A Security Operations Center (SOC) serves as the nerve center for an organization's cybersecurity defense—monitoring, detecting, analyzing, and responding to security incidents around the clock. While enterprise-grade SOCs with 50-person teams are impractical for mid-size companies, a right-sized SOC is achievable with the correct architecture and tooling. At Nexis Limited, we have helped organizations across Bangladesh build effective security operations capabilities without enterprise-level budgets.
SOC Architecture and Core Components
A functional SOC requires four foundational components: a Security Information and Event Management (SIEM) platform, an incident response workflow system, threat intelligence feeds, and skilled analysts. The SIEM aggregates and correlates log data from across the infrastructure—firewalls, endpoints, servers, applications, and cloud services. Modern SIEM platforms like Wazuh (open-source), Elastic Security, or Microsoft Sentinel provide log ingestion, correlation rules, alerting, and dashboards. For mid-size deployments, Wazuh offers an excellent cost-to-capability ratio, combining SIEM functionality with host-based intrusion detection and compliance monitoring.
Log Collection Strategy
Effective SOC operations depend on comprehensive log visibility. Priority log sources include: perimeter firewalls and IDS/IPS systems, Active Directory and authentication logs, DNS query logs, endpoint detection and response (EDR) telemetry, email gateway logs, web application firewalls, cloud platform audit trails (AWS CloudTrail, Azure Activity Log), and VPN access logs. Each source should be normalized to a common schema—Elastic Common Schema (ECS) or OCSF—enabling consistent correlation across disparate data sources. A mid-size organization typically generates 5-50 GB of log data daily, which must be factored into storage and processing capacity planning.
Detection Engineering and Alert Tuning
Raw log data is meaningless without detection logic. Detection engineering involves creating correlation rules, behavioral baselines, and anomaly detection models that identify genuine threats while minimizing false positives. Start with known attack patterns from the MITRE ATT&CK framework—map your detection rules to specific techniques and sub-techniques. For example, detecting credential dumping (T1003) requires monitoring for specific process behaviors: LSASS memory access, suspicious use of comsvcs.dll, or Mimikatz-like tool execution. Alert fatigue from excessive false positives is the primary reason SOCs fail—invest significant effort in tuning detection rules before going live.
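As an added example, not code from Nexis or from any SIEM product, the following rule implements the LSASS-access case above over a few constructed, ECS-normalized process-access records and shows where tuning (the allowlist) fits; the allowlist entries, hostnames and paths are assumptions for illustration.

```python
import json

# Access-right bits of the Win32 process access mask (documented values).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Tuning allowlist: processes expected to read LSASS memory on this fleet.
# Hypothetical entries for the example; derive yours from a baseline period.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
}

def _evt(code, exe, access, host="ws01"):
    # Build one constructed record (not real telemetry) already normalized to
    # ECS-style fields, modelled on Sysmon event 10 (ProcessAccess).
    return json.dumps({"event": {"code": code}, "host": {"name": host},
                       "process": {"executable": exe},
                       "target": {"process": {"name": "lsass.exe"}},
                       "winlog": {"event_data": {"GrantedAccess": access}}})

SAMPLE_EVENTS = [
    _evt("1", r"C:\Windows\System32\notepad.exe", "0x0"),      # not ProcessAccess
    _evt("10", r"C:\Windows\System32\csrss.exe", "0x1000"),    # query-only access
    _evt("10", r"C:\Program Files\Windows Defender\MsMpEng.exe", "0x1FFFFF"),
    _evt("10", r"C:\Users\bob\AppData\Local\Temp\mm.exe", "0x1010", "ws02"),
    _evt("10", r"C:\Windows\System32\rundll32.exe", "0x1FFFFF", "ws02"),
]

def detect_lsass_access(lines):
    """One alert per ProcessAccess event in which a non-allowlisted process
    obtained memory read/write rights on lsass.exe (ATT&CK T1003.001)."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event", {}).get("code") != "10":
            continue  # rule only applies to process-access telemetry
        if ev.get("target", {}).get("process", {}).get("name", "").lower() != "lsass.exe":
            continue
        source = ev.get("process", {}).get("executable", "")
        granted = int(ev["winlog"]["event_data"]["GrantedAccess"], 16)
        if not (granted & (PROCESS_VM_READ | PROCESS_VM_WRITE)):
            continue  # e.g. 0x1000 (query limited info) cannot read memory
        if source.lower() in ALLOWLIST:
            continue  # tuned out: known benign reader on this fleet
        alerts.append({"host": ev["host"]["name"], "process": source,
                       "granted_access": hex(granted),
                       "technique": "T1003.001", "severity": "high"})
    return alerts
```

Of the five constructed records, only the two non-allowlisted processes that obtained memory-read rights produce alerts; the query-only access and the allowlisted AV engine are tuned out rather than left to generate noise.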
Incident Response Workflow
When the SOC detects a potential incident, a structured response process must activate. The NIST Incident Response lifecycle defines four phases: preparation, detection and analysis, containment/eradication/recovery, and post-incident activity. Each phase should have documented playbooks—step-by-step procedures for common incident types like malware infection, phishing compromise, unauthorized access, and data exfiltration. Ticketing integration with platforms like TheHive or even Jira ensures incidents are tracked, escalated, and resolved systematically.
Threat Intelligence Integration
Threat intelligence transforms raw alerts into contextual understanding. Open-source threat intelligence platforms (TIPs) like MISP or OpenCTI aggregate indicators of compromise (IOCs)—malicious IP addresses, domain names, file hashes—from multiple feeds. These IOCs are integrated into the SIEM as watchlists, enriching alerts with threat context. For Bangladeshi organizations, regional threat intelligence from BD-CERT and APNIC provides locally relevant insights about threat actors targeting South Asian infrastructure.
Staffing and Operational Model
A 24/7 SOC requires a minimum of 5-6 analysts across three shifts—this is often the most expensive component. For mid-size companies, a hybrid model is practical: in-house analysts during business hours with an outsourced Managed Detection and Response (MDR) provider covering nights and weekends. SOC analysts should be structured in tiers: Tier 1 handles initial alert triage, Tier 2 performs deeper investigation and incident handling, and Tier 3 focuses on threat hunting and detection engineering. Continuous training through platforms like CyberDefenders, LetsDefend, or Blue Team Labs Online is essential for skill development.
Building a SOC is a strategic investment in organizational resilience. Start small with a focused scope, mature your detection capabilities iteratively, and scale operations as your threat landscape evolves. Contact us to explore how we can help you establish security operations that match your organization's risk profile and budget.