
C. Ponchel, ‘‘From cyber security activities to collaborative virtual envi-
ronments practices through the 3D cybercop platform,’’ in Information
Systems Security (Lecture Notes in Computer Science), vol. 11281.
Cham, Switzerland: Springer, 2018, pp. 272–287.
[100] A. Vault, ‘‘How to build a security operations center,’’ Alien Vault, San
Mateo, CA, USA, Tech. Rep., 2017.
[101] O. Cassetto, ‘‘Security operations center roles and responsibilities,’’
Exabeam, Foster City, CA, USA, Tech. Rep., 2019.
[102] Strategies for Building and Growing Strong Cybersecurity Teams: Cyber-
security Workforce Study, International Information System Security Cer-
tification Consortium, Clearwater, FL, USA, 2019.
[103] A. Chin-Ching Lin, H.-K. Wong, and T.-C. Wu, ‘‘Enhancing interoper-
ability of security operation center to heterogeneous intrusion detection
systems,’’ in Proc. 39th Annu. Int. Carnahan Conf. Secur. Technol.,
Las Palmas, Spain, 2005, pp. 216–221.
[104] S. Bhatt, P. K. Manadhata, and L. Zomlot, ‘‘The operational role of secu-
rity information and event management systems,’’ IEEE Secur. Privacy,
vol. 12, no. 5, pp. 35–41, Sep. 2014.
[105] D. Zhang and D. Zhang, ‘‘The analysis of event correlation in security
operations center,’’in Proc. 4th Int. Conf. Intell. Comput. Technol.Autom.,
Guangdong, Shenzhen, Mar. 2011, pp. 1214–1216.
[106] Z. Qu and L. Wang, ‘‘The design of a correlation analysis engine model
based on Carma_VE algorithm,’’ in Proc. IEEE Int. Symp. Med. Edu.,
Jinan, China, Aug. 2009, pp. 1267–1270.
[107] B. Bösch, ‘‘Approach to enhance the efficiency of security operation cen-
ters to heterogeneous ids landscapes,’’ in Critical Information Infrastruc-
tures Security (Lecture Notes in Computer Science), vol. 7722. Berlin,
Germany: Springer, 2013, pp. 1–9.
[108] F. Sailhan, J. Bourgeois, and V. Issarny, ‘‘A security supervision system
for hybrid networks,’’ in Software Engineering, Artificial Intelligence,
Networking and Parallel/Distributed Computing (Studies in Computa-
tional Intelligence), vol. 149, R. Lee, Ed. Berlin, Germany: Springer,
2008, pp. 137–149.
[109] M. E. Verma and R. A. Bridges, ‘‘Defining a metric space of host logs
and operational use cases,’’ in Proc. IEEE Int. Conf. Big Data (Big Data),
Seattle, WA, USA, Dec. 2018, pp. 5068–5077.
[110] M. Alam, S.-U.-R. Malik, Q. Javed, A. Khan, S. B. Khan, A. Anjum,
N. Javed, A. Akhunzada, and M. K. Khan, ‘‘Formal modeling and
verification of security controls for multimedia systems in the cloud,’
Multimedia Tools Appl., vol. 76, no. 21, pp. 22845–22870, Nov. 2017.
[111] R. Bridges, M. Iannacone, J. Goodall, and J. Beaver, ‘‘How do infor-
mation security workers use host data? A summary of interviews
with security analysts,’’ 2018, arXiv:1812.02867v1. [Online]. Available:
[112] B. Song, J. Choi, S.-S. Choi, and J. Song, ‘‘Visualization of security event
logs across multiple networks and its application to a CSOC,’Cluster
Comput., vol. 22, no. S1, pp. 1861–1872, Jan. 2019.
[113] D. Weissman and A. Jayasumana, ‘‘Integrating IoT monitoring for secu-
rity operation center,’’ in Proc. Global Internet Things Summit (GIoTS),
Dublin, Ireland, Jun. 2020, pp. 1–6.
[114] M. Nabil, S. Soukainat, A. Lakbabi, and O. Ghizlane, ‘‘SIEM selection
criteria for an efficient contextual security,’’ in Proc. Int. Symp. Netw.,
Comput. Commun. (ISNCC), Marrakech, Morocco, May 2017, pp. 1–6.
[115] Y.-C. Cheng, C.-H. Chen, C.-C. Chiang, J.-W. Wang, and C.-S. Laih,
‘‘Generating attack scenarios with causal relationship,’’ in Proc. IEEE
Int. Conf. Granular Comput., Fremont, CA, USA, Nov. 2007, p. 368.
[116] G. Gonzalez Granadillo, M. El-Barbori, and H. Debar, ‘‘New types of
alert correlation for security information and event management sys-
tems,’’ in Proc. 8th IFIP Int. Conf. New Technol., Mobility Secur. (NTMS),
Larnaca, Cyprus, Nov. 2016, pp. 1–7.
[117] C. Islam, M. A. Babar, and S. Nepal, ‘‘A multi-vocal review of security
orchestration,’ACM Comput. Surv., vol. 52, no. 2, pp. 1–45, May 2019.
[118] K. Hughes, K. McLaughlin, and S. Sezer, ‘‘Dynamic countermeasure
knowledge for intrusion response systems,’’ in Proc. 31st Irish Signals
Syst. Conf. (ISSC), Letterkenny, Ireland, Jun. 2020, pp. 1–6.
[119] S. Y. Cho, J. Happa, and S. Creese, ‘‘Capturing tacit knowledge in security
operation centers,’IEEE Access, vol. 8, pp. 42021–42041, 2020.
[120] M. H. Khyavi, ‘‘Isms role in the improvement of digital forensics
related process in soc’s,’’ 2015, arXiv:2006.08255. [Online]. Available:
[121] W. Yang and K.-Y. Lam, ‘‘Automated cyber threat intelligence reports
classification for early warning of cyber attacks in next generation
soc,’’ in Information and Communications Security, vol. 11999, J. Zhou,
X. Luo, Q. Shen, and Z. Xu, Eds. Cham, Switzerland: Springer, 2020,
pp. 145–164.
[122] C. Islam, M. A. Babar, and S. Nepal, ‘‘Architecture-centric support
for integrating security tools in a security orchestration platform,’’ in
Software Architecture (Lecture Notes in Computer Science), vol. 12292,
A. Jansen, I. Malavolta, H. Muccini, I. Ozkaya, O. Zimmermann, Eds.
Cham, Switzerland: Springer, 2020, pp. 165–181.
[123] Information Technology - Security Techniques—Information Security
Incident Management—Part 1: Principles of Incident Management,Stan-
dard Iso/iec 27035-1:2016, 2016.
[124] P. Cichonski, T. Millar, T. Grance, and K. Scarfone, ‘‘Computer security
incident handling guide: Special publication 800-61 revision 2,’’ Nat. Inst.
Standards Technol., Gaithersburg, MD, USA, Tech. Rep. 800-61, 2012.
[125] K. Kent and M. Souppaya, ‘‘Guide to computer security log man-
agement: Recommendations of the national institute of standards and
technology,’’ Nat. Inst. Standards Technol., Gaithersburg, MD, USA,
Tech. Rep. 800-92, 2006.
[126] F. Osinga, Science, Strategy and War: The Strategic Theory of John Boyd.
London, U.K.: Routledge, 2007.
[127] C. Falk and J. Dykstra, ‘‘Sonification with music for cybersecurity sit-
uational awareness,’’ in Proc. 25th Int. Conf. Auditory Display (ICAD),
Jun. 2019, pp. 50–55.
[128] D. Ambawade, P. Kedar, and J. Bakal, ‘‘A comprehensive architecture
for correlation analysis to improve the performance of security operation
center,’’ in Innovations in Computer Science and Engineering (Lecture
Notes in Networks and Systems), vol. 8. Singapore: Springer, 2017,
pp. 205–216.
[129] M. Almukaynizi, E. Marin, E. Nunes, P. Shakarian, G. I. Simari,
D. Kapoor, and T. Siedlecki, ‘‘DARKMENTION: A deployed sys-
tem to predict enterprise-targeted external cyberattacks,’’ in Proc. IEEE
Int. Conf. Intell. Secur. Informat. (ISI), Miami, FL, USA, Nov. 2018,
pp. 31–36.
VOLUME 8, 2020 227777
M. Vielberth et al.: Security Operations Center: A Systematic Study and Open Challenges
[130] R. Graf and R. King, ‘‘Neural network and blockchain based technique
for cyber threat intelligence and situational awareness,’’ in Proc. 10th Int.
Conf. Cyber Conflict (CyCon), Tallinn, Estonia, May 2018, pp. 409–426.
[131] R. Graf and R. King, ‘‘Secured transactions technique based on smart
contracts for situational awareness tools,’’ in Proc. 12th Int. Conf. Inter-
net Technol. Secured Trans. (ICITST), Cambridge, U.K., Dec. 2017,
pp. 81–86.
[132] D.-R. Tsai, W.-C. Chen, Y.-C. Lu, and C.-W. Wu, ‘‘A trusted security
information sharing mechanism,’’ in Proc. 43rd Annu. Int. Carnahan
Conf. Secur. Technol., Zurich, Switzerland, Oct. 2009, pp. 257–260.
[133] L. Karaçay, E. Savaä, and H. Alptekin, ‘‘Intrusion detection over
encrypted network data,’Comput. J., vol. 63, no. 4, pp. 604–619,
Apr. 2020.
[134] M. M. Baskaran, T. Henretty, J. Ezick, R. Lethin, and D. Bruns-Smith,
‘‘Enhancing network visibility and security through tensor analysis,’’
Future Gener. Comput. Syst., vol. 96, pp. 207–215, Jul. 2019.
[135] K. Berlin, D. Slater, and J. Saxe, ‘‘Malicious behavior detection using
windows audit logs,’’ in Proc. 8th ACM Workshop Artif. Intell. Secur.,
New York, NY, USA, 2015, pp. 35–44.
[136] P. Burnap, R. French, F. Turner, and K. Jones, ‘‘Malware classification
using self organising feature maps and machine activity data,’’ Comput.
Secur., vol. 73, pp. 399–410, Mar. 2018.
[137] Q. Chen, R. Islam, H. Haswell, and R. Bridges, ‘‘Automated ransomware
behavior analysis: Pattern extraction and early detection,’’ in Proc. Int.
Conf. Sci. Cyber Secur., 2019, pp. 199–214.
[138] K. Demertzis, N. Tziritas, P. Kikiras, S. L. Sanchez, and L. Iliadis, ‘‘The
next generation cognitive security operations center: Adaptive analytic
lambda architecture for efficient defense against adversarial attacks,’’ Big
Data Cognit. Comput., vol. 3, no. 1, p. 6, Jan. 2019.
[139] H. M. Farooq and N. M. Otaibi, ‘‘Optimal machine learning algorithms
for cyber threat detection,’’ in Proc. 20th Int. Conf. Comput. Model. Simul.
(UKSim), Cambridge, U.K., Mar. 2018, pp. 32–37.
[140] C. Feng, S. Wu, and N. Liu, ‘‘A user-centric machine learning framework
for cyber security operations center,’’ in Proc. IEEE Int. Conf. Intell.
Secur. Informat. (ISI), Beijing, China, Jul. 2017, pp. 173–175.
[141] W. Feng, S. Wu, X. Li, and K. Kunkle, ‘‘A deep belief net-
work based machine learning system for risky host detection,’’ 2017,
arXiv:1801.00025. [Online]. Available:
[142] J. D. Hernandez Guillen, A. Martin del Rey, and R. Casado-Vara, ‘‘Secu-
rity countermeasures of a SCIRAS model for advanced malware propa-
gation,’IEEE Access, vol. 7, pp. 135472–135478, 2019.
[143] S. Hiruta, S. Ikeda, S. Shima, and H. Takakura, ‘‘Ids alert priority deter-
mination based on traffic behavior,’’ in Advances in Information and
Computer Security (Lecture Notes in Computer Science), vol. 11689.
Cham, Switzerland: Springer, 2019, pp. 189–206.
[144] K.-F. Hong, C.-C. Chen, Y.-T. Chiu, and K.-S. Chou, ‘‘Ctracer: Uncover
C&C in advanced persistent threats based on scalable framework for
enterprise log data,’’ in Proc. IEEE Int. Congr. Big Data, New York, NY,
USA, Jun. 2015, pp. 551–558.
[145] C. Mao, H. Pao, C. Faloutsos, and H. Lee, ‘‘Sbad: Sequence based attack
detection via sequence comparison,’’ in Privacy and Security Issues in
Data Mining and Machine Learning (Lecture Notes in Computer Sci-
ence), vol. 6549. Berlin, Germany: Springer, 2011, pp. 78–91.
[146] H. Mao, C. Wu, E. Papalexakis, C. Faloutsos, K. Lee, and T. Kao,
‘‘Malspot: Multi2 malicious network behavior patterns analysis,’’ in
Advances in Knowledge Discovery and Data Mining (Lecture Notes
in Computer Science), vol. 8443. Cham, Switzerland: Springer, 2014,
pp. 1–14.
[147] Y. Niu and Y. C. Peng, ‘‘Application of radial function neural network
in network security,’’ in Proc. Int. Conf. Comput. Intell. Secur., Suzhou,
China, Dec. 2008, pp. 458–463.
[148] Y. Niu, Q. Zhang, Q. Zheng, and H. Peng, ‘‘Security operation center
based on immune system,’’ in Proc. Int. Conf. Comput. Intell. Secur.
Workshops (CISW), Heilongjiang, China, Dec. 2007, pp. 97–103.
227778 VOLUME 8, 2020
M. Vielberth et al.: Security Operations Center: A Systematic Study and Open Challenges
MANFRED VIELBERTH received the bachelor's and master's degrees in management information systems with a specialization in cyber security from the University of Regensburg, Germany. He is currently pursuing the Ph.D. degree with the Chair of Information Systems, University of Regensburg. Since February 2017, he has been a Research Assistant with the Chair of Information Systems, University of Regensburg. His research interest includes human aspects in the security analytics domain. On the expert side, this mainly comprises improving processes for better integrating security analysts within a Security Operations Center. In terms of security novices, this primarily covers capturing reports about security incidents in the context of the Human-as-a-Security-Sensor

FABIAN BÖHM received the master's degree (Hons.) in management information systems from the Elite Program, University of Regensburg, and the Polytechnic University of Catalonia, Barcelona, in 2016. He is currently pursuing the Ph.D. degree with the Chair of Information Systems, University of Regensburg. Since 2017, he has been a Research Assistant with the Chair of Information Systems, University of Regensburg. His research interest includes the application of Visual Analytics for cybersecurity. His primary focus within this topic is to leverage Visual Analytics approaches to integrate human domain knowledge into different cybersecurity areas. The core research results show the possibilities offered by Visual Analytics in crucial security domains such as Cyber Threat Intelligence, Identity and Access Management, Security Analytics, and Digital Forensics.

INES FICHTINGER received her B.Sc. and M.Sc. degrees in management information systems with a specialization in cyber security from the University of Regensburg, Germany. She is currently working at Deloitte Belgium as a Senior Cyber Security Consultant. Her research interests include security operations and SOC-as-a-service, as well as evaluating the current cyber security posture of companies and helping them design a strategy to reach their desired security posture.

GÜNTHER PERNUL (Member, IEEE) received the diploma and Ph.D. degrees (Hons.) in business informatics from the University of Vienna, Austria. He is currently a Professor with the Department of Information Systems, University of Regensburg, Germany. Previously, he held positions at the University of Duisburg-Essen, Germany; the University of Vienna; the University of Florida, Gainesville; and the College of Computing, Georgia Institute of Technology, Atlanta. His research interests include data and information-security aspects, data protection and privacy, data analytics, and advanced data-centric applications.