Building a context-aware in-house SOC

As a global leader in asset management, it was critical that this client had a strong security monitoring capability for quick threat detection and response. When the results of an industry security test pointed to serious gaps, the client decided it needed a new approach to ensure it had a capability that was fit for purpose.

With a history of strong investment in its security programme, the client was using a global Managed Security Services Provider (MSSP) to manage its perimeter security devices and perform security monitoring across its estate. As part of an industry scheme to test UK financial organisations’ security posture, the client embarked on a red team exercise to understand how it would handle an Advanced Persistent Threat (APT).


While many positives were identified during the exercise, a number of concerns were raised around the capability and maturity of its defences particularly because successful breaches had not been identified by its security monitoring partner.

As part of a security transformation programme, the company decided to take a fresh approach to its cybersecurity monitoring. It felt that its MSSP did not have enough context of the particular environment or threat landscape, plus a lack of flexibility and no proactive threat hunting. As a result, the client decided to take security monitoring in-house and build its own SOC.

Due to the specialist skills and experience required, the client chose to work with ECS to build and run the SOC, eventually transferring the operations to an internal team.

Value Realisation

Using its SOC Toolkit and experienced team, ECS was able to work with the client to design and build a SOC specifically for its needs. ECS focused on the elements of people, process and technology as the dedicated SOC was built in one of the client’s offices and then run by ECS in close collaboration with the client.

The client immediately benefited from a dedicated in -house SOC run by an expert team. Closer collaboration – and deep knowledge of the environment being monitored – resulted in efficient tuning and a vast reduction in the number of false positives escalated to the internal team. It also allowed the development of a new security monitoring use cases in line with the client’s particular threat landscape.

One benefit was the expansion of the capabilities as proactive threat hunting was added to the detect and respond service. The new SOC strives for a 1:1 ratio of reactive to proactive work. Plus, the hunting focus immediately added value by detecting existing malware and suspicious internal behaviour.