- published 12/26/24 1:29 PM
- updated Aug 10, 2024
- 2 min read
Security Operations Centre (SOC) Baseline Capabilities
Audience
Corporations, Government
Content Outline
Introduction
The evolving threat landscape, together with the plethora of new technologies and business practices, requires that enterprises match the dexterity and skills of their adversaries, keep their detection capabilities relevant and continually advance their ability to respond. A key foundational element toward this is a competent Security Operations Center (SOC) that alerts stakeholders to meaningful security events, centralizes alerts into a single functional unit and provides the ability to coordinate a response to emerging situations, thus limiting the impact of security incidents.
Modern day SOCs have at their disposal a wide array of sophisticated prevention, detection and response technologies, cyber intelligence reporting capabilities, and access to a rapidly expanding skilled cyber workforce. It is therefore necessary to outline baseline capabilities for Security Operations Centers within the Critical Information Infrastructure (CII) and propose maturity targets across technology, tools and supporting people and processes.
In the context of building national monitoring capabilities, SOCs of CII entities are expected to align with and feed into the National Security Operations Center (NSOC) to support the UAE’s situational awareness. Supported by a common taxonomy of security events and incidents, this enables a coherent national incident response against cyber-attacks.
The Cyber Security Council has established this baseline to outline minimum requirements for CII Security Operations Centers and define maturity targets to enhance national cyber resilience. This initiative builds upon the UAE’s position as a global leader in cyber security, and further enhances the security posture of organizations and individuals within the UAE.
Impact Definition
Significant Event vs Incident
Distinguishes between an incident, defined by ITIL as the unplanned interruption or quality reduction of an IT service, and an event, which is any significant occurrence for IT management.
Formal Definition of Impact
Impact refers to any damage or significant risk to the confidentiality, availability, or integrity of information, assets, and operations. In modern SOCs, this definition expands beyond the CIA triad to include aspects of control and safety, particularly in environments involving ICS, OT, or IoT.
Maturity, Capability & Methodology
Capability
Capability is the ability to execute actions effectively within a SOC, including communication, coordination, prevention, detection, analysis, containment, and remediation. Capabilities are assessed based on achievement levels, with a focus on technological aspects.
Maturity
Maturity is the codified experience within an organization, reflected in predictable and reproducible SOC processes. It is evaluated through the documentation of processes and their integration into the organization's culture.
Evaluation Methodology
The framework provides a grid to evaluate and plan improvements, outlining the necessary documents and capabilities for a SOC to become exemplary.
Industry Targets
Defines the required maturity and capability levels across SOC domains that critical industries must achieve within three years of implementing the baseline. The target maturity is calculated as the average maturity and capability score across all relevant SOC domains, setting a clear benchmark for progress.
SOC Framework
Describes the key components of the SOC (Security Operations Center) framework, which includes Business, Technology, Services, Processes, and People. Each of these elements plays a critical role in the effective operation and security posture of the SOC.
People
Manage people as the principal resource of a SOC, from acquisition to optimization and retention. Establish role-based hierarchies, knowledge management practices, and a training program to address skill gaps.
Process
Organize SOC relationships, ensure service availability, produce and review reports, and provide structured security monitoring tied to business drivers.
Technology
Provide log management, correlation capabilities, detection, blocking of IoCs, and security analytics. Enable automation to integrate disparate security tools.
Services
Collect and analyze logs to identify security incidents, establish processes for significant events, differentiate true and false positives, manage IoCs, and enable threat hunting and vulnerability management.
Federation & NSOC
National Security Operations Center (NSOC)
NSOC
Aims to centralize UAE’s defense against cyber threats, providing assistance and fostering collaboration. It maintains the UAE cybersecurity framework and policies and assesses compliance within sector SOCs.
Federation
Federation involves two-way communication, where Sector SOCs report incidents to NSOC and receive guidance. All organizations within the federation are obligated to report incidents, ensuring comprehensive incident awareness.
Summary
The SOC Baseline Capabilities document defines the minimum maturity and essential capabilities required for Security Operations Centers (SOCs) within the UAE’s Critical Information Infrastructure (CII). It outlines SOC framework components, maturity levels, and the role of the National SOC in supporting sector-wide monitoring and response.