sesa 19(18): e1

Research Article

Monitoring and Improving Managed Security Services inside a Security Operation Center

Download440 downloads
  • @ARTICLE{10.4108/eai.8-4-2019.157413,
        author={Mina Khalili and Mengyuan Zhang and Daniel Borbor and Lingyu Wang and Nicandro Scarabeo and Michel-Ange Zamor},
        title={Monitoring and Improving Managed Security Services inside a Security Operation Center},
        journal={EAI Endorsed Transactions on Security and Safety},
        keywords={Managed Security Services, Network Security Monitoring, Security Operation Center, Performance Metrics, Service Level Agreement, SLA, SOC, MSS, NSM, Security analysts},
  • Mina Khalili
    Mengyuan Zhang
    Daniel Borbor
    Lingyu Wang
    Nicandro Scarabeo
    Michel-Ange Zamor
    Year: 2019
    Monitoring and Improving Managed Security Services inside a Security Operation Center
    DOI: 10.4108/eai.8-4-2019.157413
Mina Khalili1, Mengyuan Zhang1,*, Daniel Borbor1, Lingyu Wang1, Nicandro Scarabeo2, Michel-Ange Zamor3
  • 1: Concordia Institute for Information Systems Engineering (CIISE), Concordia University, Montreal, QC H3G 1M8, Canada
  • 2: University of Cassino and Southern Lazio, Viale dell’Università, 03043 Cassino FR, Italy
  • 3: Département d’informatique, Université de Sherbrooke, Sherbrooke, QC J1K 2R1, Canada
*Contact email:


Monitoring and improving the performance of Security Operation Centers (SOC) are becoming crucial due to the emerging need of benefiting from Managed Security Services (MSS) rather than hiring in-house security experts. In this paper, by observing workflows of a real-world SOC, a system consisting of three different modules is designed for monitoring analysts’ activities, analysis performance measurement, and performing simulation scenarios. The system empowers managers to evaluate the SOC’s performance, which helps them to conform to Service Level Agreement (SLA) and see the need for improvement. Moreover, the designed system is strengthened by a background service module to provide feedback about anomalies or informative issues for security analysts. Three case studies have been conducted based on real data collected from the operational SOC, and simulation results have demonstrated the effectiveness of the different modules of the designed system in improving the SOC performance.